Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt down threat actors inside their environment, putting a halt to their malicious activities before they can fully accomplish their goals.
Ransomware compromises, which usually involve data exfiltration, are not fast nor swift. Attackers need time to find their way in the network, including identifying the databases with the relevant information they are seeking, to exfiltrate the information and finally to deploy the ransomware.
Source: Cisco Talos