Isolated Communication Platforms for Security Teams
I fail to understand why it hasn't become best (or even common) practice for security teams to utilise an isolated communications platform that is not tied to their organisation's Active Directory (AD) infrastructure for authentication and authorisation (auth/authz).
Refer to slide 80 for more explanation.
As technology has advanced, so too have our security boundaries shifted.
Instead of solely defending the network perimeter, blue teams now focus on defending assets (often in some order of priority).
Regardless, domain (and enterprise) administrator privileges remain the most targeted because of their versatility.
In the event that the organisation's AD is compromised, all corporate services (including email) must be considered compromised as well.
Most pentesters have at least one war story in which acquired privileges were also used to monitor blue team members in order to stay 'one step ahead'.
With full control of all IT assets now shared with their attackers, how could discussing incident details (or worse, the details of tricky security mechanisms) over a compromised channel (e.g. corporate email) be anything but a disservice to the blue team's efforts to reclaim their organisation and network?