Posted: Mon Jan 22, 2018 7:29 am
Data breach attackers not being caught: there are a lot of reasons, including:
1) Law enforcement focus/resources. The FBI has 600 technical agents worldwide; there just aren't enough of them to look at any but the largest cases, in general.
2) IT and forensic screwups. IT, even when they're not directly involved, have hosed many, many sets of evidence. And our personal experience is that IT is involved in a significant number of cases. We've also seen Big Four consultancies hose up evidence; we had a large case in 2016 where the Big Four firm literally lost 6 of 30 PC evidence images, and another 7 were contaminated in some way: image was truncated, a second image was put on the storage medium (integrity), file dates were showing activity 6 months after acquisition date (breaking chain of custody), and mismatches between chain of custody docs and hardware (labeling wrong, serial number wrong, etc.).
3) Failure to log. Cloud is great, but cloud with no preservation of logging after VMs are terminated is not so great.
If you look at a number of the breaches, however, oftentimes the failures occurred much earlier.
Experian, for example. While failure to identify and patch the Struts vuln was the proximate cause for that breach, the true failure was the organizational failure to segment that customer service database. It is pure laziness that permitted decades of customer service calls to be stored in the active customer service database - which is why that breach was so large.
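The evidence-contamination modes listed in point 2 (truncated image, altered or overwritten image, serial/label mismatch against the chain-of-custody paperwork, file activity dated after acquisition) can be checked mechanically when images come back from a third party. The following is an added example, not code from the poster; the manifest, labels, serials, dates and image bytes are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed "good" image and the chain-of-custody record written at acquisition time.
GOOD_IMAGE = b"constructed-evidence-image-PC-07\n" * 64
MANIFEST = {
    "PC-07": {
        "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
        "size": len(GOOD_IMAGE),
        "serial": "SN-CONSTRUCTED-0007",      # drive serial recorded on the custody form
        "acquired": "2016-03-01T10:00:00Z",   # acquisition timestamp on the custody form
    },
}


def _parse_utc(iso):
    # Accept the trailing "Z" form used in the manifest.
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def verify_image(label, image_bytes, observed_serial, newest_file_mtime, manifest=MANIFEST):
    """Compare a returned image against its custody record.

    Returns a list of finding codes; an empty list means the image is consistent
    with the paperwork. Each code maps to one failure mode described in the post.
    """
    rec = manifest.get(label)
    if rec is None:
        return ["UNKNOWN_LABEL"]            # labeling wrong: no record for this label
    findings = []
    if len(image_bytes) != rec["size"]:
        findings.append("TRUNCATED")        # image shorter/longer than what was acquired
    if hashlib.sha256(image_bytes).hexdigest() != rec["sha256"]:
        findings.append("HASH_MISMATCH")    # contents altered, or a second image written over it
    if observed_serial != rec["serial"]:
        findings.append("SERIAL_MISMATCH")  # hardware does not match the custody form
    if _parse_utc(newest_file_mtime) > _parse_utc(rec["acquired"]):
        findings.append("POST_ACQUISITION_ACTIVITY")  # dates later than acquisition break custody
    return findings


if __name__ == "__main__":
    print(verify_image("PC-07", GOOD_IMAGE, "SN-CONSTRUCTED-0007", "2016-03-01T09:55:00Z"))
    print(verify_image("PC-07", GOOD_IMAGE[:-100], "SN-CONSTRUCTED-0007", "2016-09-02T08:00:00Z"))
```

Run against a real case, the manifest would be loaded from the signed custody documents and the hash recomputed over the image file on the storage medium as received.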