Mar 23 2023

How to Detect and Respond to Bot Attacks in Higher Education

As attacks become more sophisticated, university IT teams should know how to identify and respond when malware strikes.

Lately, artificial intelligence chatbots like ChatGPT are getting all the attention, but there’s another type of bot posing an immediate and serious threat to your university’s cybersecurity. Old-school bots are pieces of malware that infiltrate your environment and infect devices on your networks. Attackers can then remotely control the bots on those devices to steal data and launch a staggering variety of additional attacks directed at either other university systems or third parties.

Bots continue to become more capable and harder to detect, so it’s more important than ever that you know how to prepare for them, spot them and stop them.

Be Aware of Common Bot Attacks

A single bot infection can have a major negative impact on a university. When a computer, smartphone, Internet of Things device or other digital tool becomes infected, external attackers effectively gain remote control over that device.

In many bot attacks, the bot surreptitiously collects information from infected devices, such as keystrokes or screenshots, and gains unauthorized access to data stored on the devices. Attackers can steal passwords and other credentials, personal information, credit card numbers, bank account information and anything else a user might be entering into or viewing from an infected device. Bots can also monitor local networks and snag unencrypted communications passing by.


Other bot attacks may focus on expanding the attacker’s kingdom. For example, an attacker might want to infect more devices so they can use them in future attacks or rent them to other attackers to make money. Bots are also often used to generate and spread spam, phishing attacks, malware, and other malicious code and content, which are all intended to infect more devices.

A third type of bot attack focuses on using the bot to perform a larger incursion as part of a vast army of bots known as a botnet. Attackers use botnets to perform coordinated, large-scale distributed denial of service attacks. DDoS attacks can make websites, networks and other computing services unavailable for extended periods.

Another example is credential stuffing. Through bot infections, phishing attacks and other means, an attacker may collect usernames and passwords for internal university systems. In a credential stuffing attack, one or more bots automatically log in to as many internal resources as they can using all the collected login credentials.
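The defensive counterpart to the credential stuffing described above is spotting it in authentication logs: a single source trying many different accounts in a short window is the classic signature, and any success inside that burst means the attacker now holds a working credential. The following is an added example, not code from the original article; the log format, IP addresses, usernames and application names are all constructed for illustration, and the detection thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines in a hypothetical key=value layout
# (not any real SSO product's format). Sources, users and apps are made up.
SAMPLE_AUTH_LOG = """\
2023-03-23T08:00:01Z src=10.50.1.10 user=jsmith app=lms result=FAIL
2023-03-23T08:00:02Z src=10.50.1.10 user=agarcia app=lms result=FAIL
2023-03-23T08:00:02Z src=10.50.1.10 user=bchen app=finance result=FAIL
2023-03-23T08:00:03Z src=10.50.1.10 user=dkim app=lms result=SUCCESS
2023-03-23T08:00:04Z src=10.50.1.10 user=epatel app=lms result=FAIL
2023-03-23T08:00:05Z src=10.50.1.10 user=fnguyen app=email result=FAIL
2023-03-23T08:00:10Z src=10.50.2.20 user=jsmith app=lms result=FAIL
2023-03-23T08:00:30Z src=10.50.2.20 user=jsmith app=lms result=SUCCESS
2023-03-23T08:05:00Z src=10.50.3.30 user=hlee app=lms result=FAIL
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag every source that tries at least min_distinct_users distinct
    accounts within any sliding time window of the given length.

    Returns {src: {"distinct_users": n, "apps": [...], "successful_users": [...]}}.
    The successful_users list is the part an incident responder acts on first:
    those accounts were valid and should be reset.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best_users, best_window = set(), []
        start = 0
        # Two-pointer sliding window: advance 'start' until the window fits.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            users = {r["user"] for r in window_recs}
            if len(users) > len(best_users):
                best_users, best_window = users, window_recs
        if len(best_users) >= min_distinct_users:
            alerts[src] = {
                "distinct_users": len(best_users),
                "apps": sorted({r["app"] for r in best_window}),
                "successful_users": sorted(
                    {r["user"] for r in best_window if r["result"] == "SUCCESS"}
                ),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts tried across "
              f"{info['apps']}; valid credentials found for {info['successful_users']}")
```

The per-source view catches a single bot; a botnet spreading the same attempt list across many addresses will stay under the per-source threshold, so in practice the same sliding window is also worth running per target account (many sources, one user) and per application.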


Reducing Infection Requires Proactive Security Controls

Any type of computing device can potentially be “botted.” Bots can reach and infect devices through all the typical methods attackers use: exploiting unpatched vulnerabilities and software misconfigurations, tricking users through social engineering, and drive-by downloads. Infections can’t be completely prevented, but there are some best practices for reducing infections in common device types.

Whether you are dealing with physical or virtual servers, desktops or laptops, follow all conventional cyber hygiene practices, such as keeping the operating system and applications fully updated, running up-to-date anti-virus software and configuring all software with security in mind. For internal university systems, such as those for finance, keep networks separate and tightly restrict incoming network connections.

[Infographic, not reproduced here: the number of DDoS attacks on educational organizations in the first half of 2022. Source: Netscout, “Adaptive DDoS Attacks and Learning How to Suppress Them,” July 2022]

With smartphones, tablets and IoT devices, keep all software up to date and securely configured. IoT devices that can’t be updated and secured should be placed on isolated networks to protect them from attackers and to shield the university if the devices become infected.

Training your users to follow cyber hygiene practices and avoid social engineering attacks should also help reduce the number of bot infections.

Finally, having DDoS mitigation solutions in place can prevent external botnets from taking your networks and services offline.


Why You Should Quickly Identify and Respond to Bot Infections

Bots can be difficult to find, but it’s important to be proactive in identifying and stopping them. Each infected device will be running bot malware, and hopefully anti-virus software and other security controls will spot and quarantine the malware. Realistically, infections will happen. Bots have become so sophisticated that few users would have any clue that their devices have been infiltrated, so it’s up to the university to find the bot infections.

Most bots today misuse common protocols to communicate with the attacker and each other; for example, bots might conceal their communications within standard web and email protocols. Some bots even use encryption to prevent anyone from seeing what they’re communicating.

A common “tell” for bots is making Domain Name System requests for unusual domains, where those domains are used only for malicious purposes. Cyberthreat intelligence feeds can provide universities with detailed, up-to-date information on the latest threats and the domains they are using. By comparing threat intelligence against university DNS logs, you may be able to identify bot infections and immediately know the identity of the infected devices and the type of bot infecting each device.
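The DNS comparison just described, as an added example that is not part of the original article: a small threat-intelligence feed (domain to bot family) is matched against resolver query logs, so each hit yields the client address, the bot family and the query time. The feed entries, the BIND-style log lines and the addresses are all constructed placeholders; a real deployment would load the feed from your intelligence provider and read the logs from your resolvers. Matching walks up the parent labels so that `beacon.c2domain` still matches a feed entry for `c2domain`, and names are lowercased and stripped of the trailing dot before comparison.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence feed: indicator domain -> bot family.
# Domains and family names are made-up placeholders, not real indicators.
THREAT_FEED = {
    "update-check.example-bad.test": "ExampleBot-A",
    "cdn.example-evil.test": "ExampleBot-B",
}

# Constructed resolver query log in a BIND-style query-log layout.
SAMPLE_DNS_LOG = """\
23-Mar-2023 09:12:01.001 client 10.20.30.41#51234: query: www.example.edu IN A + (10.0.0.53)
23-Mar-2023 09:12:03.120 client 10.20.30.41#51240: query: beacon.update-check.example-bad.test IN A + (10.0.0.53)
23-Mar-2023 09:12:05.533 client 10.20.30.77#40012: query: CDN.EXAMPLE-EVIL.TEST. IN A + (10.0.0.53)
23-Mar-2023 09:12:07.900 client 10.20.30.99#40099: query: mail.example.edu IN MX + (10.0.0.53)
23-Mar-2023 09:12:09.004 client 10.20.30.41#51244: query: beacon.update-check.example-bad.test IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(domain):
    """Canonical form for comparison: no trailing dot, lowercase."""
    return domain.rstrip(".").lower()


def match_feed(qname, feed=THREAT_FEED):
    """Return the bot family if qname equals, or is a subdomain of, a feed entry."""
    labels = normalize(qname).split(".")
    # Try the full name first, then each parent (a.b.c -> b.c -> c).
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None


def find_infections(log_text, feed=THREAT_FEED):
    """Map client IP -> {bot family: [query timestamps]} for every feed hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # skip non-query lines (notifies, errors, etc.)
        family = match_feed(m["qname"], feed)
        if family:
            hits[m["ip"]][family].append(m["ts"])
    return {ip: dict(fams) for ip, fams in hits.items()}


if __name__ == "__main__":
    for ip, families in find_infections(SAMPLE_DNS_LOG).items():
        for family, times in families.items():
            print(f"{ip}: {family} ({len(times)} lookups, first at {times[0]})")
```

Because the feed is keyed on the registered indicator and the lookup climbs the label hierarchy, feed entries should be kept to the malicious zone itself; adding a broad parent such as a public hosting domain would flag every legitimate client as well. Repeated lookups from the same client at regular intervals, as with 10.20.30.41 in the sample, are the beaconing pattern worth confirming before the device is pulled from the network.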
