Should we distinguish between information disclosure (attacker learns information it should not have) vs attacker obtains control of a credential that it can use to impersonate a workload, perform lateral moves or elevate privilege?
I think so. There is an intersection between lateral movement capability and information disclosure, but they are not the same thing and it's probably important to differentiate the different outcomes.