The NCSC, JISC , and JANET have warned the UK education sector to bolster security over the holiday season, when security personnel are distracted and students are heading home. This concern comes when the UK education sector already is in the midst of a cyber crisis, fueled by rampant ransomware attacks.
Many educational establishments struggle with the dichotomy that exists between security and their core mission of information sharing, thereby balancing the ease of work practices against the needs of the organisation to drive collaboration and
In fact, a UK education establishment is 13x more likely to be breached than a UK enterprise business. UK education at the secondary and university levels are being targeted, with impacts causing financial loss across the board. In the university sector, reputation and competitive advantage are also at risk.
It’s abundantly clear that a change in the way we secure the sector is needed. Why are we still being reactive when a proactive security posture that’s easy to implement is possible — not to mention that it’s free right now for 14 days?
A quick lesson on cyber attack infrastructure
There is a way to get ahead of the attackers. From data breaches to ransomware, all cyber attacks start with a threat actor first setting up the infrastructure, which enables them to establish and maintain a foothold in the victim’s organisation, conduct command-and-control (C2) communications, and drop malware payloads onto a system.
An attacker’s infrastructure can include many components, including redirectors or even phishing landing pages, but a cornerstone of adversarial infrastructure is a C2 server. Essentially, threat actors use C2 servers as the “brain” of the attack to maintain persistence, move laterally, drop malware, and exfiltrate data.
Fortunately, we have the smartest “defensive” brains in the industry, and we know that having visibility into initial C2 activity can be game-changing for security personnel at educational organisations.
Why? Because detecting activities at this stage will likely help prevent any of the subsequent downstream malicious activities that a threat actor wants to perform in your network, leading to a more serious incident (such as a data breach or ransomware attack) further down the kill chain. We created IronNet’s IronRadarSM proactive threat intelligence tool as an easy-to-implement solution for organisations with limited cyber resources to automatically detect and block malicious C2 infrastructure as it is being set up.
How proactive threat intelligence dismantles a ransomware attack campaign — before the ransom
These days, the average age of a C2 (that is, the amount of time the server hosted the malicious infrastructure) is about 30 to 50 days. Detecting new C2 servers as they appear, therefore, is critical, because once the adversary has control of the compromised server, there’s little time left to thwart a serious cyber attack.
Indeed, by identifying C2 infrastructure as it is being set up (during the early stages of the kill chain), there is an invaluable opportunity to be proactive.
This is why IronNet has taken a focus on proactive threat intelligence (PTI), which includes actively searching for threat infrastructure that has yet to be actioned and, in turn, producing intelligence before an attack occurs.
In relation to the cyber attack kill chain of the MITRE ATT&CK® framework, PTI takes place at the resource development phase — that is, before the threat actor has gained initial access. While reactive threat intelligence remains an invaluable part of a cyber toolkit, it often is generated at the execution or persistence phase — that is, well after the threat actor begins an intrusion into a victim network.
Going well above the bell curve: The Case for Collective Defense
IronRadar gives educational organisations a quick fix for ransomware detection. To level up security even more, the sector must change the current model that has IT teams defending in silos — a fundamental flaw across the UK education sector. If multi-billion-dollar corporations and major critical infrastructure suppliers can’t defend themselves from Russian and Chinese threat actors, how can we expect a small, rural school district to combat nation-state attacks? And if large, well-resourced universities like Stanford University are unable to prevent digital extortionists from infiltrating their networks, how can we expect a local public school system to prevent ransomware?
The real way to improve security across the education sector is through a Collective Defense model — that is, requiring schools, like private-sector companies, to proactively defend with their peers up and down the vertical education chain.
Collective Defense integrates a collaborative approach to cyber defense, essentially creating a “community of defenders” to combat threat actors. In this case, the community would comprise individual schools, school districts, and higher-ed institutions, as well as government institutions, all of whom share anonymized threat intelligence generated by A.I. network detection and response (NDR) solutions that leverage behavioral analytics for real-time visibility of the threat landscape.
After a potential threat is detected, each member of the Collective Defense for education community would work together to coordinate proactive response efforts. This unified line of defense enhances community member’s ability to address vulnerabilities, respond to attacks, and mitigate their damage to strengthen the cybersecurity posture of the entire sector as a whole.
As the threats accelerate and become more pervasive, there’s never been a more important time for the UK education sector to shift toward a collaborative security posture — bolstered by proactive threat intelligence as a first line of defense and, ultimately, a Collective Defense approach — along with hyper-vigilance and cyber engagement.
Want to start blocking ransomware before the holiday season and school break? You can launch a free, 14-day trial of IronRadar here.
