Compromised Credential Management

Credential compromise is a common attack vector. A fast, comprehensive response minimizes the exploitation window and prevents continued unauthorized access.

Types of Compromise

Phishing: A user enters credentials on a fake page. The compromise is usually detected through anomalous access attempts.

Credential Stuffing: An attacker uses credentials leaked from other services. It affects users who reuse passwords.

Malware/Keylogger: Malware captures credentials during typing or from local storage.

Data Breach: Credentials are exposed in a database leak. It can affect thousands of users at once.

Insider Threat: A malicious employee shares or sells credentials.

Detecting Compromise

Impossible Travel: Logins from geographically impossible locations within a short period (e.g., São Paulo and Tokyo within 1 hour).

Anomalous Access Patterns: Access outside usual hours, from unknown IPs, to resources uncommon for the user.

Multiple Failed Attempts: Repeated login attempts before success may indicate credential stuffing.

New Device/Browser: A login from a device or browser never used before, especially with suspicious geolocation.

Threat Intelligence: The organization's credentials appear in pastes, underground forums, or leaked databases.

Immediate Response

1. Disable the Account: Immediately suspend the compromised account to prevent further access. Balance urgency against operational impact.

2. Revoke Active Sessions: Terminate all of the user's active sessions across every system (SSO, VPN, applications).

3. Revoke Tokens: Invalidate API tokens, OAuth tokens, and mobile app tokens associated with the account.

4. Notify the User: Inform the user immediately about the compromise and provide instructions for next steps.

5. Investigate Activity: Analyze logs to identify which systems were accessed, which data was viewed, and which actions were performed.

Credential Rotation

User Accounts: Force a password reset via self-service or assisted process. Temporarily enforce stricter strong-password requirements.

Service Accounts: Rotate service account passwords, especially those with elevated privileges or access to critical systems.

API Keys: Revoke and reissue compromised API keys. Coordinate with development teams to update applications.

Certificates: If certificates are compromised, revoke them via CRL/OCSP and issue new certificates.

Secrets Management: Rotate secrets in vaults (HashiCorp Vault, AWS Secrets Manager) that may have been accessed.

Emergency MFA

If MFA was not enabled, implement it on an emergency basis:

Forced Enrollment: Require MFA configuration before allowing a new login after a password reset.

Prioritization: Implement first for privileged accounts, then accounts with access to sensitive data, and finally all users.

Secure Methods: Prefer authenticator apps (Google Authenticator, Microsoft Authenticator) or hardware tokens (YubiKey) over SMS, which is vulnerable to SIM swapping.

Identity Verification

Before re-enabling a compromised account, verify the user's identity:

Multi-Channel Verification: Confirm identity through multiple channels (corporate email, registered phone, in-person/video verification).

Knowledge-Based Authentication: Questions that only the legitimate user would know (not easily discoverable information).

Manager Approval: For sensitive accounts, require approval from the direct manager before reactivation.

Scope of Compromise

Assess the extent of the compromise:

Systems Accessed: List every system the account had permission to access and review access logs during the compromise period.

Data Viewed: Identify which sensitive data the attacker may have viewed or exfiltrated.

Changes Made: Look for data modifications, creation of backdoors, privilege escalation, and addition of new accounts.

Lateral Movement: Check whether credentials were used to access other systems or accounts (pass-the-hash, pass-the-ticket).

Access Re-certification

Use the incident as an opportunity to review access:

Access Review: Review the compromised account's permissions - remove unnecessary access before reactivation.

Least Privilege: Apply the principle of least privilege - the user should have only the access needed for their role.

Role-Based Access: Transition from ad-hoc permissions to well-defined roles.

Periodic Re-certification: Establish a process for periodic access re-certification (quarterly/semi-annually).

Privileged Accounts

Compromise of privileged accounts requires a more aggressive response:

Mass Rotation: Consider rotating all privileged credentials in the environment, not just the compromised one.

PAM (Privileged Access Management): Implement a PAM solution to manage, rotate, and audit the use of privileged credentials.

Just-in-Time Access: Transition to a JIT model where privileges are granted temporarily when needed.

Break-Glass Procedures: Maintain documented break-glass procedures for emergency access if administrative accounts are compromised.

Communication

Affected User: Notify clearly and quickly. Explain what happened, the risks, next steps, and how to get support.

IT Team: Alert technical teams about the compromise for monitoring of related activity.

Management: Inform management about the compromise of sensitive or at-scale accounts.

DPO/Legal: Involve the DPO and legal team if personal data may have been accessed (LGPD obligations).

Post-Incident Monitoring

After remediation, monitor closely:

Enhanced Logging: Temporarily increase the logging level for the affected account.

Dedicated Alerts: Create specific alerts for the account's activity to detect reinfection quickly.

Behavioral Analysis: Use UEBA to detect deviations from normal behavior even after remediation.

Future Prevention

Universal MFA: Implement MFA for all accounts, not just privileged ones.

Phishing Training: Regular anti-phishing training for all employees with simulations.

Password Managers: Encourage the use of password managers to generate and store unique, complex passwords.

Credential Monitoring: Services that monitor pastes and leaked databases for the organization's credentials (Have I Been Pwned Enterprise, SpyCloud).

Conditional Access: Risk-based conditional access policies (location, device, behavior).

Tools and Technologies

IAM Platforms: Azure AD, Okta, Auth0 with anomaly detection and response capabilities.

PAM Solutions: CyberArk, BeyondTrust, Thycotic for managing privileged credentials.

Password Managers: 1Password, LastPass, Bitwarden for enterprise use.

UEBA: Microsoft Sentinel, Exabeam, Splunk UBA for behavioral detection.

Legal Aspects

LGPD: If compromised credentials allow access to personal data, assess the need to notify the ANPD and data subjects.

Compliance: Frameworks such as PCI-DSS and HIPAA have specific requirements for credential management and compromise notification.

Evidence: Preserve logs and evidence of the compromise for potential legal or regulatory investigation.

Final Recommendations

Compromised credentials are a gateway to larger attacks. A fast response, comprehensive rotation, and MFA implementation minimize the exploitation window. Investing in prevention - training, password managers, continuous monitoring - significantly reduces the risk of future compromise.