As you can see, there are a lot of tools and procedures at your disposal to help spot attackers. There are many activities that attackers must engage in to learn and expand in an environment. Getting in, for them, is just the first step. At a minimum, a bot needs to connect back and monetize the intrusion through bitcoin mining, click fraud, spam, or other nefarious means. In the more serious cases, the initial intrusion is just the beachhead the attacker uses to then learn and expand on your network in the pursuit of your data. In either case, all is not lost upon intrusion - there is still plenty of time to find and root out attackers and malware before serious damage is done.
Further, it is actually possible to spot all these activities, and more, directly from the network - provided you can extract the right metadata from the packet flows. Doing this by hand is hard, but it is well suited to an automated tool. By analyzing network traffic with Deep Packet Inspection, an automated security solution can identify the anomalies indicative of a live attack.
If you are interested in automating these detection steps and more, find a solution that uses machine learning to automate the baselining process on your network so you can quickly find and stop attackers who have circumvented traditional security controls.