Overview
Incident Response for Identity addresses security events involving compromised credentials, account takeover, privilege escalation, and attacks on identity infrastructure. Identity incidents are particularly challenging for three reasons: attackers using legitimate credentials blend with normal activity; persistence mechanisms such as newly registered MFA devices, OAuth application consents, mailbox rules and forged Kerberos tickets survive a password reset; and compromise of the identity infrastructure itself (Active Directory, the IdP, federation trusts) grants access to the entire environment. Effective identity incident response requires pre-built playbooks, practiced procedures, and the ability to rapidly contain threats while preserving forensic evidence. Good looks like containing identity breaches within hours (not weeks), eradicating all persistence mechanisms, and preventing recurrence through post-incident improvements.
Architecture & Reference Patterns
Pattern 1: Identity Incident Response Integration
Integrate identity incident response with the overall security operations workflow. Identity-specific playbooks are triggered by identity detection systems (ITDR, SIEM) and escalated to the SOC with identity context.
Identity Threat Detection → Alert Generated → SOAR Workflow Triggered
↓
Identity Playbook Selected
↓
Automated Containment (session revoke, account disable)
↓
SOC Investigation (with identity context)
↓
Eradication → Recovery → Lessons Learned
Pattern 2: Tiered Response by Severity
Define response tiers based on incident severity and scope:
- Tier 1 (Single User): Credential compromise, account takeover. Response: automated containment (session and refresh-token revocation, MFA re-authentication), user notification, credential reset
- Tier 2 (Multiple Users/Systems): Phishing campaign, privilege escalation. Response: SOC investigation, broader containment, threat hunting for other affected accounts and persistence
- Tier 3 (Identity Infrastructure): AD compromise, IdP breach, federation abuse. Response: full incident response with executive notification; treat every credential and token issued by the affected infrastructure as suspect (for example a double krbtgt reset, rotation of federation signing keys) and plan for business impact
Pattern 3: Continuous Access Evaluation Response
Use CAEP (the Continuous Access Evaluation Profile, a set of event types carried as Security Event Tokens under the OpenID Shared Signals Framework) to enable near-real-time response across federated applications. When an identity incident is detected, the IdP or ITDR platform acting as transmitter emits events such as session-revoked or credential-change to every subscribed receiver, and each receiver terminates the subject's active sessions without waiting for tokens to expire. Caveat: only applications that implement a receiver react; for everything else the containment window is bounded by access-token lifetime, so keep those lifetimes short.
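
The exchange described above, as an added example that is not part of the original page or of any CAEP implementation: the transmitter wraps one session-revoked event in a Security Event Token, and the receiver verifies it and drops the matching sessions from its own store. The event-type URI and the claim layout follow the CAEP specification; the shared HMAC key, the issuer and audience URLs, the `demo_sessions` table and the 300-second freshness window are assumptions made so the code runs offline (a real transmitter signs with an asymmetric key published via JWKS).

```python
"""CAEP session-revoked event: transmitter and receiver sides (added example)."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Event-type URI defined by the OpenID CAEP specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

# ASSUMPTION: a shared HMAC key stands in for the transmitter's signing key so the
# example is self-contained. Real transmitters sign with an asymmetric key published
# via JWKS; receivers must pin the issuer and reject unexpected algorithms.
SHARED_KEY = b"demo-shared-secret-for-example-only"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_session_revoked_set(issuer, audience, subject_email, reason, now=None):
    """Transmitter: wrap one CAEP event in a Security Event Token (RFC 8417)."""
    now = int(time.time() if now is None else now)
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "jti": uuid.uuid4().hex,
        "events": {
            SESSION_REVOKED: {
                "subject": {"format": "email", "email": subject_email},
                "event_timestamp": now,
                "reason_admin": {"en": reason},
            }
        },
    }
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token, expected_issuer, expected_audience, now=None, max_age=300):
    """Receiver: check header, signature, issuer, audience and freshness; return claims."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("unexpected SET header")          # also rejects alg=none
    expected = hmac.new(SHARED_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        raise ValueError("issuer/audience mismatch")
    now = time.time() if now is None else now
    if claims["iat"] > now + 60 or now - claims["iat"] > max_age:
        raise ValueError("stale or future-dated SET")
    return claims


def handle_set(session_store, seen_jti, token, issuer, audience, now=None):
    """Receiver: apply a verified SET to the local session store; return revoked ids."""
    claims = verify_set(token, issuer, audience, now)
    if claims["jti"] in seen_jti:
        return []                       # redelivered SET: already applied, idempotent
    seen_jti.add(claims["jti"])
    revoked = []
    for event_type, data in claims["events"].items():
        if event_type != SESSION_REVOKED:
            continue                    # event types this receiver does not implement
        subject = data["subject"]
        if subject.get("format") != "email":
            continue                    # only the email subject format is handled here
        for sid, sess in list(session_store.items()):
            if sess["email"].lower() == subject["email"].lower():
                del session_store[sid]
                revoked.append(sid)
    return sorted(revoked)


def demo_sessions():
    """Constructed session table for a receiving application (sample data)."""
    return {
        "sess-1": {"email": "alice@example.com", "ip": "203.0.113.5"},
        "sess-2": {"email": "bob@example.com", "ip": "198.51.100.7"},
        "sess-3": {"email": "Alice@Example.com", "ip": "192.0.2.9"},
    }


if __name__ == "__main__":
    store, seen = demo_sessions(), set()
    tok = build_session_revoked_set("https://idp.example.com", "https://app.example.com",
                                    "alice@example.com", "ITDR: credential compromise")
    print(handle_set(store, seen, tok, "https://idp.example.com", "https://app.example.com"))
    print(sorted(store))   # only bob's session remains
```

The receiver deliberately ignores event types and subject formats it does not implement rather than failing the delivery, tracks `jti` so a redelivered SET is a no-op, and checks the signature before reading any claim so an attacker-supplied token cannot trigger revocations.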
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Automated containment scope | Disable account, Revoke sessions, Require MFA, All | Revoke sessions + Require MFA | Full disable may be too disruptive; revoke sessions and refresh tokens as first step. Revocation does not recall access tokens already issued to applications without continuous access evaluation, so short token lifetimes bound that window |
| User notification timing | Immediate, After investigation, Never | Immediate for individual users | Delayed notification for enterprise incidents to avoid tipping off attacker |
| Evidence preservation | Full forensic capture, Log preservation only, Minimal | Log preservation + targeted forensics | Balance investigation needs with operational impact |
| Credential reset scope | Compromised credential only, All credentials for user, Related service accounts | All user credentials + related service accounts | Attackers often have multiple persistence paths: reset passwords, revoke refresh tokens and app-specific passwords, and review MFA registrations and OAuth consents added during the compromise window |
| Stakeholder notification | SOC only, SOC + IAM, SOC + IAM + Business, Full executive | Tiered by severity | Define RACI matrix in advance |
| Post-incident actions | Password reset only, Full security review, Mandatory training | Full security review | Don't just reset and forget; understand how it happened |
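
Patterns 1 and 2 and the containment rows of the decision table, combined into one playbook as an added example (not the page's own code and not any SOAR product's API): the incident is classified into a tier, evidence is snapshotted before any destructive action, the least-disruptive containment runs first, and the credential reset covers the user plus the service accounts they own. `FakeIdP`, `demo_idp`, the tier thresholds, the disable rule for admins and the stakeholder mapping per tier are assumptions standing in for a real IdP API and a RACI the page leaves to be defined.

```python
"""Tiered identity containment playbook (added example, not the page's own code)."""
from copy import deepcopy
from dataclasses import dataclass

INFRA_KINDS = {"ad_compromise", "idp_breach", "federation_abuse"}   # Tier 3 by definition
MULTI_KINDS = {"phishing_campaign", "privilege_escalation"}         # Tier 2 by definition


@dataclass
class Incident:
    kind: str            # e.g. credential_compromise, phishing_campaign, idp_breach
    users: list          # principals named in the detection
    infra_affected: bool = False   # AD, IdP or federation trust touched


def classify(incident):
    """Map an incident onto the three response tiers (Pattern 2)."""
    if incident.infra_affected or incident.kind in INFRA_KINDS:
        return 3
    if len(incident.users) > 1 or incident.kind in MULTI_KINDS:
        return 2
    return 1


class FakeIdP:
    """Constructed in-memory stand-in for an IdP admin API (hypothetical, not a real SDK)."""

    def __init__(self, sessions, refresh_tokens, mfa_devices, service_accounts, admins):
        self.sessions = sessions                  # user -> session ids
        self.refresh_tokens = refresh_tokens      # user -> refresh token ids
        self.mfa_devices = mfa_devices            # user -> registered MFA devices
        self.service_accounts = service_accounts  # user -> service accounts they own
        self.admins = set(admins)
        self.reauth_required, self.disabled, self.password_resets = set(), set(), []

    def snapshot(self, user):
        """Copy the state containment is about to destroy, for the investigation."""
        return deepcopy({"sessions": self.sessions.get(user, []),
                         "refresh_tokens": self.refresh_tokens.get(user, []),
                         "mfa_devices": self.mfa_devices.get(user, [])})

    def revoke_sessions(self, user):
        return len(self.sessions.pop(user, []))

    def revoke_refresh_tokens(self, user):
        return len(self.refresh_tokens.pop(user, []))

    def require_mfa_reauth(self, user):
        self.reauth_required.add(user)

    def disable(self, user):
        self.disabled.add(user)

    def reset_password(self, principal):
        self.password_resets.append(principal)


def run_playbook(idp, incident, evidence, audit):
    """Contain each user in the order the decision table prescribes; record every step."""
    tier = classify(incident)
    for user in incident.users:
        # 1. Preserve evidence before anything destructive.
        evidence[user] = idp.snapshot(user)
        audit.append(("snapshot", user))
        # 2. Least-disruptive containment first: kill sessions and refresh tokens,
        #    then force MFA on next sign-in. The account stays enabled.
        audit.append(("revoke_sessions", user, idp.revoke_sessions(user)))
        audit.append(("revoke_refresh_tokens", user, idp.revoke_refresh_tokens(user)))
        idp.require_mfa_reauth(user)
        audit.append(("require_mfa_reauth", user))
        # 3. Full disable only for infrastructure-tier incidents or privileged users
        #    (assumed policy; tune to your own risk appetite).
        if tier == 3 or user in idp.admins:
            idp.disable(user)
            audit.append(("disable", user))
        # 4. Reset all of the user's credentials plus the service accounts they own.
        for principal in [user, *idp.service_accounts.get(user, [])]:
            idp.reset_password(principal)
            audit.append(("reset_password", principal))
    # Assumed stakeholder mapping per tier; the page leaves the RACI to be defined.
    stakeholders = {1: ["soc"], 2: ["soc", "iam"], 3: ["soc", "iam", "business", "executive"]}
    return {"tier": tier, "stakeholders": stakeholders[tier],
            "user_notification": "immediate" if tier == 1 else "after_investigation",
            "mfa_devices_to_review": {u: evidence[u]["mfa_devices"] for u in incident.users}}


def demo_idp():
    """Constructed tenant state used by the demo (sample data)."""
    return FakeIdP(
        sessions={"alice": ["s1", "s2"], "bob": ["s3"]},
        refresh_tokens={"alice": ["r1"], "bob": []},
        mfa_devices={"alice": ["phone", "authenticator-added-2h-ago"], "bob": ["yubikey"]},
        service_accounts={"alice": ["svc-reports"]},
        admins=["bob"],
    )


if __name__ == "__main__":
    idp, evidence, audit = demo_idp(), {}, []
    print(run_playbook(idp, Incident("credential_compromise", ["alice"]), evidence, audit))
    for step in audit:
        print(step)
```

The MFA device list is returned for review rather than wiped automatically: the snapshot is what tells the investigator which registration the attacker added, and deleting it blindly would destroy that evidence. The audit list is the record a post-incident review needs to confirm that the snapshot really preceded the revocations.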
Implementation Approach
Phase 0: Discovery
Inputs: Current incident response procedures, identity security tools, historical incident data, team capabilities
Outputs: Identity incident response gap analysis, playbook inventory assessment, tooling evaluation, training needs assessment
Phase 1: Design
Inputs: Gap analysis, tool capabilities, organizational structure, regulatory requirements
Outputs: Identity incident response playbooks (by incident type), RACI matrix, communication templates, evidence collection procedures, integration specifications
Phase 2: Build & Integrate
Inputs: Playbook designs, selected tools, integration requirements
Outputs: Playbooks implemented in SOAR, containment automation configured, communication workflows established, evidence collection tools deployed, runbooks documented
Phase 3: Rollout
Inputs: Built playbooks, testing plan, training materials
Outputs: Tabletop exercises completed, playbooks validated through simulation, SOC team trained, on-call procedures established, documentation finalized
Phase 4: Operate
Inputs: Production playbooks, operational procedures
Outputs: Incident response execution, post-incident reviews, playbook refinement based on lessons learned, quarterly exercises, annual maturity assessment
Deliverables
- Identity incident classification and severity matrix
- Identity-specific incident response playbooks (credential compromise, ATO, privilege escalation, infrastructure attack)
- RACI matrix for identity incidents
- Communication templates (user notification, executive briefing, regulatory notification)
- Evidence collection and preservation procedures
- Containment and eradication checklists
- Recovery verification procedures
- Post-incident review template
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Slow response allows attacker persistence | M | H | Long dwell time, attacker returns after remediation | Pre-authorized containment actions, automation, 24/7 coverage |
| Incomplete eradication (persistence missed) | M | H | Re-compromise after incident closure | Thorough persistence hunting (new MFA registrations, OAuth consents, mailbox rules, credentials added to service principals), extended monitoring post-incident |
| Evidence destroyed during containment | M | M | Unable to determine root cause, incomplete investigation | Evidence preservation procedures before destructive actions |
| User disruption during response | H | M | Productivity loss, user complaints | Minimize disruption where possible; communicate clearly |
| Regulatory notification missed | L | H | Compliance violations, fines | Notification checklist, legal review for severity |
KPIs / Outcomes
- Mean time to detect (MTTD) identity incidents (target: less than 1 hour)
- Mean time to contain (MTTC) after detection (target: less than 15 minutes for automated, 1 hour for manual)
- Mean time to eradicate (MTTE) persistence (target: less than 24 hours)
- Incident re-occurrence rate (target: less than 5%)
- Playbook coverage for identity incident types (target: 100%)
- Tabletop exercise completion (target: quarterly)
- Post-incident review completion rate (target: 100% for Tier 2+)
