The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. Yet the most reliable entry point for attackers still hasn't changed: stolen credentials.
Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing from prior breach databases, password spraying against exposed services, or phishing campaigns, and then use them to walk through the front door. No exploits needed. Just a valid username and password.
What makes this hard to defend against is how unremarkable the initial access looks. A successful login with a legitimate credential doesn't trigger the same alarms as a port scan or a malware callback. The attacker looks like an employee. Once inside, they dump and crack more passwords, reuse those credentials to move laterally, and expand their foothold across the environment. For ransomware crews, this chain leads to encryption and extortion within hours. For nation-state actors, the same entry point supports long-term persistence and intelligence gathering.
AI Is Accelerating What Already Works
The underlying attack pattern hasn't changed much. What has changed is the speed and polish with which it gets executed. Attackers are using AI to scale their operations: automating credential testing across larger target sets, writing custom tooling faster, and crafting phishing emails that are materially harder to distinguish from legitimate communications.
This acceleration puts more pressure on already-stretched defenders. Breaches unfold faster, spread further, and touch more of the environment, from identity systems to cloud infrastructure to endpoints. IR teams built for a slower pace of engagement are finding that their existing processes can't keep up.
A Dynamic Approach to Incident Response
This is where the way teams think about incident response matters as much as the technical controls they deploy. In SEC504, we teach the Dynamic Approach to Incident Response, or DAIR, a model designed to handle incidents of any size and shape more effectively than the traditional linear approach.
The traditional model treats the process as a sequence: prepare, identify, contain, eradicate, recover, debrief. The problem isn't the theory; it's that real incidents don't unfold in a straight line. New data surfaces during containment that changes what you thought the scope was. Evidence collected during eradication reveals attacker techniques you didn't know about during initial detection. The scope almost always grows; it rarely shrinks.
DAIR accounts for this reality. After detecting and verifying an incident, response teams enter a loop: scoping the compromise, containing affected systems, eradicating the threat, and recovering operations. That loop repeats as new information emerges. Consider a credential-based compromise where initial scoping identifies a single affected workstation. During containment, forensic analysis reveals a registry-based persistence mechanism. That finding sends the team back to scoping, now searching the entire enterprise for the same indicator on other systems. A confirmed attacker IP address uncovered during that sweep triggers another pass through containment and eradication. Each cycle produces better intelligence, which feeds the next round of response actions.
The response keeps cycling until the team and organizational decision-makers determine the incident is fully addressed. That is what separates DAIR from the traditional model: it treats the messy, iterative nature of real-world investigations as a feature of the process, not a deviation from it.
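The scoping half of that loop is, mechanically, an indicator worklist: every host you examine yields indicators, every indicator is swept across the estate, and every hit joins the scope to be examined in turn. The script below is an added example written for this page, not code from the article or from SEC504, and it runs the loop over a constructed inventory of Run-key entries and outbound connections for six hypothetical hosts. The baselines of known-good commands and destinations, the host names, and the addresses are all assumptions; in a real response the two lookups would be EDR or registry hunts and a query against network logs.

```python
"""Indicator-driven scoping loop in the DAIR style.

Added example, not part of the original article. All telemetry and baselines
below are constructed for the demonstration.
"""

# Constructed per-host HKCU/HKLM Run-key entries: value name -> command line.
RUN_KEYS = {
    "WS-017":   {"OneDrive": r"C:\Users\frank\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 "Updater":  r"C:\ProgramData\svc\upd.exe -s"},
    "WS-042":   {"OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 "Updater":  r"C:\ProgramData\svc\upd.exe -s"},
    "SRV-DB01": {"SQLAgent": r"C:\Program Files\Microsoft SQL Server\agent.exe",
                 "Health":   r"C:\Windows\Temp\h.exe"},
    "SRV-FS02": {"Health":   r"C:\Windows\Temp\h.exe"},
    "WS-099":   {"OneDrive": r"C:\Users\judy\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "WS-123":   {"OneDrive": r"C:\Users\ivan\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
}

# Constructed outbound connections: (host, destination IP).
NETFLOW = [
    ("WS-017", "203.0.113.7"), ("WS-017", "13.107.42.14"),
    ("WS-042", "203.0.113.7"),
    ("SRV-DB01", "203.0.113.7"),
    ("SRV-FS02", "198.51.100.99"),
    ("WS-099", "198.51.100.99"), ("WS-099", "13.107.42.14"),
    ("WS-123", "13.107.42.14"),
]

# Assumed analyst-supplied baselines: anything not listed is "unexplained".
KNOWN_GOOD_RUN_COMMANDS = {
    cmd for host in ("WS-017", "WS-042", "WS-099", "WS-123")
    for name, cmd in RUN_KEYS[host].items() if name == "OneDrive"
} | {RUN_KEYS["SRV-DB01"]["SQLAgent"]}
KNOWN_GOOD_IPS = {"13.107.42.14"}


def examine_host(host):
    """Stand-in for forensic analysis of one host: the persistence commands
    and destinations that the baseline cannot explain."""
    cmds = {c for c in RUN_KEYS.get(host, {}).values() if c not in KNOWN_GOOD_RUN_COMMANDS}
    ips = {dst for h, dst in NETFLOW if h == host and dst not in KNOWN_GOOD_IPS}
    return cmds, ips


def sweep(cmd_iocs, ip_iocs):
    """Enterprise-wide hunt: every host carrying any known indicator."""
    hits = {h for h, keys in RUN_KEYS.items() if cmd_iocs & set(keys.values())}
    hits |= {h for h, dst in NETFLOW if dst in ip_iocs}
    return hits


def dair_scope(seed_hosts):
    """Repeat examine -> sweep until a full pass adds nothing.
    Returns (sorted scope, command indicators, IP indicators, cycles run)."""
    scope, examined = set(seed_hosts), set()
    cmd_iocs, ip_iocs = set(), set()
    cycles = 0
    while scope - examined:
        cycles += 1
        for host in sorted(scope - examined):
            cmds, ips = examine_host(host)  # containment/forensics on this host
            cmd_iocs |= cmds
            ip_iocs |= ips
            examined.add(host)
        scope |= sweep(cmd_iocs, ip_iocs)   # back to scoping with new IOCs
    return sorted(scope), cmd_iocs, ip_iocs, cycles


if __name__ == "__main__":
    scope, cmds, ips, cycles = dair_scope({"WS-017"})
    print(f"{cycles} cycles; in scope: {scope}")
    print(f"persistence indicators: {sorted(cmds)}")
    print(f"network indicators: {sorted(ips)}")
```

Starting from the single workstation, the first sweep pulls in the two hosts sharing the Run-key command and the C2 address, the second uncovers a different persistence artifact on the database server and follows it to a file server, and the third follows that server's distinct destination to one more workstation; the fourth pass adds nothing and the loop closes, which is the "fully addressed" decision point. One caveat a practitioner would add: WS-099 joined the scope on a network indicator alone, and a host that merely shares a destination with a confirmed victim needs its own forensic confirmation before it is contained.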
Communication Comes First
When multiple teams converge on an incident, spanning SOC analysts, cloud engineers, IR leads, and system administrators, maintaining alignment can be difficult. Most organizations aren't perfectly aligned across these functions before an incident hits. What you can control is how well you communicate once the response is underway.
Communication is the single most important factor in effective incident response. It determines whether scoping data reaches the right people, whether containment actions are coordinated or contradictory, and whether decision-makers have accurate information to guide priorities. Beyond communication, consistent practice and rehearsal are essential. And the technical capabilities of your team still matter enormously. As AI becomes an increasingly common part of the defensive toolkit, it takes sharp practitioners to configure and direct those capabilities effectively.
Building Skills That Matter
The organizations that handle identity-based attacks well are the ones that invested in their people before the incident started. They've trained their teams on how attackers actually operate, not just in theory, but through hands-on practice against the same tools and techniques used in real compromises. Executing the DAIR response loop effectively requires practitioners who understand both sides of the engagement: how attackers gain access, move laterally, and persist, and how to investigate the evidence they leave behind at each stage.
Register for SANS Chicago 2026 here.
Note: This article has been expertly written and contributed by Jon Gorenflo, SANS Instructor, SEC504: Hacker Tools, Techniques, and Incident Handling