
Log for Normal to Find Evil: Lessons from Real Crimes and Cyberattacks

Authored by Heather Barnhart

From the spring of 2023 to July 2025, I was part of the forensic investigation for the widely publicized University of Idaho murders case, working to piece together one of the hardest digital crime scenes of my career. At the top of that challenge was a surprisingly small digital footprint left behind by the suspect Brian Kohlberger (BK).

When we examined the laptop and Android phone belonging to BK, we didn’t find the incriminating data trail most people would expect from a homicide case like this. Why? Because he worked hard to make sure it didn’t exist before, during, and after the crime. He used VPNs, deleted history, disabled Wi-Fi, and powered down devices that were fully charged, all of which broke his usual pattern of life. The absence of data during this critical window spoke volumes about his actions that night.

In any criminal investigation, sometimes silence is the loudest clue.

That aspect of the case mirrored an emerging reality across the cyber threat landscape today. Modern threat actors are perfecting tactics, techniques, and procedures (TTPs) that erase or prevent the creation of digital forensic artifacts, a shift that is making post-attack investigation slower, murkier, and less reliable. Some of these methods are taught and enabled by artificial intelligence (AI).

I presented on this shift to a room full of security leaders during the SANS keynote session at RSAC 2025. Now six months later, adversaries are still exploiting silence. They will only continue doing so until organizations take action to stop them.

The Dark Period Problem

Imagine this: Your company’s network has been breached in a cyberattack. Money is draining from your accounts. You can’t access your systems. You bring in the best incident responders in the world, but they tell you there’s nothing they can do. No answers. No traces. Just darkness.

That isn’t a hypothetical scare-tactic scenario. It’s a real-world example of the risk posed by dark periods: any gaps in logging or digital evidence that leave you blind during an investigation. Sometimes these gaps occur through negligence: logging wasn’t enabled, storage costs were too high, storage space ran out, or systems were taken offline without proper coverage. But other times, they’re intentional. When there’s no data, there’s no story to tell. You can’t prove what happened, when it happened, or who was responsible. For adversaries, that represents a golden opportunity to inflict untraceable damage.

  • Covering Tracks: Attackers will clear event logs, disable auditing, or tamper with timestamps to hide their presence and complicate attribution.
  • Delaying Detection: If no alerts fire and no forensic trails exist, defenders may not realize a breach happened until far later, often only after data is exfiltrated or extortion begins.
  • Disrupting Investigations: By removing digital artifacts, attackers make it much harder for responders to understand initial access, lateral movement, or what data was touched. That in turn reduces the chance of effective remediation.
  • Mimicking Normal Behavior: Some advanced actors don’t just delete logs — they manipulate them to insert false “normal” activity, further throwing investigators off.
  • Pre-Emptive Hardening by Criminals: Ransomware groups, APTs, and insiders may intentionally shut off logging or force systems into low-visibility modes before launching their attack, ensuring little to no forensic evidence exists in the first place.

When defenders are left with no logs, traces, or reliable artifacts, the investigation may be over before it begins. That’s the power of a dark period, and why adversaries work so hard to create them. Every minute they can keep responders in the dark is another minute to steal, destroy, or extort without consequence. Closing that gap requires more than just logging to catch “bad” activity. It demands a shift in mindset toward building and protecting a baseline of what normal really looks like.

Why Logging for Normal Works

The velocity of modern cyber threats heightens the importance of logging for normal – a term used to describe best-practice logging that is comprehensive, correlated, protected, and retained.

  • Comprehensive logging means capturing activity from every layer of the environment (endpoints, servers, applications, cloud services and more) so investigators have a full record to work from. The amount of logging needed to be comprehensive differs across companies.
  • Correlated logging ensures those records aren’t isolated; events are linked across systems so that seemingly minor actions can be traced into broader patterns.
  • Protected logging keeps those records intact by defending them against tampering, deletion, or manipulation, denying adversaries the chance to erase their trail.
  • Retained logging recognizes that breaches often go undetected for months, so data must be stored long enough to reconstruct events whenever they finally surface.

Together, these practices build a clear picture of all baseline activity across your environment that makes even the slightest deviations easier to spot and investigate.

Most security teams only log with the goal of catching bad activity, but that leaves them blind to the subtle techniques adversaries rely on to stay hidden. The recent Bybit cryptocurrency exchange attack carried out by the North Korea-linked APT38 group is a perfect example. Bybit leveraged AI-based detection methods to monitor abnormal behavior, but the attackers remained anonymous. Why? They likely studied Bybit’s operational patterns and made their fraudulent transfers look like routine transactions to avoid detection. The blind spot wasn’t just in the AI detection. It was in the logs themselves. Because APT38 shaped their activity to blend in with expected system behavior, they didn’t generate signals of compromise that typical logging infrastructure would have flagged.

That’s exactly the kind of gap “logging for normal” is designed to prevent. By preserving a complete record of baseline activity, defenders gain the context they need to spot actions that only appear routine. Small anomalies that would otherwise blend into normal operations become visible when measured against a trusted baseline. With that visibility, attackers can’t rely on silence to hide their movements. Every deviation tells a story.

The Role of AI and Leadership

AI has great potential to sharpen detection, but it can only be as effective as the data we feed it. Adversaries already understand this. They are actively training themselves to “look normal” so that their activity blends seamlessly into existing logs and bypasses automated defenses.

That means quality logging must be the foundation of your AI strategy. If data streams are incomplete, biased, or unprotected, the AI built on top of them will inherit the same blind spots. To be effective, AI tools must be treated like a junior analyst: they need diverse data sources so attackers can’t hide in one stream, alerts that fire when data goes missing — not just when something looks unusual — and constant red-team testing to expose weaknesses. Most importantly, they require human oversight, just as a senior analyst would oversee a junior’s work. AI can accelerate analysis, but it cannot replace judgment, especially when attackers are evolving faster than the models themselves.
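As an added example (not code from the original post or from SANS), the following Python script shows the kind of check this paragraph and the "Why Logging for Normal Works" section describe: learn each host's normal logging cadence from a trusted baseline window, then alert on dark periods where data simply stops arriving, rather than only on events that look unusual. The host names, timestamps and 5-minute heartbeat cadence are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 3, 1)
BASELINE_END = BASE + timedelta(hours=1)   # first hour is the trusted "normal" window
WINDOW_END = BASE + timedelta(hours=2)     # the moment the check runs ("now")

def build_sample():
    """Constructed log lines '<ISO timestamp> <host> <event>' (not from any real system).
    Both hosts heartbeat every 5 min; web01 goes silent 01:10-01:45, db01 stops after 00:55."""
    lines = []
    for i in range(24):
        t = (BASE + timedelta(minutes=5 * i)).isoformat()
        if not 14 <= i < 22:
            lines.append(f"{t} web01 heartbeat")
        if i < 12:
            lines.append(f"{t} db01 heartbeat")
    return lines

def parse(lines):
    """Group event timestamps per host, sorted oldest first."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, _event = line.split(" ", 2)
        by_host[host].append(datetime.fromisoformat(ts))
    return {h: sorted(t) for h, t in by_host.items()}

def learn_baseline(by_host, baseline_end):
    """Normal cadence per host: the largest gap between events inside the baseline window."""
    baseline = {}
    for host, times in by_host.items():
        t = [x for x in times if x < baseline_end]
        if len(t) >= 2:
            baseline[host] = max(b - a for a, b in zip(t, t[1:]))
    return baseline

def find_dark_periods(by_host, baseline, window_end, tolerance=2.0):
    """Flag any host silent for longer than tolerance x its normal cadence.
    window_end is appended so a host that never logs again is still caught."""
    findings = []
    for host, cadence in baseline.items():
        times = by_host.get(host, []) + [window_end]
        for a, b in zip(times, times[1:]):
            if b - a > cadence * tolerance:
                findings.append({"host": host, "silent_from": a.isoformat(),
                                 "silent_until": b.isoformat(),
                                 "minutes": int((b - a).total_seconds() // 60)})
    return findings

def run_demo():
    by_host = parse(build_sample())
    return find_dark_periods(by_host, learn_baseline(by_host, BASELINE_END), WINDOW_END)

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['host']}: no events for {f['minutes']} min ({f['silent_from']} -> {f['silent_until']})")
```

In a real pipeline the baseline would be learned per host and per log source over a longer window, and the alert should fire from a system the monitored host cannot silence.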

However, technology alone is not enough. The other side of this challenge is leadership. Executives must create an environment where defenders' concerns about logging gaps or detection weaknesses are heard and acted upon. A missing log is not a technical nuisance. It can mean millions lost in data theft, regulatory fines, and reputational damage. Leaders must fund and enforce best practices, empower their teams with the authority to close gaps, and treat logging as a strategic asset rather than an operational afterthought.

Log for Normal to Find Evil

The Idaho murders case taught me that absence can be as revealing as presence. The Bybit breach showed how attackers are getting better at hiding in plain sight. The bottom line is simple: fear the dark. Log for normal so you can find evil, and don’t wait until you’re standing in the dark wishing you had.

For a deeper dive on this topic, download my SANS RSAC whitepaper here.