Range Scenario · crucible · 30 min
Data Exfiltration: AI Baseline Detection on Cloud Egress
This cybersecurity training scenario simulates a working incident. An AI baseline model flagged a 7 GB outbound transfer to a free file-sharing site. Validate the alert, classify the technique, and decide between blocking and watching.
Scenario briefing
You are an insider-threat analyst at a 9,000-person manufacturing firm. The DLP and CASB feed an AI baseline model that learns each user's normal egress destinations and volumes. Last night the model flagged user ENG-118: 7 GB transferred to a free file-sharing platform that the user has not visited in 6 months.
ENG-118 is a senior engineer with access to CAD designs for a forthcoming product. The user's manager confirmed the user gave notice last week.
This scenario tests cloud-egress technique mapping, the difference between exfil over command-and-control and exfil to web service, and the policy choice between block-and-investigate versus watch-and-collect-evidence. Sources: MITRE ATT&CK TA0010 Exfiltration.
What you will practice
- Distinguish T1041 from T1567 sub-techniques for cloud exfiltration
- Validate AI baseline alerts against raw network and CASB telemetry
- Pick the right policy: hard block vs. monitor-and-preserve depending on case
- Coordinate with HR and legal for departing-employee data theft
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a maximum score of 100 points. Hints cost points, deducted up front, and each hint's cost is listed before you reveal it. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
T1041 vs T1567.002, what is the line?
T1041 is exfiltration over the C2 channel itself. T1567.002 is exfiltration to a cloud storage web service (Dropbox, Google Drive, MEGA, transfer.sh). The split matters for detection: T1041 sits in the C2 traffic profile, T1567.002 sits in HTTPS to known cloud storage hostnames. Most insider data theft is T1567.002.
Why might monitor-and-preserve beat block-and-investigate for departing-employee theft?
Blocking tips off the user, who may then use a personal device or USB to finish the theft. Monitoring with full pcap and CASB activity capture, while HR and legal coordinate, builds a stronger evidentiary record. The choice depends on the data sensitivity and whether containment can finish before the user leaves the building.
Why is AI baseline different from a static volume threshold?
Static thresholds (block any transfer over 1 GB) flood the security team with false positives from legitimate large file transfers. AI baselining learns each user's normal pattern and flags deviations from that user's own baseline. The cost is harder explainability, which is why baseline models always need a human-readable feature trail.
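The two FAQ points above, per-user baselining versus a static 1 GB threshold and the T1567.002 mapping for cloud-storage destinations, as an added example that is not part of the scenario or its detection stack. Records, hostnames and the cloud-storage host list are constructed for the example; the z-score limit and the day-level aggregation are assumptions, and T1041 is not modelled because C2-channel exfil would not appear in a CASB egress feed.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

STATIC_THRESHOLD = 1_000_000_000  # the page's "block any transfer over 1 GB" rule
# Constructed hostnames an org tags as cloud-storage web services (T1567.002 candidates).
CLOUD_STORAGE_HOSTS = {"files.example-share.net", "drive.example-cloud.test"}

# Constructed CASB/DLP egress records: (user, day, destination host, bytes out).
# ENG-118: ~320 MB/day to a corporate host, then 7 GB to a file-sharing site on day 31.
# DATA-204: legitimately pushes 2-2.5 GB/day to the same internal bucket, every day.
RECORDS = (
    [("ENG-118", d, "sharepoint.corp.example", 300_000_000 + 20_000_000 * (d % 3)) for d in range(1, 31)]
    + [("ENG-118", 31, "files.example-share.net", 7_000_000_000)]
    + [("DATA-204", d, "s3.corp-bucket.example", 2_000_000_000 + 500_000_000 * (d % 2)) for d in range(1, 31)]
    + [("DATA-204", 31, "s3.corp-bucket.example", 2_500_000_000)]
)

def build_history(records):
    """Aggregate per-user, per-day bytes out by destination host."""
    hist = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for user, day, host, nbytes in records:
        hist[user][day][host] += nbytes
    return hist

def score_day(hist, user, day, z_limit=3.0):
    """Score one user-day against that user's own earlier days; return a feature trail."""
    prior = {d: v for d, v in hist[user].items() if d < day}
    today = hist[user][day]
    total = sum(today.values())
    prior_totals = [sum(v.values()) for v in prior.values()]
    mu = mean(prior_totals) if prior_totals else 0.0
    sd = pstdev(prior_totals) if prior_totals else 0.0
    # With no usable spread, any increase over the mean is an unexplained deviation.
    z = (total - mu) / sd if sd > 0 else (math.inf if total > mu else 0.0)
    seen = {h for v in prior.values() for h in v}
    new_hosts = sorted(h for h in today if h not in seen)
    cloud = sorted(h for h in today if h in CLOUD_STORAGE_HOSTS)
    baseline_alert = z >= z_limit
    return {
        "user": user, "day": day, "bytes_out": total,
        "baseline_mean": round(mu), "baseline_sd": round(sd), "z_score": round(z, 1),
        "new_destinations": new_hosts,  # destination drift: the page's "not visited in 6 months" signal
        "cloud_storage_destinations": cloud,
        "static_threshold_alert": total > STATIC_THRESHOLD,  # the 1 GB rule fires on DATA-204's routine pushes too
        "baseline_alert": baseline_alert,
        # Cloud-storage web service destination maps to T1567.002; T1041 would sit in C2 traffic instead.
        "candidate_technique": "T1567.002" if baseline_alert and cloud else None,
    }
```

Running `score_day(build_history(RECORDS), "ENG-118", 31)` gives the feature trail an analyst would attach to the alert: the 7 GB day is hundreds of standard deviations above the user's own mean and goes to a never-seen cloud-storage host, while DATA-204's 2.5 GB day trips only the static rule.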
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.