incident-response-trainer
Mock scenarios · Rule-based grading
Attempt report

Brute-force on VPN gateway admin account — 1 successful login

Cybersecurity · Brute Force · Difficulty: Medium

Attempt 1 of 1 · cmook66900001xyo58icts141

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Medium · Cybersecurity

5 signals are blocking advancement to Hard. Keep practicing at Medium until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Medium
Sample · 5 recent attempts · 1 positive · 5 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts

Signals blocking advancement

  • Recent average score. 6 / 100 (need ≥ 80)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 7% average (need ≥ 60%)
  • Recent retry improvement trend. Score is regressing (-14.2 pts on later attempts)
  • Consistently weak rubric areas. Attack understanding, Prioritization, Recovery
Submission · what was sent and how you responded
Brute Force · Difficulty: medium · Critical asset
[HIGH] 247 failed + 1 successful login on VPN admin account
From
SIEM Alerts <siem-alerts@acme-corp.local>
To
soc@acme-corp.com
Date
2026-04-19 03:58 UTC
Automated alert from SIEM (rule: AUTH-BRUTE-05) Between 03:27 and 03:42 UTC, the account "admin@acme-corp.com" on the corporate VPN gateway (vpn.acme-corp.com) received 247 failed authentication attempts from 185.220.101.34, followed by 1 SUCCESSFUL login at 03:42:11 UTC. After the successful login, the session initiated connections to 10.20.0.0/16 (internal HR subnet). MFA was not enabled on this account — an exception was granted 9 months ago and never reviewed. Please investigate and respond. — SIEM
Evidence
VPN gateway auth log (abbreviated)
Apr 19 03:27:03 vpn-gw auth: FAIL  user=admin  src=185.220.101.34  reason="bad password"
Apr 19 03:27:05 vpn-gw auth: FAIL  user=admin  src=185.220.101.34  reason="bad password"
... (245 similar lines) ...
Apr 19 03:42:11 vpn-gw auth: SUCCESS user=admin  src=185.220.101.34  session=7f2a91
Apr 19 03:42:40 vpn-gw flow: session=7f2a91 -> 10.20.0.15:445  (SMB)
Apr 19 03:43:12 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP)
Apr 19 03:45:02 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP, active)

# Threat intel lookup
185.220.101.34 — known Tor exit node, last seen in credential-stuffing campaigns (TI feed: abuse.ch)
Affected asset
Name
vpn.acme-corp.com / admin account
Type
Privileged VPN gateway account
Owner
IT Infrastructure
Level
Critical
Your submitted response
43 words
Isolate affected hosts at the switch port, preserve volatile memory and disk images, rotate compromised credentials, scope the breach via SIEM correlation across affected accounts, notify the incident commander, and document a timeline of containment, eradication, and recovery before allowing systems back online.
Final score
18 / 100
43 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 18/100. Strongest area: Clarity & structure (72%). Weakest area: Attack understanding (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/3 · 0.0 / 15
  • Asset impact · 0/3 · 0.0 / 10
  • Prioritization · 0/2 · 0.0 / 10
  • Containment · 1/5 · 4.0 / 20
  • Investigation · 1/4 · 3.8 / 15
  • Recovery · 0/3 · 0.0 / 10
  • Evidence preservation · 1/3 · 3.3 / 10
  • Clarity & structure · 1/2 · 7.2 / 10

Strengths

  • Clarity & structure

Missing / weak

  • Attack understanding
  • Asset impact
  • Prioritization
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Attack understanding · 0% coverage

    Name this as brute-force / credential-stuffing from a Tor exit followed by lateral RDP / SMB on the HR subnet — not just `247 bad logins`.

  • Asset impact · 0% coverage

    Identify the privileged VPN admin account, the gateway, AND the HR subnet hosts (10.20.0.15 SMB, 10.20.0.22 active RDP) — partial scope = partial answer.

  • Prioritization · 0% coverage

    Declare a P1 active intrusion (the RDP session is still alive) and justify why containment runs before report-writing.

Model answer outline

Situation

Between 03:27 and 03:42 UTC the VPN admin account took 247 failed logins from a known Tor exit (185.220.101.34) and then 1 success — the only difference was patience. MFA was disabled by a 9-month-old exception that nobody renewed. Within minutes the attacker hit 10.20.0.15 (SMB) and 10.20.0.22 (RDP, still active on the HR subnet). This is an active intrusion, not a noisy log.

Prioritization
  • Treat as a P1 active intrusion on a privileged VPN admin account; the attacker session is still alive.
  • Containment beats forensics in the first minutes — do not let the RDP session keep running while you write a report.
  • Loop in IT Infrastructure, the SOC lead, and (because of HR-subnet targeting) Privacy / HR leadership.
Containment
  • Kill VPN session 7f2a91 on the gateway (`disconnect` / `clear vpn-session`) and any child RDP / SMB sessions on the targeted hosts.
  • Disable the `admin` account on the VPN gateway and reset its credential; revoke any shared service-account password it shares with other systems.
  • Block 185.220.101.34 (and the broader Tor exit list) at the gateway, and segment / isolate 10.20.0.22 and 10.20.0.15 until they are reviewed.
Investigation
  • Reconstruct the timeline 03:27 → 03:42 → 03:45 from VPN auth log + flow data, and record exactly what the attacker did on 10.20.0.15 (SMB) and 10.20.0.22 (RDP).
  • Check the targeted hosts for new local accounts, scheduled tasks, persistence, dumped credentials, and lateral movement to peers.
  • Pull historical logins for `admin` to see whether this Tor IP / pattern appeared before today; baseline the account's normal source set.
  • Audit other accounts that share the same MFA exception and check whether any have been spray-tested.
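The timeline reconstruction the Investigation section calls for, as an added Python example (not part of the trainer or of this report): it parses the gateway's auth and flow lines, flags a SUCCESS that follows a burst of FAILs for the same user and source, and lists the internal hosts that session then reached. The threshold and window, the 2026 year and the extra benign `jdoe` login are assumptions; the 247 FAIL lines are constructed to match the count in the alert.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the gateway's own log format: 247 FAIL lines (the evidence block
# elides 245 of them), the SUCCESS, one unrelated benign login, then the three flows.
FAIL_FMT = 'Apr 19 03:{:02d}:{:02d} vpn-gw auth: FAIL  user=admin  src=185.220.101.34  reason="bad password"'
TAIL = [
    "Apr 19 03:42:11 vpn-gw auth: SUCCESS user=admin  src=185.220.101.34  session=7f2a91",
    "Apr 19 03:42:30 vpn-gw auth: SUCCESS user=jdoe  src=203.0.113.7  session=aa11bb",
    "Apr 19 03:42:40 vpn-gw flow: session=7f2a91 -> 10.20.0.15:445  (SMB)",
    "Apr 19 03:43:12 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP)",
    "Apr 19 03:45:02 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP, active)",
]

def build_sample_log(n_fails=247):
    """Spread n FAIL lines over 03:27-03:41 (17 per minute), then append the tail."""
    fails = [FAIL_FMT.format(27 + i // 17, (i % 17) * 3) for i in range(n_fails)]
    return "\n".join(fails + TAIL)

AUTH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ auth: (FAIL|SUCCESS)\s+user=(\S+)\s+src=(\S+)(?:\s+session=(\S+))?")
FLOW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ flow: session=(\S+) -> (\S+):(\d+)\s+\((.*)\)")

def parse_ts(text, year=2026):
    """Syslog timestamps carry no year; 2026 is assumed from the alert's Date header."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)

def find_brute_force_logins(log_text, threshold=20, window=timedelta(minutes=30),
                            internal=ip_network("10.20.0.0/16")):
    """Flag each SUCCESS preceded by >= threshold FAILs for the same user+src inside the
    window, then attach that session's flows into the internal subnet (lateral-movement evidence)."""
    fails, flows, hits = {}, {}, []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, status, user, src, session = parse_ts(m[1]), m[2], m[3], m[4], m[5]
            if status == "FAIL":
                fails.setdefault((user, src), []).append(ts)
                continue
            recent = [t for t in fails.get((user, src), []) if ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": user, "src": src, "fail_count": len(recent), "success_at": ts,
                             "session": session, "internal_targets": []})
            continue
        m = FLOW_RE.match(line)
        if m and ip_address(m[3]) in internal:
            flows.setdefault(m[2], []).append(f"{m[3]}:{m[4]}")
    for h in hits:  # which internal hosts the flagged session touched after login
        h["internal_targets"] = sorted(set(flows.get(h["session"], [])))
    return hits
```

Running `find_brute_force_logins(build_sample_log())` yields one hit for `admin` from 185.220.101.34 with 247 failures, session 7f2a91 and targets 10.20.0.15:445 and 10.20.0.22:3389; the benign `jdoe` login is not flagged.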
Recovery
  • Enforce phishing-resistant MFA on every privileged VPN account; close the 9-month exception and add a quarterly review for any new exception.
  • Add account-lockout / rate-limit policy on the VPN gateway so 247 failed attempts cannot complete unmolested.
  • Rebuild or thoroughly verify 10.20.0.22 (the active RDP target) and 10.20.0.15 before they go back into the HR subnet trust boundary.
Evidence preservation
  • Preserve the full VPN auth log, NetFlow for session 7f2a91, and any pcap captured on the HR subnet during the intrusion window.
  • Snapshot RDP / SMB host logs (Security 4624 / 4672 / 4688) on 10.20.0.22 and 10.20.0.15 before any cleanup runs.
  • Record threat-intel context for 185.220.101.34 (Tor exit, abuse.ch hits) so the case has external corroboration.
Communication
  • Brief IT Infrastructure leadership and the SOC manager with a short timeline and the containment status.
  • Notify HR / Privacy because the targeted subnet stores HR-relevant systems; do not over-share details internally yet.
  • Hold customer / external comms until investigation confirms data exposure beyond the HR subnet.

Dangerous actions to avoid

  • Do not leave the active VPN / RDP session running while you write up the alert.
  • Do not delete or roll the auth log to `make the SIEM quiet`.
  • Do not just reset the password without enforcing MFA — the 9-month exception is the actual root cause.
  • Do not paste the new admin credential into chat or email.

How to improve next time

  • 247 failures + 1 success is not a `noisy alert` — it is the textbook end of a brute-force / spray, and the answer is to assume the attacker is in.
  • Always close the live session before you reset the password — a stolen session token can outlive a password change.
  • MFA exceptions decay — every privileged exception needs a renewal date, an owner, and a quarterly review, otherwise they become the next root cause.
  • When the post-login flows show internal SMB + RDP, treat the targeted internal hosts as part of the incident, not as `unrelated infrastructure`.
  • Baseline `admin`'s normal source IPs / hours so the next anomaly is obvious; the historical-login query is part of the answer, not extra credit.
AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 18/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (72%). Points were held back mostly in Attack understanding (0%), Asset impact (0%), Prioritization (0%).

Rubric focus · Attack understanding, Asset impact, Prioritization
Next study step

Re-read the attack understanding expectations for this scenario and list the concrete steps you missed.

What should I improve first?

Focus on Attack understanding first — it is your weakest rubric area at 0% coverage and carries weight 15. For this scenario: Name this as brute-force / credential-stuffing from a Tor exit followed by lateral RDP / SMB on the HR subnet — not just `247 bad logins`.

Rubric focus · Attack understanding
Next study step

Rewrite your attack understanding section as a short numbered checklist before your next attempt.

How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's attack understanding, asset impact, prioritization guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · Attack understanding, Asset impact, Prioritization
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.

Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 20% of it this time, worth 4 points.

Rubric focus · Containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.

What should I study next?

Based on this attempt, study attack understanding, asset impact, prioritization next. Coaching tip for this scenario: 247 failures + 1 success is not a `noisy alert` — it is the textbook end of a brute-force / spray, and the answer is to assume the attacker is in.

Rubric focus · Attack understanding, Asset impact, Prioritization
Next study step

247 failures + 1 success is not a `noisy alert` — it is the textbook end of a brute-force / spray, and the answer is to assume the attacker is in.
