
Top 15 Indicators Of Compromise

Unusual account behaviors, strange network patterns, unexplained configuration changes, and odd files on systems can all point to a potential breach
11. Unexpected Patching Of Systems
Patching is generally a good thing, but if a system is inexplicably patched, that could be a sign that an attacker is locking it down so that other criminals can't use it for their own activity.

"Most attackers are in the business of making money from your data -- they certainly don't want to share the profits with anyone else," Webb says. "It sometimes does pay to look security gift horses in the mouth."

12. Mobile Device Profile Changes
As attackers migrate to mobile platforms, enterprises should keep an eye on unusual changes to mobile users' device settings. They also should watch for replacement of normal apps with hostile ones that can carry out man-in-the-middle attacks or trick users into giving up their enterprise credentials.

"If a managed mobile device gains a new configuration profile that was not provided by the enterprise, this may indicate a compromise of the user's device and, from there, their enterprise credentials," says Dave Jevans, founder and CTO of Marble Security. "These hostile profiles can be installed on a device through a phishing or spear-phishing attack."

13. Bundles Of Data In The Wrong Places
According to EventTracker's Ananth, attackers frequently aggregate data at collection points in a system before attempting exfiltration.

"If you suddenly see large gigabytes of information and data where they should not exist, particularly compressed in archive formats your company doesn't use, this is a telltale sign of an attack," he says.

In general, files sitting around in unusual locations should be scrutinized because they can point to an impending breach, says Matthew Standart, director of threat intelligence at HBGary.

"Files in odd places, like the root folder of the recycle bin, are hard to find looking through Windows, but easy and quick to find with a properly crafted Indicator of Compromise [search]," Standart says. "Executable files in the temp folder is another one, often used during privilege escalation, which rarely has a legitimate existence outside of attacker activity."

14. Web Traffic With Unhuman Behavior
Web traffic that doesn't match up with normal human behavior shouldn't pass the sniff test, says Andrew Brandt, director of threat research for Blue Coat.

"How often do you open 20 or 30 browser windows to different sites simultaneously? Computers infected with a number of different click-fraud malware families may generate noisy volumes of Web traffic in short bursts," he says. "Or, for instance, on a corporate network with a locked-down software policy, where everyone is supposed to be using one type of browser, an analyst might see a Web session in which the user-agent string, which identifies the browser to the Web server, indicates the use of a browser that's far removed from the standard corporate image, or maybe a version that doesn't even exist."
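As an added illustration of the two checks Brandt describes (this is example code, not from the article or from Blue Coat): a small Python script that parses constructed proxy log lines, flags user-agent strings outside an assumed corporate standard image (Chrome 34 on Windows 7), and flags clients that reach more than 20 distinct hosts inside 30 seconds. The log format, IP addresses, host names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (hypothetical one-request-per-line format):
# timestamp  client-IP  destination-host  "User-Agent"
STANDARD_UA = "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0.1847.116"
SAMPLE_LOG = "\n".join(
    [f'2014-05-01T10:00:00 10.1.1.5 intranet.example.com "{STANDARD_UA}"',
     f'2014-05-01T10:00:04 10.1.1.5 mail.example.com "{STANDARD_UA}"',
     # 10.1.1.7 presents a Chrome build number that does not exist
     '2014-05-01T10:01:00 10.1.1.7 portal.example.com "Mozilla/5.0 (Windows NT 6.1) Chrome/999.0.0.0"',
     # 10.1.1.9 hits 25 distinct ad hosts in 25 seconds, as a click-fraud bot would
    ] + [f'2014-05-01T10:05:{i:02d} 10.1.1.9 ad{i}.example.net "{STANDARD_UA}"' for i in range(25)])

# Assumed corporate standard image: Chrome 34.x on Windows 7 (NT 6.1); anything else is off-image.
APPROVED_UA = re.compile(r"^Mozilla/5\.0 \(Windows NT 6\.1\) Chrome/34\.\d+\.\d+\.\d+$")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def parse_log(text):
    """Return (timestamp, client, host, user_agent) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, ua = m.groups()
            events.append((datetime.fromisoformat(ts), client, host, ua))
    return events

def flag_user_agents(events):
    """Clients whose browser identification does not match the standard image."""
    return sorted({(client, ua) for _, client, _, ua in events if not APPROVED_UA.match(ua)})

def find_bursts(events, max_hosts=20, window=timedelta(seconds=30)):
    """Clients that reach more than max_hosts distinct sites inside any single window."""
    by_client = defaultdict(list)
    for ts, client, host, _ in events:
        by_client[client].append((ts, host))
    flagged = []
    for client, hits in sorted(by_client.items()):
        hits.sort()  # sliding window over this client's requests in time order
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged.append(client)
                break
    return flagged

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(flag_user_agents(ev), find_bursts(ev))
```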

15. Signs Of DDoS Activity
Distributed denial-of-service (DDoS) attacks are frequently used as smokescreens to camouflage other, more pernicious attacks. If an organization experiences signs of DDoS, such as slow network performance, unavailability of websites, firewall failover, or back-end systems working at maximum capacity for unknown reasons, it shouldn't worry only about those immediate problems.

"In addition to overloading mainstream services, it is not unusual for DDoS attacks to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions," says Ashley Stephenson, CEO at Corero Network Security. "This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity."
