Incident Response Helps Schools Quickly Recover from Cyberattacks

What’s in an Incident Response Plan?

While many districts proactively deploy cybersecurity measures and technology to detect threats and prevent breaches, no IT infrastructure is completely impenetrable. Schools must plan for the inevitable and develop incident response plans to execute when successful cyberattacks take place, district IT leaders say.

A plan includes having an incident command structure: identifying who leads the response, who handles communications, who has authority to turn off IT systems and establishing the criteria for when to escalate issues to district leadership, says Amy McLaughlin, project director for CoSN’s cybersecurity and network and systems design initiatives.

McLaughlin recommends that districts develop high-level plans. “You don’t know what the incidents are going to be. Sometimes, people try to plan for every possible scenario, and then it becomes overwhelming,” she says.

Other important elements include updated contact information, including after-hours emergency numbers, for IT staff, key district leaders, vendors and ISPs, she says. Districts should also maintain readily accessible technical documentation, such as network architecture maps and a detailed inventory of servers and applications.

“You want to have it all in one place, so it’s at your fingertips,” McLaughlin says.

After recovering from an incident, districts should also perform after-action reports to identify lessons learned and make improvements, she says.

READ MORE: Inventory is a key element of incident response planning.

Arizona School District Activates Response Plan After Attack

When Gabel was promoted to network operations manager, the Agua Fria lacked an incident response plan, so he drew one up: a one-page flowchart that outlines staff roles and responsibilities and the process for identifying, containing and eradicating threats to restore operations.

In September 2023, he presented the strategy to the superintendent and the executive cabinet, got their buy-in and then explained the plan to his IT staff.

“It’s imperative that you have a blueprint for what’s going to happen, if not for yourself, then for your team and stakeholders, so that everyone knows what part they will play,” he says.

There is no one-size-fits-all plan. It can be as detailed as a district needs it to be, says Gabel, now IT director. In Agua Fria’s case, Gabel created a simple chart that matched his team’s technical knowledge.

“We are a cohesive team,” he says. “We’ve built trust with each other, where we know our capabilities and we know who’s going to do what, so when an event happens, our team is ready.”

Agua Fria’s plan was put to the test when ransomware infected the district’s virtualized environment. Gabel served as incident commander, managing the process.

At 6 a.m., the IT team didn’t know ransomware was the cause. The server cluster, which runs about 40 virtual machines, was nonresponsive, so the team rebooted it, but it was still not working. Meanwhile, the district’s CrowdStrike security software sent alerts that it repeatedly blocked a service account from accessing other servers over VPN. That’s when the staff and the consulting firm realized the district was hacked.

They immediately shut down the network and VPN and alerted the Department of Homeland Security, the FBI and the district’s insurance provider. Then the IT staff and consulting team collaborated on two tasks: investigating how the hackers got in and determining the scope of impact. Meanwhile, a recovery team sanitized affected servers, verified the integrity of data backups and restored services.

As outlined by the incident response plan, Lauren Owens, executive director of technology, kept district leaders informed while shielding the IT staff from interruptions.

By 11:30 p.m., they had critical systems back up and running. The recovery team restored the virtual environment using air-gapped cold backups. They also changed everyone’s passwords across the district’s six high schools and headquarters.

Since the attack, Gabel has beefed up cybersecurity by replacing an outdated firewall with a new Palo Alto Networks next-generation firewall and upgrading to a Commvault solution that backs up data on-premises and in the cloud.

The district’s consulting firm said that this type of attack could cost up to $100,000, but Agua Fria limited damages to $20,000, primarily because the district’s IT staff were hands-on and because no data was stolen, Gabel says.

Gabel’s advice to other districts on developing and using an incident response plan: “Trust the process, because we put the process in place for a reason,” he says.

Practicing Plans and Writing After-Action Reports Is Key to Recovery

In Illinois, Oak Park Elementary School District 97 has prepared itself for cybersecurity incidents by creating an incident response plan and continuing to practice it.

The 10-school district has not yet suffered a cyber intrusion. But instead of waiting for a major breach, IT Services Director Will Brackett uses small incidents, such as email phishing attempts, to practice response procedures.

“Some people may say, ‘I don’t want to do an incident response unless it reaches a certain level,’ but how do you know you’re going to do well if you don’t practice it?” he says.

Brackett’s plan defines people’s roles and duties and serves as a general blueprint for responding to cybersecurity incidents. He works with the IT staff to diagnose and resolve incidents, while the CTO shields the IT staff from phone calls, emails and texts so they can focus.

When needed, the CTO also gathers resources by reaching out to vendors. The IT staff pulls in affected departments, while the communications team updates employees and parents with information, he says.

The first step, however, is to contact the district’s insurance company because it may provide the district specific instructions, such as using a preferred third-party forensics expert, he says.

After an incident, Brackett writes an incident report for district leaders and an after-action report to find lessons learned.

A few years ago, the district successfully thwarted a spear-phishing attempt when hackers impersonating an administrator targeted a new staff member in the business office. They sent her an email saying she needed to pay a bill right away. 

She responded to the hackers. Then she reached out to an employee in the administrator’s office and said the funding request wasn’t going through proper channels. That employee flagged that it was a fake request. 

The team members collaborated to verify the legitimacy of the request, ultimately determining it was a phishing attempt. The district’s IT administrators confirmed no financial loss occurred and used the incident to strengthen cybersecurity protocols.

In the after-action review, the employees involved reflected on their disagreement over the legitimacy of the request. Brackett praised their willingness to question and verify the situation, as this ultimately prevented the threat from succeeding.

“The after-action review is your learning experience,” Brackett says. “We can document what worked, what didn’t work and what we can do better if this happens again.”

Improve Incident Response With Backup Solutions and Tabletop Drills

In New Jersey, a May 2024 ransomware attack prompted the Township of Union Public Schools to strengthen its cybersecurity posture, including making improvements to incident response and disaster recovery planning.

When the 10-school district suffered a network disruption after the attack, the district took systems offline while the district’s IT department, aided by external cybersecurity experts, assessed the intrusion, secured the network and restored operations using data backups.

While the district had viable backups, the antiquated backup server itself was impacted, requiring the IT staff to rebuild the backup server to restore operations, says John Sousa, the district’s new chief information & technology officer who was not part of the district during the cyberattack.

Sousa, who joined the district last November, is developing a high-level incident response plan. He is focused on having the right people, processes and technology in place to tackle any cyber incident.

LEARN MORE: Securing endpoints gets easier for overwhelmed K–12 IT teams.

He recently upgraded data backup and recovery with a new Cohesity solution that backs up data on-premises with a second, air-gapped backup copy in the cloud.

“The biggest thing is the business continuity part of incident response,” Sousa says. “Making sure we can bring ourselves online anywhere at any time is important, and that’s what we have now.”

The district also has a third-party incident response team that’s available 24/7. Next school year, he hopes to get budget for tabletop exercises, so he can practice incident response with key stakeholders. The exercises will allow Sousa to observe team dynamics and fine-tune his plan.

“The next year is about firming up people and processes,” he says. “In the meantime, having an air-gapped backup gives us some comfort and a little peace of mind.”