You are an insider-threat analyst at a 9,000-person manufacturing firm. The DLP and CASB feed an AI baseline model that learns each user's normal egress destinations and volumes. Last night the model flagged user ENG-118: 7 GB transferred to a free file-sharing platform that the user has not visited in 6 months.
ENG-118 is a senior engineer with access to CAD designs for a forthcoming product. The user's manager confirmed the user gave notice last week.
This scenario tests cloud-egress technique mapping, the difference between exfiltration over a command-and-control channel (ATT&CK T1041) and exfiltration to a legitimate web service (T1567, with T1567.002 Exfiltration to Cloud Storage covering file-sharing sites), and the policy choice between block-and-investigate and watch-and-collect-evidence. Sources: MITRE ATT&CK TA0010 Exfiltration.
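The baseline model in the scenario (per-user normal destinations and volumes) and the C2-versus-web-service mapping are easy to reason about with a small worked detector. The block below is an added example written for this page; it is not the exercise platform's code or any vendor's DLP/CASB logic. The event tuple shape, the CASB category labels, the thresholds (90-day volume window, 180-day dormancy, 3x the user's largest baseline day, 64 KiB "beacon-sized" transfers) and all hostnames are assumptions, and the events are constructed, not real logs. ENG-118's flagged night is modelled as in the scenario; two extra users show a quiet peer and an uncategorized destination with prior beacon-sized traffic, which is the shape that points toward T1041 rather than T1567.

```python
"""Per-user egress baseline, anomaly scoring and ATT&CK mapping (added example, assumptions noted)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

FLAGGED_DAY = date(2024, 5, 31)


def _routine(user, dest, cat, nbytes, days=31, start=date(2024, 5, 1), step=0):
    """Constructed daily traffic: (day, user, destination, CASB category, bytes_out)."""
    return [(start + timedelta(days=i), user, dest, cat, nbytes + i * step) for i in range(days)]


# Constructed sample events, not real DLP/CASB output. Hostnames are placeholders.
EVENTS = (
    _routine("ENG-118", "cad-vault.corp.example", "sanctioned-saas", 120_000_000, step=1_000_000)
    + _routine("ENG-118", "mail.corp.example", "sanctioned-saas", 15_000_000)
    + [(date(2023, 10, 14), "ENG-118", "files.freeshare.example", "file-sharing", 5_000_000)]   # 230 days earlier
    + [(FLAGGED_DAY, "ENG-118", "files.freeshare.example", "file-sharing", 7_000_000_000)]     # the flagged night
    + _routine("ENG-200", "cad-vault.corp.example", "sanctioned-saas", 100_000_000)               # quiet peer
    + _routine("ENG-305", "cad-vault.corp.example", "sanctioned-saas", 80_000_000)
    + _routine("ENG-305", "cdn-update.example", "uncategorized", 4_096, days=30)                  # daily beacon-sized check-in
    + [(FLAGGED_DAY, "ENG-305", "cdn-update.example", "uncategorized", 2_000_000_000)]          # bulk push over the same channel
)

# Assumed CASB category -> ATT&CK mapping for exfil to a legitimate web service.
WEB_SERVICE = {
    "file-sharing": "T1567.002 Exfiltration to Cloud Storage",
    "cloud-storage": "T1567.002 Exfiltration to Cloud Storage",
    "code-repo": "T1567.001 Exfiltration to Code Repository",
    "webmail": "T1567 Exfiltration Over Web Service",
}


def build_baseline(events, user, as_of, lookback_days=90, beacon_bytes=64 * 1024):
    """Learn normal egress for `user` from events strictly before `as_of`.

    Destination last-seen dates use all history; volume stats and beacon-day counts
    use only the lookback window, so a stale destination still reads as 'dormant'.
    """
    window_start = as_of - timedelta(days=lookback_days)
    last_seen, daily, small_days = {}, defaultdict(int), defaultdict(set)
    for day, u, dest, _cat, nbytes in events:
        if u != user or day >= as_of:
            continue
        last_seen[dest] = max(day, last_seen.get(dest, day))
        if day >= window_start:
            daily[day] += nbytes
            if nbytes < beacon_bytes:  # tiny, regular transfers are the C2 check-in shape
                small_days[dest].add(day)
    totals = list(daily.values())
    return {
        "last_seen": last_seen,
        "daily_max": max(totals) if totals else 0,
        "daily_mean": mean(totals) if totals else 0.0,
        "beacon_days": {d: len(s) for d, s in small_days.items()},
    }


def map_technique(category, beacon_like):
    """Web-service exfil rides a SaaS the CASB can name; C2 exfil reuses an implant's own channel."""
    if category in WEB_SERVICE:
        return WEB_SERVICE[category]
    if beacon_like:
        return "T1041 Exfiltration Over C2 Channel (candidate: prior beacon-sized traffic)"
    return "TA0010 Exfiltration (unmapped: uncategorized destination, no beacon history)"


def score_day(events, user, day, baseline, dormant_days=180, volume_factor=3.0, beacon_min_days=10):
    """Findings for one user-day. 'high' needs abnormal volume plus a destination anomaly."""
    per_dest, cat_of = defaultdict(int), {}
    for d, u, dest, cat, nbytes in events:
        if u == user and d == day:
            per_dest[dest] += nbytes
            cat_of[dest] = cat
    findings = []
    for dest, nbytes in per_dest.items():
        reasons = []
        seen = baseline["last_seen"].get(dest)
        if seen is None:
            reasons.append("never-seen destination")
        elif (day - seen).days > dormant_days:
            reasons.append(f"dormant destination, last seen {(day - seen).days} days ago")
        beacon_like = baseline["beacon_days"].get(dest, 0) >= beacon_min_days
        if beacon_like:
            reasons.append("prior beacon-sized traffic to destination")
        ratio = nbytes / baseline["daily_max"] if baseline["daily_max"] else float("inf")
        volume_anomaly = ratio >= volume_factor
        if volume_anomaly:
            reasons.append(f"{ratio:.1f}x the user's largest baseline day")
        if not reasons:
            continue
        severity = "high" if volume_anomaly and len(reasons) > 1 else "low"
        findings.append({"user": user, "dest": dest, "bytes": nbytes, "ratio": ratio, "severity": severity,
                         "reasons": reasons, "technique": map_technique(cat_of[dest], beacon_like)})
    return findings


def sweep(events, day):
    """Score every user seen on `day` against their own baseline; largest transfers first."""
    users = {u for d, u, *_ in events if d == day}
    out = [f for u in sorted(users) for f in score_day(events, u, day, build_baseline(events, u, day))]
    return sorted(out, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in sweep(EVENTS, FLAGGED_DAY):
        print(f"{f['severity']:4} {f['user']} -> {f['dest']} {f['bytes'] / 1e9:.1f} GB; "
              f"{'; '.join(f['reasons'])}; {f['technique']}")
```

Two design points matter in practice. The volume test is relative to the user's own largest baseline day, not a fleet-wide byte count, so an engineer who routinely pulls large CAD bundles from a sanctioned vault is not flagged for doing it again, while the same volume to a dormant file-sharing host is. The C2 hint is deliberately weak evidence: beacon-sized history to an uncategorized host only makes T1041 a candidate for the analyst to confirm against endpoint telemetry, because a CASB category alone cannot tell an implant's channel from an unlabelled SaaS.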
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.