Start by improving prevention before investing in detection and hunting. You can best do this by building on best practices in the community. You can use NIST CSF to help you define, implement and monitor your entire security strategy. You can use guidance from the Center for Internet Security or the Australian Signals Directorate to help you set up and maintain critical controls. And have a look at the MITRE ATT&CK Framework to capture the latest insights on techniques used by your adversaries.
In terms of gaining visibility on what happens in your infrastructure, I would advise starting by setting up external passive monitoring before investing in SIEMs, sensors and sophisticated log collection and correlation systems. You can learn a lot about your infrastructure by looking at it from the outside. This might seem obvious but is often forgotten.
Compromised machines in your infrastructure are probably calling out to their command-and-control servers, and if these are known by the community they can be taken down or sink-holed, and confirmed victims can be alerted. When your webpages are infected with malware, this will probably be picked up by the search engines crawling them to update their search indices, and the owners of the compromised pages can be alerted.
When your users compromise their corporate credentials by using them in internet services or social media, and those services get hacked, you could learn about it by using a credential leak service. When your internet-facing services are misconfigured or vulnerable, you can learn about it by using an external scanner.
All of these information and alerting services exist, and they don't require any modification of your internal infrastructure. However, most organizations are not aware of their existence, the services are not always easy to configure, and their alerts come in different formats that are not always adapted to your internal response mechanisms.
And this is where the products of Arctic Security come in. They make it easy to find those alert services. And, provided you know your infrastructure (IP and domain ranges), they make it frictionless to subscribe to them and link them to your internal response mechanisms with little or no human intervention.
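The two problems named above, external alerts arriving in different formats and the need to know your own IP and domain ranges before any of them can be acted on, can be illustrated with a small normalisation step. This is an added example, not Arctic Security's code or any real feed's format: the two feed layouts, the owned ranges and the feed lines are all constructed for illustration.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict

# Constructed sample of "what you own": the IP ranges and domains an
# organisation must know before it can subscribe to external alert feeds.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8::/32")]
OWNED_DOMAINS = {"example.org"}

@dataclass
class Alert:
    category: str  # sinkhole | credential-leak
    asset: str     # the IP address or account on our side
    detail: str    # free text for the internal response process

def owns_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in OWNED_NETWORKS)

def owns_domain(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)

def parse_sinkhole_csv(line):
    """Hypothetical sinkhole feed line: timestamp,victim_ip,family,c2_domain."""
    ts, victim, family, c2 = line.strip().split(",")
    if not owns_ip(victim):
        return None  # someone else's victim: not our alert to handle
    return Alert("sinkhole", victim, f"{family} beacon to {c2} at {ts}")

def parse_credential_leak_json(line):
    """Hypothetical credential-leak record: {"account": ..., "leak": ...}."""
    rec = json.loads(line)
    domain = rec["account"].split("@", 1)[-1]  # whole string if no '@'
    if not owns_domain(domain):
        return None
    return Alert("credential-leak", rec["account"], f"seen in leak '{rec['leak']}'")

def normalise(feed_lines):
    """Apply each (parser, raw line) pair; keep only alerts about our assets."""
    alerts = (parser(line) for parser, line in feed_lines)
    return [asdict(a) for a in alerts if a is not None]

# Constructed feed lines in two formats; only two of them concern our assets.
SAMPLE_FEED = [
    (parse_sinkhole_csv, "2024-05-01T10:00:00Z,203.0.113.45,ExampleBot,c2.invalid"),
    (parse_sinkhole_csv, "2024-05-01T10:01:00Z,198.51.100.7,ExampleBot,c2.invalid"),
    (parse_credential_leak_json, '{"account": "alice@example.org", "leak": "paste-001"}'),
    (parse_credential_leak_json, '{"account": "bob@other.example", "leak": "paste-001"}'),
]
```

Calling `normalise(SAMPLE_FEED)` yields two records in one shape, which is the form an internal ticketing or response mechanism can consume regardless of which external service produced the original alert.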