The majority of large companies have experienced a breach over the past twelve months, but almost a quarter, 23 percent, of firms do not know how the hackers got in, according to a new survey.
"That was pretty eye-opening," said Tim Helming, director of product management at DomainTools, the company that sponsored the research. "If you don't know how it got onto your network, you can't protect against it."
Of the firms who did know how the attackers got in, 67 percent said that malware had infiltrated their networks through email, 63 percent named web surfing as a vector of infection, 12 percent cited cloud apps or social media, and 4 percent pointed to instant messaging.
Helming said that there are things companies can do to analyze malware in a secure lab environment.
"You can intentionally take apart the malware and look inside and it and find information like domains in there that you can use to continue your investigation," he said.
One reason that so many companies could not spot the channel through which malware got into their network was that almost half, or 46 percent, of all organizations surveyed did not have a threat intelligence solution in place.
The most frequent reason sited was that the cyberthreats they had experienced have not been serious enough, according to an Osterman Research survey of 120 security and business executives at large companies.
Another 36 percent said that the cost of the technology is too high.
But threat intelligence is a broad category, said DomainTools CEO Tim Chen. It covers everything from free Web-based, open-sourced data that's available to anyone who can find it to threat intelligence platforms that are sold independently or are embedded in bigger solutions or SIEM products.
"When people complain that it's expensive and they can't afford it, they're talking about some of these more sophisticated platforms," said Chen.
But even free or low-cost resources can be useful for investigators trying to analyze a threat.
For example, according to Helming, identifying a piece of malware can tell a company about who the attackers are.
"Then often you can find information about what their MO is," he said. "Such as, this attack group spreads malware through phishing attacks. Or this group tries to send downloadable malware files as email attachments."
That can help a company zero in on the attackers' access point.
A toe-hold can start with something as small as a domain name, he said.
Using online domain lookup tools, investigators can often tell if it's a legitimate domain hijacked by criminals, or a domain associated with other nefarious organizations and activities.
"That can help close that visibility gap," he said.
According to the Osterman report, this kind of painstaking manual investigation can take weeks -- and isn't worth the hassle for smaller incursions.
And that could be be a problem.
"We've all seen that the leading edge of a very serious breach might look like something that's not a big deal," said Chen.
"However, current-generation tools make the process of attack attribution much more cost effective," said the report.
Security researchers understand the value of threat intelligence, Helming said.
According to the survey, 82 percent said they would use it all the time if it was available to them.