incident-response-trainer
Mock scenarios · Rule-based grading
Cybersecurity · extremely-hard · Identity Federation Token Theft · Critical asset
Scenario

Cloud sign-ins succeeding with valid SAML tokens but no matching IdP auth or MFA events — suspected token-signing key compromise

An extremely hard Cybersecurity scenario on Identity Federation Token Theft.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 5 templates in this Track + Difficulty pool.

catalog id · federation-token-theft-golden-saml

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Forged-token (Golden SAML-style) recognition
  • Signing-key rotation as root-cause containment
MITRE ATT&CK (mitre-attack)
  • Forge Web Credentials · Credential Access · T1606 · TA0006
    Mapped · High confidence

    Trains recognition of forged federation tokens issued without an upstream authentication event.

  • Use Alternate Authentication Material · Defense Evasion · T1550 · TA0005
    Partial · Medium confidence

    Trains reasoning about token-based access that bypasses passwords and MFA.

MITRE D3FEND (mitre-d3fend)
  • User Account Permissions · D3-UAP
    Mapped · High confidence

    Trains scoping of which identities a forged-token capability can impersonate.

  • Multi-factor Authentication · D3-MFA
    Partial · Low confidence

    Trains why MFA alone does not stop forged assertions and only complements signing-key rotation.

NIST CSF 2.0 (nist-csf-2)
  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detection from the cloud-vs-IdP authentication-log gap.

  • Mitigation · Respond · RS.MI · RS
    Mapped · High confidence

    Trains signing-key rotation as the root-cause mitigation.

NIST SP 800-61r3 (nist-sp-800-61r3)
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains correlation of valid tokens against missing upstream IdP events.

  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains double signing-key rotation, token revocation, and IdP rebuild.

CISA Cybersecurity Performance Goals (cisa-cpg)
  • Phishing-Resistant MFA · 2.E
    Partial · Low confidence

    Trains the identity-assurance baseline that complements key rotation.

  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · Medium confidence

    Trains the detection baseline that surfaces forged-token use.

CIS Controls v8 (cis-controls)
  • Access Control Management · Control 6
    Mapped · High confidence

    Trains federated access-control response to a signing-key compromise.

  • Audit Log Management · Control 8
    Mapped · Medium confidence

    Trains the audit-log correlation the detection depends on.