Last year, Education and Research were the top targets for cybercriminals, according to a study by Check Point. With remote learning becoming normal, bad actors are finding new ways to leverage techniques such as phishing and ransomware, often using DNS as an attack target or a vector. IDC’s 2022 Global DNS Threat Report shows that 84% of schools and universities were victims of DNS attacks in the past 12 months.
The report goes on to recommend how purpose-built DNS security solutions should be used to strengthen network security and safeguard users and data.
Limited budget and IT resources open the door to ransomware
From local school districts to university research facilities, insufficient funding has left the education sector lagging in cyber-maturity, making it an easy target for data theft and for system disruption that takes applications and cloud services offline. Dozens of major universities and entire school districts in Europe, North America, and beyond have been affected, among them the University of California medical school in 2020. In the middle of the transition to online learning platforms, educators found themselves locked out of their systems: the attackers had encrypted the data on the network and stolen sensitive records including staff social security numbers, student grades, and addresses. The university ended up paying a ransom of $1.14 million to prevent potential identity theft.
DDoS Attacks continue to rise
As students returned to classrooms, higher education institutions were among the sectors that saw the biggest increases in DDoS attacks during the second half of 2021, suffering a 102% increase, according to a recent threat intelligence report that analyzed botnet trends and DDoS-resistant network architectures. The surge resulted from three prolific DDoS extortion (ransom DDoS) campaigns operating simultaneously, attributed to a REvil copycat, Lazarus Bear Armada (LBA), and Fancy Lazarus. At the same time, ransomware gangs continued to add triple extortion to their arsenals: data theft or leakage, file encryption, and DDoS attacks combined in a single campaign.
The Achilles heel for network security is DNS
The openness of DNS makes it an obvious target: every client must be able to reach a resolver, and DNS traffic is routinely allowed through perimeter firewalls, so cybercriminals use it both to get into networks and to cause mayhem or steal valuable data once inside. With the recent surge of connected (IoT) devices offering additional entry points for external threat actors, DNS is frequently used as the attack vector itself.
The IDC 2022 Global DNS Threat Report shows that both the frequency and the damage cost of DNS attacks on education facilities have remained high, with each organization suffering on average 6 attacks per year, each costing $822k on average, and some attacks resulting in damages of over $5M.
The percentage of schools and universities suffering each type of DNS attack, however, rose considerably compared to 2021:

| Attack type | 2022 report | 2021 report |
|---|---|---|
| DDoS or amplification | 29% | 17% |
| DNS domain hijacking | 23% | 17% |
| Cloud instance misconfiguration abuse | 25% | 21% |
| Zero-day vulnerabilities | 24% | 16% |

Share of education institutions that suffered each attack type in the past 12 months.
The Threat Report also states that Education suffered the largest DDoS attacks of any sector, with 12% of institutions reporting attacks of over 50 Gb/s, enough to cause widespread disruption to the network and a noticeable loss of productivity.
DNS attacks lead to app downtime and brand damage as well as ransomware
With universities needing to support remote classes and hybrid learning, the impacts of DNS attacks are proving very disruptive. The risks of ransomware and data theft are the most obvious ones. Educational institutions hold incredibly valuable data: personal contact details as well as financial and social security data of staff, students, and parents, and highly sensitive scientific research data. They also run digital and connected equipment and the online platforms that professors and students use to connect and engage.
Conventional firewalls generally pass DNS traffic through unexamined, so when data is exfiltrated inside DNS queries the theft often goes undetected for weeks or months. To protect data confidentiality and meet data-protection regulations (GDPR, CCPA, PDPA, etc.) a complementary control is needed: one that analyzes the DNS transactions themselves (query names, record types, volumes per client) rather than merely permitting port 53. Other damaging impacts of DNS attacks reported by the survey were app downtime (41%), cloud service downtime (39%), compromised websites (37%), and brand damage (32%), which hurts the university's reputation and makes it harder to attract future students.
Institutions take on average 7 hours to mitigate each attack, and the countermeasures they apply are worrying in themselves, since they cut students and staff off from vital apps and disrupt distance learning: when faced with a DNS attack, 33% of institutions shut down a DNS server or service, 37% disabled the affected apps, and 28% shut down part of the network infrastructure.
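To make the point about analyzing DNS transactions themselves concrete, here is an added example (not code from this page, EfficientIP or IDC) of a small heuristic detector run over a constructed resolver query log. It aggregates queries per client and registered domain and flags pairs that show the classic tunnelling signature: many distinct subdomains, long labels, and high character entropy. The log lines, client addresses, domain names and thresholds are all constructed for illustration.

```python
"""Heuristic detector for DNS tunnelling / exfiltration over resolver query logs.

Added example: scores each (client, registered domain) pair on the number of
distinct subdomains queried, their length and their character entropy.
Sample log and thresholds are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line: "<client_ip> <qtype> <qname>".
# 10.0.5.12 is ordinary campus browsing; 10.0.7.44 is pushing hex-encoded chunks
# out through TXT queries to a domain the attacker controls.
SAMPLE_LOG = """\
10.0.5.12 A www.example.edu
10.0.5.12 A lms.example.edu
10.0.5.12 A static-assets-eu-west-1.cdn.example.edu
10.0.5.12 AAAA mail.example.edu
10.0.7.44 TXT 0123456789abcdef0123456789abcdef.fedcba9876543210fedcba9876543210.exfil.example
10.0.7.44 TXT 13579bdf02468ace13579bdf02468ace.eca86420fdb9753102468ace13579bdf.exfil.example
10.0.7.44 TXT fedcba9876543210fedcba9876543210.0123456789abcdef0123456789abcdef.exfil.example
10.0.7.44 TXT 0f1e2d3c4b5a69780f1e2d3c4b5a6978.87965a4b3c2d1e0f87965a4b3c2d1e0f.exfil.example
10.0.5.12 A login.example.edu
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname):
    """Return (subdomain_payload, registered_domain).

    Simplification: the registered domain is taken to be the last two labels.
    A production tool would consult the Public Suffix List so that a name such
    as foo.ac.uk is not treated as a subdomain of 'ac.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(log_text):
    """Yield (client, qtype, qname) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        yield client, qtype.upper(), qname


def score_log(log_text, min_unique=3, min_avg_len=32, min_entropy=3.5):
    """Aggregate per (client, registered domain) and flag suspicious pairs.

    A pair is flagged only when all three conditions hold, so a CDN fan-out
    (many short, readable hostnames) is not reported.
    """
    stats = defaultdict(lambda: {"subdomains": set(), "total_len": 0,
                                 "total_entropy": 0.0, "queries": 0, "txt_or_null": 0})
    for client, qtype, qname in parse_log(log_text):
        payload, domain = split_qname(qname)
        s = stats[(client, domain)]
        compact = payload.replace(".", "")       # entropy/length of the label data only
        s["queries"] += 1
        s["subdomains"].add(payload)
        s["total_len"] += len(compact)
        s["total_entropy"] += shannon_entropy(compact)
        if qtype in ("TXT", "NULL"):              # record types favoured by tunnelling tools
            s["txt_or_null"] += 1

    results = {}
    for key, s in stats.items():
        q = s["queries"]
        feat = {
            "queries": q,
            "unique_subdomains": len(s["subdomains"]),
            "avg_payload_len": s["total_len"] / q,
            "avg_entropy": s["total_entropy"] / q,
            "txt_or_null": s["txt_or_null"],
        }
        feat["suspicious"] = (feat["unique_subdomains"] >= min_unique
                              and feat["avg_payload_len"] >= min_avg_len
                              and feat["avg_entropy"] >= min_entropy)
        results[key] = feat
    return results


def suspicious_pairs(log_text):
    """Sorted list of (client, domain) pairs that trip every threshold."""
    return sorted(k for k, v in score_log(log_text).items() if v["suspicious"])


if __name__ == "__main__":
    for (client, domain), f in score_log(SAMPLE_LOG).items():
        flag = "ALERT" if f["suspicious"] else "ok"
        print(f"{flag:5} {client:<10} {domain:<16} n={f['queries']} uniq={f['unique_subdomains']} "
              f"len={f['avg_payload_len']:.1f} H={f['avg_entropy']:.2f} txt={f['txt_or_null']}")
```

Run as a script it prints one line per (client, domain) pair; only the 10.0.7.44 to exfil.example pair trips all three thresholds, while example.edu, despite five distinct hostnames, stays well under the length and entropy limits. In practice the thresholds are tuned against a baseline of your own resolver traffic, and the TXT/NULL count is a useful secondary signal rather than a trigger on its own, since legitimate SPF, DKIM and DMARC lookups are TXT queries too.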
Purpose-built DNS security helps fight ransomware
The flip side of DNS being the main target is that it can also be leveraged as a fundamental component of the enterprise network security ecosystem, thanks to its unique visibility into the intent of network traffic: a client has to resolve a name before it can reach a malicious host. Unfortunately, the education sector does not yet seem to be taking full advantage of that. For example, only 53% of universities and schools make use of DNS for protecting against ransomware, against an average of 57% across all industries surveyed. Basic DNS protection will offer some help, but ransomware protection can be greatly enhanced by implementing a high-performance dedicated DNS, investing in response policy zones (RPZs), which let the resolver rewrite the answers for known-malicious names (returning NXDOMAIN or redirecting to a sinkhole, for example), and making use of threat intelligence and log analysis.
Strengthening zero trust by overcoming access privilege abuse
A further example, this one concerning zero trust, is that only 45% currently use DNS for improving application access control and filtering, compared to an average of 56% across all industries. Another area worth looking at, given the steep rise in connected devices, is IoT security, where only 42% see the value of DNS versus an industry-wide average of 51%.
App access control using DNS filtering can reduce the attack surface considerably, because the threat is detected at the earliest point in the traffic flow, before any connection is made. EfficientIP's Client Query Filtering solution builds on this with Allow Lists and Deny Lists that can filter down to the individual client (micro-segmentation). Using Allow Lists, each IoT device, for example, can have its access limited to only its authorized apps or infrastructure, which contains privilege abuse and strengthens the defense against IoT botnets.
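The two mechanisms described above, RPZ-style deny rules fed by threat intelligence (previous section) and per-client Allow/Deny lists (this section), can be modelled as a single policy decision the resolver makes before forwarding any query. What follows is an added example, not EfficientIP's Client Query Filtering and not BIND's RPZ implementation: it mirrors the actions an RPZ zone expresses (NXDOMAIN, NODATA, drop, passthru, redirect) and RPZ's exact/wildcard QNAME triggers, looks clients up by longest prefix so a single device's rule overrides its subnet's, and evaluates client deny list, then client allow list, then the global RPZ rules. All addresses, names and rules are constructed for illustration.

```python
"""Resolver-side query filtering: RPZ-style global rules plus per-client allow
and deny lists (micro-segmentation).

Added example; not EfficientIP code and not BIND's RPZ implementation. The
actions are the ones an RPZ zone encodes with CNAME records, e.g.
    bad.example     CNAME .                 -> NXDOMAIN
    *.bad.example   CNAME .                 -> NXDOMAIN for every subdomain
    pixel.example   CNAME *.                -> NODATA
    c2.example      CNAME sinkhole.example. -> redirect to a walled garden
    c2.example      CNAME rpz-drop.         -> drop the query
    good.example    CNAME rpz-passthru.     -> exempt from the other rules
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    RESOLVE = "resolve"    # no policy hit: resolve normally
    PASSTHRU = "passthru"  # exempt from global deny rules
    NXDOMAIN = "nxdomain"
    NODATA = "nodata"
    DROP = "drop"
    REDIRECT = "redirect"


@dataclass
class Rule:
    trigger: str       # "bad.example" (exact), "*.bad.example" (subdomains only), "*" (anything)
    action: Action
    target: str = ""   # REDIRECT destination

    def matches(self, qname: str) -> bool:
        q = qname.rstrip(".").lower()
        t = self.trigger.lower()
        if t == "*":
            return True
        if t.startswith("*."):
            return q.endswith(t[1:])  # ".bad.example" matches x.bad.example, not bad.example
        return q == t

    def specificity(self):
        """Exact beats wildcard, longer trigger beats shorter: most specific rule wins."""
        t = self.trigger.lower()
        return (0 if t.startswith("*") else 1, len(t))


def best_match(rules, qname):
    """The most specific rule matching qname, or None."""
    hits = [r for r in rules if r.matches(qname)]
    return max(hits, key=Rule.specificity) if hits else None


@dataclass
class ClientPolicy:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    allow: list = field(default_factory=list)  # if non-empty, every other name is denied
    deny: list = field(default_factory=list)   # always denied for this client


@dataclass
class PolicyResolver:
    rpz: list       # global Rule objects (threat intelligence, local policy)
    clients: list   # ClientPolicy objects

    def client_policy(self, client_ip):
        """Longest-prefix match, so a /32 for one device overrides its subnet's policy."""
        ip = ipaddress.ip_address(client_ip)
        hits = [c for c in self.clients if ip in c.network]
        return max(hits, key=lambda c: c.network.prefixlen) if hits else None

    def decide(self, client_ip, qname):
        """Return (Action, reason, redirect_target) for one query."""
        policy = self.client_policy(client_ip)
        if policy is not None:
            if best_match([Rule(t, Action.NXDOMAIN) for t in policy.deny], qname):
                return Action.NXDOMAIN, f"client deny list ({policy.network})", ""
            if policy.allow and not best_match([Rule(t, Action.PASSTHRU) for t in policy.allow], qname):
                return Action.NXDOMAIN, f"not on allow list ({policy.network})", ""
        hit = best_match(self.rpz, qname)
        if hit is None:
            return Action.RESOLVE, "no policy hit", ""
        if hit.action is Action.PASSTHRU:
            return Action.RESOLVE, f"rpz passthru {hit.trigger}", ""
        return hit.action, f"rpz {hit.trigger}", hit.target


# Constructed rules and client policies (illustrative names and addresses only).
RPZ_RULES = [
    Rule("exfil.example", Action.NXDOMAIN),
    Rule("*.exfil.example", Action.NXDOMAIN),                          # tunnelling domain from threat intel
    Rule("c2.ransom.example", Action.REDIRECT, "sinkhole.example.edu"),
    Rule("*.tracker.example", Action.NODATA),
    Rule("ok.tracker.example", Action.PASSTHRU),                       # exact passthru beats the wildcard
    Rule("*.dga.example", Action.DROP),
    Rule("telemetry.camvendor.example", Action.NODATA),                # vendor telemetry blocked campus-wide
]
CLIENTS = [
    # IoT camera VLAN: cameras may only reach their vendor cloud and campus NTP
    ClientPolicy(ipaddress.ip_network("10.20.0.0/16"),
                 allow=["camvendor.example", "*.camvendor.example", "ntp.example.edu"]),
    # one compromised camera, quarantined by a more specific /32 entry
    ClientPolicy(ipaddress.ip_network("10.20.4.7/32"), deny=["*"]),
]
RESOLVER = PolicyResolver(RPZ_RULES, CLIENTS)

if __name__ == "__main__":
    for client, name in [("10.0.5.12", "www.example.edu"), ("10.0.5.12", "abc.exfil.example"),
                         ("10.0.5.12", "c2.ransom.example"), ("10.0.5.12", "ok.tracker.example"),
                         ("10.20.1.9", "api.camvendor.example"), ("10.20.1.9", "www.example.edu"),
                         ("10.20.1.9", "telemetry.camvendor.example"), ("10.20.4.7", "api.camvendor.example")]:
        action, reason, target = RESOLVER.decide(client, name)
        print(f"{client:<10} {name:<30} {action.value:<9} {reason} {target}")
```

Note the evaluation order: a name on a client's allow list is still subject to the global rules (telemetry.camvendor.example gets NODATA even for a camera), whereas an RPZ passthru only exempts a name from the global deny rules and never from a client's allow list. Answering NXDOMAIN for names that are not allow-listed is a deployment choice; REFUSED is equally defensible, but NXDOMAIN is used here because it is what an RPZ `CNAME .` rule produces and so gives clients one consistent failure mode.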
With ransomware threats becoming incredibly worrisome, connected devices and BYOD on the rise, and IT staff having low confidence in their ability to detect Shadow IT, the education sector would do well to heed IDC's recommendation to leverage DNS security for securing anywhere networking. If you want to assess your network security against DNS attacks and learn how you can improve your security posture, feel free to try our free DNS Risk Assessment.