Early warning is the first line of defence against cyber gangs


February 13, 2022
Microsoft Australia

Newcastle Grammar School ICT manager, Michael Browning, logged into his monitoring dashboard one Saturday morning and watched as all his security alerts switched one-by-one to red. 

He realised, to his horror, the school was being hacked and its data was being encrypted. 

“There was a particular alert coming up on a whole bunch of servers that just made my stomach drop. You get that cold sweat, you know?”

Browning had been alerted to the problem by a phone call from the school’s principal, who had been interviewing for prospective students over the weekend. 

A note appeared on his screen with instructions on how to get to a dark web address for assistance. That “help” required $1 million in cryptocurrency to be paid within a week. Thinking quickly, Browning asked the hackers to prove they had access to the data they claimed. The criminals asked for three to five hours to come up with that proof. 

“At which point I said to my senior engineer: ‘Switch off the internet, shut all the firewall ports off – no external traffic whatsoever.’”

The Newcastle Grammar team discovered that the criminals were working through the school’s servers mostly by hand.

“We found them relatively early in their process of encrypting everything,” says Browning. That was a stroke of luck that meant some of the school’s servers could be quarantined. 

“They had screenshots of our folder structures. That was their proof, but they didn’t actually have any data and were bluffing in that regard.” 

Disconnecting from the internet made the school go “dark” as the IT staff investigated and rebuilt the IT environment from scratch. The school had no access to emails, landline phones, photocopiers or security gates. The school was inoperable. 

It wasn’t until Sunday evening that the IT team found a system that had not been touched and could be used to email parents about the hack and request that students stay home on Monday. 

The co-educational school was deemed safe for its 950 students and 200 staff to return on Tuesday, and the IT team had almost all of the IT systems up and running within a week. It took four weeks to rebuild and about six months to get back on track.

The fact that the school could act before the hackers had reached too deep into their system was a blessing. It was also fortunate that none of the personal data accessed seems to have been dumped onto the dark web. However, some things could not be recovered: around five weeks’ worth of data was lost from file servers, staff had to rewrite exams and attendance records were sought from parents. In some cases, teachers had to rewrite a whole syllabus for the new term, a task that could take up to 100 hours.


When the hack occurred, the school considered itself relatively secure. It had undertaken an external review of its systems and security only three months earlier. It is still unknown how the criminals broke in, but Browning suspects it may have been a compromised remote desktop gateway used by staff. 

Browning says the hack and subsequent rebuild have left the school in better shape for the future: “I say this very carefully, knowing that there is no 100 per cent certain way that you can lock out hackers if they’re determined, but we’re in a better position than most other organisations that haven’t been through it”.

The school upgraded its security by deploying Microsoft Sentinel, which can collect, detect, investigate and respond to security threats and incidents. It is a combined SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) system running in Microsoft’s public cloud platform.

Microsoft Sentinel is provided to the school through a managed service with MOQdigital (recently acquired by Brennan), which monitors the system 24 hours a day and flags suspicious activity. Sentinel collects data from different sources and performs data correlation and visualisation in a single dashboard. It also has built-in machine learning capabilities that can detect threat actors and suspicious behaviour.

MOQdigital does the initial investigation and sends the school a thorough report. The school investigates further if there is a “high alert” – it receives about two of those a week from a total of 200 incidents a month. 

Browning says the early warning capabilities of Microsoft Sentinel mean the school will be able to act even earlier if there is ever another attack. In addition, its integration with the other Microsoft products at the school, such as email and OneDrive, enhances its effectiveness. 

In 2020, the hackers had been inside the school’s systems for about a week before they revealed themselves. “These days, the first thing ransomware companies do is take the data and they try and get that exfiltrated before you’re aware of it,” says Browning. 

“They hit us very early on a Saturday morning, when they figured there would be fewer people around. And so, hopefully, they’d have time to get through it before anybody noticed.” 

Browning says the school now has the confidence that it has the systems in place should it become a target again.

“We’ve learned from the experience and we’ve got the skills to get things back up and running.” 

“With the extra tools that we’ve put in, like Sentinel, we’ve learned about the gaps that we had in our defences. Having that early warning is the key.”



This post was written by Microsoft Australia