incident-response-trainer
Incident response training · Rule-based scoring
Cloud Infrastructure · extremely-hard · Cloud Cross-Tenant CI/CD Trust Abuse · Critical asset
Scenario

Federated CI/CD (OIDC) trust abused for cross-account pivot — partial, ambiguous audit trail

An extremely-hard Cloud Infrastructure scenario on Cloud Cross-Tenant CI/CD Trust Abuse.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 3 templates in this Track + Difficulty pool.

catalog id · cloud-cross-tenant-cicd-trust-abuse

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Contain abuse of a federated CI/CD trust pivoting across cloud accounts
  • Reconstruct a partial cross-account trail and harden pipeline trust
MITRE ATT&CK · mitre-attack
  • Trusted Relationship · Initial Access · T1199 · TA0001
    Mapped · High confidence

    Trains response to abuse of a trusted federated CI/CD relationship to reach production cloud accounts.

  • Valid Accounts: Cloud Accounts · Privilege Escalation · T1078.004 · TA0004
    Mapped · Medium confidence

    Trains bounding the cross-account role assumptions the federated identity performed.

MITRE D3FEND · mitre-d3fend
  • User Account Containment · D3-UAC
    Mapped · High confidence

    Trains revoking active role sessions and tokens for the abused federated identity.

  • Resource Access Policy Auditing · D3-RAPA
    Mapped · High confidence

    Trains auditing and tightening the federated trust policy and the assumed-role permissions.

NIST CSF 2.0 · nist-csf-2
  • Identity Management, Authentication, and Access Control · Protect · PR.AA · PR
    Mapped · High confidence

    Trains least-privilege, narrowly-scoped trust conditions for federated automation identities.

  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detecting unexpected cross-account role assumption by the pipeline identity.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains containing the trust without breaking production and restricting cross-account assumption.

  • IR lifecycle phase · Post-Incident Activity
    Mapped · Medium confidence

    Trains hardening to unique per-job federated identities and trust-change alerting.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · High confidence

    Trains the detection baseline for anomalous cross-account assumption.

  • Log Collection · 2.T
    Mapped · Medium confidence

    Trains preserving cloud, IdP token-issuance, and CI/CD run logs to reconstruct the partial trail.

CIS Controls v8 · cis-controls
  • Access Control Management · Control 6
    Mapped · High confidence

    Trains scoping the federated trust and assumed-role permissions to least privilege.

  • Application Software Security · Control 16
    Mapped · Medium confidence

    Trains hardening the CI/CD pipeline trust as part of secure software delivery.