One of my three basic security principles is "advanced intruders are unpredictable." Believing you can predict what intruders are going to do next results in soccer-goal security. As I said in Pescatore on Security Trends, advanced attackers are digital innovators. I think I will start calling advanced intruders "intrupreneurs."
I just read and watched great examples of this principle in action courtesy of pdp's post CITRIX: Owning the Legitimate Backdoor. I recommend reading the post and watching the two videos. If you are practicing Network Security Monitoring, I recommend querying your session data for all incoming Citrix traffic, for as far back as you have it stored, looking for unusual or unexpected activity. If you are not practicing NSM already, I suggest beginning emergency NSM to watch your Citrix servers.
It's important to realize that you may not even know you have certain Citrix servers active on your network. The flip side of the "intruders are unpredictable" principle is that your network is probably unpredictable too! In other words, you could be happy thinking "we have no Citrix servers," but after looking via NSM you find you do. It's probable a bad guy found them before you did, but courtesy of NSM you have data about what happened. More often than not, that's the best you can do with your time and resources.
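A concrete form of the session-data review suggested above, serving both the "query your session data for incoming Citrix traffic" advice and the "you may not know you have Citrix servers" point. This is an added example, not code from the original post or from pdp's write-up: it walks constructed flow-summary records (Argus/SANCP-style session data is assumed), treats TCP/1494 (ICA) and TCP/2598 (CGP) as the Citrix ports, lists every internal host that accepted a connection on them, and flags servers missing from a known inventory plus any sessions whose client sits outside the assumed internal address space.

```python
import ipaddress
from collections import defaultdict

# Citrix ICA and CGP (session reliability) listener ports assumed here.
CITRIX_PORTS = {1494, 2598}

# Constructed sample session records: (start, src_ip, src_port, dst_ip, dst_port, proto)
SESSIONS = [
    ("2008-01-08 09:12:03", "10.1.5.20", 51022, "10.1.20.9", 1494, "tcp"),
    ("2008-01-08 09:13:11", "10.1.5.21", 51100, "10.1.20.9", 2598, "tcp"),
    ("2008-01-08 22:41:57", "203.0.113.45", 40211, "10.1.33.7", 1494, "tcp"),
    ("2008-01-09 03:05:40", "198.51.100.9", 42900, "10.1.33.7", 1494, "tcp"),
    ("2008-01-09 10:00:02", "10.1.5.22", 51210, "10.1.20.9", 1494, "tcp"),
    ("2008-01-09 10:02:15", "10.1.5.22", 51211, "10.1.40.2", 443, "tcp"),
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal space
KNOWN_CITRIX_SERVERS = {"10.1.20.9"}                    # assumed inventory

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def inbound_citrix_sessions(sessions):
    """Sessions whose server side is an internal host on a Citrix port."""
    return [s for s in sessions
            if s[5] == "tcp" and s[4] in CITRIX_PORTS and is_internal(s[3])]

def citrix_servers(sessions):
    """Map each internal host that accepted Citrix traffic to its set of clients."""
    servers = defaultdict(set)
    for _, src, _, dst, _, _ in inbound_citrix_sessions(sessions):
        servers[dst].add(src)
    return dict(servers)

def review(sessions, known=KNOWN_CITRIX_SERVERS):
    """Return (Citrix servers not in inventory, sessions from external clients)."""
    servers = citrix_servers(sessions)
    unknown = sorted(set(servers) - known)
    external = [s for s in inbound_citrix_sessions(sessions) if not is_internal(s[1])]
    return unknown, external

if __name__ == "__main__":
    unknown, external = review(SESSIONS)
    print("Citrix servers not in inventory:", unknown)
    for s in external:
        print("external client", s[1], "->", s[3], "port", s[4], "at", s[0])
```

Run against real session data, the unknown-server list is the "we have no Citrix servers" surprise the post describes, and the external-client list is where to start looking for activity that predates your awareness of those hosts.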