incident-response-trainer
Mock scenarios · Rule-based grading
Cloud Infrastructure · extremely-hard · Cloud Backup-Tamper Recovery Crisis · Critical asset
Scenario

Destructive cloud incident — objects deleted and snapshot/backup lifecycle tampered, recovery source must be trusted

An extremely-hard Cloud Infrastructure scenario on Cloud Backup-Tamper Recovery Crisis.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 2 templates in this Track + Difficulty pool.

catalog id · cloud-backup-tamper-recovery-crisis

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Contain active cloud data destruction and backup tampering
  • Validate a provably-clean recovery source and harden backups
MITRE ATT&CK · mitre-attack
  • Data Destruction · Impact · T1485 · TA0040
    Mapped · High confidence

    Trains response to active bulk deletion of production objects by a compromised automation identity.

  • Inhibit System Recovery · Impact · T1490 · TA0040
    Mapped · High confidence

    Trains response to snapshot/backup-lifecycle tampering that undermines recovery integrity.

MITRE D3FEND · mitre-d3fend
  • User Account Containment · D3-UAC
    Mapped · High confidence

    Trains isolating the compromised automation identity to stop the ongoing destruction.

  • Resource Access Policy Auditing · D3-RAPA
    Mapped · Medium confidence

    Trains auditing the tampered lifecycle, retention, and vault-share changes.

NIST CSF 2.0 · nist-csf-2
  • Data Security · Protect · PR.DS · PR
    Mapped · High confidence

    Trains protecting production data and the backups that secure it.

  • Incident Recovery Plan Execution · Recover · RC.RP · RC
    Mapped · High confidence

    Trains selecting and validating a provably-clean recovery source when backups are suspect.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains stopping the destruction, isolating the identity, and restoring from a trusted source.

  • IR lifecycle phase · Post-Incident Activity
    Mapped · Medium confidence

    Trains hardening backups to immutable, least-privilege controls so tampering cannot recur.

CISA Cybersecurity Performance Goals · cisa-cpg
  • System Backups · 2.O
    Mapped · High confidence

    Trains the backup-integrity baseline the tampering violated and the response restores.

  • Secure Sensitive Data · 2.I
    Mapped · Medium confidence

    Trains protecting the production data held in the affected storage and backups.

CIS Controls v8 · cis-controls
  • Data Recovery · Control 11
    Mapped · High confidence

    Trains the data-recovery control behind proving and using a clean recovery source.

  • Data Protection · Control 3
    Mapped · Medium confidence

    Trains the data-protection control the destructive activity exercises.