Deconstructing The Cyber Kill Chain

If you must use the Chain model, zero in on No. 7. Focus on detecting ongoing attacks — attackers that have already breached your perimeter — before the damage is done. Instead of analyzing old malware, deploy a breach detection system that automatically detects and analyzes the changes in user and computer behavior that indicate a breach. These subtle changes are usually low-key and slow, and affect only a small number of computers, but the right analysis and context can flag them as malicious.