The University of Manchester’s CISO has highlighted how the institution approached remediation and recovery following the damaging cyber-incident it experienced in June 2023.
The attack occurred just weeks after Heather Lowrie began her role as CISO as the university. During the cyber-attack, threat actors were able to access data held by the institution.
The incident is now closed and Lowrie discussed the incident response process during a presentation at the CIISEC Live conference.
Cybersecurity is a particularly significant challenge in the university sector she noted. These educational institutions hold sensitive research and intellectual property data, as well as personal information on students and staff.
There is an “extremely large attack surface with multiple points of entry,” said Lowrie.
How the University of Manchester Cyber-Attack Unfolded
Lowrie revealed she was alerted to a potential cybersecurity issue by a colleague on June 5, 2023. Within 30 minutes it was identified as a credible threat, with the attacker claiming to have exfiltrated data.
This was not a traditional ransomware attack, Lowrie emphasized, because the data was not encrypted and remained available to the University of Manchester.
The attack was sophisticated, with initial access gained via a phishing email, and subsequent persistent access. The attacker also performed reconnaissance and privilege escalation and took steps to cover their tracks.
Upon discovery, the university’s incident command structure was mobilized, as per cyber exercises taken the previous year. This was comprised of representatives from various departments, including HR, legal, IT and the senior leadership team.
A small, computer security incident response team (CSIRT) was formed to focus full time on mitigating the incident, comprising Lowrie and four security colleagues. She then liaised with the rest of the command structure and external bodies who offered support.
This external support came in the form of UK government agencies such as the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and digital education charity Jisc, among others.
Lowrie said this external network of support “was really important” and provided a much-needed morale boost for the rest of the team.
Overall, there were five key areas of impact from the incident:
- Recovery and rebuild
- Partners and collaboration – providing communication and assurance to research partners
- Regulatory – such as data breach reporting obligations
- Research and operations – ensuring academic colleagues could continue their work
- Human – the human toll on those involved in incident response and the wider IT team
Response Strategy
Lowrie said the underlying ambition was to allow the university to function as normally as possible during the incident. This differs from the approach often seen in the education industry, where systems are immediately taken offline. She highlighted three key phases of the incident response strategy:
- Stabilization – Here, the team worked through containment and eradication of the attack. This involved locking down access to systems to reduce the attack surface, while balancing essential business.
- Restoration – Once the attack surface had reduced and network visibility increased, the CSIRT sought to open up more systems to support core university services.
- Security transformation – Lowrie said this is an ongoing process, largely involving the acceleration of pre-planned changes to the IT estate.
Key Learnings
Lowrie said the longer-term aim is to “be more resilient as a result of what we suffered this summer.” She emphasized the importance of always being able to “keep the lights on” during cyber incidents. After all, cyber incidents can occur at any time and organizations must build in resiliency and don’t allow attackers to prevent their core services from operating.
This is particularly vital in education, where loss of services can have a potentially significant long-term impact on students.
Another key learning from the incident was to delegate decisions to local areas within such a large institution containing many different networks and systems. “That was extremely effective in enabling us to work through this period,” added Lowrie.