The recent intrusion in which an Iranian government-sponsored APT group compromised a Federal Civilian Executive Branch (FCEB) organization is an excellent case study in how hard it is to defend against motivated and persistent attackers.
There are several key lessons to take away from it. The first is the importance of regular vulnerability scanning across the entire estate, including internet-facing servers and the third-party software running on them: here, that would have identified the initial access vector, Log4Shell (CVE-2021-44228), before it was exploited. One caveat: a Log4j flaw lives inside an application's jar files, so the scan must be able to see bundled libraries, not just open ports and service banners.
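To show what "scanning the estate" has to include for a bug like Log4Shell, here is an added example written for this page (not the article's code, nor any vendor's scanner). A network scanner only sees services it can reach and fingerprint, so the reliable check is a file-level sweep: walk the filesystem, open every jar/war/ear, recurse into archives nested inside them, and report any that still carry JndiLookup.class with a log4j-core version below 2.16.0 (2.15.0 included, since its fix was incomplete, CVE-2021-45046). The version cut-off, the reliance on the manifest's Implementation-Version, and the sample archives it builds in a temp directory are all assumptions or constructed data for the demo.

```python
"""Sweep a directory tree for Log4j 2 archives exposed to Log4Shell (CVE-2021-44228).

Added example, not code from the original article. Rule: report any jar, war
or ear (including archives nested inside another archive) that still contains
JndiLookup.class and whose log4j-core version is below 2.16.0. The version is
read from META-INF/MANIFEST.MF or, failing that, from the file name.
The sample archives are constructed in a temp directory so this runs offline.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FILENAME_VERSION = re.compile(r"log4j-core-(\d+\.\d+\.\d+)")
FIXED_IN = (2, 16, 0)   # assumption for the demo: anything below this is reported


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string does not look like a version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(zf, label):
    """Best-effort log4j-core version: manifest first, then the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                version = parse_version(line.split(":", 1)[1].strip())
                if version:
                    return version
    except KeyError:
        pass
    m = FILENAME_VERSION.search(label)
    return parse_version(m.group(1)) if m else None


def inspect_archive(zf, label):
    """Yield findings for this archive and, recursively, for archives nested in it."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        version = jar_version(zf, label)
        if version is None or version < FIXED_IN:   # unknown version counts as exposed
            yield {"archive": label, "version": version}
    for entry in names:
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                    yield from inspect_archive(inner, f"{label}!{entry}")
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Findings for every archive under `root`, labelled by path relative to it."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path.relative_to(root).as_posix()))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree():
    """Constructed data: four apps, of which only app1 and app4 should be reported."""
    root = Path(tempfile.mkdtemp(prefix="log4shell-demo-"))

    def write_jar(path, version, with_jndi=True, extra=None):
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stand-in for class bytes
            for name, data in (extra or {}).items():
                zf.writestr(name, data)

    write_jar(root / "app1/lib/log4j-core-2.14.1.jar", "2.14.1")         # vulnerable
    write_jar(root / "app2/lib/log4j-core-2.17.1.jar", "2.17.1")         # patched
    write_jar(root / "app3/lib/log4j-core-2.14.1.jar", "2.14.1", False)  # class deleted
    nested = io.BytesIO()                                                # 2.15.0 inside a war
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.15.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    write_jar(root / "app4/service.war", "1.0", False,
              {"WEB-INF/lib/log4j-core-2.15.0.jar": nested.getvalue()})
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it as-is to see the two expected findings (app1's 2.14.1 jar and the 2.15.0 jar buried in app4's war); point `scan_tree` at a real application root to use it for a sweep. The nested-archive recursion is the part most ad-hoc scripts skipped in 2021, and it is why fat jars and wars kept turning up vulnerable weeks after the "all patched" declaration.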
Hardening end-user devices (EUDs) is equally crucial: it limits the damage a compromised workstation can do and makes lateral movement harder, for example by removing standing local administrator rights and blocking workstation-to-workstation RDP and SMB. Servers should be hardened in the same spirit, both to reduce the likelihood of an initial compromise and to stop a compromised server from becoming a pivot into the rest of the network.
It is also vital to monitor the creation of new accounts closely, and above all any change to the membership of the Domain Admins group and the other built-in privileged groups: an account that is created and then elevated within minutes is a classic attacker pattern. Alongside that, monitor for unusual RDP access, meaning RDP logons from hosts or accounts that do not normally use it, or to sensitive systems such as domain controllers, because this is a tell-tale sign of lateral movement by a threat actor.
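The detections just described, as an added example written for this page (not the article's or any SIEM vendor's rules). It runs four rules over a handful of constructed Windows Security events: new-account creation, membership changes to privileged groups, RDP logons that fall outside a source-to-target baseline, and the chained pattern of an account being created and then elevated within a short window. The event IDs are the standard ones (4720, 4728/4732/4756, 4624 with LogonType 10); the sample events, the host names and the RDP baseline are constructed assumptions.

```python
"""Detection logic for the two signals the article calls out: new accounts
that quickly land in a privileged group, and RDP logons that do not fit normal
patterns. Added example, not code from the original article. Event IDs are the
standard Windows Security ones: 4720 (user account created), 4728/4732/4756
(member added to a security-enabled global/local/universal group; Domain Admins
is a global group) and 4624 with LogonType 10 (RemoteInteractive, i.e. RDP).
The events and the RDP baseline below are constructed for the demo.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
RDP_LOGON_TYPE = 10

# Constructed baseline: which source hosts normally open RDP sessions to which targets.
RDP_BASELINE = {"JUMP01": {"DC01", "FS01"}, "ADMIN-WS": {"DC01"}}

# Constructed sample events (a subset of Security log fields). 'Computer' is the
# host that logged the event, i.e. the RDP target for a 4624.
SAMPLE_EVENTS = [
    {"Time": "2022-11-10T02:13:05Z", "EventID": 4720, "Computer": "DC01",
     "SubjectUserName": "jsmith", "TargetUserName": "svc_backup2"},
    {"Time": "2022-11-10T02:14:40Z", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=local"},
    {"Time": "2022-11-10T02:20:11Z", "EventID": 4624, "Computer": "DC01",
     "LogonType": 10, "TargetUserName": "svc_backup2", "WorkstationName": "WEB01"},
    {"Time": "2022-11-10T08:01:00Z", "EventID": 4624, "Computer": "DC01",
     "LogonType": 10, "TargetUserName": "admin.jane", "WorkstationName": "JUMP01"},
    {"Time": "2022-11-10T08:05:00Z", "EventID": 4624, "Computer": "FS01",
     "LogonType": 3, "TargetUserName": "svc_backup2", "WorkstationName": "WEB01"},
    {"Time": "2022-11-10T09:30:00Z", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "hr.bot", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=local"},
]


def _ts(time_str):
    return datetime.fromisoformat(time_str.replace("Z", "+00:00"))


def _cn(member_dn):
    """'CN=svc_backup2,CN=Users,DC=corp,DC=local' -> 'svc_backup2'."""
    first = member_dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def new_accounts(events):
    """Every 4720 as (account, created_by, time)."""
    return [(e["TargetUserName"], e["SubjectUserName"], e["Time"])
            for e in events if e["EventID"] == 4720]


def privileged_group_adds(events):
    """Membership changes whose target group is privileged: (member, group, by, time)."""
    return [(_cn(e["MemberName"]), e["TargetUserName"], e["SubjectUserName"], e["Time"])
            for e in events
            if e["EventID"] in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS]


def unusual_rdp(events, baseline=RDP_BASELINE):
    """RDP logons (4624, type 10) whose source->target pair is not in the baseline."""
    return [(e["WorkstationName"], e["Computer"], e["TargetUserName"], e["Time"])
            for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == RDP_LOGON_TYPE
            and e["Computer"] not in baseline.get(e.get("WorkstationName", ""), set())]


def fresh_account_to_admin(events, window_minutes=24 * 60):
    """Chain rule: an account created and then added to a privileged group within
    the window. Each event alone may be routine admin work; the sequence is not."""
    window = timedelta(minutes=window_minutes)
    created = {name: _ts(t) for name, _by, t in new_accounts(events)}
    hits = []
    for member, group, by, t in privileged_group_adds(events):
        if member in created:
            age = _ts(t) - created[member]
            if timedelta(0) <= age <= window:
                hits.append({"account": member, "group": group, "added_by": by,
                             "minutes_after_creation": round(age.total_seconds() / 60, 1)})
    return hits


def run_detections(events, baseline=RDP_BASELINE):
    """All four rules over one batch of events."""
    return {
        "new_accounts": new_accounts(events),
        "privileged_group_adds": privileged_group_adds(events),
        "unusual_rdp": unusual_rdp(events, baseline),
        "fresh_account_to_admin": fresh_account_to_admin(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

On the sample data the Domain Users change and the JUMP01 session are correctly ignored, while svc_backup2 trips all four rules. In production the same logic sits in a SIEM query; the point is that the group-membership and RDP events must actually be collected from domain controllers and servers, and that the chained rule is far lower-noise than alerting on every 4720.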
Finally, an assumed-breach assessment or a purple-team exercise will show which of these controls actually detect or block the relevant behaviour; mapping the results to the MITRE ATT&CK framework makes the gaps explicit and gives the defensive work a priority order.