Are you doing threat hunting? If not, you really should be.
Become a threat hunter today...
As attackers use more sophisticated techniques that are designed to bypass your controls and blend in with normal activity, they get harder to spot. If you have done the basics around security, you now need to look at threat hunting.
The idea is that you formulate a plan to go looking for anomalous indicators. An example place to start might be to whittle down your software list to find unusual .exe files, maybe a file that has a common name but whose signature appears on only one or two laptops. You need the data about your systems to do this, maybe from a central database of devices/software (like Microsoft SCCM).
One very useful resource is MITRE; here are the links:
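As an added example (not part of the original post or any product's code), here is the "common name, rare hash" hunt described above, written in Python against an inventory export. It stacks the export by file name, then flags hashes that are present on only one or two devices while the same file name is present across the fleet. The CSV text, its column names (device, file_name, file_path, sha256, signer) and the hash values are all constructed for this example; they mimic a generic SCCM-style software inventory export and are an assumption, not a real SCCM schema.

```python
"""Least-frequency-of-occurrence ("stacking") hunt over a software inventory.

Added example, not code from the original post. The inventory below is
constructed for the example; the column layout is an assumed, generic
SCCM-style export, not a real SCCM schema.
"""
import csv
import io
from collections import defaultdict

# Constructed inventory export: one row per (device, executable) pair.
# Hashes are shortened placeholders, not real SHA-256 values.
INVENTORY_CSV = r"""device,file_name,file_path,sha256,signer
LAPTOP-01,svchost.exe,C:\Windows\System32\svchost.exe,aaaa1111,Microsoft Windows
LAPTOP-02,svchost.exe,C:\Windows\System32\svchost.exe,aaaa1111,Microsoft Windows
LAPTOP-03,svchost.exe,C:\Windows\System32\svchost.exe,aaaa1111,Microsoft Windows
LAPTOP-04,svchost.exe,C:\Windows\System32\svchost.exe,aaaa1111,Microsoft Windows
LAPTOP-05,svchost.exe,C:\Windows\System32\svchost.exe,aaaa1111,Microsoft Windows
LAPTOP-05,svchost.exe,C:\Users\bob\AppData\Roaming\svchost.exe,ffff9999,
LAPTOP-01,7z.exe,C:\Program Files\7-Zip\7z.exe,cccc3333,Igor Pavlov
LAPTOP-02,7z.exe,C:\Program Files\7-Zip\7z.exe,cccc3333,Igor Pavlov
LAPTOP-03,7z.exe,C:\Program Files\7-Zip\7z.exe,dddd4444,Igor Pavlov
LAPTOP-04,7z.exe,C:\Program Files\7-Zip\7z.exe,dddd4444,Igor Pavlov
LAPTOP-01,vendor-tool.exe,C:\Tools\vendor-tool.exe,eeee5555,
"""


def load_inventory(csv_text):
    """Parse the inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def stack_by_file_name(rows):
    """Group devices by file name and, within each name, by hash.

    Returns {file_name: {sha256: {"devices": set, "paths": set, "signers": set}}}.
    Prevalence is counted in devices, not rows, so a device holding the same
    hash in two paths still counts once.
    """
    stacks = defaultdict(lambda: defaultdict(
        lambda: {"devices": set(), "paths": set(), "signers": set()}))
    for row in rows:
        entry = stacks[row["file_name"].lower()][row["sha256"]]
        entry["devices"].add(row["device"])
        entry["paths"].add(row["file_path"])
        entry["signers"].add(row["signer"] or "(unsigned)")
    return stacks


def find_rare_variants(rows, min_common_devices=4, max_rare_devices=2,
                       max_rare_ratio=0.25):
    """Return hashes that are rare variants of an otherwise common file name.

    A name is "common" if it is present on at least min_common_devices devices.
    A hash under that name is "rare" if it is on at most max_rare_devices
    devices AND on no more than max_rare_ratio of the devices carrying that
    name. The ratio guard stops an even version split (half the fleet on each
    build after a staged patch) from being reported as an anomaly.
    """
    findings = []
    for name, by_hash in stack_by_file_name(rows).items():
        name_devices = set().union(*(e["devices"] for e in by_hash.values()))
        if len(name_devices) < min_common_devices:
            continue
        for sha256, entry in by_hash.items():
            n = len(entry["devices"])
            if n <= max_rare_devices and n / len(name_devices) <= max_rare_ratio:
                findings.append({
                    "file_name": name,
                    "sha256": sha256,
                    "devices": sorted(entry["devices"]),
                    "paths": sorted(entry["paths"]),
                    "signers": sorted(entry["signers"]),
                    "devices_with_name": len(name_devices),
                })
    # Rarest first, so the analyst starts with the strongest outliers.
    findings.sort(key=lambda f: (len(f["devices"]), f["file_name"]))
    return findings


if __name__ == "__main__":
    for f in find_rare_variants(load_inventory(INVENTORY_CSV)):
        print(f"{f['file_name']} {f['sha256']} on {f['devices']} "
              f"(name seen on {f['devices_with_name']} devices) "
              f"paths={f['paths']} signers={f['signers']}")
```

On the constructed data this reports a single outlier: an unsigned svchost.exe under a user's AppData directory on one laptop, while the five other copies share one hash and live in System32. The two 7z.exe builds are not reported, because each sits on half of the devices that carry the name; that is the case the ratio guard exists for, since ordinary patching is the main source of noise in this kind of hunt. Path and signer are carried into each finding so that triage can happen from the output (unsigned, user-writable path) without going back to the export.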
I am just starting to stand up my threat hunting program here. We are doing it manually to start with in order to slowly build capacity. Security does not have a budget (commingled with IT), so we have to prove worth first before we can get increases in staff. We used to just remediate and react to alerts such as virus warnings and risky sign-ins from O365. However, the alerts were not always timely or correct. By parsing through logs and reports we have been able to discover threats that were hiding but not revealing themselves. These threats had gained access but not triggered any of the tripwires. We kicked them out and now we watch for their next move. We are really just beginning our work and have lots to learn. Is MITRE a free tool, or are there other tools you recommend for threat hunting? What about methods, etc.? Anything you can share would be appreciated.
I agree about getting the threat hunting started. Security used to be more passive and reactive and now we need to switch to a more active and proactive role in finding the threats.
Good to hear you are getting a capability up and running...
The MITRE links I included are free information; the wiki pages are definitely worth reading. This is a great source and is used by red teams, etc. As a starting point, I would pick one exploit from the MITRE list and see how you would find out whether it has been used or could be used, if that makes sense. The key is to gather as much information about your network as possible from existing or new feeds; you need the data to analyse. This might be from existing security tools, central logs, Active Directory, sysmon logs, deployment tool logs like SCCM, etc.
I noticed that some vendors are starting to offer this as a service, and tools for the purpose, but I take your point on budget. Luckily, there is lots of open-source stuff out there.