Reading the Signs: How to Tell If You’ve Been Compromised

Attackers rely on time. The longer they go unnoticed, the more they can learn, spread, and take. Yet most organisations have no real way of knowing whether someone is already inside.

You don’t need a security operations centre to catch the basics. You need to know what to look for and to actually be looking.

A few signs that deserve attention:

Logins that don’t make sense. An account signing in at 3am, from a country you don’t operate in, or from two places at once. These are some of the clearest early signals — but only if someone is reviewing login activity.

New accounts or changed permissions. Attackers often create their own accounts or quietly elevate an existing one so they can return later. An account that suddenly gained admin rights, with no ticket explaining why, is worth a hard look.

Unexpected scheduled tasks or services. Persistence — the attacker’s way of surviving a reboot — often shows up as a new scheduled task, service, or startup entry that nobody recognises.

Security tooling being switched off. If antivirus or logging gets disabled on a machine and no one did it deliberately, treat that as a serious signal, not a glitch.

Logs that suddenly go quiet. Clearing or stopping logs is a common way to cover tracks. A gap where there should be activity can be as telling as the activity itself.

The common thread: none of these are visible if you aren’t generating and reviewing the right logs in the first place. The single most useful thing many organisations can do is make sure key events — logins, account changes, privilege changes — are being recorded and that someone, or something, is actually watching them.
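As an added illustration (not code from the original article), the script below runs the checks described above over a small, constructed set of login and privilege-change events: sign-ins in the early hours, sign-ins from a country the organisation does not operate in, one account appearing in two countries within an hour, admin grants with no change ticket attached, and stretches where logging fell silent. The event format, the list of operating countries and every threshold are assumptions chosen for the example; a real deployment would read the same fields from the identity provider's or domain controller's logs.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (time UTC, user, kind, detail).
# kind "login": detail is the source country; kind "privilege": detail is the ticket id.
EVENTS = [
    ("2024-05-01 09:02", "alice", "login", "GB"),
    ("2024-05-01 09:10", "bob", "login", "GB"),
    ("2024-05-01 09:40", "alice", "login", "BR"),        # GB then BR, 38 minutes apart
    ("2024-05-01 10:15", "svc-backup", "privilege", ""), # admin granted, no ticket
    ("2024-05-01 10:20", "carol", "privilege", "CHG-1042"),
    ("2024-05-02 03:05", "bob", "login", "GB"),          # 3am sign-in
    ("2024-05-02 03:06", "bob", "login", "RU"),          # country the org does not operate in
    ("2024-05-02 18:00", "alice", "login", "GB"),        # roughly 15 hours of silence before this
]

OPERATING_COUNTRIES = {"GB", "IE"}     # assumed footprint of the organisation
QUIET_START, QUIET_END = 0, 5          # hours (in the log's timezone) treated as out-of-hours
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this window = "two places at once"
MAX_SILENCE = timedelta(hours=6)       # no events at all for this long = suspicious log gap

def parse(event):
    t, user, kind, detail = event
    return datetime.strptime(t, "%Y-%m-%d %H:%M"), user, kind, detail

def find_signals(events):
    """Return a list of (rule, user, timestamp) for each sign that fires, in time order."""
    rows = sorted(map(parse, events))
    signals = []
    last_login = {}   # user -> (time, country) of the most recent sign-in
    prev_time = None
    for t, user, kind, detail in rows:
        if prev_time is not None and t - prev_time > MAX_SILENCE:
            signals.append(("log_gap", "*", t))   # logs went quiet before this event
        prev_time = t
        if kind == "login":
            if QUIET_START <= t.hour < QUIET_END:
                signals.append(("off_hours_login", user, t))
            if detail not in OPERATING_COUNTRIES:
                signals.append(("unexpected_country", user, t))
            prev = last_login.get(user)
            if prev and prev[1] != detail and t - prev[0] <= TRAVEL_WINDOW:
                signals.append(("impossible_travel", user, t))
            last_login[user] = (t, detail)
        elif kind == "privilege" and not detail:
            signals.append(("privilege_change_no_ticket", user, t))
    return signals

if __name__ == "__main__":
    for rule, user, t in find_signals(EVENTS):
        print(f"{t:%Y-%m-%d %H:%M}  {rule:<26} {user}")
```

Each rule on its own produces noise (a night-shift admin, a travelling salesperson), so the value is in reviewing the hits in context rather than alerting on any single one.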

Knowing what normal looks like is what makes abnormal stand out. That’s where detection really begins.