CloudSync Solutions

Select an Incident Scenario

Choose a realistic cybersecurity incident and work through the incident response process. Each scenario presents decision points, realistic log entries, and guidance based on NIST CSF and ISO 27035 frameworks.

SEV-1 CRITICAL

Ransomware Attack

BlackCat/ALPHV variant targeting file servers. Detected Friday 2:47 AM with encrypted files and $2.5M ransom demand.

Timeline: Friday 2:47 AM

MITRE ATT&CK: T1566, T1078, T1486, T1070

SEV-1 CRITICAL

Phishing → Data Breach

Finance employee clicked phishing link Tuesday 9:15 AM. Credential theft leads to mail forwarding and exfiltration of 12,847 employee records.

Timeline: Tuesday 9:15 AM

MITRE ATT&CK: T1566.001, T1114, T1567

SEV-1 CRITICAL

Insider Threat

Departing employee bulk downloading customer database Thursday 4:30 PM. DLP alerts on USB write and Google Drive upload detected.

Timeline: Thursday 4:30 PM

MITRE ATT&CK: T1074, T1052, T1567

IR Plan Reference

Purpose & Scope

Establish and maintain an incident response capability for CloudSync Solutions, a multi-tenant SaaS HR platform handling employee PII, payroll data, and HR records across 500+ client organizations.

IR Team Roles

CISO (Chief Information Security Officer): Strategic oversight, executive reporting, regulatory coordination

IR Lead (Security Manager): Operational incident command, decision authority during response

SOC Analyst: Detection, initial triage, containment execution

IT Operations: System isolation, backup/recovery, infrastructure changes

Forensics/IR Specialist: Evidence preservation, root cause analysis, threat hunting

Legal Counsel: Breach notification compliance, litigation support

Communications: Internal notifications, customer communications, public statements

Severity Classification

SEV-1 Critical: Confirmed breach, active exploitation, multiple systems compromised. SLA: Activation <5 min.

SEV-2 High: Active threat, limited scope, potential data exposure. SLA: Activation <15 min.

SEV-3 Medium: Suspicious activity, single system, limited PII exposure. SLA: Activation <1 hour.

SEV-4 Low: Contained threat, minimal impact. SLA: Investigation <24 hours.

Escalation Matrix

NIST RS.MA: Report to IR Lead → CISO → Executive Leadership

NIST RS.AN: Forensics → IR Lead → Legal (within 1 hour)

NIST RS.CO: IR Lead → Communications → Comms Plan (within 2 hours)

NIST RS.MI: IT Ops → IR Lead → Infrastructure changes approved

NIST CSF 2.0 Phases

DETECT: Initial alert, investigation, validation

RESPOND: Containment, eradication, communication

RECOVER: Restoration, validation, resumption

LEARN: Review, improvements, control updates

ISO 27035 Compliance

All incidents logged in security incident register with root cause, impact, and remediation tracked.

Select an Incident Scenario

Ransomware Attack

Phishing → Data Breach

Insider Threat

Incident Classification

Incident Timeline

Post-Incident Review

IR Plan Reference

Purpose & Scope

IR Team Roles

Severity Classification

Escalation Matrix

NIST CSF 2.0 Phases

ISO 27035 Compliance