Cyberattacks often come with hard lessons. These lessons are only valuable if shared for others to learn from. So here’s the question: Do you have the right security and recovery tools in place for your enterprise? Here’s why I ask.
Over the holiday season in 2022, my personal tech blog, which I use to share information with others, was attacked by malware. It was almost unrecoverable. Even though this was "just a blog," the troubleshooting and recovery process I used was the same one I would have followed at any enterprise company I worked for during my 25 years in tech as an IT practitioner.
I want to share this experience and its lessons with every enterprise, small or large, and for every kind of data, even a blog. Cyberattacks can hit any digital data in any organization. But the most important point I will make today is that the security posture for your data is never finished; it has to be maintained on an ongoing basis.
My blog was attacked during the last couple of months of 2022, and it took me the better part of four weeks to research the problem and restore it. The blog was mostly down during that time as I worked through the stages of recovery and data cleaning.
The attack was facilitated through a vulnerability in my malware scanner combined with a brute-force attack on my accounts. Once in, the attackers attached malware to my site and did not leave without infiltrating my backups as well. Neither my website hosting provider nor my secondary backup solution offered immutability, a limitation of the hosting platform I used for my small-scale deployment. My third and last option for recovery was local copies of the articles I had written.
The attack became apparent when I went to log in to my blog: the primary malware was attached to my login page, executed on load, and made the website completely unavailable. I was facing both a malware infection and a hard system down. The reality is that I almost did not get my "enterprise" back. The data was restored, but every available restore point was already malware-infected, so the only way back was to restore and then have a third-party tool clean the data immediately afterward.
It helps to know what security elements were in place at the time of the attack and why that is no longer a good enough strategy. My last security review had been many months earlier. A defense-in-depth strategy was in place. Details include:
Cyberthreats have become so advanced that even though I only had a blog, it was still interesting enough for someone to try to break into it, steal it, and exploit it for financial gain.
This step was painful because my backups were compromised. After three different restores and a third-party malware cleaning tool, the website was finally online. But this was only the beginning of the next level of recovery. I researched to understand how to close the security gaps that caused the problem. Here are the actions I took:
Many updates were needed to secure the blog and keep it free of malware. I had recovered from my last possible backup option, so my security strategy clearly needed this refresh.
If it can happen to me, it can happen to you. Using my experience as an example, here’s what you should take into consideration when you review your enterprise security strategy.
Data can be valuable to an attacker even when we do not think it is interesting. Beyond that, review and update your security posture frequently; legacy tools may not be enough in today's threat landscape. Implement multiple layers of tools with overlapping detection capability. For example, it is fine to run more than one malware scanner and more than one perimeter-level defense. Lastly, make sure your backup solution offers immutability, meaning that once a backup is written, nobody with access to the backup target can alter or delete it before its retention period ends. Without immutability, recovery may not be possible, because the backups you need may already be infected or gone.
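To make the immutability point concrete, here is an added example that is not code from the original post or from Cohesity: a toy write-once backup vault with a retention lock and content addressing. It replays the scenario above on constructed data: a clean nightly backup, a second backup taken after the site was compromised, and an attacker who then reaches the backup target. The `ImmutableVault` class, the `looks_clean` stand-in scanner, the sample blog and media bytes, and the timeline are all assumptions made for the example; a real product enforces the lock in storage rather than in a Python index file.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional


class RetentionLocked(Exception):
    """Raised when a caller tries to delete a snapshot before its lock expires."""


class IntegrityError(Exception):
    """Raised when a snapshot on disk no longer matches its recorded digest."""


class ImmutableVault:
    """Hypothetical write-once, content-addressed backup target (not a real API).

    Each snapshot is stored under its SHA-256 digest, cannot be deleted until
    retention_seconds after it was written, and is re-hashed on restore so
    tampering is detected instead of silently restored.
    """

    def __init__(self, root: str, retention_seconds: int) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.retention = retention_seconds
        self._index_path = self.root / "index.json"
        if not self._index_path.exists():
            self._index_path.write_text("{}")

    def _index(self) -> dict:
        return json.loads(self._index_path.read_text())

    def _save_index(self, index: dict) -> None:
        self._index_path.write_text(json.dumps(index))

    def put(self, label: str, data: bytes, now: int) -> str:
        """Store a snapshot. Identical content is deduplicated, never overwritten."""
        digest = hashlib.sha256(data).hexdigest()
        index = self._index()
        if digest not in index:
            path = self.root / digest
            path.write_bytes(data)
            os.chmod(path, 0o444)  # best effort only; the lock and the hash are the real controls
            index[digest] = {"label": label, "written": now, "locked_until": now + self.retention}
            self._save_index(index)
        return digest

    def delete(self, digest: str, now: int) -> None:
        """Refuse deletion while the retention lock is in force."""
        index = self._index()
        entry = index[digest]
        if now < entry["locked_until"]:
            raise RetentionLocked(f"{entry['label']} is locked until t={entry['locked_until']}")
        (self.root / digest).unlink()
        del index[digest]
        self._save_index(index)

    def restore(self, digest: str) -> bytes:
        """Return the snapshot only if it still hashes to its recorded digest."""
        data = (self.root / digest).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            raise IntegrityError(f"snapshot {digest[:12]} was altered on disk")
        return data

    def latest_passing(self, label: str, check: Callable[[bytes], bool]) -> Optional[bytes]:
        """Walk snapshots newest-first; return the first that verifies and passes `check`."""
        by_age = sorted((e["written"], d) for d, e in self._index().items() if e["label"] == label)
        for _, digest in reversed(by_age):
            try:
                data = self.restore(digest)
            except IntegrityError:
                continue  # tampered copy: skip it rather than restore it
            if check(data):
                return data
        return None


def looks_clean(data: bytes) -> bool:
    """Stand-in for a real malware scanner: it only knows one constructed marker."""
    return b"eval(base64_decode" not in data


def simulate_backup_attack() -> dict:
    """Constructed scenario: clean backup, post-compromise backup, attacker at the target."""
    day = 24 * 3600
    vault = ImmutableVault(tempfile.mkdtemp(prefix="vault-"), retention_seconds=30 * day)
    clean = b"<?php /* blog front page */ ?>"                                   # constructed
    infected = b"<?php /* blog front page */ eval(base64_decode('aGk=')); ?>"  # constructed

    clean_digest = vault.put("site", clean, now=0)
    vault.put("site", infected, now=5 * day)            # nightly backup taken after the compromise
    media_digest = vault.put("media", b"\x89PNG fake media bytes", now=0)

    try:                                                # attacker tries to destroy the clean copy
        vault.delete(clean_digest, now=6 * day)
        delete_refused = False
    except RetentionLocked:
        delete_refused = True

    media_path = vault.root / media_digest              # attacker scribbles over a file in place
    os.chmod(media_path, 0o644)
    media_path.write_bytes(b"garbage written by the attacker")
    try:
        vault.restore(media_digest)
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True

    return {
        "delete_refused": delete_refused,
        "tamper_detected": tamper_detected,
        "newest_is_infected": not looks_clean(vault.latest_passing("site", lambda _: True)),
        "recovered": vault.latest_passing("site", looks_clean),
        "clean": clean,
    }
```

Two things in this run mirror the post: the newest backup is itself infected, because it was taken after the compromise, and the attacker had access to the backup target. What differs is the outcome: the retention lock refuses the deletion of the older clean snapshot, the hash check on restore catches the in-place overwrite instead of handing back corrupted bytes, and walking back through verified snapshots with a scanner finds a clean restore point. Without the lock, the clean snapshot would have been gone and the only restore point would have been the infected one.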
For further reading on Cohesity enterprise data protection: