INTERACTIVE INCIDENT SIMULATION — PLAY AS SOC ANALYST
SS-CONSULTING // SOC CONSOLE
INCIDENT OVERVIEW
- 5 control failures (root cause identified)
- 18 days undetected (no SIEM deployed)
- NIST maturity: Tier 1 (ad hoc / reactive)
- Target maturity: Tier 3 (90-day goal)
BREACH TIMELINE
- Week 1, Day 1 - AI phishing email targets finance team. The attacker sends a deepfake voice note impersonating the CEO and requesting urgent wire approval. No phishing simulation training existed.
- Week 1, Day 2 - Credentials harvested, VPN access gained. A finance consultant clicked the malicious link. No MFA was enforced; the attacker gained full VPN access within 4 minutes.
- Weeks 1-3 - 18-day lateral movement undetected. No SIEM, no anomaly detection. The attacker accessed client risk assessments, ISO audit reports and financial records across 12 shared drives.
- Day 18 - Data exfiltration, 2.3 GB transferred. Client PII, consulting reports and financial data were exfiltrated. The breach was discovered when a client found SS-Consulting data on a dark web forum.
- Day 19 - Incident declared, IR plan not tested. The CISO activated the IR plan. The response was chaotic: the plan existed but had never been practiced. External forensics were engaged.
- Day 21 - Assessment commissioned. This post-breach assessment was commissioned to identify root causes and build a remediation roadmap aligned to ISO 27001:2022 and NIST CSF 2.0.
ROOT CAUSE ANALYSIS
- No MFA: the VPN had no MFA. Credential theft gave immediate full access.
- No SIEM: no centralised logging. The attacker moved freely for 18 days undetected.
- No training: no phishing simulations. The finance team had no context to recognise deepfake voice notes.
- Untested IR: the IR plan existed but was never exercised. The response on Day 19 cost 3 additional days of exposure.
NIST CSF PRE-BREACH MATURITY
ATTACK PATH - MITRE ATT&CK ALIGNED
01. Initial Access
02. Credential Theft
03. Lateral Movement
04. Exfiltration
05. Impact + Response
ATTACK VECTOR ANALYSIS
DWELL TIME COMPARISON
A SIEM deployment would have reduced dwell time from 18 days to ~3 days, cutting client data exposure by 83%.
RISK HEAT MAP - LIKELIHOOD x IMPACT
TOP RISKS - SS-CONSULTING
- AI phishing / credential theft: Likelihood High / Impact Critical / ISO A.6.3, A.8.5 / NIST PR.AT
- Lateral movement post-compromise: Likelihood Medium / Impact Critical / ISO A.8.16 / NIST DE.CM
- Client data exfiltration: Likelihood High / Impact Critical / ISO A.5.12 / NIST PR.DS
- Third-party vendor exploitation: Likelihood Medium / Impact High / ISO A.5.19 / NIST ID.SC
- Delayed incident response: Likelihood High / Impact High / ISO A.5.24 / NIST RS.RP
CONTROL FAILURES - ISO 27001 AND NIST CSF MAPPING
| ID | CONTROL AREA | FINDING | ISO 27001 | NIST CSF | SEVERITY | STATUS |
|---|---|---|---|---|---|---|
| C-001 | Security Awareness | No phishing simulations or AI impersonation training - finance team clicked deepfake link | A.6.3 | PR.AT | CRITICAL | OPEN |
| C-002 | MFA / Authentication | No MFA on VPN or internal systems - credential theft gave immediate full access | A.8.5 | PR.AC | CRITICAL | IN PROGRESS |
| C-003 | SIEM / Log Monitoring | No SIEM deployed - lateral movement undetected for 18 days across 12 network shares | A.8.16 | DE.CM | CRITICAL | OPEN |
| C-004 | Incident Response | IR plan existed but untested - chaotic Day 19 response cost 3 additional days of exposure | A.5.24 | RS.RP | CRITICAL | IN PROGRESS |
| C-005 | Privileged Access | No PAM - admin credentials reused across client-facing and internal systems | A.9.2.3 | PR.AC | CRITICAL | OPEN |
| C-006 | Third-Party Risk | No vendor risk assessments - third-party consultant had unrestricted system access | A.5.19 | ID.SC | HIGH | OPEN |
| C-007 | Asset Inventory | No asset register - shadow IT and unmanaged devices expanded attack surface | A.5.9 | ID.AM | HIGH | IN PROGRESS |
| C-008 | Data Classification | No data classification - client PII stored without protection controls | A.5.12 | PR.DS | HIGH | OPEN |
| C-009 | Governance / Policy | No formal cyber risk appetite - security not integrated into business risk management | Cl.5-6 | GV.RM | HIGH | OPEN |
| C-010 | Business Continuity | BCP not integrated with IR - recovery procedures unknown to operational staff | A.5.30 | RC.RP | MEDIUM | IN PROGRESS |
NIST CSF 2.0 - MATURITY ASSESSMENT
ALL 6 FUNCTIONS - CURRENT vs TARGET
| FUNCTION | NOW (PRE-BREACH) | TARGET (POST-REMEDIATION) |
|---|---|---|
| GV - Govern | 1.0 | 3.0 |
| ID - Identify | 1.5 | 2.5 |
| PR - Protect | 1.0 | 3.5 |
| DE - Detect | 0.5 | 3.0 |
| RS - Respond | 1.0 | 2.5 |
| RC - Recover | 1.5 | 2.5 |
GV - GOVERN (1.0 / 4.0): No formal information security policy. No cyber risk appetite. Security not integrated into business risk management. Gaps: risk register, SoA, management commitment.
DE - DETECT (0.5 / 4.0): No SIEM. No EDR. No anomaly detection. The attacker operated freely for 18 days and was only discovered via external intelligence. Critical: SIEM, EDR, log aggregation, SOC.
RS - RESPOND (1.0 / 4.0): IR plan existed but was never tested. The Day 19 response was ad hoc and poorly coordinated. No runbooks. No tabletop exercises. Critical: tested IR plan, runbooks, tabletops.
90-DAY REMEDIATION ROADMAP
PHASE 1 - DAYS 1-30: STOP THE BLEEDING
- Enforce MFA across all systems: VPN, email, internal platforms. Blocks credential theft. ISO A.8.5 / NIST PR.AC
- Deploy EDR on all endpoints: CrowdStrike or Microsoft Defender XDR. Real-time detection. ISO A.8.7
- Implement RBAC and PAM: least-privilege access; rotate all admin credentials. ISO A.9.2.3
- Emergency phishing training: mandatory session covering AI phishing and deepfake voice notes. ISO A.6.3
PHASE 2 - DAYS 31-60: BUILD VISIBILITY
- Deploy SIEM / centralised logging: Microsoft Sentinel or Splunk. Insider threat detection rules. ISO A.8.16 / NIST DE.CM
- Test and update IR plan: tabletop exercise for an insider threat scenario. ISO A.5.24 / NIST RS.RP
- Vendor risk assessments: assess all IT suppliers; enforce MFA and just-in-time access. ISO A.5.19
- Data classification framework: classify all client data; enforce DLP controls. ISO A.5.12 / NIST PR.DS
PHASE 3 - DAYS 61-90: GOVERN AND SUSTAIN
- Begin ISO 27001:2022 ISMS: define scope, risk register, Statement of Applicability. ISO Clause 4-6
- Define cyber risk appetite: integrate into enterprise risk management. KPIs: MTTD, MTTR. NIST GV.RM
- Simulated phishing campaign: KnowBe4 or Proofpoint. Include AI deepfake scenarios. ISO A.6.3
- Quarterly vulnerability scanning: Nessus or Qualys. Continuous posture monitoring. ISO A.8.8
MATURITY PROGRESSION - 90-DAY TARGETS
| FUNCTION | CURRENT | 30-DAY | 60-DAY | 90-DAY | KEY ACTIONS |
|---|---|---|---|---|---|
| GV - Govern | 1.0 | 1.5 | 2.0 | 3.0 | Risk register, ISMS scope, board commitment |
| ID - Identify | 1.5 | 2.0 | 2.5 | 2.5 | Asset inventory, vendor assessments, data classification |
| PR - Protect | 1.0 | 2.0 | 2.5 | 3.5 | MFA, EDR, RBAC, awareness training |
| DE - Detect | 0.5 | 1.5 | 2.5 | 3.0 | SIEM, EDR alerts, centralised logging |
| RS - Respond | 1.0 | 2.0 | 2.5 | 2.5 | Tested IR plan, tabletop exercises, runbooks |
| RC - Recover | 1.5 | 2.0 | 2.5 | 2.5 | BCP aligned to IR, tested recovery procedures |