13.14 Lessons Learned

2–3 hours · Module 13

Lessons Learned

The formal post-incident review. Every incident should produce a lessons learned document that answers: what went well, what could be improved, and what specific actions will be taken.

What went well

  • Detection time: 23 minutes from email delivery to first alert (ZAP verdict change). Within expected parameters for a novel AiTM URL.
  • Containment time: 8 minutes from triage start to full containment. Pre-built investigation queries and a clear playbook enabled rapid response.
  • Campaign tracking: Detection maturity improved from reactive (Wave 1) to preventive (Waves 4-5) within 48 hours.
  • Zero successful replays in Waves 2-5. Each wave was detected and contained before any credential replay occurred.
  • Cross-product correlation: Defender XDR correctly correlated the phishing email alert with the suspicious sign-in alert into a single incident.

What could be improved

  • 23-minute detection gap. ZAP removed the email from 4 mailboxes, but 19 were accessible for 23 minutes. During this window, 7 users clicked and 5 reached the proxy page. Faster URL detonation or Safe Links block mode (instead of warn mode) would reduce this window.
  • No device compliance requirement. The conditional access gap that allowed the token replay was known but not addressed before the incident. The gap existed for 6 months on the security roadmap without implementation.
  • MFA method. Authenticator app push is vulnerable to AiTM. FIDO2 deployment had been deprioritised due to hardware cost.
  • User behaviour. 5 of 7 users who saw the Safe Links warning clicked through anyway. Security awareness training on Safe Links warnings was not part of the regular training programme.

Improvement actions

Action                                                     | Owner           | Deadline                 | Status
-----------------------------------------------------------|-----------------|--------------------------|------------
Deploy device compliance CA policy for Exchange/SharePoint | Security team   | Deployed during incident | Complete
Block legacy authentication                                | Security team   | Deployed during incident | Complete
FIDO2 Phase 1 (admins)                                     | IT + Security   | 2 weeks                  | In progress
FIDO2 Phase 2 (executives + finance)                       | IT + Security   | 6 weeks                  | Procurement
Safe Links: evaluate block mode vs warn mode               | Security team   | 4 weeks                  | Planned
Targeted phishing awareness training (finance)             | HR + Security   | 4 weeks                  | Planned
Quarterly phishing simulation programme                    | Security team   | 8 weeks                  | Planned
Review and close all overdue security roadmap items        | CISO            | 2 weeks                  | Planned

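The two "Complete" actions above (compliant-device requirement for Exchange/SharePoint, legacy authentication block) are the controls that would have stopped the token replay. As an added example that is not part of the module, this Microsoft Graph PowerShell script creates both policies in report-only mode so the sign-in impact can be reviewed before enforcement; the break-glass group ID is a placeholder you must replace, and the two application IDs are the well-known Office 365 Exchange Online and SharePoint Online service principals.

```powershell
# Added example: create the two conditional access policies from the improvement table.
# Requires the Microsoft.Graph.Identity.SignIns module and an account that can manage CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: object ID of your emergency-access (break-glass) group, always excluded from CA.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Well-known first-party application IDs (not tenant-specific).
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

# Policy 1: require a compliant (or hybrid-joined) device for Exchange and SharePoint.
# A stolen session token replayed from an attacker's unmanaged host fails this control.
$compliantDevicePolicy = @{
    displayName   = "CA-Require compliant device - Exchange and SharePoint"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice")
    }
}

# Policy 2: block legacy authentication protocols, which cannot satisfy device or MFA controls.
$blockLegacyAuthPolicy = @{
    displayName   = "CA-Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = basic auth clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($compliantDevicePolicy, $blockLegacyAuthPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created policy '$($created.DisplayName)' with id $($created.Id) in state $($created.State)"
}
```

Review the report-only results in the Entra sign-in logs for a few days, then change `state` to `enabled`; the 15-minute configuration change the text refers to is the policy creation itself, not the review period.
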
The most important lesson

The conditional access gap that allowed this attack was known for 6 months. It was on the security roadmap. It was not implemented because it was not prioritised. This incident cost 40+ hours of analyst time, a regulatory assessment, management reporting, and emergency hardware procurement. The configuration change took 15 minutes. Known gaps that are not remediated are not gaps — they are accepted risks. Make sure someone is explicitly accepting them.

Check your understanding

1. The device compliance policy had been on the security roadmap for 6 months but was not implemented. What organisational change would prevent this from happening again?

Hire more security staff
Implement all recommendations immediately
Require explicit risk acceptance from the CISO or CTO for any security roadmap item that is overdue by more than 90 days. This creates accountability — someone must sign off on the decision to delay, rather than items silently ageing on a backlog.