incident-response-trainer
Incident response training · Rule-based scoring
Cloud Infrastructure · easy · Cloud Root/Owner Account MFA Disabled · Critical asset
Scenario

Cloud root/owner account MFA disabled — suspicious login from an unfamiliar IP

An easy Cloud Infrastructure scenario on Cloud Root/Owner Account MFA Disabled.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 3 templates in this Track + Difficulty pool.

catalog id · cloud-root-account-mfa-disabled

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Secure a cloud root/owner account with MFA after a suspicious login
  • Review root activity and preserve sign-in evidence
MITRE ATT&CK · mitre-attack
  • Valid Accounts: Cloud Accounts · Initial Access · T1078.004 · TA0001
    Mapped · High confidence

    Trains response to a suspicious interactive login on a root/owner cloud account whose MFA is disabled.

MITRE D3FEND · mitre-d3fend
  • Multi-factor Authentication · D3-MFA
    Mapped · High confidence

    Trains re-enabling and enforcing MFA on the most-privileged account as the core fix.

  • User Account Containment · D3-UAC
    Mapped · Medium confidence

    Trains rotating root credentials and invalidating sessions when the login cannot be confirmed.

NIST CSF 2.0 · nist-csf-2
  • Identity Management, Authentication, and Access Control · Protect · PR.AA · PR
    Mapped · High confidence

    Trains the access-control posture that keeps the root/owner identity MFA-protected.

  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detection of an anomalous root login and of MFA being disabled.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains re-enabling MFA and rotating root credentials as the containment action.

  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains confirming whether the root login was legitimate and reviewing what it did.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Phishing-Resistant MFA · 2.E
    Mapped · High confidence

    Trains the MFA baseline the disabled root account violated.

  • Detection of Unsuccessful (Automated) Login Attempts · 2.Q
    Mapped · Medium confidence

    Trains the login-monitoring baseline that surfaces anomalous root access.

CIS Controls v8 · cis-controls
  • Account Management · Control 5
    Mapped · High confidence

    Trains the account-management control for securing a privileged root account.

  • Access Control Management · Control 6
    Mapped · Medium confidence

    Trains enforcing MFA and least privilege so root stays break-glass only.