by iboisvert 868 days ago
As someone who knows very little about security, this is really interesting, thanks! A question though: how would one know if there has been a breach? These examples look relatively easy to detect, but I guess there would be more complex cases?
4 comments

I also know very little, but something that struck me upon reading your question: if a breach is successful, the logs can't be relied upon for detection/analysis if they're on the same server. It's important to ship them elsewhere.
This is why some people run a honeypot in their network... and even those won't necessarily catch everything if the honeypot only mimics services that the attacker isn't probing for. You can set up tripwires on access and egress of sensitive data but that's only part of the surface area (and if the system gets attacked those tripwires could be disabled, if the attacker either knows what to look for or has a plan for a side channel for exfiltrating data).

Really the only good answer is defense in depth: keep looking for any indicators of odd behavior, wall out unrelated systems entirely from each other, and keep the DMZ and public-facing bits as simple as possible.

You can use honeypots that bait hackers. I am running a non-intrusive one where you put baits on your servers or laptop; when hackers see them, they'll try to use them.
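One concrete form of the bait/tripwire idea in the comments above, as an added example that is not part of this thread: a small Python scanner that flags any use of bait usernames or API tokens in log lines. The bait names, the token and the log lines are all constructed for the example; the scanner is meant to run on a log collector, not on the host that produced the logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed bait identities: nothing legitimate ever uses them, so any
# appearance in a log is a high-confidence indicator worth an alert.
BAIT_USERS = {"svc_backup_legacy", "aws_root_bkp"}
BAIT_TOKENS = {"AKIA-FAKE-HONEYTOKEN-0001"}  # constructed, not a real key format

@dataclass
class Alert:
    line_no: int
    indicator: str            # which bait was touched
    source_ip: Optional[str]  # where the attempt came from, if the line says

# Matches OpenSSH auth lines: "Failed password for invalid user X from IP ..."
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def scan_log(lines: List[str]) -> List[Alert]:
    """Return one Alert per line that references a bait user or token."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = SSH_RE.search(line)
        if m and m.group(1) in BAIT_USERS:
            alerts.append(Alert(n, m.group(1), m.group(2)))
            continue
        for tok in BAIT_TOKENS:
            if tok in line:
                ip = IP_RE.search(line)
                alerts.append(Alert(n, tok, ip.group(1) if ip else None))
    return alerts

# Constructed sample log: one normal login, one probe of a bait user,
# one API call presenting the bait token.
SAMPLE_LOG = [
    "Mar  1 10:00:01 web1 sshd[4021]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Mar  1 10:02:17 web1 sshd[4055]: Failed password for invalid user svc_backup_legacy from 203.0.113.9 port 40122 ssh2",
    "Mar  1 10:03:40 web1 api[1200]: GET /v1/export auth=AKIA-FAKE-HONEYTOKEN-0001 src=203.0.113.9 status=403",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: bait {a.indicator!r} used from {a.source_ip}")
```

The same source address showing up against two different baits is the kind of correlation a collector can make but a compromised host cannot be trusted to report.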
IOCs, or indicators of compromise, but if you know little it is always advisable to hire someone to go through it on demand or periodically, as there's no one trick to rule them all.