Credential exposure drill
Tabletop for the moment you discover a privileged credential is in the wrong hands. Run this with your team before you need it. The drill is where you find out whether your revocation story is real.
A credential is in the wrong hands. You have minutes to revoke it before it is used, or hours to figure out what it touched after it was. Either path is faster if you have walked it before.
Most teams discover during the drill that their revocation story is partly fiction. Disabling the user in the IdP does not always revoke active sessions. Rotating the API token does not always invalidate the cached one in the build cluster. Revoking the OAuth grant does not always reach every connected app. The drill is where you find that out, on a quiet afternoon, with coffee, instead of at 02:00 with the bridge already running.
Drill the scenarios at least once a quarter. Use the clock. Note where you lose time and what is unclear. The point is not to feel good about your controls. The point is to find the gaps while they are still cheap.
Write down what worked and what did not. Ticket the gaps. Walk it again next quarter. Any unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it.
Checklist
Inventory you need ready
- List of all privileged accounts and who owns them is current [Critical]
- Service accounts are mapped to the systems they can touch
- Shared secrets (SSH keys, API tokens, signing keys) are inventoried
- Third-party and vendor access paths are catalogued
- Cloud admin roles, federation paths, and OAuth grants are mapped per platform [Critical]
- Break-glass accounts and their custodians are known to the whole responder pool [Critical]
- CI/CD and build-system credentials are inventoried (deploy keys, registry tokens, signing keys) [Critical]
- SaaS app grants and machine-to-machine integrations are inventoried per tenant
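The inventory above is only useful in an incident if you can ask it "what can this credential reach?" in seconds. Below is an added example, not code from the original page, that answers that with a breadth-first walk over a constructed inventory; every holder, grant type and target in it is hypothetical, and a real inventory would be exported from your IdP, cloud IAM, CI system and SaaS admin consoles. The `CREDENTIALS` set is likewise an assumption: nodes that are themselves secrets and must be rotated if a path reaches them.

```python
"""Blast-radius lookup over a credential inventory (added example)."""
from collections import deque

# Constructed sample. Each edge says: this holder can reach this target
# through this kind of grant.
INVENTORY = [
    # (holder,             grant type,      target)
    ("alice@example.com",  "idp-group",     "cloud-admins"),
    ("cloud-admins",       "cloud-role",    "prod-account-admin"),
    ("prod-account-admin", "iam-policy",    "kms-signing-key"),
    ("prod-account-admin", "iam-policy",    "s3-release-artifacts"),
    ("svc-build",          "secret-ref",    "ci-deploy-token"),
    ("ci-deploy-token",    "registry-push", "container-registry"),
    ("ci-deploy-token",    "cloud-role",    "prod-account-admin"),
    ("vendor-support",     "saas-oauth",    "mail-read"),
    ("bob@example.com",    "ssh-key",       "bastion-prod"),
    ("bastion-prod",       "ssh-key",       "db-primary"),
]

# Assumption: nodes that are secrets in their own right. Reaching one of
# these means it is exposed too and has to be rotated, not just the original.
CREDENTIALS = {"ci-deploy-token", "kms-signing-key"}


def build_graph(inventory):
    graph = {}
    for holder, grant, target in inventory:
        graph.setdefault(holder, []).append((grant, target))
    return graph


def blast_radius(inventory, compromised):
    """Return {target: path} for everything transitively reachable from
    `compromised`; each path is the list of hops that gets there."""
    graph = build_graph(inventory)
    reached = {}
    queue = deque([(compromised, [])])
    while queue:
        node, path = queue.popleft()
        for grant, target in graph.get(node, []):
            if target == compromised or target in reached:
                continue
            reached[target] = path + [f"{node} --{grant}--> {target}"]
            queue.append((target, reached[target]))
    return reached


def rotation_list(inventory, compromised, credentials=CREDENTIALS):
    """Downstream secrets that the leaked holder could have read, sorted."""
    return sorted(t for t in blast_radius(inventory, compromised) if t in credentials)


if __name__ == "__main__":
    for target, path in blast_radius(INVENTORY, "svc-build").items():
        print(target, "via", " / ".join(path))
    print("also rotate:", rotation_list(INVENTORY, "svc-build"))
```

Run it against the leaked holder and you get both the list of systems to check for misuse and the second-order secrets to rotate. If the walk returns nothing for a credential you know is powerful, the inventory is the gap, and that is a finding for the drill.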
Rapid-revoke capability
- Time to disable a user in the IdP is under 5 minutes from any device [Critical]
- You know how to revoke active sessions, not just disable the account [Critical]
- API tokens can be rotated without a full deployment
- SSH key rotation is automated or has a single documented process
- Code-signing or release-signing key compromise has a written procedure [Critical]
- You can revoke a federated identity provider trust in minutes if it is compromised [Critical]
- You can revoke OAuth grants and refresh tokens estate-wide for a compromised account [Critical]
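The gap between "disabled the account" and "revoked the sessions" usually lives in the services that validate tokens, not in the IdP. The added example below, not code from the original page, models that gap: an HMAC-signed token, a user store with `disabled` and `sessions_revoked_at` fields, and two verifiers. `verify_offline` checks only signature and expiry, which is what a service that caches the signing key and never calls back does; it keeps accepting a token after the user is disabled. `verify` also consults the user record and rejects anything issued at or before the revocation timestamp, so "revoke all sessions" is a single write rather than a hunt for every cached token. The token format, store and field names are assumptions chosen to show the pattern; a real IdP keeps this state for you, but the downstream check is the same.

```python
"""Token validation that honours revoke-all-sessions (added example)."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-signing-key"  # assumption: per-environment secret

# Assumed user store. sessions_revoked_at is a Unix timestamp: any token
# issued at or before it is dead, whatever its own expiry says.
USERS = {
    "alice": {"disabled": False, "sessions_revoked_at": 0},
    "bob": {"disabled": False, "sessions_revoked_at": 0},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(user: str, now: int, ttl: int = 3600) -> str:
    payload = json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def disable_user(user: str) -> None:
    USERS[user]["disabled"] = True


def revoke_sessions(user: str, now: int) -> None:
    USERS[user]["sessions_revoked_at"] = now


def _claims(token: str):
    """Parse and check the signature; returns (claims, reason)."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    return json.loads(payload), "ok"


def verify_offline(token: str, now: int):
    """Signature and expiry only: the verifier that never hears about revocation."""
    claims, why = _claims(token)
    if claims is None:
        return False, why
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


def verify(token: str, now: int):
    """Full check: also consult the user record so disable and revoke both bite."""
    ok, why = verify_offline(token, now)
    if not ok:
        return False, why
    claims, _ = _claims(token)
    user = USERS.get(claims["sub"])
    if user is None or user["disabled"]:
        return False, "user disabled"
    if claims["iat"] <= user["sessions_revoked_at"]:
        return False, "session revoked"
    return True, "ok"
```

During the drill, list every service that validates tokens and ask which of the two verifiers it is. Anything in the `verify_offline` column is a place where "disable the user" does nothing until the token expires on its own, and its TTL is your real revocation time.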
Detection signals
- Impossible-travel alerts are active for privileged accounts
- New-device alerts route to the user and to security
- Token misuse alerts (unusual scope, geo, or rate) are active
- Credential leak monitoring is active and reviewed weekly
- Secret scanning is active across source repositories, build logs, and chat channels [Maturity]
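"Impossible-travel alerts are active" is easy to tick and hard to verify; the drill should include feeding a known-bad pair of logins through the pipeline. The added example below, not code from the original page, is the core of that check over a few constructed authentication events: sort by time, pair each privileged user's login with their previous one, compute the great-circle distance, and alert when the implied speed exceeds a ceiling. The log lines, the rough city-centre coordinates, and the 900 km/h ceiling (about airliner speed) are all assumptions to tune for your own estate.

```python
"""Impossible-travel detection over authentication events (added example)."""
import math
from datetime import datetime, timezone

# Constructed sample: timestamp, user, location tag, latitude, longitude.
AUTH_LOG = """
2024-05-01T08:00:00Z alice LON 51.51 -0.13
2024-05-01T08:45:00Z alice NYC 40.71 -74.01
2024-05-01T09:00:00Z bob BER 52.52 13.41
2024-05-01T10:30:00Z bob PAR 48.86 2.35
2024-05-01T09:10:00Z carol SYD -33.87 151.21
2024-05-01T09:20:00Z carol LON 51.51 -0.13
2024-05-01T12:00:00Z alice LON 51.51 -0.13
""".strip().splitlines()

PRIVILEGED = {"alice", "bob"}   # assumption: carol is not privileged, so she is not scored
MAX_KMH = 900.0                 # assumption: anything faster than an airliner is impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a spherical Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse(line):
    ts, user, loc, lat, lon = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, loc, float(lat), float(lon)


def impossible_travel(lines, privileged=PRIVILEGED, max_kmh=MAX_KMH):
    """Flag consecutive logins by the same privileged user that would need
    a faster-than-possible journey. Events are sorted first, so out-of-order
    log delivery cannot hide a pair."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    last = {}
    alerts = []
    for when, user, loc, lat, lon in events:
        if user not in privileged:
            continue
        if user in last:
            pwhen, ploc, plat, plon = last[user]
            hours = (when - pwhen).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            # Same place at the same second is not travel; a move in zero time is.
            if hours > 0:
                kmh = km / hours
            else:
                kmh = float("inf") if km > 0 else 0.0
            if kmh > max_kmh:
                alerts.append({"user": user, "from": ploc, "to": loc,
                               "km": round(km), "kmh": round(kmh),
                               "at": when.isoformat()})
        last[user] = (when, loc, lat, lon)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(AUTH_LOG):
        print(a)
```

Two things to check when you walk this during the drill: whether the geolocation source your real pipeline uses resolves VPN egress and cloud provider ranges to something useful, and whether the alert for a privileged account goes to a human who can act on it inside the revocation window you measured above.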
Walk-through
- Walked the "engineer laptop stolen at airport" scenario [Critical]. Time the team. Where did you lose minutes?
- Walked the "vendor support token posted in public Slack" scenario [Critical]
- Walked the "ex-employee credential still works on day 7" scenario [Critical]
- Walked the "CI deploy token leaked to a public fork" scenario
- Walked the "rogue OAuth app with mail-read scope" scenario
- Drill ran against a clock and elapsed time was visible to the team [Critical]
- Gaps from the walk-through are ticketed and assigned [Critical]
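Running against a clock only pays off if someone turns the scribe's timestamps into "where did the minutes go" before the room empties. The added example below, not code from the original page, does that arithmetic over a constructed drill log: elapsed time from "start" to each revocation milestone, compared with a per-step target, plus the single longest wait between consecutive steps. The step names and all targets except the 5-minute IdP disable (which is the checklist's own number) are assumptions; `signing-key-rotated` is deliberately absent from the log to show how a step nobody performed is reported.

```python
"""Score a timed drill run against revocation targets (added example)."""
from datetime import datetime

# Constructed drill log, one "HH:MM:SS step" line per milestone as the scribe
# typed them. Assumes the whole drill happens on one calendar day.
DRILL_LOG = """
14:00:00 start
14:02:10 owner-identified
14:05:30 idp-disabled
14:13:45 sessions-revoked
14:21:00 api-token-rotated
14:40:00 oauth-grants-revoked
""".strip().splitlines()

# Targets in seconds from "start". Assumptions, apart from the 5-minute
# IdP disable which is the checklist's own figure. Tune for your estate.
TARGETS = {
    "idp-disabled": 5 * 60,
    "sessions-revoked": 10 * 60,
    "api-token-rotated": 30 * 60,
    "oauth-grants-revoked": 30 * 60,
    "signing-key-rotated": 60 * 60,
}


def parse_log(lines):
    events = {}
    for line in lines:
        ts, step = line.split(maxsplit=1)
        events[step.strip()] = datetime.strptime(ts, "%H:%M:%S")
    return events


def score(lines, targets=TARGETS):
    """One row per target step: elapsed seconds, limit, and OK / LATE / MISSING."""
    events = parse_log(lines)
    start = events["start"]
    report = []
    for step, limit in targets.items():
        if step not in events:
            report.append({"step": step, "elapsed": None, "limit": limit, "status": "MISSING"})
            continue
        elapsed = int((events[step] - start).total_seconds())
        status = "OK" if elapsed <= limit else "LATE"
        report.append({"step": step, "elapsed": elapsed, "limit": limit, "status": status})
    return report


def longest_gap(lines):
    """The step whose wait from the previous step was longest, with that wait in seconds."""
    events = sorted(parse_log(lines).items(), key=lambda kv: kv[1])
    gaps = [(b[0], int((b[1] - a[1]).total_seconds())) for a, b in zip(events, events[1:])]
    return max(gaps, key=lambda g: g[1])


if __name__ == "__main__":
    for row in score(DRILL_LOG):
        print(f"{row['status']:8} {row['step']:24} {row['elapsed']} / {row['limit']} s")
    print("longest wait before:", longest_gap(DRILL_LOG))
```

The report is the input to the gap tickets: every LATE row is a control that is slower than you believed, every MISSING row is a step the team did not know to take, and the longest gap is where to ask what the team was waiting for.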
What actually breaks
- The drill actually ran this quarter. It was not skipped because there was no incident. [Critical] Drills that only happen after the incident are not drills.
- The leaders who would be in the room during a real incident were in the room for the drill [Critical]
- The team running the drill did not know the scenario in advance
- The clock did not pause when the drill got uncomfortable
- Gaps from the last drill have a status. Open ones are escalated, not parked. [Critical]
- Drill outcomes are shared upward, including the gaps you have not closed