High-profile intrusions are rarely interesting because of a single clever exploit. They are interesting because the attacker stays longer than defenders expect. Persistence happens when identity is weakly monitored, when privileges are too broad, and when one compromised account can touch everything.
Key idea: initial access is only the opening move. Most damage comes from what the attacker can still do a week later.
Triage checklist
- Turn on high-signal identity alerts (new admins, MFA changes, new device enrollments, new email forwarding rules).
- Separate admin accounts from daily accounts and remove stale privileged roles.
- Inventory internet-facing services and patch or reduce exposure for the exposed list first.
- Review third-party access and remove unused integrations and OAuth grants.
- Make restore readiness real: test restores and protect backups with separate credentials.
If you suspect compromise now, use what to do if your business or employees are hacked as an immediate response flow.
Why persistence is the real problem
Attackers do not always want to break things immediately. They often want options: a backdoor, a token, an admin role, a delegated permission. Those options let them return after you “fix” the obvious issue.
Persistence is common because defenders focus on endpoints and forget identity:
- Admin role changes are not reviewed.
- New OAuth app grants are not noticed.
- Email forwarding rules and delegated access are not audited.
- Service accounts and API keys accumulate without ownership.
Rule of thumb: if you cannot quickly answer “who has admin,” you cannot quickly remove attacker access.
Boundary-first defense: the controls that scale down
You cannot defend like a large agency, but you can copy the boundary logic that prevents a single compromise from becoming universal access.
| Boundary | What it limits | What to implement |
|---|---|---|
| Admin separation | Daily compromise becoming admin compromise | Separate admin accounts and enforce stronger authentication for admin actions |
| Least privilege | Lateral movement across systems | Role-based access, remove stale admins, time-box elevation where feasible |
| Exposure inventory | Drive-by exploitation | Explicit list of internet-facing services with owners and patch deadlines |
| Third-party constraints | Vendor tools becoming one-to-many access | Review vendor access, restrict permissions, remove unused integrations |
| Recoverability | Extortion leverage | Defensible backups, restore tests, separate backup admin credentials |
Identity monitoring: the safety net
Many intrusions are detected through identity and admin changes, not through malware alerts. High-signal items to monitor and review:
- New privileged roles or group memberships
- MFA disabled or re-registered
- New mailbox forwarding rules and delegated access
- New OAuth grants with broad permissions
- Unexpected device enrollments
For authentication method tradeoffs and why some methods resist phishing better than others, see two-factor authentication (2FA) and its many names.
Supply chain and one-to-many risk
High-profile intrusions often involve a one-to-many dynamic: a trusted vendor tool or service becomes the entry path into many downstream organizations. The defense is not “never use vendors.” The defense is to constrain vendors like privileged insiders.
Practical constraints:
- Limit vendor tooling permissions to what is necessary.
- Use separate roles for vendor access, with strong authentication.
- Segment networks so a vendor tool cannot reach everything by default.
For more supply chain framing, use after SolarWinds and FireEye: how can you avoid hackers and the Exchange incident translation in Microsoft Exchange breach lessons.
What to do when you suspect a persistent intruder
If you see repeated suspicious logins, admin changes, or signs that access returns after resets, treat it as a persistence problem, not a password problem.
Containment principles:
- Use a known-clean device to reset credentials and revoke sessions.
- Audit privileged roles and remove what is not explicitly required.
- Rotate API keys and service account credentials that could preserve access.
- Preserve logs and snapshots before rebuilding systems.
Safety note: do not rush to delete evidence. Preserve logs first, then rebuild. Evidence is often what tells you which access paths to close.
What to monitor when you cannot monitor everything
Small teams often do not have full-time security operations. That is fine. The failure is not lack of a SOC. The failure is lacking any routine for high-signal review. Build a short list and assign ownership.
| Signal | Owner | Why it matters |
|---|---|---|
| New admin roles or group membership | IT/Ops | Often indicates persistence or privilege escalation |
| MFA disabled or re-registered | IT/Ops | Common attacker move before widening access |
| New forwarding rules or delegates | IT/Ops | Email persistence and silent monitoring of resets |
| New OAuth grants | IT/Ops | Long-lived access that survives password changes |
| DNS and registrar changes | IT/Ops | Outages and redirection can become prolonged and expensive |
Assume token theft, not only password theft
Many defenders think in terms of passwords. Modern compromise often involves tokens and sessions. That is why “change password” alone can fail. Practical defensive moves:
- Use “log out of all devices” or session revocation during incidents.
- Review device lists and remove devices you do not recognize.
- Rotate API keys and service account credentials that could preserve access.
Containment boundaries: known-clean vs unknown
Large organizations often create containment boundaries: segments and accounts treated as known-clean versus unknown. Small teams can do the same conceptually:
- Protect a small set of recovery-capable admin accounts and keep them off suspicious devices.
- Restore critical services into an isolated environment before reconnecting to production networks.
- Keep unknown endpoints off the clean network until rebuilt or validated.
Rule of thumb: if you cannot prove a device is clean, do not let it touch the systems that can reset everything else.
Third-party access review: the part most teams skip
Vendor tools and integrations are often overlooked because they are “expected.” In persistent intrusions, they can be the return path. Review:
- Remote management and remote support tools
- SSO integrations and OAuth grants
- Shared admin accounts used by MSPs
Remove what is unused, restrict permissions for what remains, and ensure vendor access is logged.
Use authoritative patch prioritization signals
When patching cannot be immediate for everything, prioritize based on exposure and exploitation. CISA’s Known Exploited Vulnerabilities catalog is a useful input at known exploited vulnerabilities.
High-profile intrusions feel distant, but the defensive logic is not distant.
When identity changes are visible, privileges are constrained, third-party access is reviewed, and recovery is proven, persistence becomes harder and noisier.
That is the practical translation of headline intrusions into everyday defense.
Email compromise is often the persistence layer
Email is frequently used to maintain long-term access. Even if you remediate endpoints, mailbox rules can preserve attacker visibility into resets and vendor communication.
High-yield mailbox checks:
- Forwarding rules and auto-delete rules
- Delegated access and shared mailbox permissions
- New connected apps and OAuth grants
- Unexpected sign-ins and new device enrollments
Least privilege is not only about humans
Service accounts, API keys, and automation often outlive the person who created them. They are a common persistence path because they are rarely reviewed. Create a short inventory of non-human access:
- Which systems use API keys
- Which keys have broad permissions
- Who owns rotation and revocation
Most teams do not need more tools. They need fewer long-lived secrets with unclear owners.
Data retention: you cannot investigate what you did not keep
Persistence detection often depends on logs, and logs often disappear. Even small organizations can improve this dramatically by keeping a modest retention window for identity and admin logs.
Practical minimum:
- Identity sign-in logs and admin change logs retained long enough to compare “before” and “after” an incident.
- Email audit logs for rule changes and app grants.
- DNS and registrar changes retained and reviewed.
If you need a decision rule: keep the logs that let you answer “who changed what” for the systems that can reset everything else.
Hybrid environments: treat identity as the connective tissue
Many organizations are hybrid by accident: some on-prem services, some cloud services, and identity connecting them. Hybrid risk increases when one admin account can manage everything. Reduce that coupling:
- Use separate admin roles and separate admin accounts for different domains (email admin vs device admin vs DNS admin).
- Restrict administrative actions to known devices and known locations where feasible.
- Review privileged roles on a schedule and remove what is not explicitly required.
These boundaries do not require special tools. They require discipline and ownership.
Recoverability is part of intrusion defense
Persistent access and destructive incidents often travel together. Even if the initial objective is espionage, the same weak boundaries can later enable extortion or disruption. Make recovery a defensive control:
- Protect backups with separate credentials and limited admins.
- Test restores so you know the real time-to-restore.
- Alert on backup deletions and retention changes.
When recovery is proven, you reduce the attacker’s ability to control your timeline.
Make investigations repeatable
Intrusions are stressful partly because teams have no standard way to answer basic questions. Build a repeatable checklist for scoping: which identities changed, which sessions were active, which admin roles exist now, which integrations were added, and which remote access paths are still reachable. A repeatable checklist reduces the chance that the same persistence path survives across resets.
High-profile intrusions are reminders that compromise often persists because defenders stop at the first fix.
When you monitor identity changes, separate admin access, and constrain third-party privileges, persistence becomes harder and noisier.
That is how you turn a frightening headline into a set of boundaries that protect your own environment.