incident-response-trainer
Mock scenarios · Rule-based grading
Cloud Infrastructure · extremely-hard · Cloud Control-Plane Identity Pivot · Critical asset
Scenario

Cloud control-plane intrusion — leaked CI credential pivots across IAM roles while audit logging is partially blind

An extremely-hard Cloud Infrastructure scenario on Cloud Control-Plane Identity Pivot.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 2 templates in this Track + Difficulty pool.

catalog id · cloud-control-plane-identity-pivot

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Contain a cloud control-plane identity pivot under a logging gap
  • Reconstruct a partial timeline and bound cross-account blast radius
MITRE ATT&CK · mitre-attack
  • Valid Accounts: Cloud Accounts · Privilege Escalation · T1078.004 · TA0004
    Mapped · High confidence

    Trains response to a CI identity pivoting into higher-privilege cloud roles via valid-account abuse.

  • Impair Defenses: Disable or Modify Cloud Logs · Defense Evasion · T1562.008 · TA0005
    Partial · Medium confidence

    Trains the defender side: reconstructing activity that fell inside the partial audit-logging gap.

MITRE D3FEND · mitre-d3fend
  • User Account Containment · D3-UAC
    Mapped · High confidence

    Trains revoking the leaked CI credential and the assumed-role sessions to stop the pivot.

  • User Account Permissions · D3-UAP
    Mapped · Medium confidence

    Trains tightening break-glass and cross-account trust without widening privilege.

  • Network Traffic Analysis · D3-NTA
    Mapped · Medium confidence

    Trains using remaining flow telemetry to reconstruct the unlogged window.

NIST CSF 2.0 · nist-csf-2
  • Identity Management, Authentication, and Access Control · Protect · PR.AA · PR
    Mapped · High confidence

    Trains identity-control response to an over-privileged pivot across roles and accounts.

  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detection from the anomalous role-assumption chain in the audit log.
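The two skills the catalog entry names above, following the anomalous role-assumption chain in the audit log and bounding cross-account blast radius under a logging gap, come down to one walk over the log. The script below is an added worked example, not the trainer's own code, rubric or hidden evidence. It follows a leaked CI access key through every sts:AssumeRole hop it produced (each hop mints temporary credentials, which are what the next hop is attributed to), collects the accounts the chain touched, lists the keys and sessions containment has to revoke, and flags sessions that act in the log without a parent AssumeRole record, which is how a partial logging gap looks from the defender's side. Record field names follow the CloudTrail format; the account IDs, ARNs, key IDs, timestamps and the names `SEED_ACCESS_KEY`, `EVENTS` and `reconstruct_pivot` are all constructed for the example.

```python
"""Reconstruct a role-assumption chain from CloudTrail-style audit records.

Added example; not the trainer's code or evidence. All identifiers below are
constructed sample data. Field names follow the CloudTrail record format.
"""

SEED_ACCESS_KEY = "AKIAEXAMPLELEAKEDCI"  # constructed: the long-lived CI key


def _assume_role(time, account, ident, role_arn, session, new_arn, new_key):
    """Trimmed AssumeRole record (constructed-data helper)."""
    return {"eventTime": time, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRole", "recipientAccountId": account,
            "userIdentity": ident,
            "requestParameters": {"roleArn": role_arn, "roleSessionName": session},
            "responseElements": {"assumedRoleUser": {"arn": new_arn},
                                 "credentials": {"accessKeyId": new_key}}}


def _api_call(time, account, source, name, ident):
    """Trimmed non-STS API call record (constructed-data helper)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "recipientAccountId": account, "userIdentity": ident}


CI_USER = {"type": "IAMUser", "accessKeyId": SEED_ACCESS_KEY,
           "arn": "arn:aws:iam::111111111111:user/ci-deploy"}
HOP1 = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEHOP1",
        "arn": "arn:aws:sts::111111111111:assumed-role/deploy-role/ci-deploy"}
HOP2 = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEHOP2",
        "arn": "arn:aws:sts::222222222222:assumed-role/OrganizationAccountAccessRole/ci-deploy"}
# A session that acts in the log although no AssumeRole record created it:
# the hop that minted it fell inside the logging gap.
GHOST = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEHOP3",
         "arn": "arn:aws:sts::333333333333:assumed-role/break-glass-admin/ci-deploy"}
ALICE = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEALICE",
         "arn": "arn:aws:iam::111111111111:user/alice"}

EVENTS = [  # constructed log, deliberately out of order; the walk sorts by time
    _api_call("2024-05-02T09:20:41Z", "222222222222", "iam.amazonaws.com", "ListRoles", HOP2),
    _assume_role("2024-05-02T09:14:03Z", "111111111111", CI_USER,
                 "arn:aws:iam::111111111111:role/deploy-role", "ci-deploy",
                 HOP1["arn"], HOP1["accessKeyId"]),
    _api_call("2024-05-02T09:15:10Z", "111111111111", "ecs.amazonaws.com", "UpdateService", HOP1),
    _assume_role("2024-05-02T09:19:55Z", "222222222222", HOP1,
                 "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole", "ci-deploy",
                 HOP2["arn"], HOP2["accessKeyId"]),
    _assume_role("2024-05-02T09:16:00Z", "111111111111", ALICE,  # unrelated activity
                 "arn:aws:iam::111111111111:role/readonly", "alice",
                 "arn:aws:sts::111111111111:assumed-role/readonly/alice", "ASIAEXAMPLEALICE1"),
    _api_call("2024-05-02T09:31:27Z", "333333333333", "s3.amazonaws.com", "PutBucketPolicy", GHOST),
]


def reconstruct_pivot(events, seed_access_key):
    """Follow one leaked key through every AssumeRole hop and bound the blast radius."""
    ordered = sorted(events, key=lambda e: e["eventTime"])  # ISO-8601 'Z' stamps sort lexically
    known_keys, known_arns = {seed_access_key}, set()
    session_names, hops, attributed = set(), [], []
    for e in ordered:  # pass 1: hard attribution through the credential chain
        ident = e["userIdentity"]
        if ident.get("accessKeyId") not in known_keys and ident.get("arn") not in known_arns:
            continue
        attributed.append(e)
        if e["eventName"] == "AssumeRole" and not e.get("errorCode"):
            resp = e["responseElements"]  # a successful hop mints new temporary credentials
            new_arn, new_key = resp["assumedRoleUser"]["arn"], resp["credentials"]["accessKeyId"]
            known_arns.add(new_arn)
            known_keys.add(new_key)
            session_names.add(e["requestParameters"]["roleSessionName"])
            hops.append({"time": e["eventTime"], "from": ident["arn"], "to": new_arn,
                         "account": e["recipientAccountId"]})
    # pass 2: assumed-role sessions with no parent AssumeRole record. The only
    # link is the RoleSessionName the chain used, so this is an inference that
    # must be confirmed from other telemetry, not proof.
    inferred = [e for e in ordered
                if e["userIdentity"].get("type") == "AssumedRole"
                and e["userIdentity"].get("accessKeyId") not in known_keys
                and e["userIdentity"]["arn"].rsplit("/", 1)[-1] in session_names]
    window = None
    if inferred:  # bounds of the unlogged window: last hard-attributed event to first ghost event
        window = (max(e["eventTime"] for e in attributed), min(e["eventTime"] for e in inferred))
    return {"hops": hops, "attributed": attributed, "inferred": inferred,
            "accounts": sorted({e["recipientAccountId"] for e in attributed + inferred}),
            "unlogged_window": window,
            "containment_targets": {"access_keys": sorted(known_keys),
                                    "sessions": sorted(known_arns)}}


if __name__ == "__main__":
    result = reconstruct_pivot(EVENTS, SEED_ACCESS_KEY)
    for hop in result["hops"]:
        print(f"{hop['time']}  {hop['from']}  ->  {hop['to']}")
    print("accounts touched:", result["accounts"])
    print("unlogged window:", result["unlogged_window"])
    print("revoke:", result["containment_targets"])
```

The `unlogged_window` tuple is the interval to pull flow logs and other remaining telemetry for (the D3-NTA mapping below), and `containment_targets` is the revoke list: the leaked key plus every session ARN it spawned, since deleting the key alone leaves the temporary credentials valid until they expire.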

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains revoke-and-isolate containment of the identity without breaking the production deploy path.

  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains reconstructing the partial timeline and bounding cross-account blast radius.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · High confidence

    Trains the detection baseline that surfaces anomalous control-plane identity use.

  • Phishing-Resistant MFA · 2.E
    Partial · Low confidence

    Trains the move toward short-lived, stronger credentials over long-lived CI keys.

CIS Controls v8 · cis-controls
  • Account Management · Control 5
    Mapped · High confidence

    Trains the credential-lifecycle control a long-lived, leaked CI key violated.

  • Audit Log Management · Control 8
    Mapped · Medium confidence

    Trains restoring the audit logging the gap interrupted and hardening it against tampering.