How do you know if you have been hacked? Organizations often find out they have been hacked 3 to 6 months after the initial incident. Typically, they learn of the hack from an outside source.
There are many items that should be monitored in a network to determine if there is a potential incident. Below is a list of a few key items for monitoring Active Directory (AD) and your firewall.
In AD monitor these key items:
- Any network login from a user with privileged (administrative) access. Privileged accounts should only be used to manage the network. Users with administrative accounts should have a regular user account to perform normal business functions. The use of privileged accounts must be justified.
- The creation and deletion of user accounts.
- The modification of user access rights – escalation or de-escalation.
- Failed logins. Repeated failed logins can indicate that the account is being targeted.
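As an added illustration of the AD items above (not code from the original article), the following Python detection logic walks Windows Security event records and raises one alert per indicator: event 4624 with logon type 3 for a privileged account (network login by an admin), 4720/4726 (account created/deleted), the group-membership events 4728/4732/4756 and 4729/4733/4757 when the group is a privileged one (escalation/de-escalation), and a threshold on 4625 (failed logins). The account names, group names, threshold and sample events are constructed assumptions, not values from the article.

```python
from collections import Counter

# Assumptions for the example: which accounts and groups count as privileged.
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-backup"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
FAILED_LOGON_THRESHOLD = 5
GROUP_ADD = {4728, 4732, 4756}     # member added to global / local / universal group
GROUP_REMOVE = {4729, 4733, 4757}  # member removed from global / local / universal group


def analyze(events):
    """Return a list of (category, detail) alerts for the AD indicators."""
    alerts, failed = [], Counter()
    for e in events:
        eid, user = e["EventID"], e.get("TargetUserName", "")
        if eid == 4624 and e.get("LogonType") == 3 and user in PRIVILEGED_ACCOUNTS:
            alerts.append(("privileged-logon", f"{user} network logon from {e.get('IpAddress')}"))
        elif eid == 4720:
            alerts.append(("account-created", f"{user} by {e['SubjectUserName']}"))
        elif eid == 4726:
            alerts.append(("account-deleted", f"{user} by {e['SubjectUserName']}"))
        elif eid in GROUP_ADD and user in PRIVILEGED_GROUPS:
            # for group events TargetUserName is the group, MemberName the member
            alerts.append(("rights-escalation", f"{e['MemberName']} added to {user}"))
        elif eid in GROUP_REMOVE and user in PRIVILEGED_GROUPS:
            alerts.append(("rights-deescalation", f"{e['MemberName']} removed from {user}"))
        elif eid == 4625:
            failed[user] += 1  # count failures per account, alert once the threshold is hit
    for user, n in failed.items():
        if n >= FAILED_LOGON_THRESHOLD:
            alerts.append(("failed-logons", f"{user}: {n} failures"))
    return alerts


# Constructed sample events; field names follow the Windows Security event data schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "adm-jsmith", "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4720, "TargetUserName": "svc-new", "SubjectUserName": "adm-jsmith"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "adm-jsmith",
     "MemberName": "CN=svc-new,OU=Users,DC=corp,DC=example"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users", "SubjectUserName": "adm-jsmith",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},  # not a privileged group: no alert
    {"EventID": 4726, "TargetUserName": "old-contractor", "SubjectUserName": "adm-backup"},
] + [{"EventID": 4625, "TargetUserName": "jdoe"} for _ in range(6)]

if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_EVENTS):
        print(f"[{category}] {detail}")
```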
On your firewall monitor these key items:
- Top users by bandwidth and sessions. These metrics should be used to create a baseline to detect anomalies.
- Outbound firewall traffic that is being blocked. This indicates that a user or their computer is trying to reach unauthorized sites.
The items above are the minimum set of indicators to monitor; watching them helps you recognize and investigate a potential incident.