Incident Response + Hardening
After Account Takeover Attempts
Client: Consumer web platform (confidential)
Duration: 3 weeks (stabilize), plus follow-on monitoring
Team: Security lead, Backend engineer, DevOps
Situation
The client saw a surge in suspicious login traffic and unauthorized access attempts. Engineering lacked the telemetry to confidently answer "What happened?"
Objectives
- Contain active abuse quickly
- Improve detection and response capability
- Reduce likelihood of repeat attacks (without harming real user logins)
What We Did
Aligned response to NIST incident response guidance (Rev. 3) and mapped behaviors to MITRE ATT&CK techniques.
Implemented rate limits, IP/ASN anomaly rules, credential stuffing defenses, and forced password resets for suspicious accounts.
Improved logs (auth events, session anomalies), rolled out MFA plans, better password policies, and safer session invalidation.
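To make the controls above concrete, here is an added example (not the client's code or anything from the engagement) of the three pieces working together over auth-event telemetry: a sliding-window rule that flags a source, grouped by IP or by ASN, when it produces many failed logins against many distinct accounts; a per-IP token-bucket rate limit that blunts the burst without touching a normal user's retries; and a lookup of accounts that authenticated successfully from a flagged source, which are the candidates for a forced reset and session invalidation. The event records, the IPs and ASNs, and the thresholds are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: float       # epoch seconds
    ip: str
    asn: int
    user: str
    success: bool


# Constructed sample telemetry (not real data): one source sprays six accounts
# in six seconds and hits once; a legitimate user mistypes twice, then succeeds.
SAMPLE_EVENTS = [
    AuthEvent(100.0, "203.0.113.7", 64500, "alice", False),
    AuthEvent(101.0, "203.0.113.7", 64500, "bob", False),
    AuthEvent(102.0, "203.0.113.7", 64500, "carol", False),
    AuthEvent(103.0, "203.0.113.7", 64500, "dave", False),
    AuthEvent(104.0, "203.0.113.7", 64500, "erin", True),   # stuffed credential that worked
    AuthEvent(105.0, "203.0.113.7", 64500, "frank", False),
    AuthEvent(100.0, "198.51.100.2", 64496, "grace", False),
    AuthEvent(130.0, "198.51.100.2", 64496, "grace", False),
    AuthEvent(160.0, "198.51.100.2", 64496, "grace", True),
]


def detect_credential_stuffing(events, key=lambda e: e.ip, window_s=300,
                               min_failures=5, min_distinct_users=4):
    """Sliding-window rule. Groups failed logins by `key` (IP by default, pass
    `lambda e: e.asn` for an ASN-level rule) and returns
    {source: (failures, distinct_users)} for every source whose failures in some
    window_s-second window reach both thresholds. The distinct-user threshold is
    what separates stuffing from one user forgetting a password. Thresholds are
    illustrative assumptions and would be tuned against support feedback."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_source[key(e)].append(e)
    flagged = {}
    for source, fails in by_source.items():
        window = deque()
        for e in fails:
            window.append(e)
            while window and e.ts - window[0].ts > window_s:
                window.popleft()
            users = {w.user for w in window}
            if len(window) >= min_failures and len(users) >= min_distinct_users:
                flagged[source] = (len(window), len(users))
                break  # record the first window that trips the rule
    return flagged


def accounts_to_reset(events, flagged_sources, key=lambda e: e.ip):
    """Accounts that authenticated successfully from a flagged source: the
    candidates for a forced password reset and session invalidation."""
    return {e.user for e in events if e.success and key(e) in flagged_sources}


class TokenBucket:
    """Per-source login rate limiter: `capacity` attempts of burst, then
    `refill_per_s` attempts per second."""

    def __init__(self, capacity, refill_per_s):
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.tokens = float(capacity)
        self.last_ts = None

    def allow(self, ts):
        if self.last_ts is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (ts - self.last_ts) * self.refill_per_s)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_rate_limit(events, capacity=3, refill_per_s=0.1):
    """Replay events per IP through a token bucket; returns [(event, allowed)].
    With these (assumed) settings the spraying IP is cut off after three
    attempts while the slow legitimate retries all pass."""
    buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_s))
    return [(e, buckets[e.ip].allow(e.ts))
            for e in sorted(events, key=lambda e: e.ts)]


if __name__ == "__main__":
    by_ip = detect_credential_stuffing(SAMPLE_EVENTS)
    print("flagged IPs:", by_ip)
    print("flagged ASNs:", detect_credential_stuffing(SAMPLE_EVENTS, key=lambda e: e.asn))
    print("force reset:", accounts_to_reset(SAMPLE_EVENTS, by_ip))
    for e, ok in apply_rate_limit(SAMPLE_EVENTS):
        print(f"{e.ts:6.1f} {e.ip:<14} {e.user:<6} {'allow' if ok else 'DENY'}")
```

Running the detector at both IP and ASN granularity from the same function matters in practice: once a source rotates across addresses inside one hosting ASN, the per-IP counts drop below threshold while the ASN-level aggregate still trips.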
Challenges & Solutions
Challenge: Incomplete logs
Solution: Prioritized "future-proof" telemetry first, then retro analysis.
Challenge: False positives
Solution: Staged controls carefully, monitored impact, and tuned with support feedback.
Challenge: Coordination
Solution: Set a single incident channel and a short decision log.
Results
- Reduced automated login abuse by 95% within days
- Restored user trust with clear comms
- Built a repeatable incident workflow aligned to NIST guidance
Deliverables
- Incident report (timeline, scope, root causes, actions)
- Hardened auth controls + monitoring rules
- Post-incident playbook