The step that is missing here is what happens, following the breach and the subsequent cleanup of the mess. When a breach occurs, the cold hearted truth here, the part where I say the quiet part out loud, is that preparations failed as a result of People, Process, or Technology. Perhaps because the Risk Assessment wasn't done correctly (or at all). Perhaps there was a modicum of incompetence in the practitioners or in the organizational leadership complaining of a strained budget, thus, skimping on resources. Whatever the cause, the problem here is that someone screwed up.
The after action review needs to immediately follow that needs to show what went wrong, with the accountability necessary to remove the people, processes and technology that failed, followed immediately by the corrective actions to all three of these.
I maintain that the feel-good-ism, don't-offend-people, that permeates the workplace these days has no place in the security department. Emotional feelings and "understanding" often hide the real problem - someone at BeyondTrust and/or the Treasury royally screwed up and needs to pay the price. Unfortunately, we will probably never know, if at all, what the outcome of this was.
Very rarely does a zero-day occur that is so completely unconventional that it takes people by surprise. This is why I have zero sympathy here - because the government trusted an organization that turned out to be incompetent and/or not vigilant enough to see what was coming.
/r
