Anomalous Account Activity
Once a criminal establishes a presence on a system, the next move is typically to elevate system privileges or move laterally to users with higher privileges. System monitoring can establish a baseline of the types of systems an account accesses regularly, along with information such as which files were accessed and altered, and when.
Trustwave said the suspicious activity should prompt an investigation, account disabling or removal of rogue accounts. Two-factor authentication and more-complex passwords can thwart an attacker or extend the time it takes for a determined criminal to break into an account, increasing the chance the attack will be spotted.
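The baseline-and-compare monitoring described above, as an added example that is not from the article or from Trustwave: it builds a per-account profile from earlier log events and flags later events that depart from it. The event format, account names, hosts and file paths are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample events (assumed format): (timestamp, account, host, file, action)
BASELINE_EVENTS = [
    ("2024-03-04T09:12:00", "jsmith", "ws-014", "/home/jsmith/report.docx", "write"),
    ("2024-03-05T10:40:00", "jsmith", "fileserver-01", "/shares/sales/q1.xlsx", "read"),
    ("2024-03-06T14:05:00", "jsmith", "ws-014", "/home/jsmith/report.docx", "read"),
    ("2024-03-06T16:30:00", "jsmith", "fileserver-01", "/shares/sales/q1.xlsx", "write"),
]
NEW_EVENTS = [
    ("2024-03-11T09:30:00", "jsmith", "ws-014", "/home/jsmith/report.docx", "write"),
    ("2024-03-11T02:47:00", "jsmith", "hr-db-02", "/shares/finance/payroll.xlsx", "read"),
    ("2024-03-11T11:15:00", "jsmith", "fileserver-01", "/shares/sales/q1.xlsx", "write"),
    ("2024-03-11T11:20:00", "newadmin", "hr-db-02", "/shares/finance/payroll.xlsx", "write"),
]

def build_baseline(events):
    """Per-account profile: hosts used, hours active, (file, action) pairs seen."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "files": set()})
    for ts, account, host, path, action in events:
        prof = base[account]
        prof["hosts"].add(host)
        prof["hours"].add(datetime.fromisoformat(ts).hour)
        prof["files"].add((path, action))
    return dict(base)

def find_anomalies(baseline, events):
    """Return (timestamp, account, reasons) for each event that departs from baseline."""
    findings = []
    for ts, account, host, path, action in events:
        prof = baseline.get(account)
        if prof is None:  # account never seen while baselining: possible rogue account
            findings.append((ts, account, ["account-not-in-baseline"]))
            continue
        reasons = []
        if host not in prof["hosts"]:
            reasons.append("new-host")
        hour = datetime.fromisoformat(ts).hour
        if not min(prof["hours"]) <= hour <= max(prof["hours"]):
            reasons.append("unusual-hour")
        if (path, action) not in prof["files"]:
            reasons.append("new-file-" + action)
        if reasons:
            findings.append((ts, account, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(finding)
```

Each finding is a lead for the investigation step, not a verdict; a real deployment would baseline over weeks of data and tune the hour window per account.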