Equipping the Education Sector With Threat Intelligence to Defend Against Cyberattacks

When you think about sophisticated cyberattacks, certain targeted industries probably come to mind immediately — government, critical infrastructure, and financial services, to name a few. It’s fair to say that for most people, the education sector isn’t generally first on that list.

Despite this, educational institutions (particularly those in higher education) have become an increasingly popular target for cyberattacks. Generally, these fall into two categories: espionage and financially-motivated attacks.

A War on 2 Fronts

Many countries have an interest in industrial and scientific espionage — China and Iran are particularly common culprits — and attacking universities is a logical way to conduct it. Universities are often involved in cutting-edge research, and many partner with companies to develop valuable innovations. These universities, as well as those housing well-known research institutes, are particularly attractive targets for state-sponsored espionage.

A brief look at the security headlines of recent years only confirms this. In 2018, the U.S. Department of Justice indicted Iranian state-sponsored hackers for carrying out cyberattacks against more than 300 universities spread across 22 countries. Despite the indictment, the hacking group is still actively involved in targeting universities — including those in the U.S. — for espionage purposes.

Of course, no matter what industry you’re in, there’s no getting away from financially-motivated attacks. Educational institutions at all levels hold large quantities of personally identifiable information (PII) on both students and faculty members, making them highly attractive targets for cybercriminals. Data exfiltration and ransomware attacks are both common and can be extremely damaging.

To illustrate this point, in May 2019, Australia’s top-ranked university discovered its network had been breached in late 2018. The stolen information included student PII and banking information going back 19 years. This type of data is extremely valuable to hacking groups, and can easily be sold via dark web marketplaces.

Even smaller educational institutions, like elementary and secondary schools, can’t avoid the attention of hackers. In July 2019, three schools in Louisiana were hit by malware attacks, prompting the state’s governor to issue an emergency declaration. While the scale of these attacks may be smaller, they can nonetheless cause huge disruption and expense for targeted institutions.

To make matters worse, schools and universities often have large and highly complex network environments. With many unique users and endpoints — often spread across disparate locations — educational institutions are challenging to protect, and have many possible entry points for attackers to exploit.

The Education Sector’s Cyber Challenge

According to Verizon’s 2019 Data Breach Investigations Report, denial of service (DoS) attacks are the most common attack vector faced by the education sector, with phishing also playing a major role. While DoS attacks are more disruptive than they are dangerous, they nonetheless require dedicated preventative measures to ensure normal operations can be maintained.

Phishing, on the other hand, is a huge concern from a privacy and breach protection standpoint. The education sector has the highest click-rate of any industry for malicious emails at 4.93%. That means around one in every 20 malicious emails received by students or faculty will induce the reader to follow a link or take some other undesirable action.

In terms of motivation, around 80% of security breaches in the education sector are financially motivated, while 11% are espionage. These figures naturally vary from year-to-year — in 2016, a massive 43% of breaches were the result of espionage. Even at 11%, this constitutes a massive threat to educational institutions given that espionage is generally conducted by highly sophisticated (often state-sponsored) attackers.

Meanwhile, Ponemon’s 2018 Cost of Data Breach Study found that data breaches cost educational institutions on average $166 per record lost, placing the industry in 7th place overall. Somewhat surprisingly, the secondary cost of breaches in the industry is a 2.7% churn rate, meaning that some students will take their business elsewhere in the event of a breach.

Finally, perhaps the worst news of all — educational institutions take on average 217 days to detect a data breach, and a further 84 days to contain, making the industry the 4th slowest overall. As always, the longer it takes to identify and contain a breach, the more it costs to do so.

Threat Intelligence for the Education Sector

Protecting educational institutions — particularly those engaged in important research — from cyber threats is far from an easy job. The industry is under constant threat of attack from both state-sponsored and financially-motivated attackers, and security teams are under huge pressure to manage cyber risk with relatively modest budgets.

This is where threat intelligence comes in. It helps security teams in the education sector make the best possible use of their resources — both human and financial. By investing in threat intelligence, educational institutions can:

• Identify and Contain Cyber Incidents More Quickly: In many cases, cyberattacks against educational institutions take a long time to identify. In a few cases, attackers have exfiltrated data from university networks for years before being identified. Threat intelligence provides indicators of compromise (IoCs) and other valuable information that helps security teams search for and identify possible breaches, drastically improving response times and limiting the amount of damage caused by successful attacks.
• Harden Existing Security Systems and Protocols: As important as security technologies such as firewalls, EDRs, and email filters are, they can only do their job properly if they have access to the latest threat indicators. Powerful threat intelligence solutions integrate with existing security technologies, adding new rules automatically to ensure users and systems are protected from the latest threats — including malware, ransomware, phishing, malicious URLs, and more.
• Maximize the Utility of Security Resources: When security resources are limited — as they inevitably are in the education sector — making informed decisions about how to invest in them is crucial. Threat intelligence enables security leaders in the education sector to accurately assess cyber risk, and make informed decisions on which initiatives and technologies to invest their resources in.

Protecting PII and Research Data

Educational institutions are a surprisingly enticing target for threat actors, and a very common target for state-sponsored hacking groups. Not only that, but the typical institution in higher education has an extremely large and complex network environment with huge numbers of endpoints, switches, routers, and unique users. Naturally, this makes securing against cyberattacks an extremely difficult task.

Threat intelligence helps educational institutions protect against cyberattackers — whether they are motivated by financial gain or espionage — by helping them to understand how they are likely to be attacked and where they can best invest their security resources.

If your organization isn’t currently using threat intelligence, here’s an easy way to get started. Sign up for our free Cyber Daily newsletter to receive the top cybersecurity intelligence direct to your inbox each morning. That includes:

• Top targeted industries
• Most active threat actors
• Most exploited vulnerabilities
• Trending malware
• The latest suspicious IPs
• And much more