Incident Responder Credentials Compromised
The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.
Signals
- Unexpected sign-ins to IR tooling consoles from unusual locations or devices
- IR-team member receives MFA prompts they did not initiate
- Evidence store access logs show access by accounts that should not be accessing it
- Attacker activity shifts immediately after internal IR-team communications
Pivot Actions
1. Immediately provision break-glass replacement identities for affected IR staff on a completely separate identity store (out-of-band, not connected to the compromised directory)
2. Move incident communications to out-of-band channels (e.g., Signal/dedicated phones, separate M365 tenant) that the adversary cannot monitor
3. Revoke all sessions and rotate credentials for the affected IR accounts; review their activity during the compromise window for evidence tampering or exfiltration
4. Assume the adversary has read prior incident communications; reassess sensitive decisions (containment timing, notification content) on that basis
5. Alert incident tooling vendors (EDR, SIEM) for assistance with privileged-account activity review
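The two log-driven steps above, the evidence-store signal (access by accounts that should not be there, or from unusual locations) and pivot action 3 (reviewing an affected IR account's activity in the compromise window for tampering), can be run as one review over the store's audit log. The following is an added example and is not part of the original playbook or any vendor's tooling: the log format, field names, authorised-user list, expected countries and every sample line are constructed for illustration and should be mapped onto your own evidence store's audit format.

```python
"""Review evidence-store audit lines for signs of IR-credential compromise.

Added example, not from the original playbook. The log format, the policy
sets and the sample lines are all constructed (assumed) for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit lines (assumed format):
#   <ISO timestamp> user=<id> src=<country>:<ip> action=<verb> object=<path>
SAMPLE_LOG = """\
2024-05-02T08:05:11Z user=ir.alice src=US:10.20.1.5 action=read object=case-1042/disk.E01
2024-05-02T08:41:03Z user=ir.bob src=US:10.20.1.9 action=read object=case-1042/timeline.csv
2024-05-02T22:17:45Z user=ir.alice src=NL:185.0.2.77 action=read object=case-1042/disk.E01
2024-05-02T22:19:02Z user=ir.alice src=NL:185.0.2.77 action=delete object=case-1042/memory.raw
2024-05-02T22:30:10Z user=svc.backup src=US:10.20.3.2 action=read object=case-1042/memory.raw
2024-05-03T01:02:00Z user=ir.alice src=NL:185.0.2.77 action=write object=case-1042/timeline.csv
"""

# Assumed policy: who may touch the evidence store, and from which countries.
AUTHORIZED_USERS = {"ir.alice", "ir.bob", "ir.carol"}
EXPECTED_COUNTRIES = {"US"}
# Actions that can alter or destroy evidence, i.e. candidate tampering.
TAMPER_ACTIONS = {"write", "delete"}


@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    ip: str
    action: str
    obj: str


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one audit line of the assumed key=value format into an Event."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    country, ip = kv["src"].split(":", 1)
    return Event(_parse_ts(ts_str), kv["user"], country, ip, kv["action"], kv["object"])


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_signals(events):
    """Signal check: accounts outside the allow-list, or allowed accounts from
    an unexpected country. Returns (kind, event) pairs."""
    findings = []
    for e in events:
        if e.user not in AUTHORIZED_USERS:
            findings.append(("unauthorized_account", e))
        elif e.country not in EXPECTED_COUNTRIES:
            findings.append(("unusual_location", e))
    return findings


def review_compromise_window(events, user, start_iso, end_iso):
    """Pivot action 3: everything the affected account did inside the window,
    plus the subset that could be evidence tampering."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    window = [e for e in events if e.user == user and start <= e.ts <= end]
    tamper = [e for e in window if e.action in TAMPER_ACTIONS]
    return window, tamper


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, e in find_signals(evs):
        print(f"{kind:22} {e.ts.isoformat()} {e.user} {e.country}:{e.ip} {e.action} {e.obj}")
    window, tamper = review_compromise_window(
        evs, "ir.alice", "2024-05-02T22:00:00Z", "2024-05-03T02:00:00Z")
    print(f"ir.alice: {len(window)} events in window, {len(tamper)} potential tampering")
    for e in tamper:
        print(f"  TAMPER? {e.ts.isoformat()} {e.action} {e.obj}")
```

Run as-is it flags the service account that should never read case evidence and the three night-time accesses by `ir.alice` from an unexpected country, then lists the delete and write that account performed inside the window; those objects are the ones to compare against any independent copy or hash record before relying on them.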
Alternate Evidence Sources
- Out-of-band communication channels (dedicated phones, Signal, separate cloud tenant)
- Break-glass identities on independent identity infrastructure
- Third-party IR provider accounts separate from the compromised internal identities