I think I’ve been hacked

A lot of individuals and companies of all sizes often use the phrase where they ‘think’ they’ve been hacked or breached, or had some form of unwanted event.

There is usually a lack of conviction in this statement, and in hindsight it’s not easy to validate.

Sure, one could use a service like haveibeenpwned.com to retrospectively check, or wait for a service provider to inform them that their data has been compromised – but there are better ways, if one is more proactive in their approach.

Perhaps one of the best features of Gmail is the ability to add a +something to your email address to identify which providers are either breached or have shared your email address.

For example, if my email is javvad@gmail.com; when signing up for BSidesLondon, I’ll provide my email address as javvad+bsideslondon@gmail.com.

It’s also worth looking at getting an adblocker (note not all adblockers are created equally – look for a good one that won’t sell you out in other ways). But basically, the less scripts that are allowed to run in your browser, the less tracking, and the less opportunity available for anyone to inject malicious content is good.

For those that have a bit more patience to validate every connection, get something like LittleSnitch or RadioSilence (or similar – I’m not endorsing these products). But anything that can detect outbound connections applications and software on your machine is making. It gives you the ability to control and decide which apps can communicate externally and send who knows what data.

Finally, one of my favourite techniques is to use honey tokens. The free ones available at Canarytokens are super easy to use and set up.

Other ways to set up your own honey tokens would be to put false customer records into your CRM. Set this customers email to an address that you control. That way, if you ever get emails sent to that particular address, you know that your customer records have been compromised – probably by your most recently-departed sales person.

While there are many other things one can do to enable quick detection of compromises, I find these some of the easiest and quickest to setup and get running with.

Having an early warning system is good, but it’s only as good as the response. Therefore you should have a plan of action as to what to do if you are notified that someone has accessed your files or compromised your accounts. Mainly this would include changing your passwords, notifying relevant parties, and putting your guard up. But it will depend on what is triggered, by who, and what your personal risk tolerance is.

For small businesses, and even larger corporations, these techniques can still work – however, there robust enterprise-grade offerings available which are more suited to the task (maybe the Canary hardware device is good for you, or AlienVault USM Anywhere) . Still, I wouldn’t be against having a few honey tokens scattered around a corporate network just to see who may be poking their nose around where it doesn’t belong.