It has been some time since I last posted. Sorry it’s been a challenging year, as I am sure you can all understand. So, I finally have had the chance to sit and get something together. I have had an incredible amount of emails asking about reporting for Red Team engagements. Which is very hard to share, so what I have done for this first post is to share three questions that come up in all reports and an example of how we respond to them:
In this case, the target is a University, and the three questions I always ask my self when first looking into the target are:
The target.
The industry.
Threat Actor’s Modus Operandi.
The ACME University as a Target
ACME University is a University with a strong reputation for excellence in teaching and research. As the fastest growing University in ACME Land, ACME University is an institution with strong industry engagement, prioritizing academic learning coupled with practical industry experience in preparing students for the workforce. One of the clearest demonstrations of this approach is the opening of the University’s ACME precinct. This $200 million flagship teaching and research facility is designed to promote innovation and enterprise through the collaboration of education, research, and business.
Housing the University’s Department of Computer Science, Engineering and Mathematics, Medical Device Research Institute; Centre for Nanoscale Science and Technology; and industry partners such as ABC and DEF, the ACME precinct is making a substantial contribution to the economic development of current and future industries. ACME University’s strong commitment to research innovation and excellence can also be seen in the record number of grants worth almost $20 million awarded as part of the ACME Research Council 2020 funding program. As a member of the ACME Innovative Research Group - ACME universities conducting research of national and international standing – the University’s specific research strengths include biomedical and clinical sciences; culture; policy and society; health and human behaviours; molecular science and technology; engineering; water and environment.
The University continues to embrace an outward focus of teaching and research collaboration, particularly in the Asia Pacific region, including China, Malaysia, and Hong Kong. This focus is further consolidated in the University’s membership of the International Network of Universities, a global consortium of higher education institutions seeking international partnerships and experiences.
The Industry as a Target
The Higher Education sector faces unique challenges with regard to cybersecurity. Universities are attractive cyber targets, and there are a number of reasons for this. Firstly, information is essential to the core business of universities. Information and data are critical for the smooth running of large, complex institutions, and as such, large organizations use and store large volumes of data in their day-to-day business.
Data is also essential in the generation of complex, valuable, and innovative research. This combination of students’ personal, financial, and other confidential data, along with commercially desirable research, makes the Higher Education sector so desirable to cyber threat actors. Secondly, universities have significant information processing power that is attractive for threat actors (such as organized crime groups) to use for their own nefarious purposes. This includes using university networks to propagate bulk phishing emails or carry out other large-scale cyber-attacks. What further heightens the risk to this sector is the nature of the university operating environment. Universities do not operate within traditional organizational boundaries - they engage in a wide range of activities, in multiple industries, in multiple locations. Those individuals using university networks are highly mobile and often transient and range from students to industry professionals. Universities are involved in teaching, research, and related commercial activity on an interconnected global scale that cannot be ‘shut down’ in ways other businesses might.
Furthermore, it is collaboration and the very act of information sharing that is essential for universities to succeed. University culture is defined by its embracing of openness, and it is this openness that universities must continually seek to balance with the need for protection. Added to the challenge is the reality that universities often have limited options when it comes to resources. For example, education technology has not traditionally been a lucrative field, and in a market without fierce competition, security has not been a critical differentiator. This means universities often have limited options regarding technology that meets their needs for both service provision and adequate protection. For these reasons, ensuring appropriate and proportionate security controls that both empower and protect university core business is extremely difficult.
Threat Actors and Modus Operandi
Attacks against universities and those who use them are increasing worldwide. Cyber security breaches experienced by universities over the past few years have been carried out by a range of cyber threat actors, using a range of methods, with the most common being phishing emails and the exploitation of SQL injection and cross-site scripting. Cyber threat actors can be categorized into four main groups: criminals, corporate entities, state-sponsored, and activists. Each of these threat actors has different motivations and objectives in carrying out cyber-attacks. Very broadly, the objectives of threat actors can be divided into two: obtaining information and disrupting information. Obtaining information (for example, personal/financial data or sensitive information) is more likely to be carried out by criminals, corporate entities, and state-sponsored threat actors. Disruption (for example, denial of service attacks and website defacements) is more likely to be carried out by activist threat actors. Notable recent examples of disruption attacks against universities include the multiple attacks on Rutgers University in the United States throughout 2014 and 2015 and the attacks against Network Janet - the publicly funded academic computer network in the United Kingdom – that affected numerous United Kingdom universities in December 2015.
Most attacks on universities to date, however, have been in relation to obtaining information – both personal details and research. The past two years have seen an increasing number of breaches relating to student data. These attacks, most likely by criminal threat actors, have occurred at institutions such as UCLA Health (4.5 million personal records including names, medical information, social security numbers, physical addresses); University of Maryland (310,000 current and former student/staff records since including social security numbers); North Dakota University (nearly 300,000 student records including social security numbers); Butler University (200,000 personal documents including social security number, drivers licenses, and bank details); Indiana University (146,000 current and former student records, including social security numbers); University of California Berkeley (80,000 personal financial information); University of Central Florida (63,000 current and former student records, including social security numbers); and Arkansas State University (50,000 student records, including social security numbers). Closer to home, recent attacks involving student data have also been reported at the University of Sydney, University of Queensland, Monash University, and the University of Western Australia. Attacks targeting student information have also been identified as having potential political motivations.
In 2015 following the Occupy protests in Hong Kong, Hong Kong University experienced attacks targeting usernames and passwords details, similar in nature to other attacks previously seen originating from China. Meanwhile, in 2014, it was reported that student details from Queen Mary University of London had been obtained by the group Anonymous, who claimed this targeting was in revenge for “invasive research sponsored by the Ministry of Defence.”
Other cyberattacks experienced by universities in recent times have had a different focus, targeting university research. In 2015, Pennsylvania State University experienced an attack that targeted their Engineering Department (part of a broader identified pattern of targeting such Departments, particularly in the United States) and commercialization aspects of research. Similarly, in 2015, the University of Virginia experienced a security breach based around the targeting of two researchers whose work had connections to China. The University of Virginia is known for its links to the defence industry and its involvement in a Research Park with strong links to industry. Both attacks experienced by these universities were identified by those investigating as originating from China.