Have You Been Hacked? Indicators of Compromise (IOC)

How do you know if you have been hacked?  Organizations often find out they have been hacked 3 to 6 months after the initial incident.  Typically, they learn of the hack from an outside source.

There are many items that should be monitored in a network to determine if there is a potential incident.  Below is a list of a few key items for monitoring Active Directory (AD) and your firewall.

In AD monitor these key items:

  • Any network login from a user with privileged (administrative) access. Privileged accounts should only be used to manage the network.  Users with administrative accounts should have a regular user account to perform normal business functions.  The use of privileged accounts must be justified.
  • The creation and deletion of user accounts.
  • The modification of user access rights – escalation or de-escalation.
  • Failed logins. Many failed logins can indicate the account is at risk.

On your firewall monitor these key items:

  • Top users by bandwidth and sessions. These metrics should be used to create a baseline to detect anomalies.
  • Outbound firewall traffic that is being blocked. This indicates that a user or their computer is trying to reach unauthorized sites.

The items suggested above are the minimum key indicators that can be monitored to help you if you have a potential incident.

Posted by Jack Gerbs