Welcome, **Senior Cloud Security Specialist** at **ÇOLHAK Technology**! Your company hosts its risk analysis product for the finance sector in the cloud and is just 72 hours away from launch. However, your security team is on high alert due to unusual data exfiltration requests and leak reports from outside the company. An attacker is suspected of having infiltrated through an unprotected data store, a misconfigured access permission, or a disabled security step. Your mission: stop this covert data breach, contain the damage, and ensure the future resilience of your cloud infrastructure!
Simulation Roles
Your Role: Senior Cloud Security Specialist
You are responsible for the cloud infrastructure's security. You take an active role in technical analysis, detecting misconfigurations, and managing access permissions. Your choices will directly affect the outcome.
- **CEO, Dilara Akın**: Prioritizes reputation and media.
- **CTO, Furkan Tekin**: Knows the tech infrastructure, supports you.
- **CISO, Can Çolhak**: Head of security, currently panicking.
- **PR Director, Serap Nur**: Wants to control the press.
- **Finance Director, Enes Mert**: Project cancellation would be a budget disaster.
Key Metrics
- **Data Leak Size**: Amount of sensitive data leaked. (Start: 0 GB)
- **Financial Loss**: The financial cost of the crisis to the company. (Start: $0)
- **Customer Trust**: Customers' faith in the company. (Start: 100)
- **Reputation Score**: Your company's image in the public eye and industry. (Start: 100)
09:00 AM - Call from the Security Team & Unusual Traffic
You start your day with an urgent call from the security operations team. The Lead Analyst reports unusual data exfiltration requests from your cloud environment's risk analysis product. Specifically, there's abnormal traffic flow from a data store named `Analysis-Data-Production`. With only 72 hours to launch, every minute is critical.
The attacker is potentially using:
- A data store left publicly accessible,
- A misconfigured access permission,
- A disabled additional security verification,
- Or an unprotected cloud function.
As the Senior Cloud Security Specialist, what is your first reaction?
Learning Note: The initial moments of a crisis are critical. Is it better to react quickly or to gather intelligence? Your decision will have both technical and operational consequences.
Day 1: Afternoon - Storage Vulnerability Discovered
03:30 PM - "Analysis-Data-Production" Data Store is Public!
Following your initial intervention, the team delved into the configuration of the `Analysis-Data-Production` data store. You've encountered a shocking discovery: the data store was mistakenly set to "Public"! This means the attacker could pull data with direct requests. Furthermore, audit logs show conclusive evidence that **over 500 GB of data** has been exfiltrated from this store in the last 24 hours. This includes sensitive analysis algorithms and customer test data that form the core of your financial risk analysis product.
Faced with this critical finding, what is your next immediate technical step?
Learning Note: Misconfigurations are one of the biggest vulnerabilities in cloud security. Access controls for the most critical assets must be continuously audited.
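The continuous audit the learning note calls for can be automated. The following is an added example (not code from the simulation, and not tied to any real ÇOLHAK environment) that checks an access policy for statements granting access to everyone. It assumes an AWS-style bucket policy document as the input format; both policy documents, the bucket name and the account ID `123456789012` are constructed placeholders.

```python
"""Audit an object-store access policy for anonymous ("public") access.

Added example, not code from the simulation page. It assumes an AWS-style
bucket policy document as the input format; the policies below are
constructed for illustration and do not describe any real environment.
"""
import json

# Constructed example: a policy that grants anonymous read access to every
# object in the store, the kind of misconfiguration the scenario describes.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::analysis-data-production",
                         "arn:aws:s3:::analysis-data-production/*"],
        }
    ],
})

# Constructed example of the corrected policy: read access only for one named
# application role (placeholder account ID), plus a Deny for unencrypted
# transport. A Deny aimed at "*" is a restriction, not a public grant.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/risk-analysis-app"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::analysis-data-production/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::analysis-data-production",
                         "arn:aws:s3:::analysis-data-production/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_anonymous(principal) -> bool:
    """True if the Principal element matches everyone ("*" in any spelling)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that grant access to anyone.

    Only Allow statements count: a Deny with Principal "*" is how a policy
    restricts access. An Allow with a Condition is still reported, because
    whether the condition actually limits the audience needs a human review.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if _is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def is_public(policy_json: str) -> bool:
    """Convenience wrapper: does the policy grant anything to everyone?"""
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: public statements = {public_statements(doc)}")
```

Run the check over every store's policy on a schedule and treat any non-empty result as an alert; a public Allow on a store holding customer data is exactly the finding the scenario describes.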
Day 2: Morning - Identity and Access Catastrophe
09:30 AM - Ghost Account of a Former Developer with Full Admin Privileges!
With the data store secured, you began examining access logs to uncover another layer of the attack. You found that an account belonging to a former developer (`developer_cem`), who left the company months ago, is still active and, shockingly, has **full administrative privileges to all cloud resources**! This account was detected performing suspicious operations through the management console just before accessing the `Analysis-Data-Production` store. It appears the attacker gained initial access using this "ghost account."
How will you close this critical security gap and prevent further movement by the attacker?
Learning Note: Access permissions and former employee account management form the foundation of cloud security. Even the smallest vulnerability can lead to full system access.
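A "ghost account" like `developer_cem` is found by joining the identity export against the HR offboarding list and last-use data. The following is an added example (not code from the simulation) that does this over a constructed sample export; the field names, the policy names `AdministratorAccess` and `Owner`, the 90-day dormancy threshold and every account record are assumptions made for illustration.

```python
"""Find dormant or orphaned accounts that still hold administrative rights.

Added example, not code from the simulation page. The account records are
constructed; the field names, the policy names and the dormancy threshold
are assumptions about how an identity export might look, not a real schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)                  # assumed dormancy threshold
ADMIN_POLICIES = {"AdministratorAccess", "Owner"}   # assumed full-control policies


@dataclass(frozen=True)
class Account:
    user: str
    last_login: date
    employed: bool      # False once HR has offboarded the person
    policies: tuple     # names of attached access policies


# Constructed sample export. The audit date is fixed so the result is reproducible.
AUDIT_DATE = date(2024, 6, 1)
ACCOUNTS = [
    # Former developer, offboarded, still active and used two days ago.
    Account("developer_cem", date(2024, 5, 30), False, ("AdministratorAccess",)),
    # Service account nobody has used for months.
    Account("svc_backup", date(2023, 11, 1), True, ("ReadOnlyAccess",)),
    # Current staff in regular use: not findings for this check.
    Account("ops_lead", date(2024, 5, 31), True, ("AdministratorAccess",)),
    Account("analyst_ayse", date(2024, 5, 20), True, ("ReadOnlyAccess",)),
]


def audit_accounts(accounts, today=AUDIT_DATE):
    """Return findings for accounts that should not still be usable.

    An account is flagged when its owner has left or it has not been used
    within DORMANT_AFTER. Holding an administrative policy raises the
    severity. An active employee with admin rights is a least-privilege
    review item, not a finding for this check.
    """
    findings = []
    for acct in accounts:
        reasons = []
        if not acct.employed:
            reasons.append("owner no longer employed")
        idle = today - acct.last_login
        if idle > DORMANT_AFTER:
            reasons.append(f"no login for {idle.days} days")
        if not reasons:
            continue
        is_admin = bool(ADMIN_POLICIES & set(acct.policies))
        findings.append({
            "user": acct.user,
            "severity": "critical" if is_admin else "high",
            "reasons": reasons,
            "action": ("disable immediately, revoke keys and sessions, "
                       "review console activity") if is_admin
                      else "disable and confirm with the owner",
        })
    findings.sort(key=lambda f: f["severity"] != "critical")  # critical first
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS):
        print(finding)
```

Note that `developer_cem` is flagged even though the account was used two days ago: recent use of an offboarded identity is the strongest signal of all, which is why the employment status, not the last-login date alone, drives the check.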
Day 2: Afternoon - Suspicious Internal Connections
02:00 PM - A Whisper of a Command & Control Center?
The use of the former developer's account suggests that the attacker is not only exfiltrating data but also trying to establish persistence on your internal network. In the network traffic logs, you've detected an internal computer (`10.0.0.42`) continuously transferring encrypted data to an external Telegram server. This computer belongs to a developer in the Finance Department.
This situation could indicate that the attacker is using a compromised internal device as a **Command & Control (C2) center**. However, it also carries the possibility that the developer in the Finance Department is conducting an "authorized" test or research. CTO Furkan Tekin mentions that their department often conducts tests with external services.
How will you handle this suspicious internal connection?
Learning Note: Insider threats are among the most difficult to detect and manage. Wrong decisions can have devastating effects on both security and internal trust.
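What distinguishes a suspected C2 channel from an ad-hoc test is cadence: a beacon checks in at regular intervals, while a person's test traffic is bursty. The following is an added example (not code from the simulation) that scores source/destination pairs in flow records for regular check-ins. The log format (epoch seconds, source, destination, port, bytes), the thresholds and all records are constructed; the external address `203.0.113.10` is a documentation-range placeholder, not any real service.

```python
"""Flag hosts that contact an external address on a regular, beacon-like cadence.

Added example, not code from the simulation page. The flow records are
constructed: 203.0.113.10 is a documentation-range placeholder, and the log
format and thresholds are assumptions about what a flow export provides.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow records. 10.0.0.42 contacts the external address every
# ~60 s with a second or two of jitter; 10.0.0.17 makes a few irregular
# requests; 10.0.0.42 also talks to an internal database, which is ignored.
FLOW_LOG = "\n".join(
    [f"{1700000000 + 60 * i + (i % 3)} 10.0.0.42 203.0.113.10 443 {1400 + (i % 5) * 10}"
     for i in range(12)]
    + ["1700000005 10.0.0.17 203.0.113.10 443 820",
       "1700000170 10.0.0.17 203.0.113.10 443 6100",
       "1700000190 10.0.0.17 203.0.113.10 443 300",
       "1700000600 10.0.0.17 203.0.113.10 443 4400"]
    + [f"{1700000000 + 60 * i} 10.0.0.42 10.0.0.5 5432 900" for i in range(12)]
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
MIN_CONNECTIONS = 8     # assumed: fewer samples give no meaningful cadence
MAX_JITTER = 0.2        # assumed: stdev/mean of intervals at or below this = regular


def parse_flows(text):
    """Parse 'epoch src dst dport bytes' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_beacons(flows):
    """Return [(src, dst, mean_interval_s, jitter)] for regular external contacts.

    Jitter is the population standard deviation of the inter-connection gaps
    divided by their mean, so a perfectly periodic beacon scores 0.0.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            continue  # internal traffic is out of scope for this check
        by_pair[(src, dst)].append(ts)
    results = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= MAX_JITTER:
            results.append((src, dst, round(mean, 1), round(jitter, 3)))
    return results


if __name__ == "__main__":
    for src, dst, mean, jitter in find_beacons(parse_flows(FLOW_LOG)):
        print(f"{src} -> {dst}: every {mean}s (jitter {jitter})")
```

A hit is a reason to isolate the host and interview its owner, not proof of compromise on its own: the scenario's "authorized test" possibility is resolved by that conversation and by inspecting the process behind the connections, and the cadence score simply decides which connections deserve that effort first.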
Day 3: Morning - Media Leak and Reputation Disaster
08:00 AM - Trending on Social Media: "Security Flaw in ÇOLHAK Product!"
Just as your internal investigation is underway, the nightmare scenario unfolds: a tech journalist with a large following posts on social media, "Claims of a major security flaw and customer data leak in ÇOLHAK Technology's much-anticipated product project!" The post quickly goes viral, and media outlets start contacting you. With only hours to launch, CEO Dilara Akın urgently summons you to her office. She has a serious expression: *"This is a disaster! We need to make a statement immediately. Our reputation is being destroyed! What should we do?"*
Together with PR Director Serap Nur and the Legal Counsel, how will you manage this media crisis and what message will you give to the public?
Learning Note: A media crisis can be one of the most devastating consequences of a cyber attack. Reputation management, transparency, speed, and the right message are key to regaining public trust.
Day 3: Afternoon - Board Meeting and Critical Decision
01:00 PM - Cancel the Launch?
In the midst of the media crisis, the executive board gathers for an emergency meeting. Everyone has a different priority, and tensions are high. The moment of decision has arrived:
As the Senior Cloud Security Specialist, under all this pressure, how will you make the final major technical and strategic decision that will determine the company's fate?
Learning Note: Critical business decisions can directly conflict with technical security risks. Finding a balance and communicating effectively with management is vital in such moments.
Day 3: Evening - Legal Obligations
06:00 PM - Call from the Legal Counsel
While dealing with the technical and managerial dimensions of the crisis, you receive a worried call from Legal Counsel Zeynep Kaya: *"According to the data we have, the leaked customer information qualifies as sensitive data under regulations like GDPR. This could bring us huge fines and lawsuits. We need to make an official data breach notification to the relevant authorities within 48 hours. This will directly affect our public perception and legal position. What are we doing?"*
How will you handle this legal obligation and reputational risk?
Learning Note: In data breaches, legal compliance is not just about avoiding fines; it also reflects the company's ethical stance and customer trust.
Post-Crisis Debriefing Report
Simulation complete. Below is a detailed breakdown of your crisis management performance.