Jun 21, 2023|4 min|Technology

Lessons learned after a cyberattack

Be sure you review and update your security posture frequently—legacy tools may not be enough in today’s threat landscape.

Cyberattacks often come with hard lessons. These lessons are only valuable if shared for others to learn from. So here’s the question: Do you have the right security and recovery tools in place for your enterprise? Here’s why I ask.

Over the holiday season in 2022, my personal tech blog, which I use to share information with others, was attacked by malware. It was almost unrecoverable. Even though this was “just a blog,” the troubleshooting and recovery process I used was the same one I would have followed at any enterprise company I worked at during my past 25 years in tech as an IT practitioner.

I want to share this experience and the lessons learned with any enterprise, small or large, and for any data type, even just a blog. Cyberattacks can occur on any digital data type in any organization. Still, the most important part of what I will share today is that the security posture for your data must be maintained on an ongoing basis.

What happened?

My personal blog was attacked by malware during the last couple of months in 2022, and it took me the better part of four weeks to research and restore it. The blog was mostly down during this timeframe as I worked through various stages of recovery and data cleaning.

The cyberattack was facilitated through a vulnerability in my malware scanner, combined with a brute-force attack on my accounts. Once the attackers were in, they attached the malware to my site and didn’t leave without infiltrating my backups. Neither my website hosting provider nor my secondary backup solution offered immutability, due to the hosting platform used for my small-scale deployment. My third option for recovery was localized copies of the articles I had written.

The attack became apparent when I went to log in to my blog: the primary malware was attached to my login page, so loading the page executed the malware and made my website completely unavailable. I found that I had a malware infection to recover from and a hard system down. The reality is that I almost didn’t get my “enterprise” back. The data was restored, but the only recovery state available was malware-infected, and the only way back was to have a third party clean the data immediately following the restore.

My security strategy

It’s helpful to know what security elements were in place at the time of the attack, and why this is no longer the best strategy. My last security review had been many months prior. A defense-in-depth strategy was implemented. Details include:

  • Perimeter-level blocking was in place through a third party
  • A valid SSL certificate
  • Three backup options: a manual offline archive, a hosting-provider backup, and a third-party plugin backup
  • A malware scanning application
  • An antivirus scanning application
  • MFA (multifactor authentication) was not a readily available option for my blog when I last reviewed it, short of buying an expensive third-party tool. This was not in place.

Cyberthreats have become so advanced that, even though I just had a blog, it was still interesting enough for someone to try to break into it, steal it, and exploit it for financial gain.

Remediation

This step was painful because my backups were compromised. After three different restores and a third-party malware cleaning tool, the website was finally online. But this was only the beginning of the next level of recovery. I researched how to close the security gaps that caused the problem. Here are the actions I took:

  • Added a second perimeter level protection layer.
  • Removed the old malware scanner and installed a new updated one.
  • Added a second external third-party malware scanner.
  • Removed all old and outdated/unused applications.
  • Implemented software that protects the names of my user logins.
  • Renamed every login account (they were all compromised).
  • Implemented an MFA login application now that it’s available.
  • Updated my backup strategy to include more retention and a more modern solution now that tools are improving and becoming more readily available.

Many updates were needed to secure the blog and keep it clean from malware. I recovered from my last possible backup option, so my security strategy needed this refresh.

Lessons learned

If it can happen to me, it can happen to you. Using my experience as an example, here’s what you should take into consideration when you review your enterprise security strategy.

  • Cyberattacks can happen to any data at any time: even if the data seems uninteresting or insignificant.
  • Security posture reviews and implementation should be ongoing: I suspect many of you are doing this already, but it’s worth the callout. We get busy, or in my case, a blog is a passive activity, so it may not be top of mind. But it should be.
  • Check again and review often: Be open to updating and implementing new tools to ensure a multilayered, defense-in-depth approach.
  • Backup and recovery testing: Keep your backups on WORM storage for a layer of immutability, so they are tamper-proof, and continue to do recovery testing.
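As an added illustration of the last point (this is example code, not code from the original post or from any product it mentions), here is a Python sketch of the recovery-testing check that would have flagged the situation described above, where the newer restore points were already infected. Each backup's file hashes are recorded in a manifest that is assumed to live out of band on WORM or offline media, and restore-point selection walks newest-first to the latest snapshot that still matches its manifest. The file names, dates and snapshot contents are constructed sample data.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(snapshot: dict) -> dict:
    """Record one hash per file at backup time. The manifest is assumed to be
    written to WORM/offline storage, so tampering with the backup later
    cannot also rewrite the manifest."""
    return {path: sha256(content) for path, content in snapshot.items()}

def verify_snapshot(snapshot: dict, manifest: dict) -> list:
    """Compare a restore point against its manifest and return findings
    as (kind, path) tuples: modified, missing, or unexpected files."""
    findings = []
    for path, digest in manifest.items():
        if path not in snapshot:
            findings.append(("missing", path))
        elif sha256(snapshot[path]) != digest:
            findings.append(("modified", path))
    for path in snapshot:
        if path not in manifest:
            findings.append(("unexpected", path))
    return findings

def latest_clean_restore_point(snapshots: dict, manifests: dict):
    """Walk restore points newest-first and return the first one that
    verifies cleanly, or None when every backup has been tampered with."""
    for name in sorted(snapshots, reverse=True):
        if not verify_snapshot(snapshots[name], manifests[name]):
            return name
    return None

# Constructed sample data: three backups of a small site, named by date.
CLEAN_SITE = {
    "login.php": b"<?php /* clean login page */ ?>",
    "posts/lessons.md": b"# Lessons learned\n",
}
SNAPSHOTS = {d: dict(CLEAN_SITE) for d in ("2022-11-01", "2022-11-15", "2022-12-01")}
# Manifests were captured while each backup was still clean.
MANIFESTS = {name: build_manifest(snap) for name, snap in SNAPSHOTS.items()}
# Simulate the post's scenario: the two newer backups were altered after the
# fact (payload attached to the login page, a dropped file in the newest).
SNAPSHOTS["2022-11-15"]["login.php"] += b"<!-- injected -->"
SNAPSHOTS["2022-12-01"]["login.php"] += b"<!-- injected -->"
SNAPSHOTS["2022-12-01"]["uploads/dropped.php"] = b"<?php /* dropped */ ?>"
if __name__ == "__main__":
    for name in sorted(SNAPSHOTS):
        print(name, verify_snapshot(SNAPSHOTS[name], MANIFESTS[name]) or "clean")
    print("restore from:", latest_clean_restore_point(SNAPSHOTS, MANIFESTS))
```

Without the out-of-band manifest the check is meaningless, which is the practical reason the post insists on immutability: a backup that can be rewritten can also be made to look clean.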

If it can happen to me, it can happen to you

Data can be valuable to a cyberattacker, even if we don’t think it’s interesting. Beyond that, review and update your security posture frequently; legacy tools may not be enough in today’s threat landscape. Implement multiple layers of tools that overlap in detection capability. For example, it’s OK to have more than one malware scanner and multiple perimeter-level defenses in place. Lastly, make sure that you implement a solution that offers immutability. Without immutability, recovery may not be possible.


Written by

Theresa Miller

Director, Technical Advocacy Group (TAG)

Theresa Miller is a Principal Technologist at Cohesity. She is an IT professional who has been working as a technical expert in IT for over 20 years and holds an MBA. She is uniquely recognized in the industry as a Microsoft MVP, Citrix CTP, and VMware vExpert.
