In this video Sandfly founder Craig Rowland discusses the importance of searching for Linux anti-forensic techniques on hosts you are protecting.
Anti-forensics are the techniques intruders and malware use on Linux hosts to conceal their activity: wiping or redirecting shell history, altering file timestamps, deleting binaries from disk while the process keeps running, and similar tricks. Exploit signatures have a short shelf life and go stale quickly, but anti-forensic activity is hard to hide once you actively look for it. The irony is that these tactics change very little over time, which makes them a durable way to look for signs of compromise.
Sandfly looks for a wide range of anti-forensic activity because hunting for it is so effective at zeroing in on attackers without needing to know the specific exploit they used to gain access. This video discusses why you may want to spend more time hunting for anti-forensics rather than traditional exploit signatures.
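To make the idea concrete, here is an added example (not Sandfly's code and not taken from the video) of the kind of host check a defender can run for three common Linux anti-forensic tactics. The heuristics are assumptions stated in the comments: ctime cannot be set from user space with utime()/utimensat(), so an mtime that is newer than ctime, or that carries exactly zero nanoseconds while ctime does not, suggests a fabricated timestamp; a process whose `/proc/<pid>/exe` link ends in ` (deleted)` is running from a binary that no longer exists on disk; and a shell history file that is a symlink into `/dev/` has been neutralized. The sample records in the test are constructed, not collected from a real host.

```python
"""
Hunt for a few common Linux anti-forensic indicators.

Added example; the heuristics below are assumptions, not a product's logic:
  * Timestomping: ctime is set by the kernel and cannot be chosen with
    utime()/utimensat(), so mtime > ctime, or an mtime with zero nanoseconds
    next to a ctime with nanoseconds, hints at a fabricated mtime.
    Caveat: package managers also set mtime from the archive, so check
    packaged files against the package database before acting on a hit.
  * Deleted running binary: /proc/<pid>/exe resolves to "... (deleted)".
  * History tampering: ~/.bash_history (or similar) is a symlink into /dev/.
"""
import os
from dataclasses import dataclass
from typing import List, Tuple

NS_PER_SEC = 1_000_000_000
DELETED_SUFFIX = " (deleted)"
HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history")


@dataclass
class FileStat:
    """Minimal stat record so the checks can run on constructed input."""
    path: str
    mtime_ns: int
    ctime_ns: int


def timestomp_findings(f: FileStat) -> List[str]:
    """Return human-readable reasons this file's timestamps look forged."""
    findings = []
    if f.mtime_ns > f.ctime_ns:
        findings.append("mtime newer than ctime")
    if f.mtime_ns % NS_PER_SEC == 0 and f.ctime_ns % NS_PER_SEC != 0:
        findings.append("mtime has zero nanoseconds but ctime does not")
    return findings


def exe_deleted(exe_link_target: str) -> bool:
    """True when a readlink() of /proc/<pid>/exe shows the binary is gone."""
    return exe_link_target.endswith(DELETED_SUFFIX)


def history_link_suspicious(link_target: str) -> bool:
    """True when a history file is a symlink to a device node (e.g. /dev/null)."""
    return link_target.startswith("/dev/")


# --- Live collection on a real host (skipped by the offline test) ----------

def scan_directory(root: str, max_files: int = 5000) -> List[Tuple[str, List[str]]]:
    """Walk a tree and report files whose timestamps fail timestomp_findings()."""
    hits, seen = [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if seen >= max_files:
                return hits
            seen += 1
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            found = timestomp_findings(FileStat(path, st.st_mtime_ns, st.st_ctime_ns))
            if found:
                hits.append((path, found))
    return hits


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Report PIDs whose executable has been unlinked from disk."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads and processes we cannot inspect
        if exe_deleted(target):
            hits.append((int(entry), target))
    return hits


def scan_histories(home_root: str = "/home") -> List[Tuple[str, str]]:
    """Report history files that are symlinked into /dev/."""
    hits = []
    for user_dir in (os.path.join(home_root, d) for d in os.listdir(home_root)):
        for hist in HISTORY_FILES:
            path = os.path.join(user_dir, hist)
            if os.path.islink(path) and history_link_suspicious(os.readlink(path)):
                hits.append((path, os.readlink(path)))
    return hits


if __name__ == "__main__":
    for path, why in scan_directory("/tmp"):
        print(f"[timestomp] {path}: {', '.join(why)}")
    for pid, target in scan_proc():
        print(f"[deleted-exe] pid {pid}: {target}")
    for path, target in scan_histories():
        print(f"[history] {path} -> {target}")
```

The pure functions carry the detection logic so they can be unit-tested against constructed records; the `scan_*` wrappers do the live collection and need root to read every process. Treat each hit as a lead to triage rather than a verdict: zero-nanosecond mtimes are normal for files installed from packages or extracted from archives, and `memfd:` executables also show as `(deleted)`.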