The silent threat of stolen credentials and the DAIR cycle that redefines the response to incidents

Published · 5 min read

In recent years the public conversation about cybersecurity has focused on the striking threats: zero-day vulnerabilities, supply chain compromises and AI-powered exploits. Yet the entry point that remains most reliable for attackers has not changed: stolen credentials. A valid username and password, obtained from earlier breach dumps, credential-stuffing attacks or well-crafted phishing campaigns, lets an attacker walk in without exploiting any technical flaw.

What makes this vector so hard to detect is how unspectacular the initial access is. A successful login with legitimate credentials does not trigger the same alarms as a port scan or malware beaconing. To many detection systems the intruder looks like just another employee. Under that disguise the attacker can harvest more passwords, reuse them to move laterally and extend their control over the environment.
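Because the login itself is legitimate, the signal has to come from the context around it. The following script is an added example, not code from the article or its author: it runs two simple rules over a constructed batch of authentication events, flagging a success from a source IP that just failed against many different accounts (credential stuffing or spraying) and a success from a country the account has never used. The log format, the per-account country baseline and the thresholds are assumptions chosen for the example.

```python
"""Flag successful logins that look like credential stuffing, using context.

A login with valid credentials is indistinguishable from a normal one on its
own. Two pieces of context give it away: the same source IP failed against
many different accounts just before it succeeded, or the account succeeded
from a country it has never used before.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 198.51.100.7 fails against five
# accounts in ten seconds and then logs in as bob; carol later logs in from
# a country outside her baseline; alice's logins are routine.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:01Z", "user": "alice", "src_ip": "203.0.113.5",  "country": "US", "result": "success"}
{"ts": "2024-05-01T08:10:00Z", "user": "alice", "src_ip": "198.51.100.7", "country": "US", "result": "failure"}
{"ts": "2024-05-01T08:10:02Z", "user": "bob",   "src_ip": "198.51.100.7", "country": "US", "result": "failure"}
{"ts": "2024-05-01T08:10:04Z", "user": "carol", "src_ip": "198.51.100.7", "country": "US", "result": "failure"}
{"ts": "2024-05-01T08:10:06Z", "user": "dave",  "src_ip": "198.51.100.7", "country": "US", "result": "failure"}
{"ts": "2024-05-01T08:10:08Z", "user": "erin",  "src_ip": "198.51.100.7", "country": "US", "result": "failure"}
{"ts": "2024-05-01T08:10:10Z", "user": "bob",   "src_ip": "198.51.100.7", "country": "US", "result": "success"}
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "src_ip": "203.0.113.5",  "country": "US", "result": "success"}
{"ts": "2024-05-01T09:30:00Z", "user": "carol", "src_ip": "192.0.2.9",    "country": "RO", "result": "success"}
"""

# Constructed per-account baseline of countries seen recently (an assumption:
# in practice this comes from the identity provider's sign-in history).
BASELINE_COUNTRIES = {u: {"US"} for u in ("alice", "bob", "carol", "dave", "erin")}

SPRAY_WINDOW = timedelta(minutes=10)   # look-back for failures from the same IP
SPRAY_MIN_ACCOUNTS = 4                 # distinct accounts that must have failed


def parse_events(text):
    """Parse one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(events, baseline):
    """Return a list of alerts for successes that carry stuffing context."""
    alerts = []
    failures_by_ip = defaultdict(list)          # src_ip -> [(ts, user), ...]
    for ev in events:
        if ev["result"] != "success":
            failures_by_ip[ev["src_ip"]].append((ev["ts"], ev["user"]))
            continue
        # Rule 1: success from an IP that just failed against many accounts.
        recent_failed_accounts = {
            user for ts, user in failures_by_ip[ev["src_ip"]]
            if ev["ts"] - ts <= SPRAY_WINDOW
        }
        if len(recent_failed_accounts) >= SPRAY_MIN_ACCOUNTS:
            alerts.append({
                "rule": "success_after_spray", "user": ev["user"],
                "src_ip": ev["src_ip"], "ts": ev["ts"].isoformat(),
                "failed_accounts": len(recent_failed_accounts),
            })
        # Rule 2: success from a country the account has never used.
        if ev["country"] not in baseline.get(ev["user"], set()):
            alerts.append({
                "rule": "new_country", "user": ev["user"],
                "src_ip": ev["src_ip"], "ts": ev["ts"].isoformat(),
                "country": ev["country"],
            })
    return alerts


def run_sample():
    """Run both rules over the constructed sample and return the alerts."""
    return detect_suspicious_logins(parse_events(SAMPLE_LOG), BASELINE_COUNTRIES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this yields two alerts: bob's success after five distinct accounts failed from the same IP, and carol's success from a country outside her baseline; alice's logins produce nothing. The per-IP rule is easy to evade with stuffing spread across many addresses, so in a real deployment the same count is usually also kept per ASN or per client fingerprint, and the country baseline needs a real sign-in history rather than a hard-coded set.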

Image generated with AI.

The impact of this pattern is clear: ransomware crews can encrypt and extort within hours, while state-sponsored actors turn the same access into long-term persistence and intelligence collection. The fundamental phases of the attack (access, escalation, lateral movement and persistence) remain the same; what has changed is the speed and sophistication with which they are executed.

Artificial intelligence has accelerated and polished the attackers' work. It automates mass validation of credentials, generates custom tooling quickly and produces phishing emails that are now far harder to distinguish from legitimate messages. This acceleration forces defenders with limited resources to react at a pace that many organizations are not equipped to sustain.

Faced with incidents that unfold faster and touch more layers (identities, clouds, endpoints), response teams cannot rely on linear, rigid processes alone. The classic recipe of prepare, identify, contain, eradicate, recover and review works in theory, but practice in the field is rarely that orderly. That is why an iterative approach, one that accepts the shifting and chaotic nature of a real investigation, makes sense.

The DAIR model (Dynamic Approach to Incident Response) proposes exactly that: once an incident has been detected and verified, the team enters a continuous cycle of scoping, containment, eradication and recovery. Each pass through the cycle incorporates new evidence that can widen the perimeter of the engagement and redefine the actions required. The loop repeats until technical and executive stakeholders agree that the situation is under control.

Imagine a case triggered by compromised credentials: at first the scope appears limited to a single workstation. During containment, the team finds a persistence mechanism in the registry that was not detected initially. That finding pushes the team back to sweeping the whole organization for the same footprint. If a confirmed command-and-control IP turns up during that sweep, it is contained and eradicated in turn. Each iteration refines the intelligence and improves the tactical decisions of the next cycle.
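The scenario above is, mechanically, a worklist: each pass sweeps the fleet for the current indicators, every newly confirmed host yields more indicators (the registry key, the C2 address, the other accounts that used it), and the sweep runs again until a pass finds nothing new. The script below is an added example, not code from the article or its author, that models that scoping loop and derives the containment steps for each pass. The host telemetry, the "known good" allowlist, the seed indicator and the action playbook are all constructed assumptions; WS-33, which shares only a benign Run key with the rest, is there to show that vetting artifacts keeps the scope from swallowing the whole estate.

```python
"""Worklist model of DAIR scoping: every pass turns what was found on newly
compromised hosts into fresh indicators and re-sweeps the fleet with them.

The loop terminates when a pass matches no additional host, i.e. when the
evidence has stopped widening the scope.
"""

# Constructed host telemetry (not real data): each host's observations as
# (kind, value) pairs, as a sweep tool might summarise them.
TELEMETRY = {
    "WS-12":   {("account", "jdoe"), ("run_key", "Updater"),
                ("dst_ip", "198.51.100.23"), ("run_key", "OneDrive")},
    "WS-40":   {("account", "mlee"), ("run_key", "Updater"), ("run_key", "OneDrive")},
    "SRV-DB1": {("account", "svc_backup"), ("dst_ip", "198.51.100.23")},
    "WS-07":   {("account", "mlee"), ("run_key", "OneDrive")},
    "WS-33":   {("account", "pkim"), ("run_key", "OneDrive")},
}

# Artifacts an analyst has vetted as benign, so they never become indicators.
KNOWN_GOOD = {("run_key", "OneDrive")}

# Observation kinds worth pivoting on once a host is confirmed compromised.
PIVOT_KINDS = {"account", "run_key", "dst_ip"}

# What the incident started with: one account confirmed as compromised.
SEED_INDICATORS = {("account", "jdoe")}

# Containment/eradication action per indicator kind (assumed playbook).
ACTIONS = {
    "account": "reset password and revoke sessions for {}",
    "run_key": "remove Run key '{}' and quarantine its binary",
    "dst_ip": "block egress to {} and hunt for other connections",
}


def run_dair_scoping(telemetry, seed_indicators, known_good):
    """Iterate scope -> pivot -> re-sweep until no new host matches.

    Returns (hosts_in_scope, final_indicators, passes); passes records
    what each cycle added, in order.
    """
    indicators = set(seed_indicators)
    in_scope = set()
    passes = []
    while True:
        # Scoping: sweep every host not yet in scope for any current indicator.
        matched = {h for h, obs in telemetry.items()
                   if h not in in_scope and obs & indicators}
        if not matched:
            break                                  # evidence stopped growing
        in_scope |= matched
        # Pivot: pivotable observations on the new hosts become indicators,
        # minus artifacts already vetted as benign and those already known.
        new_indicators = set()
        for host in matched:
            new_indicators |= {o for o in telemetry[host] if o[0] in PIVOT_KINDS}
        new_indicators -= known_good | indicators
        indicators |= new_indicators
        passes.append({"hosts": sorted(matched),
                       "new_indicators": sorted(new_indicators)})
    return in_scope, indicators, passes


def containment_plan(passes):
    """Turn each pass into concrete containment and eradication steps."""
    plan = []
    for n, p in enumerate(passes, 1):
        for host in p["hosts"]:
            plan.append(f"pass {n}: isolate {host} and collect a triage image")
        for kind, value in p["new_indicators"]:
            plan.append(f"pass {n}: " + ACTIONS[kind].format(value))
    return plan


if __name__ == "__main__":
    scope, iocs, passes = run_dair_scoping(TELEMETRY, SEED_INDICATORS, KNOWN_GOOD)
    for step in containment_plan(passes):
        print(step)
    print("hosts in scope:", sorted(scope))
    print("hosts never matched:", sorted(set(TELEMETRY) - scope))
```

With this data the loop takes three passes: the seed account finds WS-12, whose Run key and destination IP pull in WS-40 and SRV-DB1, whose accounts in turn pull in WS-07; the fourth sweep matches nothing and the loop stops with WS-33 out of scope. The allowlist is the part a real team spends time on: without it, a shared benign artifact would put every host in scope after the second pass.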

This approach treats uncertainty as part of the process rather than a deviation from it. But a good method alone is not enough: communication between teams is decisive. When SOC analysts, cloud engineers, response leads and system owners converge on an incident, their actions must be synchronized. Clear and timely communication is what determines whether containment actions are coordinated or contradict each other, and whether decision-makers receive information they can use to prioritize.

Beyond communication, repeated practice is essential. It is not just a matter of documenting procedures but of running realistic exercises that test coordination, tooling and response times. And while AI is increasingly built into defensive tools, skilled professionals are still needed to configure those systems, interpret their output and steer them in an operational context.

The organizations that withstand identity-based attacks best are those that invested in their people before the crisis arrived. Teams trained in the attackers' real techniques, not just in theory but hands-on with the same tools and tactics the adversaries use, respond better. Executing the DAIR cycle effectively requires experts who understand both sides of the game: how access is gained and how to investigate the evidence left behind at each stage.

If you want to go deeper into this whole attack-and-response life cycle, from the initial theft of credentials through lateral movement, persistence and investigation techniques, there are courses that combine an offensive perspective with practical defensive skills. For those looking to improve both their understanding of attackers and their ability to respond, a recognized option is SEC504: Hacker Tools, Techniques, and Incident Handling. This June I will be teaching at SANS Chicago 2026, where we apply the DAIR model to real incidents.

Image generated with AI.

If you want to ground your decisions in data and reference frameworks, reports such as the Verizon Data Breach Investigations Report and the guidance published by CISA are useful reading for understanding current trends and tactics. For technical guidance on identity, NIST SP 800-63 sets out criteria and good practices that help in designing more robust controls.

The key lesson is twofold and simple: threats evolve, and the response must evolve too. Better tools are not enough; adaptive processes, effective communication and trained professionals are needed to apply a dynamic incident response model. Strengthen those pillars and you reduce the advantage that today's attackers draw from speed and scale.

Note: This article was written and contributed by Jon Gorenflo, SANS instructor for SEC504: Hacker Tools, Techniques, and Incident Handling.
