The more central the Internet becomes to our daily lives, the more frequently bad actors work to disrupt it, be it by hijacking, spoofing, Distributed Denial of Service (DDoS) attacks, or some other means. California’s research and education community must assume that being targeted for such an attack is just a matter of time, and that it will eventually happen. Partnership and communication are critical approaches to defending against attacks.
Moreover, the vast majority of bad actors accessing educational institution websites are doing so with login credentials. Speaking during CENIC’s most recent The Right Connection conference in Monterey, California, Anthony Giandomenico said more than 60% of cyber intruders already had the information they needed to gain access to that environment.
“Adversaries are logging in, not necessarily hacking,” said Giandomenico, global vice president of FortiGuard’s cybersecurity consulting with Fortinet. “Adding onto that, they usually have the right credentials so when they get in, they can hide within the noise. That’s what we’re seeing a lot of.”
Once they’re logged in, Giandomenico said there are three things they need to be able to do: escalate their privileges, copy their malware from system-to-system, and then execute the malware remotely.
“The point I’m trying to make here is that all that activity is an opportunity for the defender to be able to detect something anomalous that may be occurring in the environment,” he told conference attendees. “The adversary gets to forgo a lot of that because they already have the right access.”
Giandomenico’s comments were part of a wider panel on safeguarding academic ecosystems. The hour-long discussion tackled current threats, incident response, data privacy and mandatory reporting requirements.
Also participating in the panel were Jim Richberg, field CISO for government at Fortinet and Rachelle Chong, former commissioner of the Federal Communications Commission (FCC) and California Public Utilities Commission.
It’s not unheard of for a cyberattack to strike an educational entity. In 2022, the Los Angeles Unified School District (LAUSD) was hit by a massive attack that compromised approximately 2,000 student assessment records, and the San Diego Community College District (SDCCD) recently found itself managing a DNS-focused Distributed Denial of Service (DDoS) attack with CENIC’s help.
Chong said that the silver lining of that breach was that it prompted a push to persuade the FCC to do more in cybersecurity. This culminated with Chairwoman Jessica Rosenworcel taking action. She did so by announcing a $200 million, three-year schools and libraries pilot program that will explore how funds could be used to help protect those entities from cyberattacks.
Chong said that while she was “thrilled” with the announcement, she was concerned that the amount of money allocated wasn’t enough.
“It’s a drop in the bucket, in my opinion,” she said. “We probably could have supported a lot more.”
If a university has been breached, Richberg said the response shouldn’t just be technical but must also encompass how to communicate the threat with students, parents, and staff.
“A lot of organizations get focused on figuring out ‘how do we respond?’ as if operating in a vacuum, and that’s how you lose trust,” he said. “Those are the kind of things that you need to think about.”
Richberg cited a law passed in 2022, called the Cyber Incident Reporting for Critical Infrastructure Act. It will, beginning next year, require all educational institutions to report significant incidents to the federal Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach being detected. Also contained in the act is a rule that will require organizations to report any ransom paid within 24 hours to CISA.
“Incident response is going to be important, not only what you do but who you are going to tell about what happened, and what you’re doing about it,” he said.
Giandomenico said that in nearly all of his investigations, the contributing factors that led to a successful cyberattack, or that increased the incident’s impact, involved inadequate incident response procedures.
Effective incident response involves understanding how to detect, analyze, and contain the adversaries in the environment, he said, adding the ability to remediate and recover data are also important.
“I think it’s the easy button to say ‘I’m going to buy a piece of technology,’” Giandomenico said. “You put that technology in, and there’s a process you have to put in place around all that technology investment for you to truly reap the ROI on that.”
Giandomenico also shared best practices universities should consider to prepare for incidents in advance. He said organizations should be sure to understand both their current capabilities and their target capabilities. This lets them create a roadmap and learn what they need to accomplish to get there.
Educational organizations should also have an understanding of a threat-informed defense, meaning they have the situational awareness necessary to prepare for an attack, he said.
“I almost feel like we’re flying blind,” Giandomenico said. “We’re purchasing different types of technology, but not really understanding what it will protect you against. I think Muhammad Ali said it best: ‘The hands can’t hit what the eyes can’t see.’”
Given that so many cybercriminals are accessing websites using existing credentials, Giandomenico added that organizations might want to seek out services searching the dark web for stolen credentials.
Richberg spoke to the benefits of partnering in online security, saying institutions can’t do it alone and should instead leverage the resources available both internally and at the state and federal levels.
“It’s a waste of your time to try to do it yourself,” he said. “That’s a game for the varsity players to do and give you the feed from that.”
He cited CISA’s toolkit and roadmap published online to help the K-12 system better arm themselves against threats.
“We do a lot of work at the federal level that we actually want to share with others to benefit from,” he said. “In some cases, we do it explicitly for them.”
At the state level, he said there are at least three security operations centers built by CalSecure that could be leveraged by organizations. On the private sector side, he said companies are available to help too.
The FBI has field agents in California who would love to help as well, Richberg said. He noted that the federal agency has a program called InfraGard with local chapters that meet quarterly to talk about threats and best practices.
“There’s a lot of partners that you could enlist,” he said. “You’re not playing this game alone.”
CENIC offers its Associates protection from increasingly common DDoS attacks. Through its Internet2 membership, CENIC is able to contract for Radware’s on-demand, cloud-based DDoS Mitigation Services (DMS), which was invaluable in helping the SDCCD recover from the DDoS attack previously mentioned.
CENIC has developed in-house tools to assist with DDoS detection and identification using NetFlow data that is continuously ingested from backbone interfaces. CENIC’s Operations team uses these tools to monitor for and quickly identify potential DDoS attacks, taking appropriate action on behalf of Associates that use this service.
When a DDoS attack is identified, Operations requests approval from the network contact at the DMS customer site before initiating mitigation. Once approved, Operations adjusts routing policies to shift traffic bound for that site to Radware; the traffic passes through Radware’s scrubbing servers, and the “clean” traffic is returned to CENIC’s California Research and Education Network (CalREN) over the 4 Gbps connection that CENIC has established with Radware through Internet2. The service can scrub at /24 granularity for IPv4 subnets and /48 for IPv6 subnets.
After a DDoS attack has ended and no further occurrences have been seen for 48 hours, a post-mortem report will be generated and provided to affected DMS customers.
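The detection-to-post-mortem workflow described above can be sketched in code. The following is an added example written for this article, not CENIC’s in-house tooling: it aggregates constructed NetFlow-style records per destination prefix at the granularity a scrubbing service can divert (/24 for IPv4, /48 for IPv6), alerts when a window’s packet rate jumps far above the recent baseline, reports the dominant protocol/port so a DNS-focused flood is visible as UDP/53, and checks the 48-hour quiet period before a post-mortem is due. The thresholds, window size, field names and documentation-range addresses are all assumptions chosen for the example.

```python
"""Toy NetFlow-style DDoS detector (added example; not CENIC's in-house tooling)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import statistics


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow export timestamp (UTC)
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dst_port: int
    packets: int
    octets: int


def scrub_prefix(addr: str) -> str:
    """Map a destination address to the prefix a scrubbing service would divert:
    /24 for IPv4, /48 for IPv6 (the granularities named in the article)."""
    ip = ipaddress.ip_address(addr)
    plen = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def aggregate(flows, window_s=60):
    """Total packets and per-(proto, port) packets for each (prefix, window_start)."""
    pkts = defaultdict(int)
    vectors = defaultdict(lambda: defaultdict(int))
    for f in flows:
        w = int(f.ts.timestamp()) // window_s * window_s
        key = (scrub_prefix(f.dst), w)
        pkts[key] += f.packets
        vectors[key][(f.proto, f.dst_port)] += f.packets
    return pkts, vectors


def detect(flows, window_s=60, factor=10.0, floor_pps=1000.0, baseline_windows=3):
    """Alert when a prefix's pps is >= factor x the median of the preceding windows
    AND above an absolute floor, so a quiet prefix going 0 -> 5 pps is not an alert.
    Windows with no flows count as 0 pps so gaps do not distort the baseline."""
    if not flows:
        return []
    pkts, vectors = aggregate(flows, window_s)
    w_min = min(w for _, w in pkts)
    w_max = max(w for _, w in pkts)
    windows = list(range(w_min, w_max + window_s, window_s))
    alerts = []
    for prefix in sorted({p for p, _ in pkts}):
        pps = [pkts.get((prefix, w), 0) / window_s for w in windows]
        for i in range(baseline_windows, len(windows)):
            base = statistics.median(pps[i - baseline_windows:i])
            if pps[i] >= floor_pps and pps[i] >= factor * max(base, 1.0):
                vec = vectors[(prefix, windows[i])]
                alerts.append({
                    "prefix": prefix,                       # what to ask to divert
                    "window_start": datetime.fromtimestamp(windows[i], tz=timezone.utc),
                    "pps": pps[i],
                    "baseline_pps": base,
                    "top_vector": max(vec, key=vec.get),   # e.g. ("udp", 53)
                })
    return alerts


def post_mortem_due(last_attack_seen: datetime, now: datetime,
                    quiet: timedelta = timedelta(hours=48)) -> bool:
    """True once no attack traffic has been seen for the quiet period."""
    return now - last_attack_seen >= quiet


# Constructed sample data using documentation address ranges, not real hosts.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def sample_flows():
    flows = []
    for w in range(4):                           # four quiet windows of HTTPS traffic
        for i in range(5):
            flows.append(Flow(T0 + timedelta(seconds=60 * w + i), f"198.51.100.{10 + i}",
                              "203.0.113.25", "tcp", 443, 600, 420_000))
        flows.append(Flow(T0 + timedelta(seconds=60 * w + 30), "2001:db8:1::7",
                          "2001:db8:abcd:1::53", "udp", 53, 120, 9_600))
    for i in range(200):                         # fifth window: UDP/53 flood into the /24
        flows.append(Flow(T0 + timedelta(seconds=240 + i % 60), f"192.0.2.{i % 250 + 1}",
                          f"203.0.113.{i % 254 + 1}", "udp", 53, 3000, 3_600_000))
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows()):
        print(f"ALERT {a['prefix']} at {a['window_start']:%H:%M}: {a['pps']:.0f} pps "
              f"(baseline {a['baseline_pps']:.0f}) vector={a['top_vector']}")
    print("post-mortem due:", post_mortem_due(T0 + timedelta(minutes=5), T0 + timedelta(hours=50)))
```

On the constructed data the detector raises one alert for 203.0.113.0/24 at 10,000 pps against a 50 pps baseline with UDP/53 as the dominant vector, while the low-volume IPv6 destination under 2001:db8:abcd::/48 stays quiet. The alert carries the prefix rather than the single host because that is the unit the scrubbing service diverts, which is what the approval request to the site’s network contact would name.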
If you're interested in learning more, contact CENIC's Network Operations Center at noc@cenic.org or your institution's representative in the CENIC Project Management Office.