Cyber Threats to Edu Cloud Platforms: Google Workspace

Avertere Classroom

In a previous blog, we delved into identifying cyber threats to schools and how they cause impact using MITRE ATT&CK. Today, we narrow down our focus to understanding how adversary groups attack cloud-based platforms (Google Workspace), particularly in the educational sector.

If you missed our previous article, "How to Spot Cyber Threats that Could Harm Schools", it's beneficial to start there for a broad perspective. This piece will give a step-by-step guide with visuals for clarity.

Unpacking School Cloud Risks

  • Start at MITRE's official database: Visit attack.mitre.org.
  • Search for education-focused attacks: In the Search box, type "education" and then click on "load more results". You should see a list of adversaries that target educational institutions. 
  • Select the ransomware gang: "Clop, Software S0611."

Ransomware gangs, like “Clop, Software S0611”, often target K12 schools. They first gain initial access (labeled TA0001) and then use ransomware to steal data, risking identity theft for students and staff. By reviewing the Clop page, schools will get an understanding of the inventory of assets that Clop targets and the techniques they use to gain an advantage.

  • Deep dive into Clop’s modus operandi: By selecting the blue button “ATT&CK Navigator Layers” and then “view”, a comprehensive visualization appears, highlighting tactical objectives from Reconnaissance to Impact. Techniques in use are in blue, and the procedures (or sequences) provide an insight into how Clop operates.

Tailor to Google Workspace: For institutions using Google Workspace, filter the results. On the top right, there's an icon (see red arrow). Click on the filter icon and deselect all but "Google Workspace". There should only be one blue square and that is the one next to Google Workspace.


The outcome? You'll see precisely how Clop and other adversaries first gain initial access to an organization that uses Google Workspace and then the sequence of techniques they deploy for maximum damage.
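The same platform filter can be scripted against ATT&CK's STIX data so the review is repeatable. The following is an added example, not code from Avertere or MITRE; it assumes the ATT&CK STIX 2.x bundle layout, and the embedded bundle is constructed, with placeholder techniques and simplified object ids.

```python
# Constructed mini-bundle in ATT&CK STIX 2.x shape. T9001-T9003 are placeholder
# techniques, NOT Clop's real technique list; load MITRE's bundle for real data.
def _ext(eid):
    return [{"source_name": "mitre-attack", "external_id": eid}]

def _tech(n, phase, platforms):
    return {"type": "attack-pattern", "id": f"attack-pattern--{n}",
            "name": f"Placeholder technique {n}", "external_references": _ext(f"T900{n}"),
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": phase}],
            "x_mitre_platforms": platforms}

def _uses(dst, **extra):
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": "malware--clop", "target_ref": f"attack-pattern--{dst}", **extra}

SAMPLE = {"type": "bundle", "objects": [
    {"type": "malware", "id": "malware--clop", "name": "Clop",
     "external_references": _ext("S0611")},
    _tech(1, "initial-access", ["Google Workspace", "Windows"]),
    _tech(2, "impact", ["Windows"]),
    _tech(3, "impact", ["Google Workspace"]),
    _uses(1), _uses(2), _uses(3, revoked=True),  # revoked links must be ignored
]}

def ext_id(obj):
    """Return the object's ATT&CK ID (e.g. S0611), or None."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def techniques_for(bundle, attack_id, platform):
    """Map tactic -> [(technique ID, name)] used by attack_id on one platform."""
    live = [o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    subject = next((o for o in live if ext_id(o) == attack_id), None)
    if subject is None:
        raise KeyError(f"{attack_id} not in bundle")
    techs = {o["id"]: o for o in live if o["type"] == "attack-pattern"}
    result = {}
    for rel in live:
        if (rel["type"], rel.get("relationship_type")) != ("relationship", "uses"):
            continue
        tech = techs.get(rel["target_ref"])
        if rel["source_ref"] != subject["id"] or tech is None:
            continue
        if platform not in tech.get("x_mitre_platforms", []):
            continue  # same effect as deselecting other platforms in Navigator
        for ph in tech.get("kill_chain_phases", []):
            result.setdefault(ph["phase_name"], []).append((ext_id(tech), tech["name"]))
    return result
```

To run it on real data, load MITRE's published Enterprise ATT&CK STIX bundle with `json.load` and pass it in place of `SAMPLE`.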


Critical Questions for Schools

For schools to effectively defend against such threats, here are some questions to consider:

  1. Is our email system equipped with SPF, DKIM, and DMARC to thwart phishing attempts?
  2. Are there anti-phishing mechanisms active to block email phishing attempts?
  3. Are we using phishing-resistant authentication to mitigate the risk of stolen credentials and the bypassing of multi-factor authentication (MFA)?
  4. Have we set up Adaptive MFA to control endpoint activities and halt malicious executions?
  5. Do we possess a robust cloud access and identity management strategy?

Conclusion

The MITRE ATT&CK framework, when harnessed effectively, gives educational institutions a clearer picture of potential threats, particularly those targeting specific platforms like Google Workspace. By leveraging this knowledge, K12 organizations can build stronger, tailored defenses.

Avertere offers no-cost evaluations for K12 institutions, assessing potential risks. Interested? Contact Us for assistance.

Found this piece insightful? Share it within the K12 community and engage with us. Drop your questions or comments below.
