University Fights Off Cyber Attack from Another School

A security company worked with a major unnamed university in the northeast to stop an attack that was initially thought to have come from students seeking to disrupt online testing. It turned out to come from another university. Netscout Systems shared some details about the attack, which hit the university's online test platforms. Netscout produces programs that provide visibility into application and network performance.

According to Netscout experts, the attack vectors used weren't especially innovative, but the traffic was localized to sources geographically close to the university. And the timing of the security incidents coincided with what the company referred to as "typical student cyber activities."

The process of identifying and diagnosing the problem was quick, the company noted. It took Netscout's security operations center a couple of hours to identify the pattern and communicate that information to the university's IT department. From there the institution's IT organization examined its own traffic patterns. The attack was eventually traced back to a campus proxy run at another university.

Netscout said schools could expect an increase in security events as they shift more and more to remote learning. "Over the past couple of months and for the foreseeable future, students and teachers are relying on the internet to submit and grade assignments, conduct testing, collaborate on projects, share research and complete other vital tasks during the academic year," said Carlos Morales, vice president and general manager of DDoS mitigation services at Netscout. "With this level of reliance comes increased risk, as hackers seek out areas of vulnerability to exploit."

Attacks on educational networks vary. Those that are student-instigated, according to Morales, frequently focus on the use of "internet-based botnets for the purpose of test cancellation/delay." In this case, there was no specific motivation for the attack that could be readily identified.

On a larger scale, however, "attacks on admissions could have detrimental consequences on an academic institution from a monetary and reputation standpoint," said Morales. "In essence, universities by nature have a lot of bandwidth, allowing these varied attackers to bring to bear many different tools to take down their systems. Attacks can range from being very subtle to full-fledged 'carpet bombing' of vast IP address space, and can take many forms, making it difficult for universities to identify and mitigate."

As Morales explained, schools are susceptible to DDoS attacks because of their many connections with other institutions. A major challenge is differentiating legitimate traffic from harmful traffic. "As a result of collaboration, research and even gaming that takes place between parties from separate universities, a large attack surface is formed, providing plenty of opportunities for attackers to strike," he said.

If an attack is constructed well, it can mimic normalcy and come across initially as legitimate traffic, making it difficult to identify in the early stages, thereby allowing more time in which to cause damage. In the case of the university in this situation, Netscout's security team was able to look beneath the surface of the traffic that the school was seeing to find clues about the origins of the attack in order to create appropriate defenses. In doing so, they were also able to confirm that another university was behind the attack.

The job of the SOC is to build "client-specific templates and measures for each client," which can facilitate automatic mitigation, Morales noted. However, no automated approach can stop every attack. That's when a SOC's "collective experience and skills come together" and the team pulls together to analyze and adapt defenses to match attackers' methods. He added that success requires "having the right people to talk to and [keeping] the channel of communication open. Response time and the ability to mitigate threats depend on this collaboration and combined expertise."

Morales warned that as institutions prepare to include virtual instruction in their planning for the fall semester, they must be ready for the risks that coincide with external traffic entering networks. "Whereas in times past universities had a sense of what applications were available on campus, remote learning has moved everything off premise, posing numerous challenges," he said. "Universities have to continue observing and learning these new patterns, which is no small feat." The work is made more difficult by the various levels of a school's uniqueness — size, structure, varying curriculum and tools for each program and so on. "This can potentially bring to light many vulnerabilities that hackers will recognize and take advantage of."

Morales advised that universities spend time now "learning how their network behaves, what apps are available for use and what normal traffic looks like." From there, he said, "they can set up long-term monitoring and review the results of this monitoring on a regular basis. Universities have to understand their environment to secure it properly, and, if possible, reduce the size of their attack surface." Likening it to a boxer's stance, where the fighter "holds their hands up to reduce the amount of space on their body their opponent can hit," he said colleges and universities "must reduce their attack surface to a bare minimum and focus on those remaining exposed pieces to construct specialized defenses."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
