Tuesday, December 12, 2023

Part One: Effortless Credential Harvesting



"...Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) group—basically the country’s chief hacker—gave a rare public talk at a conference in January. In essence, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks: “A lot of people think that nation states are running their operations on zero days, but it’s not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive..."

Quote from Bruce Schneier, https://www.schneier.com/blog/archives/2016/05/credential_stea.html

BOTTOM LINE UP FRONT

An effective Cyber Security Program is all about risk mitigation, and resources are a factor: budget and labor dollars are always being scrutinized by the Business.

Sadly, these same Business folks read... they read Cyber Security FUD [Fear, Uncertainty and Doubt], and they love to give you advice!

Ensure that your Enterprise Risk Register is a well-discussed topic at your Steering Committee Meetings!

Here are a few excellent references on "Credential Harvesting". Add this as a high priority on your Cyber Security Project Roadmap for next quarter.

SOME EXCELLENT REFERENCES:

Credential Harvesting

Windows Credential Manager Mitigations

Windows Credential Harvesting Quick Guide

Adventures in Windows Credential Harvesting