Lessons learned
Every time an incident comes to its closure, you should not only document each step that was done during the investigation but also make sure that you identify key aspects of the investigation that need to be reviewed to either be improved or fixed if they didn’t work so well. The lessons learned are crucial for the continuous improvement of the process, and to avoid making the same mistakes again.
In both cases presented in this chapter, a credential theft tool was used to gain access to a user’s credentials and escalate privileges. Attacks against a user’s credentials are a growing threat and the solution is not based on a silver bullet product; instead, it is an aggregation of tasks, such as:
- Reducing the number of administrative-level accounts and eliminating administrative accounts in local computers. Regular users shouldn’t be administrators on their own workstations.
- Using multifactor authentication as much as...