December 2020 - Cyber Security Incident Response

Posted on Monday, December 14th, 2020

As you may know, universities, like any large organization, are the target of constant cyber security attacks from a variety of bad actors. This is why our Information Security team proactively monitors our network for signs of attack and is ready to respond should an incident occur. We in IT are often asked how this works, with questions like: How do we monitor the network? What is the anatomy of a cyberattack? How does an attacker gain access? What do they do once access is gained? How do we detect, stop and mitigate an attack and the associated damage? These are all excellent questions, which I will attempt to answer as we go through the steps taken in response to a cyber security incident.

Vigilance by All is Key to Our Success 

One thing to remember is that while the University of Guelph has an industry-leading security operations centre run by an experienced team of information security experts, protecting University information requires vigilance by us all. Attackers are always searching for any gap they can exploit via phishing emails, unsupported operating systems and unpatched devices. Simply sharing too much information online or on social media can provide an external attacker with what they need to gain initial entry.

It is important to keep devices up to date, be suspicious of unexpected email and generally work from a security mindset, verifying information and being cautious about what you share and where you share it.  

Initial Attack and Reconnaissance 

First, an attacker gains access through a vulnerable account or system and begins an initial exploration phase. They look for additional devices, users and services that are now reachable from the inside, to expand the set of devices and services they can access, command or control. This is done both by searching manually and by deploying software to autonomously scan for additional vulnerable devices and accounts they can compromise.

While it is best to prevent access in the first place, this exploration phase is the most important phase for detection and mitigation. The earlier in this phase their attack is identified and terminated, the less damage they can do and the lower the risk to the University.  

Detection  

Attacks are typically detected through a combination of activities: user observation, such as a slow or oddly behaving system; an account password that suddenly changed or an unusual sign-in notification; administrative observation, such as unusual account requests, activity or network traffic irregularities; and automated tools looking for key indicators such as an account that is accessed from Guelph and then, minutes later, from another country.   
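The last indicator mentioned above, a sign-in from Guelph followed minutes later by one from another country, is commonly checked by computing the travel speed implied by two consecutive sign-ins to the same account. The following is an added example written for this post, not code from the University of Guelph's Information Security team or from any of its tools. It runs over a small, constructed sign-in log (users, cities, coordinates and timestamps are all made up), and the speed and distance thresholds are assumptions chosen for illustration.

```python
"""Impossible-travel check over constructed sign-in records.

Added example, not part of the original post. For each account, consecutive
sign-ins are paired and the great-circle distance between their locations is
divided by the elapsed time; a pair that implies faster-than-airliner travel
is reported as an alert for an analyst to review.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly the speed of a commercial flight
MIN_DISTANCE_KM = 100.0      # assumption: ignore geolocation jitter within one region


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_line(line: str) -> SignIn:
    """Parse one constructed record: ISO-8601 UTC time, user, city, lat, lon."""
    ts, user, city, lat, lon = [f.strip() for f in line.split(",")]
    return SignIn(datetime.fromisoformat(ts), user, city, float(lat), float(lon))


def impossible_travel(lines: Iterable[str]) -> List[Dict]:
    """Return one alert per consecutive sign-in pair that implies impossible travel."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: (e.user, e.when))
    alerts: List[Dict] = []
    for prev, cur in zip(events, events[1:]):
        if prev.user != cur.user:
            continue  # pairs are only meaningful within one account
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist < MIN_DISTANCE_KM:
            continue  # same metro area: geolocation noise, not travel
        hours = (cur.when - prev.when).total_seconds() / 3600
        speed = dist / hours if hours > 0 else float("inf")
        if speed > MAX_PLAUSIBLE_KMH:
            alerts.append({
                "user": cur.user,
                "from": prev.city, "to": cur.city,
                "distance_km": round(dist),
                "minutes_apart": round(hours * 60),
                "speed_kmh": round(speed),
            })
    return alerts


# Constructed sample log: three accounts, one of which shows impossible travel.
SAMPLE_LOG = """\
2020-12-07T09:00:00+00:00, jdoe,   Guelph,  43.5448, -80.2482
2020-12-07T09:12:00+00:00, jdoe,   London,  51.5074,  -0.1278
2020-12-07T09:00:00+00:00, asmith, Guelph,  43.5448, -80.2482
2020-12-07T10:00:00+00:00, asmith, Toronto, 43.6532, -79.3832
2020-12-07T08:00:00+00:00, bwong,  Guelph,  43.5448, -80.2482
2020-12-07T20:00:00+00:00, bwong,  London,  51.5074,  -0.1278
"""

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the script reports only `jdoe`: two sign-ins 12 minutes apart and roughly 5,800 km apart. `asmith` moves about 70 km within an hour (below the jitter threshold) and `bwong` reaches London over 12 hours (well under airliner speed), so neither is flagged. In a real deployment the thresholds would be tuned against known VPN and mobile-carrier geolocation quirks to keep false positives manageable.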

Mitigation  

Once an attack is identified, the containment and cleanup work begins. Accounts are locked and recovered, malicious software is identified and traced, and systems are shut down, cut off, cleaned, patched and updated. This process requires a great deal of time and effort not just from the Information Security team, but also from affected users and departments, who help with the investigation or whose work is disrupted because it depends on the affected accounts and systems.

Mitigation is also the stage where we can gain a detailed understanding of the attack, its likely goals, and any data that was compromised. While mitigation is always a laborious process, the earlier the team can detect the attack, the quicker the resolution. 

Recovery  

Once an incident has been resolved, it is studied to learn how to better harden our systems against similar attacks. We look for lessons learned with respect to processes and detection mechanisms and how to refine our tools and tactics to prepare for the next attempt. There are also patches and updates to apply, policy and software changes to implement, training to be done and, in the end, we return to maintaining vigilance. Back to business as usual.  

Conclusion 

While it is best to block the attacker before they can gain a toehold in our network, we have robust processes and policies in place which allow a rapid, comprehensive response in the event of an incident. That said, we still need your help! Your vigilance is a critical part of our shared security. Our Information Security team regularly posts information on what to watch for and how to stay secure at infosec.uoguelph.ca.  
