Learning lessons from examining patterns of behaviour is a key aspect of an effective managed threat response. Incident response practitioners (who help clients to investigate, contain, eliminate and remediate attacks) will often find traces of historic activity within compromised information systems. The knack is to spot those patterns as they are emerging, rather than only after an attack has been successfully executed.
The linked Forbes article by Adam Bradley of Sophos, which chimes with the experience of our own incident response teams and no doubt many other practitioners, gives a run-down of the five most common early warning signs of an attack.
First - the presence of any unaccounted-for network scanning tools. If one is on a server, that is an even bigger tell. This might include tools such as AngryIP. Why would they be there if IT / IS had not deployed them for a purpose?
Second - the presence of any unaccounted-for, or simply not required, tools that can disable anti-virus or other defensive tools (IObit Uninstaller is a good example). Such a tool might be there for a legitimate reason, but if your IT / IS cannot account for it, you must know that it didn't get there on its own!
Third - look out for evidence of any data extraction tools that might be used to extract and / or compromise credentials. A common method here is to dump the local security authority process (lsass.exe) and either exfiltrate the dump or manipulate it in place. Popular tools in this category include Mimikatz. If you spot that tool anywhere, treat it like a flashing alert sign with a siren going off!
Fourth - patterns of behaviour or alerts: suspicious files that reappear, unexplained activity that recurs at regular intervals, and so on.
Fifth - if any "practice" attacks are launched and you detect them, make sure you investigate them and build an understanding of how they were carried out. Do this even if the attack itself appears trivial in terms of impact, as it can be (and often is) simply a precursor to a larger attack.
These indicators are a great way for a security team to observe and monitor for potential future attacks. If you have the resources to devote to this, supplement those indicators with your team's own experience.
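As an added illustration (not code from the article or from 3B Data Security), the script below triages a constructed software-inventory feed against the first four signs above: it flags unaccounted-for scanners, defence disablers and credential dumpers, weights presence on a server higher, and reports tools that keep reappearing on the same host. The tool names, the allowlist and the sample records are all assumptions for the demo.

```python
from collections import defaultdict
# Tool categories named in the article; example names, not an exhaustive list.
TOOL_CATEGORIES = {
    "angryip": "network-scanner",
    "iobit uninstaller": "defence-disabler",
    "mimikatz": "credential-dumper",
}

# Hypothetical allowlist of (host, tool) pairs IT/IS has deliberately deployed.
APPROVED = {("it-admin-01", "angryip")}

def classify(record, approved=APPROVED):
    """Return (severity, reason) for one inventory record, or None if benign."""
    host, role, tool, _day = record
    name = tool.lower()
    category = TOOL_CATEGORIES.get(name)
    if category is None or (host, name) in approved:
        return None  # unknown tool, or one IT/IS can account for
    if category == "credential-dumper":
        return ("critical", f"{tool} on {host}: credential-dumping tool present")
    severity = "high" if role == "server" else "medium"  # server presence is a bigger tell
    return (severity, f"unaccounted {category} {tool} on {role} {host}")

def recurring_tools(records, min_days=2):
    """Fourth sign: the same tool reappearing on the same host on several days."""
    seen = defaultdict(set)
    for host, _role, tool, day in records:
        seen[(host, tool.lower())].add(day)
    return sorted(key for key, days in seen.items() if len(days) >= min_days)

def triage(records, approved=APPROVED):
    """Deduplicated findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = {f for r in records if (f := classify(r, approved))}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed sample inventory (host, role, tool, day first seen), not real data.
SAMPLE = [
    ("it-admin-01", "workstation", "AngryIP", 1),
    ("file-srv-02", "server", "AngryIP", 3),
    ("hr-pc-07", "workstation", "IObit Uninstaller", 3),
    ("hr-pc-07", "workstation", "IObit Uninstaller", 5),
    ("dc-01", "server", "mimikatz", 6),
    ("dev-pc-03", "workstation", "notepad++", 2),
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE):
        print(severity.upper(), reason)
    print("recurring:", recurring_tools(SAMPLE))
```

In practice the inventory records would come from your endpoint management or EDR tooling and the allowlist from your change records, which is exactly the "can IT / IS account for it?" test the article describes.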
For organisations that don't have the skills or resources internally to deal with this level of monitoring, consider either working with a service provider (such as ourselves, 3B Data Security) or deploying threat hunting tools and methodologies.
Victims often assume the attackers broke in shortly before they were detected, when in fact that is rarely the case.