6 Steps To Survive a Cyber Attack
The range and variety of sensitive data in higher education make it difficult to secure. In the event of a breach, this six-phase incident response plan will help guide your institution through the crisis.
Like corporations, universities and colleges have copious amounts of data to protect. But campuses are not corporations. They're more like little cities, providing an array of services and functions. "We have an enormous range and variety of confidential information and that makes it very challenging to secure," said Michael Corn, deputy CIO for Library and Technology Services and CISO at Brandeis University.
IT must protect not just the identity of students, faculty and staff but also the intellectual property and sensitive data generated by hours of research. When a cyber-attack does occur, the incident response team needs a plan that guides it through the crisis.
In 1998, the SANS Institute designed a high-level response plan comprising six phases: preparation, identification, containment, eradication, recovery and follow-up (the last phase is often labeled "lessons learned"). Nearly 20 years later, these six phases are still the basis for most incident response plans at campuses across the nation.
1) Preparation
During this phase, IT staff members are trained on how to secure a single computer, or an entire network, that has been breached. In addition, all users are given general awareness training, such as learning the difference between a strong and a weak password, knowing not to click on links in e-mails from people they don't know and how to recognize phishing e-mails. To stay prepared, IT staff members review system logs and follow the critical security controls that were put in place to reduce the chance of an attack succeeding.
The preparation phase also considers those in the upper echelons of the institution. "Is your management aware of the consequences, both financial and legal, of data exposure?" said Randy Marchany, university IT security officer at Virginia Tech and a SANS instructor who helped develop the SANS response plan in 1998.
2) Identification
In the identification phase, IT personnel deploy systems that can detect a breach themselves, rather than learning about it from someone outside the perimeter, often after the damage has been done. IT determines what kind of intrusion detection system it will run on the network and how the network will be architected to detect an intruder trying to "brute force" a way in, said Marchany. "What do you have to detect an attack?" he said.
At Brandeis, Corn runs a next-generation firewall that detects the workaday inbound scans common on a college campus. But its real value, he noted, is in detecting malicious outbound traffic, which usually indicates a compromised machine.
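As an added illustration of the two detection signals just described (it is not Brandeis's or Virginia Tech's tooling, nor code from the article), the Python script below runs two simple checks over constructed log lines: a brute-force check that counts failed SSH logins per source inside a sliding window, and an outbound-beaconing check that looks for an internal host contacting one external host and port at near-constant intervals, the kind of regular "phone home" that points to a compromised machine. The log formats, the campus address range 10.0.0.0/8, the thresholds and all addresses are assumptions for the example.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog style); not real campus data.
AUTH_LOG = """\
Mar 03 09:00:01 lab-gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 03 09:00:03 lab-gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 03 09:00:05 lab-gw sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 03 09:00:07 lab-gw sshd[1207]: Failed password for root from 203.0.113.7 port 51128 ssh2
Mar 03 09:00:09 lab-gw sshd[1209]: Failed password for jsmith from 203.0.113.7 port 51130 ssh2
Mar 03 09:00:11 lab-gw sshd[1211]: Failed password for jsmith from 203.0.113.7 port 51132 ssh2
Mar 03 09:14:40 lab-gw sshd[1290]: Failed password for jsmith from 10.20.5.14 port 40022 ssh2
Mar 03 09:14:52 lab-gw sshd[1292]: Accepted password for jsmith from 10.20.5.14 port 40024 ssh2
"""

# Constructed firewall connection log: "timestamp src dst dport proto action".
FW_LOG = """\
2024-03-03T09:00:00 10.20.5.14 198.51.100.23 443 tcp allow
2024-03-03T09:00:10 203.0.113.7 10.20.0.2 22 tcp allow
2024-03-03T09:05:00 10.20.5.14 198.51.100.23 443 tcp allow
2024-03-03T09:07:12 10.20.7.9 93.184.216.34 443 tcp allow
2024-03-03T09:10:00 10.20.5.14 198.51.100.23 443 tcp allow
2024-03-03T09:15:00 10.20.5.14 198.51.100.23 443 tcp allow
2024-03-03T09:18:45 10.20.7.9 93.184.216.34 443 tcp allow
2024-03-03T09:20:00 10.20.5.14 198.51.100.23 443 tcp allow
2024-03-03T09:25:00 10.20.5.14 198.51.100.23 443 tcp allow
2024-03-03T09:25:03 10.20.7.9 93.184.216.34 443 tcp allow
"""

# Assumed campus address space; adjust to the institution's real ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth(log, year=2024):
    """Return (timestamp, result, user, source) tuples; syslog lines carry no year."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Map source -> peak number of failed logins seen inside any sliding window."""
    failures = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            failures[src].append(ts)
    hits = {}
    for src, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def parse_fw(log):
    conns = []
    for line in log.splitlines():
        ts, src, dst, dport, _proto, _action = line.split()
        conns.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport)))
    return conns


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def beacon_candidates(conns, min_conns=5, max_jitter=0.1):
    """Map (src, dst, port) -> mean interval in seconds for outbound flows that
    repeat at least min_conns times with low timing jitter (stdev/mean)."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in conns:
        if is_internal(src) and not is_internal(dst):   # outbound traffic only
            by_flow[(str(src), str(dst), dport)].append(ts)
    hits = {}
    for flow, times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits[flow] = round(mean)
    return hits


if __name__ == "__main__":
    print("brute force:", brute_force_sources(parse_auth(AUTH_LOG)))
    print("beacons:", beacon_candidates(parse_fw(FW_LOG)))
```

In the sample data the inbound scanner 203.0.113.7 trips the brute-force rule, and 10.20.5.14 is reported for contacting 198.51.100.23:443 every 300 seconds, while the irregular, infrequent traffic from 10.20.7.9 is not. Real malware often adds random jitter to its beacon interval, so in production the jitter tolerance and minimum connection count are tuned against the campus's own baseline rather than fixed at these values.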
As in the preparation phase, user training plays a significant role in identifying attacks. "A user may say, 'I usually go to this website but today it doesn't look right — and I remember when I watched that awareness video it said if you think something is not right to let the IT people know,'" said Marchany.
3) Containment
If IT personnel detect a successful attack, the incident response team must determine the extent of the damage and answer some important questions, like what percentage of the network is under attack and how many systems have been compromised. "Is it an attack aimed specifically at the HR database engine or is it an attack aimed at gaining password access to as many machines as possible to use them to send spam?" said Marchany. Once the team determines the extent of the attack, it can work to contain it.
The procedures a response team uses to work through the containment, eradication and recovery phases depend on where the attack occurred and the complexity of the school's network. Corn, for example, can quarantine users on some parts of his network. If a computer is compromised, the user is redirected to a web page telling them to call IT for further instructions. "At the very large schools it's challenging to do that everywhere," said Corn.
4) Eradication
Once the incident response team has contained the attack, team members assess the situation and decide on the measures they will take to eradicate it; the eradication phase makes sure those measures are agreed upon and carried out. But before team members can act, they must determine whether they have adequate backups, whether they need to reinstall software from scratch, and whether they can tell if sensitive data was modified.
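The last of those questions, whether sensitive data was modified, is only answerable if a trustworthy record of the data's pre-incident state exists. As an added example (not code from the article or from either university), the Python below builds a SHA-256 manifest of a directory tree, then compares a later manifest against it to list files that were modified, added or removed. The sample files, their contents and the simulated tampering are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large research datasets don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two manifests; every list is sorted so the result is stable."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed scenario: baseline taken before the incident, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "grades.csv").write_text("id,grade\n1001,A\n1002,B\n")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "notes.txt").write_text("lab notes\n")
        baseline = build_manifest(root)          # stored off-host before the incident

        # Simulated intruder activity (assumed for the example).
        (root / "grades.csv").write_text("id,grade\n1001,A\n1002,A\n")   # record changed
        (root / "etc" / "cron.sh").write_text("# dropped persistence script\n")  # new file
        (root / "notes.txt").unlink()                                     # file removed

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats a response team should keep in mind. The baseline manifest has to be stored, and ideally signed, somewhere the intruder could not reach, because an attacker with administrative access can rewrite a manifest kept on the compromised host. And a hash comparison only shows whether files changed; it says nothing about whether they were read or copied, so "unmodified" is not the same as "not exposed".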
5) Recovery
When the response team gives the all clear, the recovery phase begins. In this phase, IT personnel restore the systems, and the data, that were compromised in the attack. The goal is to get users back to normal operations, said Marchany.
6) Follow-up
Often overlooked by IT personnel, the follow-up phase is just as important as the previous five. A member of the response team writes an after-action report, examining the other five phases with a critical eye and offering frank criticism of both the plan and the team's performance. The purpose is to determine which, if any, of the phases failed and which succeeded. "Then you address the areas that were weak and that failed and hopefully you've built a slightly stronger response model for when the next incident happens," said Marchany.
Drilling Down
Corn considers the previous six phases a 30,000-foot view. The response plan document determines what is considered an incident and, if one occurs, dictates incident command and governance. No response plan is complete, however, without a robust set of documents that provide granular detail — a set of standard operating procedures (SOPs) — at a lower level. "We have a process about what we do when we find a compromised computer and it's very detailed. Our security engineers are going to look at X and they're going to look at Y and document this and document that. But I'm not going to put that in the high-level incident response plan," said Corn.
Detailed procedures such as these are part of his operation manual. He encourages IT personnel to be judicious and cautious about how much detail they write into their response plan. Response plans must be flexible enough to withstand changes in both technology and staff. "Our operations manual changes week-to-week, month-to-month and year-to-year as technology, people and tools change," said Corn.
Between the high-level response plan and the lower-level SOPs, Corn maintains a spreadsheet that he calls a "toolkit." This spreadsheet contains contact information and templates. "(I use this) as a cheat sheet, a checklist if we're dealing with something so I know I haven't forgotten something," said Corn.
Look to the Experts
Many universities, especially large ones with mature security functions, post their high-level response plans on their websites. A simple Google search for "incident response plan site:.edu" will return many such plans, so IT professionals charged with creating a response plan don't need to start from scratch. "Browse these plans, pick the parts that you like, the structure that you like, the format that you like and that work at your institution," said Corn.
Most response plans will include the six basic phases found in the SANS outline. The difference is going to be that every institution has different technologies in place and a different set of tools to accomplish each task in the plan. "How you operationalize that plan has to be strongly informed by what you know about your environment, what you know about your endpoint and some of the intelligence you have about what's going on on your network," said Corn.