All things tech
The University of Virginia Vs. Hackers: A Remediation
Case Analysis – The Phoenix Project
In 2015, the University of Virginia faced a cyber attack. This analysis covers the remediation of that attack and how the University's CIO, Virginia Evans, handled the situation. It is my personal analysis of the Phoenix Project, the remediation of a cybersecurity crisis at the University of Virginia (UVA). The analysis was written for Dr. Joshua Davis's course on information security at Missouri State University.
The Information Technology Services (ITS) played a considerable role in the remediation of the cyber attack. They also played a significant role at the UVA before and after the cyberattack in 2015. The UVA was a leader within the higher education community regarding Information Technology. The UVA was an IT leader because of the ITS organization that operated under the University's umbrella. From the Harvard course pack document, the ITS mission was to "be a trusted partner and strategic resource to the University community, aligning technology to advance the University's mission." Adding to the significant role that ITS played, the document highlighted that they had over 200 employees and a 50 million dollar operating budget that same year.
As head of ITS and CIO, Evans played a prominent role in IT within the University. Her tasks included IT infrastructure, applications, information security, policy, and records management. As CIO, all of these tasks contributed to fulfilling UVA's mission in the information technology space. However, it is important to note that her tasks are not the sole reason for ITS's success but rather a contribution to it. She had only been CIO for roughly a year before the cyber attack. Nevertheless, ITS played a significant role in the success of UVA as a prominent IT leader in higher education and in the University's mission as a whole.
There are many reasons that a university attracts cyber attackers. One of the first reasons universities are an attractive target is personally identifiable information (PII). This type of information is not unique to universities; large corporations and businesses also store their customers' personal information. Attackers can use PII in many different ways, including demanding a ransom from the institution in exchange for not releasing the PII to the public. Additionally, they can use the PII to attack the individuals whose information was exposed. The type of records stolen determines how the attackers can use them to exploit the data further. These are just a few of the reasons that PII is valuable to attackers and makes universities an attractive target.
Another significant reason why the University would be attractive to cyber attackers is the considerable research and intellectual property that the university stores. These attackers are looking to exploit the University's financial assets and intellectual property. Similar to PII, this intellectual property can be used for several different reasons. The document highlights that this type of intellectual property is attractive to cybercriminals because the information can be used for political motivations (Harvard). Since universities typically invest lots of resources into research and development, this type of intellectual property combined with PII makes universities a lucrative target.
Now that we have identified two significant reasons that make universities an attractive target, let's look at a few of the methods cybercriminals use to attack these assets. The document highlights that in 2015, when UVA was targeted, the three most common attack methods were spear phishing, unpatched systems, and zero-day exploits (Harvard). Spear phishing is a slightly more advanced version of phishing. A typical phishing attack sends thousands to millions of emails to victims, trying to get them to click on a malicious link or download an infected file. Spear phishing uses a similar method; however, it is tailored to the victims. Instead of sending millions of emails, spear phishing sends far fewer, which allows cybercriminals to design each email to look realistic and specifically crafted for a particular victim. Like actual spear fishing, this method is narrower, and accuracy is key to hitting the victim. Unfortunately, the small volume and tailored content also make these emails harder for detection software to catch.
The other two methods, unpatched systems and zero-day exploits, are also effective attack methods for cybercriminals. Software vendors issue updates to patch known vulnerabilities that cybercriminals can use to attack the software. When vulnerable software is not fixed promptly, or at all, the University is left vulnerable. This is another reason why keeping software up to date is critical. Zero-day exploits are separate from unpatched systems: a zero-day is a vulnerability that the vendor and the University or organization have known about for zero days, meaning no patch yet exists. These exploits are significant because software vendors and software users have to scramble to mitigate the issue before the vulnerability can be exploited or remediated.
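To make the detection point concrete, here is an added example (not from the original post or the Harvard course pack) of two defender-side mail triage heuristics run over a constructed mailbox sample. The first flags a sender/subject pair seen across many recipients, which catches mass phishing but never fires on a single tailored message; the second flags a display name that matches an internal directory entry while the sending address is not that entry's address, which is one of the few signals a well-crafted spear phish still leaves. The domain, directory entries and messages are all constructed for the example.

```python
"""Why bulk-phishing detection misses tailored spear phishing (added example).

Two defender-side heuristics over a constructed mailbox sample:
  1. bulk_campaigns: a (sender, subject) pair seen at many distinct recipients
     (catches mass phishing, misses a one-off tailored message), and
  2. display_name_mismatch: a display name from the internal directory paired
     with an address that is not the directory address (display-name spoofing).
All names, addresses and domains are constructed; none are real.
"""
from email.utils import parseaddr

# Constructed internal directory: display name -> expected address
DIRECTORY = {
    "Alice Director": "adirector@example.edu",
    "Bob Analyst": "banalyst@example.edu",
}

# Constructed messages: (From header, To header, Subject)
MESSAGES = [
    # mass phishing: one sender, one subject, many recipients
    *[("IT Helpdesk <helpdesk@mail-reset.example>", f"user{i}@example.edu",
       "Your mailbox is full - verify now") for i in range(40)],
    # tailored spear phishing: spoofed display name, external domain, one recipient
    ("Alice Director <a.director@example-mail.test>", "banalyst@example.edu",
     "Bob - quick question on the vendor contract"),
    # legitimate internal mail
    ("Bob Analyst <banalyst@example.edu>", "adirector@example.edu",
     "Re: budget meeting"),
]


def bulk_campaigns(messages, threshold=10):
    """Return the (sender address, subject) pairs seen at >= threshold recipients."""
    recipients = {}
    for frm, to, subject in messages:
        key = (parseaddr(frm)[1].lower(), subject)
        recipients.setdefault(key, set()).add(to.lower())
    return {key for key, rcpts in recipients.items() if len(rcpts) >= threshold}


def display_name_mismatch(frm):
    """True when the display name is in the directory but the address is not the directory's."""
    name, addr = parseaddr(frm)
    expected = DIRECTORY.get(name.strip())
    if expected is None:
        return False          # unknown display name: nothing to compare against
    return addr.lower() != expected.lower()


def triage(messages):
    """Tag every message with the heuristics that fired (empty list = no finding)."""
    campaigns = bulk_campaigns(messages)
    results = []
    for frm, to, subject in messages:
        reasons = []
        if (parseaddr(frm)[1].lower(), subject) in campaigns:
            reasons.append("bulk-campaign")
        if display_name_mismatch(frm):
            reasons.append("display-name-mismatch")
        results.append((frm, to, subject, reasons))
    return results


if __name__ == "__main__":
    for frm, to, subject, reasons in triage(MESSAGES):
        if reasons:
            print(f"{to:<22} {subject[:40]:<40} {', '.join(reasons)}")
```

Run on the sample, the forty helpdesk messages are tagged only by the volume heuristic, the single spear phishing message is tagged only by the display-name check, and the legitimate internal mail is tagged by neither. The point for a defender is that a volume threshold alone, however well tuned, has nothing to count when the attacker sends one message.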
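The difference between an unpatched system and a zero-day comes down to whether a fix exists yet. Below is an added example (not part of the original post) that checks a constructed host inventory against constructed vendor advisories and reports both conditions: software running behind an available fix, and software with a published vulnerability for which no fix exists, where only mitigation is possible. It also shows why version strings must be compared numerically rather than as text. All products, versions, hosts and dates are made up for the example.

```python
"""Patch-exposure check over a constructed inventory (added example).

For each host, compare the installed version with the vendor advisory:
  - fixed version known and installed < fixed  -> unpatched system, upgrade
  - no fixed version published yet             -> zero-day, mitigate only
Products, versions, hostnames and dates are constructed; none are real.
"""
from datetime import date


def parse_version(v):
    """'2.4.10' -> (2, 4, 10). Tuples compare numerically; plain strings do not
    ('1.9.7' > '1.10.0' as text, which would hide a missing upgrade)."""
    return tuple(int(part) for part in v.split("."))


# Constructed advisories: product -> (fixed version or None, advisory date)
ADVISORIES = {
    "webportal": ("3.2.1", date(2015, 5, 1)),
    "mailgw": ("1.10.0", date(2015, 4, 20)),
    "vpnd": (None, date(2015, 6, 3)),   # vulnerability public, no patch yet
}

# Constructed inventory: (hostname, product, installed version)
INVENTORY = [
    ("web01", "webportal", "3.2.1"),    # current
    ("web02", "webportal", "3.1.9"),    # behind the fix
    ("mx01", "mailgw", "1.9.7"),        # behind the fix; text compare would miss it
    ("vpn01", "vpnd", "2.0.4"),         # affected, no fix available
]


def assess(inventory, advisories, today):
    """Return (host, product, action, days since advisory) for every exposed host."""
    findings = []
    for host, product, installed in inventory:
        advisory = advisories.get(product)
        if advisory is None:
            continue                     # no known advisory for this product
        fixed, published = advisory
        exposed_days = (today - published).days
        if fixed is None:
            findings.append((host, product, "zero-day: mitigate, no patch", exposed_days))
        elif parse_version(installed) < parse_version(fixed):
            findings.append((host, product, f"unpatched: upgrade to {fixed}", exposed_days))
    return findings


if __name__ == "__main__":
    for host, product, action, days in assess(INVENTORY, ADVISORIES, date(2015, 6, 10)):
        print(f"{host:<8} {product:<10} {action:<32} exposed {days} days")
```

With the sample data and a scan date of 2015-06-10, web01 is clean, web02 and mx01 are reported as unpatched with 40 and 51 days of exposure, and vpn01 is reported as a zero-day with 7 days of exposure and no upgrade to apply. The days-since-advisory figure is what turns a vulnerability list into a prioritised patch queue.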
With Dana German's help, she and Evans created a covert project called the Phoenix Project. The Phoenix Project consisted of five objectives crucial to the remediation of this cyber attack. The first of the five objectives was to determine the extent of the intrusion. This would include a more in-depth assessment and analysis of the intrusion to ensure everyone involved had all the necessary information. Although this step is essential, I believe the effort to accomplish this objective is relatively low. Before the project was created, Mandiant and Microsoft Services had already spent three weeks assessing the intrusion. This objective was to add to and complete the information that had already been gathered.
The second objective of the Phoenix Project was to develop a remediation plan. The level of effort to complete this objective would be very high, because the objective needs to be completed in a timely manner. This objective is crucial in remediating the cyber attack, as it lays out the blueprint for the remediation, including a go-dark phase. The remediation plan's blueprint needs to be highly detailed and address the actual issues and vulnerabilities currently being exploited. This objective needs to be completed before the other three objectives can begin, and it would need to be completed on time. Since this objective is time-sensitive and crucial in remediating the attack, I would rate its level of effort as high.
The third objective was to execute the remediation plan. I would call this the all-hands-on-deck phase. This phase would require all hands on deck, with many people and resources needed to carry out the remediation plan developed in objective two. Objective three has a very high level of effort and importance, similar to objective two. However, unlike objective two, objective three would require more time to complete all of the steps involved. Therefore, the third objective has a little more gray area than objective two. The gray area is due to the number of necessary steps, and because the steps must adapt to different situations. The steps directly highlighted in the document are:
Objective three in the Phoenix Project would have a high level of effort, as it requires much adaptability from the team and input from everyone on the team, hence all hands on deck.
Objective four is to harden the UVA defenses. This step goes hand in hand with the previous actions and is vital to prevent further damage and future attacks. Although this objective is essential, I would put it at a lower level of effort than the other objectives; however, it goes hand in hand with all of the Phoenix Project objectives.
The fifth objective is to restore all services. This objective is similar to objective three because there are many gray areas and potentially a massive amount of time required to complete the objective. This objective has much potential for something to go wrong, as it involves restoring and testing the systems after the go-dark phase. I would imagine that this objective was the shortest in the remediation plan. Similar to objective two, this step has many unknowns when creating the project. The objective could potentially take the longest to complete because of the unknowns and gray areas. Since there are unknowns, the level of effort involved in this objective could be high; however, it could also be lower (medium) depending on how the previous objectives are handled.
Many key risks are inherent in this project. The first key risk is what happens if the security compromise at the University becomes public. This risk is significant and should be handled with caution. I would recommend that the team alert affected stakeholders of the attack as soon as possible. From an ethical perspective, I feel it is essential to inform anybody at the University who may have had their information exposed during the attack and let them know what information may have been revealed. However, it is also important not to release this information to the public too early, because it could alert the cybercriminals that they have been discovered in the University's network. Additionally, the vulnerabilities should be patched before the University goes public with the information regarding the attack.
Another critical risk to consider is scheduling conflicts with UVA programs and events, specifically regarding the go-dark phase and when it would take place. The document highlighted the pros and cons of holding the go-dark phase during the semester or after the semester. They don't want the remediation of the cyber attack to interfere with other UVA operations. When deciding on the go-dark phase and implementing additional security measures, I would recommend implementing them when the University has little need for the resources being updated, for example, patching systems early in the morning and on weekends when the University may not be actively using them.
The Phoenix Project should be evaluated after all phases and objectives have been completed, including the go-dark phase. Proper evaluation should consider the completion status of the goals and their performance. This means that evaluating how effective the remediation plan was cannot be done until the remediation is completed in its entirety. The evaluation of the Phoenix Project remediation plan should be completed by a third party such as Mandiant. The third party needs to test (pen-test) the university systems and attempt to exploit them in the same fashion the cybercriminals used. This would give a proper evaluation of the Phoenix Project.
Additionally, pen-testing would confirm that the vulnerability has been patched and the systems have been hardened. The pen testing needs to be done by a third-party organization that is not related to or affiliated with the University. This would eliminate bias and give a more realistic picture of how well their systems can handle an attack. The university systems should be tested regularly to evaluate the remediation of this cyber attack and help prevent future attacks.
Sources: