aa-4 High priority Account Security

Credentials are revoked immediately on known or suspected compromise

When credentials are confirmed or suspected to be compromised, every minute they remain active is a window for attacker activity. Organizations need a clear, fast process to force credential rotation and to terminate the sessions and tokens already issued with those credentials. This requires both the technical capability to invalidate credentials on demand and the operational awareness to trigger it as soon as a compromise is detected.

Complete first: aa-1

Implementation steps

  1. Document and test the credential revocation procedure

    Write down the exact steps to revoke credentials when a compromise is suspected: who initiates the revocation, which systems to hit, how to terminate active sessions, and how to verify the revocation took effect. Resetting a password does not by itself end existing sessions, refresh tokens, or API keys; each must be revoked separately, and the verification step should confirm that a session or token issued before the revocation can no longer authenticate. Test this procedure at least annually so the team can execute it quickly under pressure.

    Tools: okta, google-workspace, azure-ad
  2. Enable detection of credential compromise signals

    Subscribe to Have I Been Pwned (or a similar service) to be alerted when company email addresses appear in breach databases. Enable your identity provider's risky sign-in detection to flag anomalous authentication attempts. Configure alerts for logins from new countries, impossible travel between consecutive sign-ins, and activity outside business hours.

    Tools: okta, azure-ad, google-workspace, haveibeenpwned
  3. Rotate all credentials after any confirmed compromise

    After a confirmed credential compromise, rotate not just the specific account but also any service accounts, API keys, or secrets that the compromised session could have reached. Review access logs to establish what the compromised account actually accessed and investigate for lateral movement, in particular credentials it created for other principals and roles it assumed. Where a platform supports it, deactivate keys before deleting them so a rotation that breaks a dependent system can be reversed.

    Tools: okta, aws-iam, hashicorp-vault
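
The three sign-in alerts named in step 2 (new country, impossible travel, after hours), as an added example that is not part of the page: a detector run over a constructed sign-in log. The speed threshold, the business-hours window, the coordinates and the users are assumptions made for the example; a real deployment would feed it the identity provider's sign-in export.

```python
# Added example (not code from the page): sign-in anomaly checks of the kind
# step 2 asks the identity provider to raise, run over a constructed sign-in
# log. Thresholds and the sample coordinates are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime           # event time, UTC
    country: str           # country code from the IdP's geo-IP lookup
    lat: float
    lon: float
    utc_offset_hours: int  # user's home time zone, used for the after-hours check


MAX_PLAUSIBLE_KMH = 900.0      # assumption: roughly airliner speed
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 local time
MIN_TRAVEL_KM = 50.0           # ignore geo-IP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_anomalies(events, baseline_countries):
    """Return (user, kind, detail) alerts for new-country, after-hours and
    impossible-travel sign-ins. baseline_countries maps user -> countries the
    user has signed in from before (learned from history, not from this log)."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        known = set(baseline_countries.get(user, ()))
        prev = None
        for e in evs:
            if e.country not in known:
                alerts.append((user, "new_country", f"{e.country} at {e.ts.isoformat()}"))
                known.add(e.country)  # one alert per new country, not per sign-in
            local_hour = (e.ts + timedelta(hours=e.utc_offset_hours)).hour
            if local_hour not in BUSINESS_HOURS:
                alerts.append((user, "after_hours",
                               f"local hour {local_hour:02d} at {e.ts.isoformat()}"))
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                hours = (e.ts - prev.ts).total_seconds() / 3600
                # hours is 0 for two sign-ins in the same second: any real distance
                # covered in no time is impossible, so do not divide by zero
                if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    alerts.append((user, "impossible_travel",
                                   f"{km:.0f} km in {hours:.1f} h ({prev.country} -> {e.country})"))
            prev = e
    return alerts


# Constructed sample log: alice signs in from London, then 90 minutes later
# from Sydney; bob (home time zone UTC-6) signs in from Chicago during the
# day and from New York at 20:00 local time.
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SignIn("alice", T0, "GB", 51.5074, -0.1278, 0),
    SignIn("alice", T0 + timedelta(minutes=90), "AU", -33.8688, 151.2093, 0),
    SignIn("bob", T0 + timedelta(hours=6), "US", 41.8781, -87.6298, -6),
    SignIn("bob", T0 + timedelta(hours=17), "US", 40.7128, -74.0060, -6),
]
BASELINE = {"alice": {"GB"}, "bob": {"US"}}

if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(SAMPLE_EVENTS, BASELINE):
        print(f"{user:6} {kind:18} {detail}")
```

The baseline of known countries is deliberately an input rather than learned from the same log, so that an attacker's first sign-in cannot teach the detector that their country is normal.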

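The log review in step 3 (what did the compromised account touch, what must be rotated, is there lateral movement), as an added example that is not part of the page: a scoping pass over CloudTrail-style events for one principal. The account IDs, ARNs, user names, access key ID and the log lines themselves are constructed for the example; only the event and field names follow CloudTrail's schema, and the set of IAM calls treated as principal changes is an assumption, not a complete list.

```python
# Added example (not code from the page): scoping the rotation set and
# lateral-movement indicators for step 3 from CloudTrail-style access logs of
# a compromised principal. Log lines, ARNs, account IDs and key IDs below are
# constructed for the example; the event and field names follow CloudTrail's schema.
import json
from datetime import datetime, timezone

# Event -> the credential it exposes, which must be rotated or revoked.
ROTATE_ON = {
    "GetSecretValue": lambda e: e["requestParameters"]["secretId"],
    # A role cannot be rotated, but sessions issued before now can be cut off
    # with a deny policy conditioned on aws:TokenIssueTime.
    "AssumeRole": lambda e: e["requestParameters"]["roleArn"],
    "CreateAccessKey": lambda e: e["responseElements"]["accessKey"]["accessKeyId"],
}
# IAM calls that grant or create access for a principal (assumed, partial list):
# if the target is not the compromised user itself, that is persistence or
# lateral movement and the target principal needs rotating too.
PRINCIPAL_CHANGES = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                     "UpdateLoginProfile", "AttachUserPolicy", "PutUserPolicy",
                     "AddUserToGroup"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_of(arn):
    return arn.split(":")[4]


def scope_compromise(log_lines, principal_arn, window_start):
    """Walk the log and return what the compromised principal touched after
    window_start, what must be rotated, and any lateral-movement indicators."""
    rotate, lateral, touched = set(), [], []
    events = [json.loads(line) for line in log_lines if line.strip()]
    for e in sorted(events, key=lambda e: e["eventTime"]):
        ident = e["userIdentity"]
        if ident.get("arn") != principal_arn or parse_time(e["eventTime"]) < window_start:
            continue
        name = e["eventName"]
        touched.append(f'{e["eventSource"]}:{name}')
        if name in ROTATE_ON:
            rotate.add(ROTATE_ON[name](e))
        if name == "AssumeRole":
            role = e["requestParameters"]["roleArn"]
            if account_of(role) != ident["accountId"]:
                lateral.append(f"cross-account AssumeRole into {role}")
        if name in PRINCIPAL_CHANGES:
            target = e.get("requestParameters", {}).get("userName")
            if target and target != ident.get("userName"):
                lateral.append(f"{name} on another principal: {target}")
    return {"touched": touched, "rotate": sorted(rotate), "lateral_movement": lateral}


def _ev(t, source, name, ident, req=None, resp=None):
    """Build one constructed CloudTrail-style record as a JSON line."""
    return json.dumps({"eventTime": t, "eventSource": source, "eventName": name,
                       "userIdentity": ident, "requestParameters": req or {},
                       "responseElements": resp})


ALICE = {"type": "IAMUser", "accountId": "111122223333", "userName": "alice",
         "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "IAMUser", "accountId": "111122223333", "userName": "bob",
       "arn": "arn:aws:iam::111122223333:user/bob"}
SECRET = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:prod/db-password-AbCdEf"
ROLE = "arn:aws:iam::444455556666:role/deploy"

# Constructed sample log: alice's session is assumed compromised from 10:30 UTC.
SAMPLE_LOG = [
    _ev("2024-03-04T09:05:00Z", "s3.amazonaws.com", "GetObject", ALICE,
        {"bucketName": "prod-backups", "key": "2024-03-03.tar.gz"}),  # before the window
    _ev("2024-03-04T10:35:00Z", "signin.amazonaws.com", "ConsoleLogin", ALICE),
    _ev("2024-03-04T10:40:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", ALICE,
        {"secretId": SECRET}),
    _ev("2024-03-04T10:42:00Z", "sts.amazonaws.com", "AssumeRole", ALICE,
        {"roleArn": ROLE, "roleSessionName": "alice"}),
    _ev("2024-03-04T10:45:00Z", "iam.amazonaws.com", "CreateAccessKey", ALICE,
        {"userName": "ci-bot"},
        {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active",
                       "userName": "ci-bot"}}),
    _ev("2024-03-04T10:50:00Z", "s3.amazonaws.com", "GetObject", ALICE,
        {"bucketName": "prod-backups", "key": "2024-03-04.tar.gz"}),
    _ev("2024-03-04T10:52:00Z", "iam.amazonaws.com", "ListUsers", BOB),  # unrelated user
]
WINDOW_START = datetime(2024, 3, 4, 10, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(scope_compromise(SAMPLE_LOG, ALICE["arn"], WINDOW_START), indent=2))
```

The output is the input to the rotation step: the secret and the new access key are rotated or deactivated, the role gets a session-revocation deny policy, and the cross-account AssumeRole means the same review must be repeated in the second account with the role session as the principal.
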
Evidence required

Credential revocation procedure

A documented process for revoking credentials on compromise.

  • Incident response runbook with credential revocation steps
  • Identity provider emergency access revocation procedure
  • Test records showing the revocation process was verified

Related controls