incident-response-trainer
Incident response training · Rule-based scoring
Cloud Infrastructure · hard · Cloud Metadata SSRF Credential Theft · Critical asset
Scenario

Web-app SSRF reached the cloud metadata endpoint — workload role credentials likely stolen

A hard Cloud Infrastructure scenario on Cloud Metadata SSRF Credential Theft.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 3 templates in this Track + Difficulty pool.

catalog id · cloud-metadata-ssrf-credential-theft

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Connect an app-layer SSRF to stolen cloud workload credentials
  • Revoke the role session, patch the app, and scope the blast radius
MITRE ATT&CK · mitre-attack
  • Unsecured Credentials: Cloud Instance Metadata API · Credential Access · T1552.005 · TA0006
    Mapped · High confidence

    Trains response to workload role credentials retrieved from the cloud metadata service via an app SSRF.

  • Valid Accounts: Cloud Accounts · Initial Access · T1078.004 · TA0001
    Partial · Medium confidence

    Trains scoping the stolen role session's use from an anomalous host.

MITRE D3FEND · mitre-d3fend
  • User Account Containment · D3-UAC
    Mapped · High confidence

    Trains revoking the role session and invalidating the temporary credentials.

  • Network Traffic Analysis · D3-NTA
    Mapped · Medium confidence

    Trains detecting the server-side request to the internal metadata endpoint and anomalous role use.

  • User Account Permissions · D3-UAP
    Mapped · Medium confidence

    Trains confirming least privilege bounded what the stolen role could reach.

NIST CSF 2.0 · nist-csf-2
  • Identity Management, Authentication, and Access Control · Protect · PR.AA · PR
    Mapped · High confidence

    Trains controlling and revoking the workload role session after credential theft.

  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detecting anomalous role-credential use against the app's normal egress.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains revoking the session and fixing the SSRF plus metadata hardening as containment.

  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains correlating app and cloud logs to prove the app-to-metadata-to-role chain.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · High confidence

    Trains the detection baseline that flags anomalous workload-credential use.

  • Log Collection · 2.T
    Mapped · Medium confidence

    Trains preserving app and cloud audit logs that together prove the incident.

CIS Controls v8 · cis-controls
  • Application Software Security · Control 16
    Mapped · High confidence

    Trains fixing the SSRF in the application as part of containment.

  • Access Control Management · Control 6
    Mapped · Medium confidence

    Trains scoping and revoking the workload role and shortening credential lifetime.