Many entities that are compromised by APT remain so even after they’ve instituted measures to rid themselves of the intruders, Mandia says. If they do manage to eradicate the intruders, the most they can hope for is a three- to six-month respite before the attackers return.
The worst thing a company can do when it discovers a breach is to shut down an infected system or pull it off the internet before understanding the full extent of the intrusion. If it does, the attackers simply switch tactics and shift their activity to footholds elsewhere in the network, which the company has not yet found.
“If you do a remediation effort that fails, the sophistication of the next wave you deal with is higher,” Mandia says.
(Yeah, I know Clay Shirky says we should call it filter failure.) But really. If only they had enough resources, everyone would have this stuff on their machines.