Early warning is the first line of defence against cyber gangs

Newcastle Grammar School ICT manager, Michael Browning, logged into his monitoring
dashboard one Saturday morning and watched as all his security alerts switched one-by-one
to red.

He realised, to his horror, the school was being hacked and its data was being encrypted.

“There was a particular alert coming up on a whole bunch of servers that just made my stomach drop. You get that cold sweat, you know?”

Browning had been alerted to the problem by a phone call from the school’s principal, who
had been interviewing for prospective students over the weekend.

A note appeared on his screen with instructions on how to get to a dark web address for
assistance. That “help” required $1 million in cryptocurrency to be paid within a week.
Thinking quickly, Browning asked the hackers to prove they had access to the data they
claimed. The criminals asked for three to five hours to come up with that proof.

“At which point I said to my senior engineer: ‘Switch off the internet, shut all the firewall ports off – no external traffic whatsoever.’”

The Newcastle Grammar team discovered that the criminals were mostly working manually
through the school’s servers.

“We found them relatively early in their process of encrypting everything,” says Browning.
That was a stroke of luck that meant some of the school’s servers could be quarantined.

“They had screenshots of our folder structures. That was their proof, but they didn’t actually
have any data and were bluffing in that regard.”

Disconnecting from the internet made the school go “dark” as the IT staff investigated and
rebuilt the IT environment from scratch. The school had no access to emails, landline phones,
photocopiers or security gates. The school was inoperable.

It wasn’t until Sunday evening that the IT team found a system that had not been touched and
could be used to email parents about the hack and request that students stay home on
Monday.

The co-educational school was deemed safe for the 950 students and 200 staff to return on
Tuesday and the IT team had almost all of the IT systems up and running within a week. It
took four weeks to rebuild and about six months to get back on track.

The fact that the school could act before the hackers had reached too deep into their system
was a blessing. It was also fortunate that none of the personal data accessed seems to have
been dumped onto the dark web. However, some things could not be recovered: around five
weeks’ worth of data was lost from file servers, staff had to rewrite exams and attendance
records were sought from parents. In some cases, teachers had to rewrite a whole syllabus for
the new term, a task that could take up to 100 hours.

When the hack occurred, the school considered itself relatively secure. It had undertaken an
external review of its systems and security only three months earlier. It is still unknown how
the criminals broke in, but Browning suspects it may have been a compromised remote
desktop gateway used by staff.

Browning says the hack and subsequent rebuild has left the school in better shape for the
future: “I say this very carefully, knowing that there is no 100 per cent certain way that you
can lock out hackers if they’re determined, but we’re in a better position than most other
organisations that haven’t been through it”.

The school upgraded its security by deploying Microsoft Sentinel, which can collect, detect,
investigate and respond to security threats and incidents. This is a SIEM (Security
Information and Event Management) and Security Orchestration and Automated Response
(SOAR) system in Microsoft’s public cloud platform.

Microsoft Sentinel is provided to the school through a managed service with MOQdigital
(recently acquired by Brennan), which monitors the system 24 hours a day and flags
suspicious activity. Sentinel collects data from different sources and performs data
correlation and visualisation in a single dashboard. It also has built-in machine learning
capabilities that can detect threat actors and suspicious behaviour.

MOQdigital does the initial investigation and sends the school a thorough report. The school
investigates further if there is a “high alert” – it receives about two of those a week from a
total of 200 incidents a month.
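A toy version of the correlation step described above, added here as an illustration and not the school’s or Sentinel’s own logic: constructed file-server rename events are correlated across hosts, and a burst of encryption-like renames on several servers within a few minutes is escalated, mirroring the “particular alert coming up on a whole bunch of servers” from the Saturday morning attack. Hostnames, paths, the `.locked` extension and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server events (not from the article): "timestamp host action path".
SAMPLE_LOG = """\
2020-10-10T06:01:02 FS01 RENAME /finance/budget.xlsx -> /finance/budget.xlsx.locked
2020-10-10T06:01:03 FS01 RENAME /finance/payroll.xlsx -> /finance/payroll.xlsx.locked
2020-10-10T06:01:04 FS01 RENAME /finance/notes.docx -> /finance/notes.docx.locked
2020-10-10T06:02:10 FS02 RENAME /staff/exams/y10.docx -> /staff/exams/y10.docx.locked
2020-10-10T06:02:11 FS02 RENAME /staff/exams/y11.docx -> /staff/exams/y11.docx.locked
2020-10-10T06:02:12 FS02 RENAME /staff/exams/y12.docx -> /staff/exams/y12.docx.locked
2020-10-10T06:03:30 FS03 RENAME /library/catalogue.db -> /library/catalogue.db.locked
2020-10-10T06:03:31 FS03 RENAME /library/loans.db -> /library/loans.db.locked
2020-10-10T06:03:32 FS03 RENAME /library/fines.db -> /library/fines.db.locked
2020-10-10T06:04:00 FS03 WRITE /library/README_TO_RESTORE.txt
2020-10-10T07:30:00 FS04 RENAME /shared/draft.docx -> /shared/draft_v2.docx
"""

def parse(line):
    """Split one constructed log line into (timestamp, host, action, src_path, dst_path_or_None)."""
    ts, host, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), host, action, src, dst or None

def looks_encrypted(src, dst):
    # Heuristic: the original name is kept intact and a new extension is appended
    # (budget.xlsx -> budget.xlsx.locked), the typical footprint of bulk encryption.
    return dst is not None and dst.startswith(src + ".")

def correlate(log, window=timedelta(minutes=5), min_renames=3, min_hosts=3):
    """Return (hosts showing bulk encryption-like renames, severity).

    A host is flagged at min_renames suspicious renames; severity is escalated to
    High only when min_hosts or more are flagged with first hits inside one window,
    i.e. the same activity spreading across servers, not a single noisy machine."""
    hits = defaultdict(list)  # host -> timestamps of suspicious renames
    for line in log.splitlines():
        ts, host, action, src, dst = parse(line)
        if action == "RENAME" and looks_encrypted(src, dst):
            hits[host].append(ts)
    flagged = {h for h, t in hits.items() if len(t) >= min_renames}
    first_hits = sorted(min(hits[h]) for h in flagged)
    burst = bool(first_hits) and (first_hits[-1] - first_hits[0] <= window)
    if burst and len(flagged) >= min_hosts:
        severity = "High"
    else:
        severity = "Medium" if flagged else "Low"
    return sorted(flagged), severity

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # (['FS01', 'FS02', 'FS03'], 'High')
```

A real SIEM rule would also weigh the ransom-note write on FS03 and the time of day; here the point is that the cross-host correlation, not any single rename, is what turns 200 monthly incidents into the two or so high alerts worth waking someone for.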

Browning says the early warning capabilities of Microsoft Sentinel mean the school will be
able to act even earlier if there is ever another attack. In addition, its integration with the
other Microsoft products at the school, such as email and OneDrive, enhances its
effectiveness.

In 2020, the hackers had been inside the school’s systems for about a week before they
revealed themselves. “These days, the first thing ransomware companies do is take the data
and they try and get that exfiltrated before you’re aware of it,” says Browning.

“They hit us very early on a Saturday morning, when they figured there would be fewer
people around. And so, hopefully, they’d have time to get through it before anybody
noticed.”

Browning says the school now has the confidence that they have the systems in place should
they become a target again.

“We’ve learned from the experience and we’ve got the skills to get things back up and
running.”

“With the extra tools that we’ve put in, like Sentinel, we’ve learned about the gaps that we had in our defences. Having that early warning is the key.”
