If availability, accuracy, or confidentiality is compromised it's a security incident
Without active system monitoring in place, unlikely to detect an intruder.
Administration's greatest advantage over attacker is knowledge of normal behavior of the system.
Indicators: possible (unusual things, might be incident), probable (things that could not occur without someone doing them), definite [positively]
unfamiliar files: esp. in system/config directories. source, purpose? compare with previously generated list of files.
unknown processes: rogue SW installed by attacker to exploit vulnerability or to monitor system.
consumption of resources: (CPU, RAM, network) that's unexpected.
system crashes: exploits often system-specific, will crash even slightly different configuration.
activities at unexpected times. investigate anomalies.
presence of new accounts
reported attack by a user or attacker
use of dormant accounts
changes to logs
presence of hacker tools
notification by partner that "you" are attacking them
notification by hacker