In many cases, attackers take control of multiple systems and multiple accounts once they get into a network. They can drop multiple malware packets, each carrying a different payload. They also often disguise themselves to appear as legitimate users on the network and often delete log files or put in fake logs to throw administrators off their trail.
"If you suddenly take a subset of host systems offline, they are just going to switch their MO midstream," Carey said. "They will change their attack vector. They will drop multiple different toolkits. They'll even throw stuff out there that they'll want you to find so you think you have found them.
"It's no surprise at all that some of these big companies are taking weeks to find out what's going on," he added.
Sign up for MIS Asia eNewsletters.