These are the recommendations carried forward from the engagement for a production version of this estate, ordered by time horizon, quickest to apply first. Each one traces to something this engagement actually demonstrated.
- Adopt a managed password vault. The single highest-impact day-one finding was one password reused across the entire estate. A shared vault removes the reuse pattern at the root.
- Enable multi-factor authentication on every administrative and domain account. None had it.
- Deploy LAPS (Local Administrator Password Solution) so local administrator passwords are randomized per host and centrally managed.
- Alert on telemetry agents going offline. In SO-2 the red team deleted the Security Onion agent to blind the SIEM, and the silence was misread as calm. An agent going dark must itself raise an alert.
- Establish a patch cadence - monthly cumulative patching plus emergency patches within 72 hours of a relevant CVE. The estate carried roughly 17,600 vulnerability instances and multiple end-of-life operating systems on day one.
- Enforce DMZ-to-LAN segmentation with explicit allow rules. The flat topology meant a single web-application compromise had unrestricted reach into the internal network.
- Apply egress filtering. The reverse shell in SO-2 depended on an outbound callback to a command-and-control host; an egress allow-list would have broken the attack at that point.
- Remove world-writable upload directories and validate file uploads. The red team's initial foothold was a web shell dropped into a world-writable directory.
- Deploy behavioral EDR on every host, for detection beyond signature matching.
- Maintain an auto-discovered asset inventory. The deployed estate did not match the paperwork - addressing, segmentation, and host count all differed. An inventory sourced from discovery rather than manual entry keeps that gap from reopening.
- Run continuous vulnerability management. The configuration assessment and vulnerability scanner gave excellent visibility during the engagement; automated, tracked remediation is the missing half.
- Keep incident-response runbooks and rehearse them. Response under time pressure is a perishable skill. The unplanned domain-controller recovery on Day 3 went smoothly only because the change registry made it a rehearsed replay rather than an improvisation.
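The fourth recommendation above, alerting when a telemetry agent goes dark, is simple to state and easy to get wrong: a detector that only reacts to events it receives can never notice their absence. The checker below is an added example written for this page, not Security Onion's own logic; it expects a host list from the asset inventory and treats a missing or stale heartbeat as the alert condition. The heartbeat lines are constructed, and their field names (`ts`, `host`, `agent`, `status`) are assumptions rather than a real agent schema.

```python
"""Added example: flag telemetry agents whose heartbeats have stopped.

The absence of a heartbeat is the signal. A host that was deleted from the
sensor, had its agent killed, or never reported at all must show up here,
which is why the expected host set comes from the inventory and not from
the heartbeat stream itself.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed heartbeat stream (assumed schema): one JSON object per line.
# web01 reports once at 10:00 and then goes silent; db01 never reports.
SAMPLE_HEARTBEATS = """\
{"ts": "2024-05-01T10:00:00Z", "host": "web01", "agent": "so-agent", "status": "ok"}
{"ts": "2024-05-01T10:00:00Z", "host": "dc01", "agent": "so-agent", "status": "ok"}
{"ts": "2024-05-01T10:00:00Z", "host": "file01", "agent": "so-agent", "status": "ok"}
{"ts": "2024-05-01T10:05:00Z", "host": "dc01", "agent": "so-agent", "status": "ok"}
{"ts": "2024-05-01T10:05:00Z", "host": "file01", "agent": "so-agent", "status": "ok"}
{"ts": "2024-05-01T10:10:00Z", "host": "dc01", "agent": "so-agent", "status": "ok"}
{"ts": "2024-05-01T10:10:00Z", "host": "file01", "agent": "so-agent", "status": "ok"}
"""

HEARTBEAT_INTERVAL = timedelta(minutes=5)   # assumed agent check-in period
MISSED_BEATS_BEFORE_ALERT = 2               # tolerate one dropped beat, alert on the second


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen_by_host(lines):
    """Return {host: latest heartbeat timestamp} from JSON heartbeat lines."""
    seen = {}
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        ts = parse_ts(event["ts"])
        host = event["host"]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(expected_hosts, seen, now, interval=HEARTBEAT_INTERVAL,
                 missed=MISSED_BEATS_BEFORE_ALERT):
    """Return a sorted list of (host, reason) for agents that should alert.

    A host is silent when its last heartbeat is at least `missed` intervals
    old, or when the inventory expects it and it has never reported.
    """
    deadline = interval * missed
    alerts = []
    for host in sorted(expected_hosts):
        last = seen.get(host)
        if last is None:
            alerts.append((host, "never reported"))
        elif now - last >= deadline:
            minutes = int((now - last).total_seconds() // 60)
            alerts.append((host, f"silent for {minutes} min"))
    return alerts


if __name__ == "__main__":
    inventory = {"web01", "dc01", "file01", "db01"}   # constructed asset list
    now = parse_ts("2024-05-01T10:12:00Z")
    for host, reason in silent_hosts(inventory, last_seen_by_host(SAMPLE_HEARTBEATS), now):
        print(f"ALERT agent-offline host={host} reason={reason}")
```

Run as a scheduled job with `now` taken from the clock, this fires for `web01` (last beat 12 minutes old) and `db01` (never reported) while the hosts still checking in stay quiet. The tolerance of one missed beat avoids paging on a single dropped packet; lower `MISSED_BEATS_BEFORE_ALERT` to 1 if the agent interval is long enough that a single gap already matters.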
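The upload recommendation above bundles two separate controls: the directory must not be world-writable, and the upload handler must not let the client decide what gets stored or where. The following is an added example written for this page, not code from the engaged estate's application; it shows the trusting handler beside a hardened one. The web-shell bytes, the image prefixes, the allow-list and the directory names are all constructed for illustration.

```python
"""Added example: a trusting upload handler beside a hardened one.

The 'before' function is the pattern that let a web shell land in a
world-writable directory. The hardened path checks the directory mode,
decides the file type from content rather than the client's name, and
derives the stored name from the content hash so the client never chooses
it (no traversal, no .php, no double extension).
"""
import hashlib
import os
import stat

# Constructed payload: a one-line PHP web shell of the kind the report describes.
WEB_SHELL = b"<?php system($_GET['c']); ?>"
# Constructed image bodies: real magic bytes followed by filler.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 64
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

# Assumed allow-list: extension -> magic-byte prefix the content must carry.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def vulnerable_upload(filename, upload_dir):
    """'Before' version: trusts the client's filename and extension.

    '../shell.php' and 'shell.php' both pass straight through, and if
    upload_dir is world-writable and served by the web server, the result
    is a web shell reachable over HTTP.
    """
    return os.path.join(upload_dir, filename)


def is_world_writable_mode(mode):
    """True if the 'other' write bit is set (e.g. 0o777 or 0o1777)."""
    return bool(mode & stat.S_IWOTH)


def validate_upload(filename, data):
    """Return (True, safe_name) or (False, reason) for a proposed upload."""
    # Normalise separators first so a backslash traversal from a Windows
    # client is stripped the same way as a forward-slash one.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension {ext!r} not on allow-list"
    if not data.startswith(magic):
        return False, f"content does not match {ext}"
    safe_name = hashlib.sha256(data).hexdigest()[:32] + "." + ext
    return True, safe_name


def hardened_upload(filename, data, upload_dir):
    """Return the path to store the file at, or raise ValueError.

    The directory check runs first: if the directory is world-writable the
    handler refuses to serve as the one 'legitimate' writer into it.
    """
    if is_world_writable_mode(os.stat(upload_dir).st_mode):
        raise ValueError(f"{upload_dir} is world-writable; refusing to store")
    ok, detail = validate_upload(filename, data)
    if not ok:
        raise ValueError(detail)
    return os.path.join(upload_dir, detail)


if __name__ == "__main__":
    import tempfile

    upload_dir = tempfile.mkdtemp()
    os.chmod(upload_dir, 0o755)
    print("before:", vulnerable_upload("../shell.php", "/var/www/uploads"))
    for name, body in [("shell.php", WEB_SHELL), ("shell.php.jpg", WEB_SHELL),
                       ("../../photo.png", PNG_BYTES), ("photo.JPG", JPEG_BYTES)]:
        try:
            print("after: ", name, "->", hardened_upload(name, body, upload_dir))
        except ValueError as err:
            print("after: ", name, "-> rejected:", err)
    os.chmod(upload_dir, 0o777)
    try:
        hardened_upload("photo.jpg", JPEG_BYTES, upload_dir)
    except ValueError as err:
        print("after:  world-writable dir ->", err)
```

Two points are worth keeping from this even if the framework differs. The stored name comes from the content, so the attacker cannot pick `.php`, `.phtml`, or a traversal prefix; and the magic-byte check stops `shell.php.jpg` without needing a list of every dangerous extension. Storing uploads outside the web root, or on a mount with execution disabled, is the belt to this pair of braces.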
The pattern across all twelve is the same: the engagement won where a control was in place before it was needed - the pre-cached blocklist, the rotated credentials, the detection layer, the change registry - and lost time wherever a control was reactive. Every recommendation above is a way of moving one more control from reactive to ready.