How to detect and respond to bot attacks in higher education

Trish Riley
Trish Riley

As bot attacks become more sophisticated, university IT teams should know how to identify issues – and respond effectively –  when malware strikes.

Lately, artificial intelligence chatbots like ChatGPT get lots of attention. But there is another type of bot posing an immediate and serious threat to a university’s cybersecurity. 

Old-school bots are pieces of malware that infiltrate the IT environment and infect devices on networks. Attackers can then control the bots remotely to steal data and launch a staggering variety of additional attacks. These attacks may be directed at other university systems or third parties.

As bots continue to become more capable and harder to detect, it’s more important than ever to prepare for them, recognise them, and have efficient systems in place to stop them as quickly as possible.

- Advertisement -

Be aware of common bot attacks

A single bot infection can have a devastating impact on a university. When a computer, smartphone, Internet of Things device or other digital tool becomes infected, external attackers effectively gain remote control over that device.

In many bot attacks, the bot surreptitiously collects information from infected devices, such as keystrokes or screenshots, and then gains unauthorised access to data stored on those devices.

This access enables attackers to steal passwords and other credentials, as well as sensitive personal information, credit card numbers, bank account information and anything else an unsuspecting user might enter or view from an infected device. Bots may also have the capability to monitor local networks and snag unencrypted communications in the immediate area.

Other bot attacks may focus on expanding the attacker’s kingdom. If an attacker can infect more devices, they can use them in future attacks or create an illegal income stream by renting them to other attackers. 

- Advertisement -

Bots are also often used to generate and spread spam, phishing attacks, malware, and other malicious code and content, which are all intended to infect more devices.

Another type of bot attack utilises individual bots to perform a larger invasion as part of a vast army of bots, known as a botnet. Attackers use botnets to perform coordinated, large-scale distributed denial of service attacks. DDoS attacks can make websites, networks and other computing services unavailable for extended periods – events that can have an enormous impact on educational institutions.

Another example of cyber attack is credential stuffing. Via bot infections, phishing attacks and other means, an attacker may collect usernames and passwords for internal university systems. In a credential stuffing attack, one or more bots automatically log in to as many internal resources as they can, using all the collected login credentials.

Reducing infection requires proactive security controls

Any type of computing device can potentially be “botted.” Bots can reach and infect devices through all the typical methods attackers use: exploiting unpatched vulnerabilities and software misconfigurations, tricking users through social engineering, and drive-by downloads. Although infections can’t be completely prevented, there are some best practices for reducing infections in common device types.

Positive steps to better protection against bots

Whether dealing with physical or virtual servers, desktops or laptop computers, there are ways to minimise the risks of bot infection. These include:

- Advertisement -
  • Following all conventional cyber hygiene practices, such as keeping the operating system and applications fully updated.
  • Running up-to-date anti-virus software.
  • Configuring all software with security in mind. 
  • For internal university systems, such as finance departments, keep networks separate and ensure incoming network connections restrictions are tight.
  • With smartphones, tablets and IoT devices, keep all software up-to-date and securely configured. IoT devices that can’t be updated and secured should be placed on isolated networks to protect them from attackers and to shield the university if the devices do become infected.
  • Training all users to follow cyber hygiene practices and avoid social engineering attacks, to help reduce the number of bot infections.
  • Having DDoS mitigation solutions in place, to prevent external botnets from taking your networks and services offline.

Primary and secondary institutions can learn from tertiary sector bot attacks

Although there is always more to do, the good news is that the tertiary education sector continues to lead the way in protecting against bot attacks. But with Netscout reporting 9.7 million attacks against educational institutions in 2021, it’s clear that staying ahead of the problem is a critical issue. The figures represent a 14 per cent increase since 2019, and with the higher education sector experiencing a 102 per cent increase in the second half of 2021, compared to the first half of the year, finding fresh ways to combat the growing problem should be at the forefront of IT system protection in primary and secondary schools too.

Identifying bot infections quickly is vital

Bots can be difficult to find, but it’s important to be proactive in identifying and stopping them. Each infected device will be running bot malware, and, hopefully, anti-virus software and other security controls will spot and quarantine the malware. Realistically, infections will happen. Bots have become so sophisticated that few users would have any clue that their devices have been infiltrated, so it’s up to the university to find the bot infections.

Most bots today misuse common protocols to communicate with the attacker and each other. For example, bots might conceal their communications within standard web and email protocols. Some bots even use encryption to prevent anyone from seeing what they’re communicating.

A common “tell” for bots is making Domain Name System requests for unusual domains, where those domains are used only for malicious purposes. Cyberthreat intelligence feeds can provide universities with detailed, up-to-date information on the latest threats and the domains they are using. By comparing threat intelligence against university DNS logs, you may be able to identify bot infections and immediately know the identity of the infected devices, as well as the type of bot infecting each device.

Prepare for when – not if – bot attacks will strike

Every enterprise—across all regions, industries and business size—is at risk of DDoS attacks. And any network downtime can materially impact an organisation’s performance and expose it to data exfiltration by cybercriminals.

- Advertisement -

The bottom line is that a DDoS attack is a matter of when, not if. While IT departments at tertiary institutions and schools should do all they can to prevent an attack in the first place, they must also be prepared to alleviate the impact of an attack once it happens.


Share This Article
Trish Riley is a Zimbabwean-born writer and communications specialist. With experience in journalism, and public relations, Trish has been developer and editor of several trade publications and regularly contributes articles for diverse sectors including aged care, animal care, construction and education.