incident-response-trainer
Mock scenarios · Rule-based grading
Cybersecurity · extremely-hard · Third-Party Vendor Breach Pivot · Critical asset
Scenario

Trusted MSP's RMM agent pushing unexpected commands across managed hosts — pivot from a compromised provider, ambiguous legit-maintenance vs malicious, cross-org coordination

An extremely-hard Cybersecurity scenario on Third-Party Vendor Breach Pivot.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 5 templates in this Track + Difficulty pool.

catalog id · vendor-rmm-pivot-msp-compromise

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Trusted-vendor (MSP) pivot containment
  • Cross-org coordination without over-trusting the partner
MITRE ATT&CK · mitre-attack
  • Trusted Relationship · Initial Access (T1199 · TA0001)
    Mapped · High confidence

    Trains triage of a pivot arriving through a trusted MSP channel.

  • Remote Access Software · Command and Control (T1219 · TA0011)
    Mapped · High confidence

    Trains reasoning about abuse of a legitimate RMM agent.

MITRE D3FEND · mitre-d3fend
  • Network Traffic Analysis (D3-NTA)
    Mapped · Medium confidence

    Trains scoping of what the RMM channel reached, including backups.

  • User Account Containment (D3-UAC)
    Mapped · High confidence

    Trains constraint of the MSP technician account and rogue admins.

NIST CSF 2.0 · nist-csf-2
  • Continuous Monitoring · Detect (DE.CM · DE)
    Mapped · High confidence

    Trains detection of vendor-driven recon and admin creation.

  • Supply Chain Risk Management · Identify (ID.SC · ID)
    Mapped · High confidence

    Trains the third-party-risk lens on the MSP relationship.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains legit-maintenance-vs-malicious disambiguation across orgs.

  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains targeted, coordinated containment of a trusted channel.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Vendor/Supplier Cybersecurity Requirements (2.R)
    Mapped · High confidence

    Trains the third-party security-requirements baseline for MSP access.

  • Detecting Relevant Threats and TTPs (3.A)
    Mapped · Medium confidence

    Trains detection of vendor-channel recon and admin creation.

CIS Controls v8 · cis-controls
  • Service Provider Management (Control 15)
    Mapped · High confidence

    Trains the service-provider control the incident exercises.

  • Network Monitoring and Defense (Control 13)
    Mapped · Medium confidence

    Trains the segmentation that keeps the vendor channel off backups.