Compromised Credential Management
Credential compromise is a common attack vector. A fast, comprehensive response minimizes the exploitation window and prevents continued unauthorized access.
Types of Compromise
Phishing: A user enters credentials on a fake page. The compromise is usually detected through anomalous access attempts.
Credential Stuffing: An attacker uses credentials leaked from other services. It affects users who reuse passwords.
Malware/Keylogger: Malware captures credentials during typing or from local storage.
Data Breach: Credentials are exposed in a database leak. It can affect thousands of users at once.
Insider Threat: A malicious employee shares or sells credentials.
Detecting Compromise
Impossible Travel: Logins from geographically impossible locations within a short period (e.g., São Paulo and Tokyo within 1 hour).
Anomalous Access Patterns: Access outside usual hours, from unknown IPs, to resources uncommon for the user.
Multiple Failed Attempts: Repeated login attempts before success may indicate credential stuffing.
New Device/Browser: A login from a device or browser never used before, especially with suspicious geolocation.
Threat Intelligence: The organization's credentials appear in pastes, underground forums, or leaked databases.
Immediate Response
1. Disable the Account: Immediately suspend the compromised account to prevent further access. Balance urgency against operational impact.
2. Revoke Active Sessions: Terminate all of the user's active sessions across every system (SSO, VPN, applications).
3. Revoke Tokens: Invalidate API tokens, OAuth tokens, and mobile app tokens associated with the account.
4. Notify the User: Inform the user immediately about the compromise and provide instructions for next steps.
5. Investigate Activity: Analyze logs to identify which systems were accessed, which data was viewed, and which actions were performed.
Credential Rotation
User Accounts: Force a password reset via self-service or assisted process. Temporarily enforce stricter strong-password requirements.
Service Accounts: Rotate service account passwords, especially those with elevated privileges or access to critical systems.
API Keys: Revoke and reissue compromised API keys. Coordinate with development teams to update applications.
Certificates: If certificates are compromised, revoke them via CRL/OCSP and issue new certificates.
Secrets Management: Rotate secrets in vaults (HashiCorp Vault, AWS Secrets Manager) that may have been accessed.
Emergency MFA
If MFA was not enabled, implement it on an emergency basis:
Forced Enrollment: Require MFA configuration before allowing a new login after a password reset.
Prioritization: Implement first for privileged accounts, then accounts with access to sensitive data, and finally all users.
Secure Methods: Prefer authenticator apps (Google Authenticator, Microsoft Authenticator) or hardware tokens (YubiKey) over SMS, which is vulnerable to SIM swapping.
Identity Verification
Before re-enabling a compromised account, verify the user's identity:
Multi-Channel Verification: Confirm identity through multiple channels (corporate email, registered phone, in-person/video verification).
Knowledge-Based Authentication: Questions that only the legitimate user would know (not easily discoverable information).
Manager Approval: For sensitive accounts, require approval from the direct manager before reactivation.
Scope of Compromise
Assess the extent of the compromise:
Systems Accessed: List every system the account had permission to access and review access logs during the compromise period.
Data Viewed: Identify which sensitive data the attacker may have viewed or exfiltrated.
Changes Made: Look for data modifications, creation of backdoors, privilege escalation, and addition of new accounts.
Lateral Movement: Check whether credentials were used to access other systems or accounts (pass-the-hash, pass-the-ticket).
Access Re-certification
Use the incident as an opportunity to review access:
Access Review: Review the compromised account's permissions - remove unnecessary access before reactivation.
Least Privilege: Apply the principle of least privilege - the user should have only the access needed for their role.
Role-Based Access: Transition from ad-hoc permissions to well-defined roles.
Periodic Re-certification: Establish a process for periodic access re-certification (quarterly/semi-annually).
Privileged Accounts
Compromise of privileged accounts requires a more aggressive response:
Mass Rotation: Consider rotating all privileged credentials in the environment, not just the compromised one.
PAM (Privileged Access Management): Implement a PAM solution to manage, rotate, and audit the use of privileged credentials.
Just-in-Time Access: Transition to a JIT model where privileges are granted temporarily when needed.
Break-Glass Procedures: Maintain documented break-glass procedures for emergency access if administrative accounts are compromised.
Communication
Affected User: Notify clearly and quickly. Explain what happened, the risks, next steps, and how to get support.
IT Team: Alert technical teams about the compromise for monitoring of related activity.
Management: Inform management about the compromise of sensitive or at-scale accounts.
DPO/Legal: Involve the DPO and legal team if personal data may have been accessed (LGPD obligations).
Post-Incident Monitoring
After remediation, monitor closely:
Enhanced Logging: Temporarily increase the logging level for the affected account.
Dedicated Alerts: Create specific alerts for the account's activity to detect reinfection quickly.
Behavioral Analysis: Use UEBA to detect deviations from normal behavior even after remediation.
Future Prevention
Universal MFA: Implement MFA for all accounts, not just privileged ones.
Phishing Training: Regular anti-phishing training for all employees with simulations.
Password Managers: Encourage the use of password managers to generate and store unique, complex passwords.
Credential Monitoring: Services that monitor pastes and leaked databases for the organization's credentials (Have I Been Pwned Enterprise, SpyCloud).
Conditional Access: Risk-based conditional access policies (location, device, behavior).
Tools and Technologies
IAM Platforms: Azure AD, Okta, Auth0 with anomaly detection and response capabilities.
PAM Solutions: CyberArk, BeyondTrust, Thycotic for managing privileged credentials.
Password Managers: 1Password, LastPass, Bitwarden for enterprise use.
UEBA: Microsoft Sentinel, Exabeam, Splunk UBA for behavioral detection.
Legal Aspects
LGPD: If compromised credentials allow access to personal data, assess the need to notify the ANPD and data subjects.
Compliance: Frameworks such as PCI-DSS and HIPAA have specific requirements for credential management and compromise notification.
Evidence: Preserve logs and evidence of the compromise for potential legal or regulatory investigation.
Final Recommendations
Compromised credentials are a gateway to larger attacks. A fast response, comprehensive rotation, and MFA implementation minimize the exploitation window. Investing in prevention - training, password managers, continuous monitoring - significantly reduces the risk of future compromise.
