Network Defense – Think of Network Intruders Like Tourists Giving Themselves Away

Created: Thursday, August 24, 2023 - 14:08
Categories: Cybersecurity, Security Preparedness

This recent post by Brian Krebs is an interesting read for everyone, but security analysts, sysadmins, and other network defenders in particular should find its perspective interesting. The article suggests that a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly arrived cybercriminals behaving like network tourists. Doing so can mean the difference between catching a compromise in week one (before the attackers dig in) and learning about the attack on CNN.

Some food for thought posed in the post:

  • Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor’
  • This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time
  • There are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage)

For more considerations and which alerts to configure for detecting unwanted network tourists, visit KrebsOnSecurity.
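
One way to turn the orientation commands quoted above into an alert, as an added example that is not taken from the Krebs post: flag any account that runs several distinct ones on the same device within a short window. The log format, account and device names, regex patterns, and the threshold of three commands in ten minutes are all assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Orientation commands quoted in the post, matched loosely so that
# abbreviations such as "sh int" also count (patterns are assumptions).
RECON_PATTERNS = {
    "config": re.compile(r"^sh\w*\s+(run\w*|start\w*|conf\w*)", re.I),
    "interface": re.compile(r"^sh\w*\s+(ip\s+)?int\w*", re.I),
    "route": re.compile(r"^sh\w*\s+(ip\s+)?route", re.I),
    "arp": re.compile(r"^sh\w*\s+(ip\s+)?arp", re.I),
    "cdp": re.compile(r"^sh\w*\s+cdp\s+nei\w*", re.I),
}
# Constructed command-accounting format, not a real product's log layout.
LINE = re.compile(r'^(\S+) device=(\S+) user=(\S+) cmd="([^"]*)"$')
SAMPLE_LOG = """\
2023-08-24T09:00:05 device=edge-rtr-01 user=netops-alice cmd="show interface Gi0/1"
2023-08-24T09:42:10 device=edge-rtr-01 user=netops-alice cmd="ping 192.0.2.1"
2023-08-24T13:01:00 device=edge-rtr-01 user=svc-backup cmd="show config"
2023-08-24T13:01:20 device=edge-rtr-01 user=svc-backup cmd="sh int"
2023-08-24T13:02:05 device=edge-rtr-01 user=svc-backup cmd="show route"
2023-08-24T13:02:40 device=edge-rtr-01 user=svc-backup cmd="show arp table"
2023-08-24T13:03:15 device=edge-rtr-01 user=svc-backup cmd="show cdp neighbor"
""".splitlines()

def classify(cmd):
    """Return the orientation category a command falls into, or None."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd.strip()):
            return name
    return None

def find_tourists(lines, window_s=600, min_distinct=3):
    """List (user, device, categories) for each user/device pair that ran
    at least min_distinct distinct orientation commands within window_s."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and classify(m.group(4)):
            ts, device, user, cmd = m.groups()
            events[(user, device)].append((datetime.fromisoformat(ts), classify(cmd)))
    alerts = []
    for (user, device), hits in sorted(events.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each hit
            kinds = {k for t, k in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(kinds) >= min_distinct:
                alerts.append((user, device, sorted(kinds)))
                break
    return alerts

if __name__ == "__main__":
    for alert in find_tourists(SAMPLE_LOG):
        print("possible network tourist:", alert)
```

A single `show interface` from an operator stays below the threshold; the burst of five different orientation commands from one account in about two minutes is what raises the alert.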