Incident response playbook for credential compromise
Description
What this control does
This control requires a documented, rehearsed playbook that specifically addresses credential compromise scenarios, including phishing, password spray attacks, stolen API keys, leaked secrets, and unauthorized use of access tokens. The playbook defines detection triggers, containment procedures (credential revocation, session termination, MFA reset), escalation paths, forensic evidence preservation, and communication protocols. It ensures a consistent, rapid response to one of the most common and damaging attack vectors in modern environments.
Control objective
What auditing this proves
Demonstrate that the organization maintains and operationalizes a dedicated incident response playbook for credential compromise that includes detection criteria, containment steps, and defined recovery procedures.
Associated risks
Risks this control addresses
- Delayed detection of credential compromise allowing attackers prolonged unauthorized access to systems and data
- Inconsistent or incomplete response to phished credentials enabling lateral movement within the network
- Failure to revoke compromised API keys or service account credentials resulting in persistent backdoor access
- Inadequate forensic evidence collection preventing root cause analysis and recurrence prevention
- Uncoordinated communication during credential incidents causing regulatory notification failures or reputational damage
- Incomplete session termination leaving active attacker sessions despite password resets
- Lack of automated credential rotation procedures extending exposure windows after compromise detection
Testing procedure
How an auditor verifies this control
- Obtain the current version of the credential compromise incident response playbook and review the version history and approval records
- Verify the playbook contains specific detection triggers for credential compromise scenarios, including failed authentication patterns, impossible travel, credential leak monitoring, and honeypot alerts
- Review documented containment procedures to confirm they include immediate credential revocation, active session termination, MFA device reset, and privilege de-escalation steps
- Examine escalation criteria and notification procedures for each credential type, including user accounts, service accounts, API keys, database credentials, and privileged access credentials
- Interview incident response team members to validate their familiarity with playbook procedures and confirm access to required tools for credential lifecycle management
- Review evidence preservation procedures specific to credential compromise, including authentication log retention, access log collection, and credential usage audit trails
- Examine records of tabletop exercises or simulations conducted in the past 12 months that specifically tested the credential compromise playbook
- Sample three recent credential compromise incidents and verify that the response actions align with playbook procedures, including the timelines for detection, containment, and recovery
Where this control is tested