incident-response-trainer
Mock scenarios · Rule-based grading
Track: Cybersecurity · Difficulty: extremely-hard · Topic: Insider + External Collusion Data Theft · Critical asset
Scenario

Departing privileged admin staging data to personal cloud with signs of external coordination — legal hold, do-not-tip-off, chain-of-custody under pressure

An extremely-hard Cybersecurity scenario on Insider + External Collusion Data Theft.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog; the email and evidence content stay hidden until you start.

Launching starts this exact scenario, which is one of 5 templates in this Track + Difficulty pool.

catalog id · insider-collusion-exfil-departing-admin

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Evidence-preserving insider-threat response
  • Legal-hold and chain-of-custody discipline
MITRE ATT&CK (mitre-attack)
  • Exfiltration Over Web Service · T1567 · Exfiltration (TA0010)
    Mapped · High confidence

    Trains scoping of insider uploads to personal cloud storage.

  • Exfiltration Over Physical Medium · T1052 · Exfiltration (TA0010)
    Mapped · Medium confidence

    Trains scoping of the USB-SSD copy channel.

MITRE D3FEND (mitre-d3fend)
  • User Behavior Analysis · D3-UBA
    Mapped · High confidence

    Trains behavior-baseline detection of abnormal bulk DB exports.

  • User Account Permissions · D3-UAP
    Mapped · Medium confidence

    Trains least-privilege scoping for a departing privileged DBA.

NIST CSF 2.0 (nist-csf-2)
  • Data Security · PR.DS · Protect (PR)
    Mapped · High confidence

    Trains the data-security lens on crown-jewel exfiltration.

  • Continuous Monitoring · DE.CM · Detect (DE)
    Mapped · High confidence

    Trains detection from DB-export and DLP telemetry.
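The D3-UBA and DE.CM mappings above both come down to one detection: baseline each user's own export volume, flag a bulk export that breaks that baseline, then pull in proxy/DLP telemetry to see whether the same user pushed data to personal cloud storage shortly afterwards. The following is an added example written for this page, not the trainer's grading code and not taken from any vendor tool. The audit and upload events are constructed, and the personal-cloud domain list, the MAD-based threshold, the minimum baseline size and the six-hour correlation window are assumptions a real deployment would tune.

```python
"""Behaviour-baseline detection of abnormal bulk DB exports, correlated with
personal-cloud uploads (added example; all events below are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ROBUST_Z_THRESHOLD = 3.5                  # assumption: usual MAD-outlier cut-off
MIN_BASELINE_EVENTS = 3                   # assumption: no score until 3 prior exports
CORRELATION_WINDOW = timedelta(hours=6)   # assumption: upload soon after export
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "mega.nz"}  # assumption

# Constructed DB-audit export events: (ISO timestamp, user, rows exported).
DB_EXPORTS = [
    ("2024-05-01T09:12:00", "jdoe", 1200),
    ("2024-05-02T10:05:00", "jdoe", 950),
    ("2024-05-03T09:48:00", "jdoe", 1100),
    ("2024-05-06T11:30:00", "jdoe", 1300),
    ("2024-05-07T08:55:00", "jdoe", 1000),
    ("2024-05-08T22:41:00", "jdoe", 480000),   # after-hours bulk export
    ("2024-05-01T09:00:00", "asmith", 5000),
    ("2024-05-02T09:00:00", "asmith", 5200),
    ("2024-05-03T09:00:00", "asmith", 4900),
    ("2024-05-08T09:00:00", "asmith", 5100),
]

# Constructed proxy/DLP upload events: (ISO timestamp, user, host, bytes).
UPLOADS = [
    ("2024-05-08T22:58:00", "jdoe", "drive.google.com", 2_100_000_000),
    ("2024-05-08T09:10:00", "asmith", "sharepoint.corp.example", 40_000_000),
]


def robust_z(value, history):
    """Modified z-score of value against the user's own prior exports.
    0.6745 rescales the MAD to a normal sigma; the scale floor keeps a flat
    history (MAD 0) from turning a trivial change into an alert."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(mad, 0.05 * med, 1.0)
    return 0.6745 * (value - med) / scale


def flag_bulk_exports(exports, threshold=ROBUST_Z_THRESHOLD):
    """Walk exports in time order and score each one only against the same
    user's earlier exports, so an outlier never pollutes its own baseline."""
    history = defaultdict(list)
    flagged = []
    for ts, user, rows in sorted(exports):
        prior = history[user]
        if len(prior) >= MIN_BASELINE_EVENTS:
            z = robust_z(rows, prior)
            if z > threshold:
                flagged.append({"ts": datetime.fromisoformat(ts), "user": user,
                                "rows": rows, "z": round(z, 1)})
        prior.append(rows)
    return flagged


def correlate_uploads(flagged, uploads, personal_cloud=PERSONAL_CLOUD,
                      window=CORRELATION_WINDOW):
    """Attach personal-cloud uploads by the same user inside the window
    after each flagged export; an empty list means no staging was seen."""
    alerts = []
    for f in flagged:
        staged = [
            {"ts": ts, "host": host, "bytes": size}
            for ts, user, host, size in uploads
            if user == f["user"] and host in personal_cloud
            and f["ts"] <= datetime.fromisoformat(ts) <= f["ts"] + window
        ]
        alerts.append({**f, "personal_cloud_uploads": staged})
    return alerts


def run(exports=DB_EXPORTS, uploads=UPLOADS):
    return correlate_uploads(flag_bulk_exports(exports), uploads)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two design points matter for the scenario. Scoring against prior events only means the 480,000-row export is judged against the user's normal 1,000-row days rather than against a baseline it has already inflated; and the correlation step produces evidence (timestamps, destination, byte count) that can be preserved under legal hold and raised with HR and Legal before anyone touches the account, rather than a bare anomaly score that would tempt an early, tipping-off response.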

NIST SP 800-61r3 (nist-sp-800-61r3)
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains evidence-preserving, legally-aware insider triage.

  • IR lifecycle phase · Post-Incident Activity
    Mapped · Medium confidence

    Trains HR/Legal coordination and offboarding lessons-learned.

CISA Cybersecurity Performance Goals (cisa-cpg)
  • Revoking Credentials for Departing Employees · CPG 2.D
    Mapped · High confidence

    Trains the departing-credentials baseline central to this case.

  • Secure Sensitive Data · CPG 2.I
    Mapped · Medium confidence

    Trains the sensitive-data control under insider pressure.

CIS Controls v8 (cis-controls)
  • Data Protection · Control 3
    Mapped · High confidence

    Trains the data-protection control that the exfiltration exercises.

  • Account Management · Control 5
    Mapped · High confidence

    Trains the privileged-account lifecycle around separation.