IR-8 / A.16.1.5 / CIS-17.9 / NIST SP 800-61 Rev 2

Do you have a written runbook for "user clicked / entered credentials on a phish"?

Demonstrate that the organization maintains a documented, current runbook detailing prescribed response actions when users report credential entry or interaction with phishing attempts, and that this runbook is accessible to incident responders.

Description

What this control does

This control requires the organization to maintain a documented, step-by-step runbook that defines the immediate response procedures when an employee reports clicking a phishing link or submitting credentials to a suspected phishing site. The runbook should specify technical containment actions (account lockouts, session terminations, credential resets), investigative steps (examining logs, identifying scope), communication protocols (notifying security teams, legal, affected users), and recovery procedures. A well-crafted runbook ensures consistent, rapid response that minimizes credential compromise impact and reduces attacker dwell time.
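As an added illustration, not part of this control catalogue, of the investigative step the description calls for (examining authentication logs to determine scope and to enumerate the sessions that forced termination must cover), the following Python script runs that scope check over a constructed sample log. The log format, field names, user names, IP addresses, timestamps and the "known IP" list are all assumed.

```python
from datetime import datetime, timedelta
# Constructed sample authentication log (format and field names are assumed).
SAMPLE_AUTH_LOG = """\
2024-05-02T08:55:10Z user=alice result=success ip=10.0.4.17 session=s-101 mfa=yes
2024-05-02T09:03:41Z user=alice result=success ip=10.0.4.17 session=s-102 mfa=yes
2024-05-02T09:20:05Z user=alice result=success ip=203.0.113.9 session=s-103 mfa=no
2024-05-02T09:21:30Z user=bob result=success ip=10.0.4.22 session=s-104 mfa=yes
2024-05-02T09:40:12Z user=alice result=failure ip=203.0.113.9 session=- mfa=no
2024-05-02T09:45:00Z user=alice result=success ip=198.51.100.4 session=s-105 mfa=no
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_line(line):
    # One 'timestamp key=value ...' record -> dict with a parsed datetime.
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = parse_ts(ts)
    return rec

def scope_credential_compromise(log_text, user, phish_time, known_ips, window_hours=24):
    """Scope step of the runbook for one victim: every session the account holds
    (a password reset alone does not end sessions already issued), sign-in sources
    not on the known list, MFA-less successes and failures after the phish."""
    phish_at = parse_ts(phish_time)
    start = phish_at - timedelta(minutes=5)  # allowance for clock skew / late report
    end = phish_at + timedelta(hours=window_hours)
    out = {"terminate_sessions": [], "suspect_ips": set(), "no_mfa_logins": 0, "failed_attempts": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["user"] != user:
            continue
        if rec["result"] == "success" and rec["session"] != "-":
            out["terminate_sessions"].append(rec["session"])
        if not (start <= rec["ts"] <= end):
            continue
        if rec["result"] != "success":
            out["failed_attempts"] += 1
        else:
            if rec["ip"] not in known_ips:
                out["suspect_ips"].add(rec["ip"])
            if rec["mfa"] != "yes":
                out["no_mfa_logins"] += 1
    out["suspect_ips"] = sorted(out["suspect_ips"])
    return out

if __name__ == "__main__":
    print(scope_credential_compromise(
        SAMPLE_AUTH_LOG, "alice", "2024-05-02T09:15:00Z", {"10.0.4.17"}))
```

In a real runbook the same fields would come from the identity provider's sign-in logs and the VPN gateway, and the session list would feed the forced-termination and federated-token-revocation step.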

Associated risks

Risks this control addresses

  • Delayed credential reset allowing attackers to maintain persistent access using compromised credentials
  • Inconsistent response actions across incidents leading to incomplete containment and lateral movement
  • Failure to terminate active sessions enabling immediate account takeover despite password changes
  • Inadequate log collection or preservation preventing forensic analysis of attacker actions post-compromise
  • Lack of defined escalation paths delaying notification to affected business units and regulatory bodies
  • Omission of MFA enforcement checks allowing attackers to bypass secondary authentication factors
  • Insufficient coordination with identity providers resulting in failure to revoke federated access tokens

Testing procedure

How an auditor verifies this control

  1. Request the current phishing response runbook from the security operations or incident response team
  2. Verify the runbook includes explicit procedures for immediate credential reset and forced session termination
  3. Confirm the runbook specifies log collection requirements including authentication logs, VPN access logs, email gateway logs, and endpoint detection telemetry
  4. Review the documented communication flow to confirm it defines notification requirements for security teams, help desk, affected users, and management
  5. Validate the runbook addresses investigation steps including scope determination, lateral movement analysis, and data access review
  6. Check that the runbook defines rollback or recovery procedures such as restoring accounts, re-enabling services, and user notification
  7. Interview two incident response team members to confirm awareness of the runbook location and content
  8. Examine incident records from the past 12 months to verify the runbook was followed in at least two documented phishing credential compromise cases

Evidence required

The auditor collects the current version of the phishing credential compromise runbook (PDF or wiki export with version number and last-updated timestamp), incident tickets or case files demonstrating runbook usage, and interview notes or attestation forms from incident response personnel confirming familiarity with procedures. Screenshots of the runbook repository location and access permissions may supplement documentation.

Pass criteria

A written runbook exists, is version-controlled with a review date within the past 12 months, covers credential reset, session termination, log collection, communication, investigation, and recovery steps, is accessible to incident responders, and demonstrates evidence of use in actual phishing incidents.