General Indicators of Malicious Activity (Domain 2)
In this episode, we are wrapping up our coverage of network and system threat indicators by exploring general signs of malicious activity. These aren’t always tied to a specific type of malware or attack vector, but they often appear when something suspicious or unauthorized is occurring. By recognizing these warning signs early, organizations can detect breaches, stop attackers in their tracks, and contain damage before it spreads.
Let’s begin with account lockouts and concurrent sessions. An account lockout occurs when a user exceeds the allowed number of failed login attempts. While this could simply mean someone forgot their password, repeated lockouts—especially across multiple accounts—often indicate an active attack, such as brute force or password spraying.
Even more concerning is the presence of concurrent sessions. This happens when the same user account is logged in from multiple devices or locations at the same time. If your logs show the same account being used in two different places—especially in different time zones or from unfamiliar IP addresses—that’s a strong indicator of credential compromise.
Monitoring tools should alert on these events and correlate them with login history, geolocation data, and time stamps. Account lockout logs, session tracking, and authentication histories are critical sources of information when investigating possible intrusions.
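The correlation described above, as an added example that is not part of the episode: it runs lockout and concurrent-session checks over a few constructed authentication records (the lockout threshold, window, and log format are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system):
# ISO timestamp, account, source IP, result (FAIL / OK / LOGOUT)
EVENTS = """\
2024-05-01T08:00:05 alice 10.0.0.12 FAIL
2024-05-01T08:00:09 alice 10.0.0.12 FAIL
2024-05-01T08:00:14 alice 10.0.0.12 FAIL
2024-05-01T08:00:19 alice 10.0.0.12 FAIL
2024-05-01T08:00:25 alice 10.0.0.12 FAIL
2024-05-01T08:01:00 alice 10.0.0.12 FAIL
2024-05-01T09:10:00 bob 10.0.0.44 OK
2024-05-01T09:12:30 bob 198.51.100.7 OK
2024-05-01T09:40:00 bob 10.0.0.44 LOGOUT
"""

LOCKOUT_THRESHOLD = 5                 # assumed: failures allowed inside the window
LOCKOUT_WINDOW = timedelta(minutes=15)

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        rows.append((datetime.fromisoformat(ts), user, ip, result))
    return rows

def lockouts(events):
    """Accounts whose failed logins within LOCKOUT_WINDOW exceed the threshold."""
    recent = defaultdict(list)        # user -> failure timestamps still in window
    locked = set()
    for ts, user, _ip, result in events:
        if result != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
        if len(recent[user]) > LOCKOUT_THRESHOLD:
            locked.add(user)
    return sorted(locked)

def concurrent_sessions(events):
    """(user, existing_ip, new_ip) whenever a user logs in while a session from another IP is open."""
    active = defaultdict(dict)        # user -> {ip: login time}
    findings = []
    for ts, user, ip, result in events:
        if result == "OK":
            findings += [(user, other, ip) for other in active[user] if other != ip]
            active[user][ip] = ts
        elif result == "LOGOUT":
            active[user].pop(ip, None)
    return findings

def analyze(text=EVENTS):
    ev = parse(text)
    return {"lockouts": lockouts(ev), "concurrent": concurrent_sessions(ev)}
```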
Next, let’s discuss blocked content and impossible travel. Content blocking is often the result of web filters or firewall policies that prevent users from accessing suspicious or unauthorized websites. When content is blocked repeatedly—especially from the same user or system—it may signal that malware is trying to reach a command-and-control server or that an insider is attempting to bypass security policies.
Impossible travel refers to login activity that cannot be explained given the physical distance and time between two logins. For example, if a user logs in from Chicago at 8:00 AM and then appears to log in from Singapore twenty minutes later, that’s not physically possible. Unless that user is using a virtual private network or remote desktop session, the login is almost certainly fraudulent.
Security platforms often use geolocation data and behavioral analytics to flag these kinds of events. When triggered, they may block access, prompt for multi-factor authentication, or alert administrators. While not all impossible travel is malicious, it should always be investigated to confirm the source.
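The Chicago-to-Singapore case above, as an added example that is not from the episode: it computes the speed a user would have needed between consecutive geolocated logins and flags anything faster than an assumed 1000 km/h, while skipping logins from an assumed list of known VPN exit addresses (all coordinates, IPs and thresholds are constructed).

```python
import math
from datetime import datetime

# Constructed login records: (user, ISO timestamp, latitude, longitude, source IP).
LOGINS = [
    ("dave", "2024-05-01T08:00:00", 41.88, -87.63, "203.0.113.5"),    # Chicago
    ("dave", "2024-05-01T08:20:00", 1.35, 103.82, "203.0.113.77"),   # Singapore, 20 min later
    ("erin", "2024-05-01T09:00:00", 41.88, -87.63, "203.0.113.9"),    # Chicago
    ("erin", "2024-05-01T11:00:00", 40.71, -74.01, "203.0.113.9"),    # New York, 2 h later
]

MAX_SPEED_KMH = 1000.0                  # assumed: faster than an airliner is impossible
KNOWN_VPN_EGRESS = {"198.51.100.200"}   # assumed corporate VPN exit IPs (placeholder)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_SPEED_KMH, vpn_ips=KNOWN_VPN_EGRESS):
    """Return (user, km, minutes, km/h) for consecutive logins that require impossible speed."""
    by_user = {}
    for user, ts, lat, lon, ip in sorted(logins, key=lambda x: x[1]):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon, ip))
    alerts = []
    for user, seq in by_user.items():
        for (t1, la1, lo1, ip1), (t2, la2, lo2, ip2) in zip(seq, seq[1:]):
            if ip1 in vpn_ips or ip2 in vpn_ips:
                continue   # VPN egress geolocates to the exit node, so the distance is meaningless
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0:
                continue   # identical timestamps: cannot compute a speed
            km = haversine_km(la1, lo1, la2, lo2)
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, round(km), round(hours * 60), round(kmh)))
    return alerts
```

Flagged pairs would normally feed the response the text describes (step-up MFA or an analyst alert) rather than an automatic block, since a VPN not on the allowlist produces the same signal.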
Now let’s move on to resource consumption and inaccessibility. When an attacker gains access to a system, they often consume significant resources—whether it’s CPU cycles for cryptocurrency mining, memory for malware execution, or bandwidth for data exfiltration. Signs of this include slow system performance, unusually high processor or memory usage, and spikes in network activity.
Inaccessibility of systems or services is another potential warning sign. A file server that suddenly goes offline or a service that becomes unavailable for no clear reason may have been taken down intentionally—either as part of a denial-of-service attack or to conceal malicious behavior. These events should trigger immediate investigation, especially if they involve systems with high security value.
Administrators should use resource monitoring tools to establish performance baselines and alert on unusual behavior. A sudden change in resource usage patterns may indicate a breach in progress, a misconfiguration, or a rogue process operating outside of normal business use.
Finally, let’s examine logging anomalies. Logs are essential for detecting and responding to threats. When logs themselves show signs of tampering or inconsistency, it often indicates that someone is trying to cover their tracks.
One common anomaly is out-of-cycle logging. This refers to log activity that occurs outside expected business hours or in time frames where no users should be active. While this can occasionally result from scheduled maintenance, repeated off-hours activity is a red flag—especially if it comes from administrative accounts or targets sensitive systems.
Missing logs are another serious concern. If audit trails are incomplete, or if entire blocks of logs are missing from critical systems, it could mean that an attacker has gained privileged access and is trying to erase their footprint. Sudden gaps in logging, unusual formatting, or mismatched timestamps all point to potential manipulation.
Documented anomalies—like log entries that show actions that shouldn’t be possible or that contradict other system records—are also signs of compromise. For example, a log might say a user logged in but never logged out, or show file access from a session that doesn’t exist anywhere else.
To detect these issues, organizations should implement centralized log management systems with tamper-resistant storage. Logs should be time-synchronized and monitored using automated tools that alert on deviations from expected patterns. Daily review of high-value system logs—combined with long-term retention policies—helps preserve evidence and improve threat visibility.
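The gap and out-of-cycle checks described in this section, as an added example that is not from the episode: it reviews constructed, time-synchronized log lines from a host that is assumed to emit a heartbeat every five minutes, reporting missing heartbeat runs and non-heartbeat events outside assumed business hours.

```python
from datetime import datetime, timedelta

# Constructed log lines (ISO timestamp followed by message); not from any real host.
# The host is assumed to write a "heartbeat" entry every 5 minutes.
LOG_LINES = """\
2024-05-01T22:55:00 heartbeat
2024-05-01T23:00:00 heartbeat
2024-05-01T23:05:00 heartbeat
2024-05-02T00:40:00 heartbeat
2024-05-02T00:45:00 heartbeat
2024-05-02T02:10:00 admin_login user=root
2024-05-02T09:00:00 heartbeat
"""

HEARTBEAT = timedelta(minutes=5)
MAX_SKEW = timedelta(seconds=30)       # assumed tolerance for minor clock drift
BUSINESS_HOURS = range(8, 18)          # assumed 08:00 to 17:59 local time

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, _, msg = line.partition(" ")
        rows.append((datetime.fromisoformat(ts), msg))
    return rows

def logging_gaps(rows, interval=HEARTBEAT, skew=MAX_SKEW):
    """(start, end, minutes) for every stretch where expected heartbeats are missing."""
    beats = [ts for ts, msg in rows if msg == "heartbeat"]
    gaps = []
    for prev, cur in zip(beats, beats[1:]):
        if cur - prev > interval + skew:
            gaps.append((prev, cur, int((cur - prev).total_seconds() // 60)))
    return gaps

def out_of_cycle(rows, hours=BUSINESS_HOURS):
    """Non-heartbeat events written outside business hours."""
    return [(ts, msg) for ts, msg in rows
            if msg != "heartbeat" and ts.hour not in hours]

def review(text=LOG_LINES):
    rows = parse(text)
    return {"gaps": logging_gaps(rows), "off_hours": out_of_cycle(rows)}
```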
As you prepare for the Security Plus exam, keep in mind that not all threat indicators are obvious. General signs like account lockouts, impossible travel, resource exhaustion, or logging irregularities may be the first and only signs that something is wrong. You may be asked to analyze a scenario involving suspicious behavior or to recommend actions based on unusual patterns in logs or system performance. Focus on anomaly detection, session monitoring, and system baselines as your primary defenses in these situations.
