Joint NCSC-DHS-CISA advisories and a warning from the FBI have recently highlighted activities of nation-state-backed groups targeting organizations focused on COVID-19 research. The goal is to obtain information for their domestic COVID-19 research efforts.
Security leaders at research organizations need to better understand the motivations and methods of these attackers. That will allow them to better inform stakeholders of the risks, identify data likely to be targeted, and adjust their defenses appropriately.
Protecting research data a necessity
Original research data attracts state-affiliated threat actors. “Our crown jewels in terms of data are high-value intellectual property,” said David Deighton, CISO at the University of Birmingham, while speaking at Cloud Security Expo in London earlier this year. “UK universities are being targeted, particularly over the last year or 18 months, by state-sponsored groups who have been trying to penetrate our environment and get access to that data.”
Despite that threat, education institutions in the UK haven’t been strong on security in recent years. A recent penetration testing study carried out by the Higher Education Policy Institute (HEPI) and Jisc found that its researchers were able to gain access to high-value data within two hours on every higher education network they tested. “We've been under-invested in IT and information security in this country for some time,” said Deighton.
Mick Jenkins, CISO at Brunel University and former military counter-intelligence officer, tells CSO he has seen improvement over the last two to three years, driven partly by government strategy and by the fact that research institutes and universities are deemed part of the critical national infrastructure because of the IP they generate.
There is also a strong business necessity. Doubts about security can see researchers shut out from funding if funders don’t believe the institution can keep that IP safe. “The strategic objectives of the university are to drive higher research, and partners won't come to us and give us the data unless we build a very sound, solid foundation for looking after that data,” says Jenkins. “You can turn this into not just business enabling, but a business winning investment.”
APT groups want high value IP and sellable data
China has long been known for stealing high-value research and IP to further local economic goals. Groups linked to Iran’s Islamic Revolutionary Guard are accused of conducting what the US Department of Justice has called a “massive and brazen cyber-assault on the computer systems of hundreds of universities” that saw terabytes of information stolen from universities globally. “From a national perspective, we'll lose multiple millions of pounds if we don't protect that intellectual property,” says Jenkins.
State-sponsored actors are often given carte blanche by their “clients” to profit from victims. APT41, a Chinese-affiliated group, is known to carry out state-sponsored espionage activity “in parallel” with financially motivated operations. “APTs are self-funding by nation states, saying, ‘There's your target; you can target personal data to self-fund’,” says Jenkins.
Birmingham’s Deighton has seen first-hand how APT groups chase research data but will steal other data to make money. “We had an incident in July last year where we were penetrated by a team of Russian hackers who apparently were looking for some intellectual property that they didn't discover as far as we can tell,” he said during his talk.
The attackers had created shell scripts to look for research data, which they couldn’t find. However, they did take advantage of the data they could access. “They managed to get into Active Directory up to a point. We discovered that they ripped off our usernames and passwords and put them for sale on the dark web.”
APT defense strategy is key
It can be “very difficult” to stop a sophisticated state-backed actor, says Jenkins. CISOs should first have a holistic, well-thought-out defense strategy that is intelligence-led. “You've got to get your thinking and strategy right at the start,” he says. “Where do you want to go? What does your end target model look like? What do you want to look like in five years’ time?”
“I've seen it time and time again: A project starts and they've not thought out the target model correctly based upon the way that the threats and the trends of nation states are changing,” Jenkins adds. “They get part of the way along with strategy, and they have to stop and retrofit because they've got it wrong at the beginning.”
Working toward what Jenkins calls a unified cybersecurity platform, Brunel works with a handful of partners – Exabeam (SIEM), Cisco (instrumentation) and Khipu (playbooks and penetration testing) – to develop that initial strategy and implement the core technologies to support it. Jenkins is also working toward a zero-trust model around the university’s research and sensitive data and looks to add data loss prevention and cloud monitoring capabilities.
“You can't do this alone,” Jenkins says. “Bring in strategic partners to help shape a vision. You know your business, you know your vision, and they bring a lot of value to the thought leadership.”
Insider threats and research data
Nation-states also send people to education institutions to procure data and return home with it. The FBI has said that China poses a threat to academia because the government will use some students and professors “to operate as non-traditional collectors of intellectual property” and will spend years targeting an individual and developing a relationship that leads to the student, professor or researcher — either wittingly or unwittingly — providing information.
China’s Thousand Talents Plan, for example, was set up to recruit leading international experts in scientific research to further its competitiveness in key fields. The US Senate has called the plan a “threat” to US research. There have been several arrests this year alone of researchers accused of using their positions to help China, as well as similar incidents at large businesses.
During his talk, Birmingham’s Deighton said the university has some students who are “pretty obviously not there just for their studies. It’s a bit of a difficult situation to manage, and we need to be sensitive about who gets allocated to research projects.”
Jenkins says CISOs should touch base with business leaders and HR to ensure that safeguards and processes are in place for vetting and recruitment. There also need to be induction and briefing processes for people working on high-end IP. “It’s about making people aware that they can become targets as well and providing awareness of the ways that people will operate to get insiders in place, to pay people off, to infiltrate you through cyber, to use different methods to basically create damage and harm.”
People traveling overseas, for example, need to expect that they might come under surveillance, Jenkins says. “I see myself as a counter-intelligence officer and somebody who is responsible for doing the best they can to safeguard the university and the business from a range of different methods of attack.”
CISOs need strong network intel
Leaning on partners for intelligence can be useful, especially for organizations that have limited resources. The UK’s NCSC, for example, has published guides outlining key threats to universities and the types of information threat actors are likely to target. It also has information on how to better secure research data. “The alerts and the advisories and the guidance are critical for me to cascade the message into executive boards so that they've got an ongoing feel for what the threats and the risks are to the university itself and the data,” says Jenkins.
Being aware of what’s going on in the world can also help inform whether your organization may be at risk. “I've never seen it quite as bad in the last three years, never mind what's coming,” says Jenkins. “Geopolitical tensions are just going to exacerbate the need to future-proof your business. You've got to do a bit of horizon scanning and see the geopolitical escalations, because that can switch very quickly into a strike mechanism.”
Jenkins says CISOs need to build a holistic picture so that their analysts are pulling in a variety of intelligence from different sources. “That allows them to build up that common threat picture and a common operational picture that they can take actions [on] very quickly based on what we know about the adversarial TTPs and methods to get in.”
Brunel runs attack simulation exercises to test defenses and see how attackers may compromise a network and exfiltrate data. The university has an information asset owner framework that emphasizes the need for directors themselves to cascade security and privacy information into their business units. The wargaming exercises allow the information owners to understand and appreciate the importance of good cybersecurity around critical data and systems.
“There's no better way for the practitioners and the owners of the data to observe and watch how a simulated attack happens and how they get into the network, get the privileged access rights, get into the data whether it's encrypted or not, and harvest it, both for personal data and intellectual property. Once you show researchers and executives how the criminals operate, they begin to buy into it.”
9 best practices for protecting research data
CISOs must understand the data they are holding and how threat actors strike research institutions and extract the data. “Research institutions are a goldmine target for threat actors,” says Richard Cassidy, senior director of security strategy at Exabeam. “The factors that lead to a data breach start far earlier and are always related to a lack of understanding in how to effectively align process, technology and people.”
Cassidy, Jenkins and Deighton recommend the following best practices for protecting research data:
- Assume that your research is a target for attackers and understand which groups are after your data, why, and their TTPs and methodologies. Continuously reassess and update this information and use it to inform your defenses.
- Map your assets, assess the value of the data, classify it, and put in place control measures appropriate to the data’s value and your risk appetite for it.
- Ensure that owners of the information understand the risks to that data and their role in protecting it.
- Use multi-factor authentication, with automated provisioning and deprovisioning for people joining, leaving and moving between jobs or projects.
- Segment research data as much as possible. Have monitoring in place around those datasets.
- Have a well-established vetting and interview process for those who will work with valuable or at-risk data.
- Identify high-risk people and place extra safeguards and monitoring around their accounts. Educate them about risks to themselves and research data.
- Have incident response and disaster recovery plans that cover the common methods and techniques threat actors use to steal research data. Use threat hunting and tabletop exercises to inform and update those playbooks.
- Embrace automation where possible to reduce the workload on security teams and enable faster response times.
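As an added illustration of the classification, joiner/mover/leaver, segmentation and high-risk-account items above (example code, not from the article or from any of the institutions it quotes), the following Python checks access records for a restricted research dataset against an asset register and a project roster. Every dataset, account, address and log line is constructed for the example.

```python
# Added example (not from the article): check access to classified research
# datasets against an asset register and project roster. All data is constructed.
import ipaddress
from datetime import date

# Asset register: dataset -> (classification, information asset owner)
ASSETS = {"covid-trial-cohort": ("restricted", "prof.owner"),
          "lab-sample-index": ("internal", "lab.manager")}
# Roster from the joiner/mover/leaver process: user -> (project, start, end or None)
ROSTER = {"alice": ("covid-trial-cohort", date(2020, 1, 6), None),
          "bob": ("covid-trial-cohort", date(2019, 9, 2), date(2020, 3, 31))}  # bob has left
HIGH_RISK = {"alice"}  # accounts placed under extra monitoring
RESEARCH_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # network segment holding the data

# Constructed access log: timestamp followed by key=value fields
LOG = """2020-04-02T09:12:03 user=alice dataset=covid-trial-cohort action=read src=10.20.5.17
2020-04-02T23:40:11 user=bob dataset=covid-trial-cohort action=read src=10.20.5.44
2020-04-03T10:01:55 user=carol dataset=covid-trial-cohort action=copy src=10.20.9.8
2020-04-03T11:15:00 user=alice dataset=lab-sample-index action=read src=10.20.5.17
2020-04-03T12:00:00 user=alice dataset=covid-trial-cohort action=copy src=203.0.113.9"""

def parse_line(line):
    """Turn one log line into a dict with a parsed access date."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["date"] = date.fromisoformat(ts[:10])
    return rec

def check_access(rec):
    """Return the finding labels raised by one access record."""
    findings = []
    classification, _owner = ASSETS.get(rec["dataset"], ("unknown", None))
    member = ROSTER.get(rec["user"])
    on_project = member is not None and member[0] == rec["dataset"]
    if classification == "restricted" and not on_project:
        findings.append("unauthorised")  # not on the roster for this dataset
    elif on_project and member[2] is not None and rec["date"] > member[2]:
        findings.append("stale_access")  # leaver whose access was never revoked
    if (classification == "restricted" and rec["action"] == "copy"
            and ipaddress.ip_address(rec["src"]) not in RESEARCH_SEGMENT):
        findings.append("copy_outside_segment")  # restricted data crossing the boundary
    if rec["user"] in HIGH_RISK and findings:
        findings.append("high_risk_account")  # escalate: account already under extra watch
    return findings

def review_log(log):
    """Return (user, dataset, findings) for every line that raised a finding."""
    recs = (parse_line(line) for line in log.splitlines())
    return [(r["user"], r["dataset"], f) for r in recs if (f := check_access(r))]
```

Running `review_log(LOG)` flags the leaver's stale access, the unrostered account, and the high-risk account copying restricted data out of the segment, while ordinary in-segment reads by rostered users pass silently.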