My Cyber Attack Experience: A Lesson in Response

Welcome Readers!

When I created the new website for the Canadian Animation Directory, I had always made sure security was in mind. Because of that I had never expected a cyber incident to happen so early on. After a smooth first year without any significant issues, I encountered my first real cyberattack: a bot-driven spam campaign that began creating fake user accounts on the site. Here's how I used the NIST Cybersecurity Framework to navigate and mitigate the situation.

Identify: Spotting the Attack

It all began when I noticed a surge in new user accounts on the site—accounts with spam or fake email addresses. What caught my attention even more was that these accounts were created in quick succession, but there was no corresponding activity on the website. The user sessions were unusually short, and most were immediately inactive after account creation. It became clear that this wasn't just an organic increase in user registrations.

Protect: Taking Immediate Action

Once I identified the issue, I moved quickly to protect the site from further harm. To prevent any additional spam accounts from being created, I temporarily removed the "Create Account" button from the site, along with the "Contact Us" form and other interactive functions that might be vulnerable to abuse. While I worked on finding the root cause, this immediate action helped minimize the risk of further malicious activity.

Detect: Investigating the Logs

To understand the scope of the attack, I turned to Hostinger’s logs to get a clearer picture of what was happening. From the log data, I discovered that the bot accounts were indeed being created, but there were no additional actions being performed, such as submitting forms or accessing restricted content. This helped confirm that the malicious activity was confined to the account creation process, which gave me a better focus for my next steps.
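As an added example (not code from the original post), this is the kind of check you could run over a host's access log to pick out the pattern described above: a burst of POSTs to the WordPress registration URL from an address that then does nothing else on the site. The log lines are constructed, and the "combined" log format and one-minute window are assumptions; Hostinger's actual log layout may differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the "combined" access-log format most hosts expose.
# 203.0.113.7 hammers the WordPress registration endpoint and does nothing
# else; 198.51.100.23 registers once and then browses the directory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:14:02:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:14:02:05 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:14:05:40 +0000] "GET /directory/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:14:06:12 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:14:07:02 +0000] "GET /studios/toronto/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
REGISTER_PATH = "/wp-login.php?action=register"  # WordPress's built-in sign-up URL

def parse(log_text):
    """Yield (ip, timestamp, method, path); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"]

def find_registration_bursts(log_text, window=timedelta(minutes=1), threshold=3):
    """Return {ip: {...}} for IPs that POST to the registration endpoint at least
    `threshold` times within any `window` and never request anything else:
    many sign-ups in quick succession with no follow-up activity."""
    reg_times, other_hits = defaultdict(list), defaultdict(int)
    for ip, ts, method, path in parse(log_text):
        if method == "POST" and path == REGISTER_PATH:
            reg_times[ip].append(ts)
        else:
            other_hits[ip] += 1
    suspects = {}
    for ip, times in reg_times.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold and other_hits[ip] == 0:
            suspects[ip] = {"registrations": len(times), "peak_in_window": peak}
    return suspects
```

Tune `window` and `threshold` to your site's normal sign-up rate before acting on the output, and treat a flagged address as a lead to verify against the user table, not as proof by itself.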

Respond: Enhancing Security Measures

With the root cause narrowing down to bot-driven account creation, I acted swiftly to fortify the site. I installed a WordPress plugin that blocks suspicious IP addresses, effectively preventing the bots from gaining further access. Additionally, I implemented Two-Factor Authentication (2FA) for all user accounts to provide an extra layer of protection. These measures significantly reduced the risk of future unauthorized access and helped keep the site secure.

Recover: Cleaning Up and Returning to Normal

The final step in my response was recovery. I carefully went through and removed all the spam accounts from the system, ensuring that no malicious data remained on the site. Afterward, I restored the website's regular functions, including the account creation and contact forms, with the new security enhancements in place. With the immediate threat neutralized, I was able to get back to baseline activity.

Key Takeaways

This experience was a valuable reminder that cybersecurity is an ongoing responsibility. As threats evolve, it’s essential to stay vigilant, update systems regularly, and follow best practices. By using the NIST Cybersecurity Framework, I was able to respond methodically to a potential disaster and strengthen the site’s defenses moving forward. 

Cybersecurity is not something that can be checked off and forgotten. It requires continuous learning, adaptation, and action. With new threats emerging every day, staying updated on the latest security trends and best practices is critical. Don’t wait for a cyberattack to occur—take steps now to protect your site, your users, and your data.

This was just one type of cyber attack. I have created a short list below of other kinds and the best way to defend against them, but remember to always stay vigilant and to stay ready.

1. Ransomware

Description: Ransomware is a type of malicious software that encrypts a victim's files and demands a ransom for the decryption key. It often spreads through phishing emails, infected downloads, or vulnerabilities in outdated software. Even if the ransom is paid, there's no guarantee the attacker will provide the key or refrain from future attacks.

Defense: Prevent ransomware by regularly backing up critical data, using robust antivirus software, and keeping all systems updated with the latest security patches. Train employees on identifying phishing emails and implement network segmentation to limit the spread of infection.

2. Social Engineering

Description: Social engineering involves manipulating individuals into divulging confidential information, such as login credentials or financial details. A common method is phishing, where threat actors pretending to be from reputable companies send e-mails in order to gain access to sensitive information. Attackers often pose as legitimate authorities, such as IT staff or executives, to exploit trust and bypass technical defenses.

Defense: Educate employees on recognizing phishing attempts and suspicious behaviors. Implement multi-factor authentication (MFA) to add an additional layer of security and regularly test staff through simulated phishing exercises.

3. Malware

Description: Malware refers to any malicious software designed to damage, steal, or gain unauthorized access to a system. Common types include viruses, worms, Trojans, and spyware, often delivered via infected websites, emails, or USB drives.

Defense: Install and maintain up-to-date anti-malware programs, limit the use of USB drives, and regularly patch all software vulnerabilities. Encourage users to avoid downloading files from untrusted sources and visit only secure, reputable websites.

4. Insider Threats

Description: Insider threats occur when individuals within an organization—employees, contractors, or business partners—intentionally or unintentionally cause harm to the company's data, systems, or reputation. This can include theft of sensitive data or sabotage.

Defense: Implement strict access controls based on the principle of least privilege, monitor user activity for unusual behavior, and conduct background checks for employees with access to critical systems. Encourage a culture of security awareness and provide clear reporting mechanisms for suspicious behavior.

5. Cloud Vulnerabilities

Description: Cloud vulnerabilities arise from insecure configurations, inadequate access controls, or poorly managed cloud services, making systems susceptible to unauthorized access, data breaches, or service disruptions. These risks can be compounded by shared responsibility models between service providers and users.

Defense: Secure cloud environments by configuring firewalls, using encryption, and employing identity and access management (IAM) protocols to restrict unauthorized access. Regularly audit cloud configurations and ensure all users are trained on cloud-specific security best practices.

Links

NIST has since updated its framework (February 2024); please see NIST Framework 2.0.

The Canadian Animation Directory
