incident-response-trainer
Mock scenarios · Rule-based grading
Cyber × Network Fusion · extremely-hard · Federation Token Theft + Routing Redirect · Critical asset
Scenario

Valid federation tokens with no upstream login + a /32 redirect pulling auth traffic off-path

An extremely-hard Cyber × Network Fusion scenario on Federation Token Theft + Routing Redirect.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 4 templates in this Track + Difficulty pool.

catalog id · fusion-federation-token-routing-redirect

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Forged-token + routing-redirect correlated triage
  • Signing-key rotation with scoped network rollback
MITRE ATT&CK · mitre-attack
  • Forge Web Credentials · Credential Access · T1606 · TA0006
    Mapped · High confidence

    Trains recognition of valid federation tokens issued with no upstream authentication event.

  • Adversary-in-the-Middle · Credential Access · T1557 · TA0006
    Mapped · Medium confidence

    Trains scoping when a routing/DNS redirect places the token-signing path under interception.

MITRE D3FEND · mitre-d3fend
  • Network Traffic Analysis · D3-NTA
    Mapped · High confidence

    Trains correlation of the redirect flow with anomalous federated sign-ins.

  • Multi-factor Authentication · D3-MFA
    Partial · Low confidence

    Trains why MFA alone does not stop forged assertions, only complements key rotation.

NIST CSF 2.0 · nist-csf-2
  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detection from the gap between cloud sign-ins and on-prem IdP events.

  • Mitigation · Respond · RS.MI · RS
    Mapped · High confidence

    Trains signing-key rotation plus scoped route/DNS rollback as paired mitigation.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains correlation of identity, routing, and DNS telemetry into one campaign.

  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains parallel identity and network containment without a blanket SSO outage.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Phishing-Resistant MFA · 2.E
    Partial · Low confidence

    Trains the identity-assurance baseline that complements signing-key rotation.

  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · Medium confidence

    Trains the detection baseline that surfaces forged-token use.

CIS Controls v8 · cis-controls
  • Access Control Management · Control 6
    Mapped · High confidence

    Trains federated access-control response under a signing-path compromise.

  • Network Infrastructure Management · Control 12
    Mapped · High confidence

    Trains the route/DNS hygiene that prevents redirect of a trust-critical endpoint.