incident-response-trainer
Mock scenarios · Rule-based grading
Cyber × Network Fusion · hard · Tri-Domain: Identity → Routing → Cloud Pivot · High asset
Scenario

Federated sign-in with no upstream login, a route that should not exist, and a cloud admin role assumed across the gap

A hard Cyber × Network Fusion scenario on Tri-Domain: Identity → Routing → Cloud Pivot.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 4 templates in this Track + Difficulty pool.

catalog id · fusion-tri-domain-identity-routing-cloud-pivot

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Identity→routing→cloud correlated triage
  • Cross-domain containment without a blanket SSO or network outage
MITRE ATT&CK · mitre-attack
  • Forge Web Credentials · Credential Access · T1606 · TA0006
    Mapped · High confidence

    Trains recognition of a federated session valid downstream with no matching upstream identity-provider login.

  • Remote Services · Lateral Movement · T1021 · TA0008
    Mapped · Medium confidence

    Trains scoping a cross-segment pivot that a routing/segmentation gap should have prevented.

  • Valid Accounts: Cloud Accounts · Privilege Escalation · T1078.004 · TA0004
    Mapped · High confidence

    Trains response to a federated identity assuming a higher-privilege cloud control-plane role.

MITRE D3FEND · mitre-d3fend
  • Network Traffic Analysis · D3-NTA
    Mapped · High confidence

    Trains correlating the unexpected route and cross-segment flow with the anomalous federated sign-in.

  • User Account Containment · D3-UAC
    Mapped · High confidence

    Trains revoking the federated session and the assumed-role session to stop the pivot.

  • User Account Permissions · D3-UAP
    Mapped · Medium confidence

    Trains scoping the role and route so the identity can no longer reach the management path.

NIST CSF 2.0 · nist-csf-2
  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detection from the gap between downstream sign-ins and the on-prem identity-provider log.

  • Mitigation · Respond · RS.MI · RS
    Mapped · High confidence

    Trains paired identity and routing containment without a blanket SSO or network outage.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains correlating identity, routing, and cloud telemetry into one campaign timeline.

  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains scoped session revocation, route removal, and role containment together.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Phishing-Resistant MFA · 2.E
    Partial · Low confidence

    Trains the identity-assurance baseline that complements short-lived credentials.

  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · Medium confidence

    Trains the detection baseline that surfaces a sign-in with no upstream login.

CIS Controls v8 · cis-controls
  • Access Control Management · Control 6
    Mapped · High confidence

    Trains federated access-control response when a session reaches cloud roles without an upstream login.

  • Network Infrastructure Management · Control 12
    Mapped · High confidence

    Trains the routing and segmentation hygiene the unexpected route violated.