Re: What can reasonably be accomplished in three da
Your post suggests you've never done this before. Consider:
1. Spear phishing attack nets the credentials of employee A.
2. A's credentials are used to access sensitive data B. A normally has access to B so this doesn't set off any alarms.
3. A's credentials are used to plant malicious code on an internal web site.
4. Malicious code nets credentials of employee C and D and E (and a dozen others).
5. A separate attacker probes C's access, digs through source code repository.
6. Source code review yields an exploitable vulnerability in an internal system.
7. Staging from D's workstation, internal system F is cracked using discovered vulnerability. This gives them access to credentials that are trusted by system G.
8. Staging from E's workstation, sensitive system G is accessed using credentials stolen from F.
9. An administrator on G notices that something is amiss.
So now that you've discovered the breach, the clock starts.
10. G contacts E to ask what's going on, but E's at home asleep.
11. E's workstation is taken offline and forensics begins.
12. The credentials stolen from F are used on several systems because the developer re-used them, so it takes a while to figure out that F was where they were stolen from. The attackers covered their tracks, but a sharp-eyed engineer found access attempts in an unrelated daemon's logs from D.
13. D is contacted, and has no explanation. It's possible he would have accessed that system, but he can't remember. But your guys are smart, so you check his system for malware just in case.
14. Malware found on D. How did it get there? He exchanges software with a 3rd party all the time, so you spend some time scanning what he's downloaded, turning up nothing, so then you go through his e-mail, and find a short e-mail with a link from a colleague that seems out of place. The URL doesn't look suspicious (the vulnerability was removed by the attackers after it was used), so you set it aside.
15. You get stuck, so you go back to that e-mail again, one item of many presumed false leads, and realize that A didn't remember sending it.
16. Malware found on A, spear phishing e-mail found.
17. Logs of systems scoured for activity from A, sensitive access to B found.
18. A's outbound e-mail checked, e-mail to C (and dozens of others) found that looks similarly suspicious.
19. Logs of systems scoured for activity from C, accesses to source code repository found.
20. The dozens of others also affected are investigated to see what systems they accessed, just in case there's more.
21. What did you miss? Was there anything else? Keep looking. Are you sure that's it? Keep looking.
This is all "best-case" and you haven't even started trying to identify the attackers yet, much less assembling a report.
It's easy to play the armchair security consultant and talk about "proper log handling and log analysis" as though that's the magic bullet. Do you think that every company subject to this law has "proper log handling and log analysis" covering every component of every internal system on their network? Do you think even a majority of companies have this?
Do you think it's typical that every system in this chain of investigation will have all of the logs needed to proceed to the next step? Do you think those doing the investigations will always have easy access to these logs? That they will spot patterns that look like normal accesses but really came from an unauthorized attacker? Do you think they will even have access to the systems in question without having to track down an administrator?
There are companies that have the forethought (or experience) to make such a forensic exercise relatively fast and accurate, but these companies are the exception, not the rule, and even for those that have their shit together, investigations like this could take WEEKS to reach a meaningful conclusion about what data was compromised. You might know *something* after 72 hours, but in many cases this will be far from a "full report".
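Steps 9 to 13 above are a backwards pivot between stolen credentials and the workstations they were used from. As an added example (mine, not the commenter's), here is that pivot run over a constructed auth log; the log format, host names and account names are all assumed.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime

Event = namedtuple("Event", "time user src dst")

# Constructed sample auth log (assumed format: time account src_host dst_host), not from the post.
SAMPLE_LOG = """\
2013-03-01T09:12:00 alice ws-alice fileshare-b
2013-03-02T08:05:00 dave  ws-dave  intranet-web
2013-03-02T08:06:00 erin  ws-erin  intranet-web
2013-03-03T22:10:00 dave  ws-dave  srv-f
2013-03-03T22:30:00 svc_f ws-dave  srv-f
2013-03-04T01:15:00 svc_f ws-erin  srv-g
2013-03-04T01:20:00 svc_f ws-erin  srv-h
"""

def parse_log(text):
    """One Event per non-empty line, sorted by time."""
    rows = (ln.split() for ln in text.splitlines() if ln.strip())
    return sorted(Event(datetime.fromisoformat(t), u, s, d) for t, u, s, d in rows)

def pivot_chain(events, alert_user, alert_src, alert_time, max_depth=4):
    """Breadth-first pivot: a tainted account taints every host it was used from, and a
    tainted host taints every account used from it. Only events up to the alert count."""
    by_user, by_src = defaultdict(list), defaultdict(list)
    for e in events:
        if e.time <= alert_time:
            by_user[e.user].append(e)
            by_src[e.src].append(e)
    start = [("user", alert_user), ("host", alert_src)]
    seen, queue, pivots = set(start), deque((n, 0) for n in start), []
    while queue:
        (kind, name), depth = queue.popleft()
        if depth >= max_depth:
            continue
        for e in (by_user[name] if kind == "user" else by_src[name]):
            nxt = ("host", e.src) if kind == "user" else ("user", e.user)
            if nxt not in seen:  # new lead: keep the evidence event and pivot from it
                seen.add(nxt)
                pivots.append((depth + 1, f"{kind} {name} -> {nxt[0]} {nxt[1]}", e))
                queue.append((nxt, depth + 1))
    return pivots

def investigate(log_text, alert_user, alert_src, alert_time):
    """Pivot leads with evidence timestamps, plus every system the alerting account
    reached: a long list is the credential reuse that blurs where it was stolen from."""
    events = parse_log(log_text)
    pivots = pivot_chain(events, alert_user, alert_src, datetime.fromisoformat(alert_time))
    leads = [f"{d}: {desc} ({e.time.isoformat()})" for d, desc, e in pivots]
    return leads, sorted({e.dst for e in events if e.user == alert_user})
```

Starting from the admin's alert on srv-g (the post's G), `investigate(SAMPLE_LOG, "svc_f", "ws-erin", "2013-03-04T01:15:00")` walks back to ws-dave and dave; the noise account alice is never touched, and the later 01:20 login is excluded by the time window.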