In security response, practice makes perfect

02.10.2012

* Identify the compromise: This could prove to be the most challenging of the steps, as there is only a small window of opportunity to spot an attacker's behavior between the point when the infection is first established and the point when the attacker has found its "hiding spots" within the network. As with most things, if you can detect the adversary's analysis of the network before the real damage is done, you are ahead of the game. The challenge: spotting it in time, if you can spot it at all.

Security information and event management (SIEM) systems play an important role in this process, but historically haven't collected enough data, in terms of both depth and speed, to see these latent, stealthy attackers in the environment. While a SIEM system may provide a better view of what is happening on the network, the only real chance a company has of getting the data required is to leverage systems, processes and, of course ... big data feeds.

"Most organizations watch their network traffic for call-outs being made to the malware's command-and-control center (CNC)," Cianfrocca said. "The problem with this method of detection is that the attackers space their communications out over time, making them nearly impossible to spot in the midst of other mounds of data."

So, if this method doesn't work well, what other options do we have? The answer may lie in the apps, more so than in the network.

Most of the nastiest and stealthiest malware will try to covertly figure out which app servers are vulnerable -- this is the activity organizations should be monitoring. The challenge here, of course, is that the attackers will instruct their code to use patterns of access crafted to look like the normal activity of authorized users -- but the attackers are actually accessing these servers in subtly different ways.
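An added example, not from the article or from Cianfrocca, of the app-layer, timing-aware detection the two passages above point at (spaced-out callouts, and probing of app servers dressed up as normal use): it runs over constructed access-log lines and flags a client whose requests arrive on a machine-regular schedule and sweep across many app servers, while a person browsing at irregular gaps passes. The log format, hosts, addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (hypothetical, not from the article):
# "<ISO timestamp> <client ip> <app server> <path>"
SAMPLE_LOG = """\
2012-02-10T09:00:03 10.1.1.5 app-01 /orders/list
2012-02-10T09:00:41 10.1.1.5 app-01 /orders/1234
2012-02-10T09:03:12 10.1.1.5 app-01 /orders/1234/invoice
2012-02-10T09:09:55 10.1.1.5 app-02 /reports/daily
2012-02-10T09:00:00 10.1.1.9 app-01 /orders/list
2012-02-10T09:30:00 10.1.1.9 app-02 /reports/daily
2012-02-10T10:00:00 10.1.1.9 app-03 /admin/status
2012-02-10T10:30:00 10.1.1.9 app-04 /api/version
2012-02-10T11:00:00 10.1.1.9 app-05 /login
"""

def parse_log(text):
    """Group (timestamp, server, path) tuples by client, sorted by time."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, path = line.split()
        by_client[client].append((datetime.fromisoformat(ts), server, path))
    for recs in by_client.values():
        recs.sort()
    return by_client

def score_clients(by_client, max_cv=0.15, min_servers=3, min_requests=4):
    """Flag clients whose requests are machine-regular AND fan out across
    many app servers: a low-and-slow sweep rather than a person browsing.
    cv = stdev/mean of inter-request gaps; near 0 means a fixed schedule."""
    results = {}
    for client, recs in by_client.items():
        if len(recs) < min_requests:
            continue  # too few requests to judge timing
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else 0.0
        servers = len({server for _, server, _ in recs})
        results[client] = {
            "cv": round(cv, 3),
            "servers": servers,
            "flagged": cv <= max_cv and servers >= min_servers,
        }
    return results
```

Call `score_clients(parse_log(SAMPLE_LOG))` to see 10.1.1.9 flagged (cv 0.0 over five servers) and 10.1.1.5 left alone; attackers that add jitter push cv up, so the threshold is a tuning knob, not a constant.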