Containment Mechanics
Facilitating Strategic Response Decisions
The containment phase of Malware & Monsters sessions transforms theoretical cybersecurity knowledge into practical decision-making skills. As an Incident Master, your role is to guide teams through the complex process of selecting appropriate response strategies while maintaining the educational focus that makes these decisions meaningful learning experiences.
Understanding Type Effectiveness in Practice
Beyond Rock-Paper-Scissors
While the type effectiveness system provides structure, avoid presenting it as a simple matching game. Real cybersecurity requires nuanced thinking about context, resources, and organizational constraints.
IM Reference: Type Effectiveness Chart
Use this chart to guide discussions about security control effectiveness, but encourage teams to think beyond simple type matching:
- Trojan: Weak to Detection; Resists Training
- Worm: Weak to Isolation; Resists Backup
- Ransomware: Weak to Backup; Resists Encryption
- Rootkit: Weak to Forensics; Resists Detection
- APT: Weak to Intelligence
- Phishing: Weak to Training
- Botnet: Weak to Coordination
- Infostealer: Weak to Encryption
Effective Facilitation:
- “Given that this is a Trojan-type threat, what approaches might be most effective?”
- “How does knowing the threat type inform your strategy, but what other factors matter?”
- “What would make a typically effective approach fail in this specific situation?”
Avoid Oversimplification:
- Don’t present type effectiveness as automatic success or failure
- Help teams understand why certain approaches work better against specific threats
- Encourage discussion of real-world constraints and complications
Guiding Type-Based Thinking
Discovery Questions:
- “What does knowing this threat type tell us about how to respond?”
- “What vulnerabilities would this type of threat typically have?”
- “How might this threat try to evade standard containment approaches?”
Strategic Questions:
- “How do we match our available resources to this threat’s weaknesses?”
- “What would happen if our first approach doesn’t work?”
- “How do we balance speed with thoroughness given this threat type?”
Learning Questions:
- “Why would [specific approach] be particularly effective against this type?”
- “What would make this threat harder to contain than others?”
- “How does understanding threat types improve real-world incident response?”
Facilitating Security Control Selection
Moving Beyond Tool Lists
Help teams think strategically about security controls rather than simply matching tools to threats.
Framework Questions:
- “What needs to happen to stop this threat from achieving its objectives?”
- “How do we address both immediate containment and long-term prevention?”
- “What combination of technical and non-technical controls would be most effective?”
Context Integration:
- “How do organizational constraints affect your containment options?”
- “What would different stakeholders need to know about your containment approach?”
- “How do you balance containment speed with business continuity?”
Common Security Controls and Facilitation Approaches
Signature Detection:
- Strengths: Effective against known threats, fast implementation
- IM Questions: “When would signature-based detection be your best first response?”
- Learning Focus: Limitations of signature-based approaches, need for behavioral analysis
Network Isolation:
- Strengths: Immediate containment, prevents spread
- IM Questions: “What are the business implications of isolating these systems?”
- Learning Focus: Balance between containment and operational continuity
Behavioral Analysis:
- Strengths: Effective against novel threats, reveals attack patterns
- IM Questions: “How would you detect malicious behavior without clear signatures?”
- Learning Focus: Advanced detection techniques, human analysis skills
Backup and Recovery:
- Strengths: Restores operations, reduces ransomware impact
- IM Questions: “How do you ensure backups aren’t also compromised?”
- Learning Focus: Business continuity planning, backup verification
Threat Intelligence:
- Strengths: Provides context, enables proactive defense
- IM Questions: “How would external intelligence change your response strategy?”
- Learning Focus: Intelligence integration, attribution and context
Managing Collaborative Decision-Making
Encouraging Team Coordination
Role Integration Questions:
- “How does each role’s perspective inform the containment strategy?”
- “What would [specific role] be most concerned about with this approach?”
- “How do we ensure all expertise is represented in our decision?”
Resource Allocation:
- “Who takes the lead on each aspect of the containment effort?”
- “How do you coordinate timing between different containment activities?”
- “What communication is needed between team members during implementation?”
Risk Assessment:
- “What could go wrong with this containment approach?”
- “How do you balance aggressive containment with operational stability?”
- “What’s your backup plan if the primary approach fails?”
Managing Disagreement
When Team Members Propose Different Approaches:
- “Both strategies have merit—what are the trade-offs?”
- “How might we test which approach would work better in this situation?”
- “What additional information would help you choose between these options?”
- “In what circumstances would each approach be most appropriate?”
Facilitating Compromise:
- “How might you combine elements of both approaches?”
- “What would a phased implementation look like?”
- “How do you address the concerns raised about each option?”
Using Dice Mechanics Meaningfully
When to Roll Dice
- Uncertain outcomes: When approach effectiveness depends on factors beyond team control
- Time pressure: When teams need to act with incomplete information
- Environmental factors: When organizational context affects success likelihood
- Learning opportunities: When exploring “what if” scenarios adds educational value
When NOT to Roll Dice
- Clear expertise: When teams demonstrate solid understanding and appropriate approach
- Collaborative success: When team coordination and communication are excellent
- Learning moments: When the process is more valuable than the outcome
- Technical accuracy: When teams apply correct cybersecurity principles
Making Dice Results Educational
Success with High Rolls:
- “Your containment approach worked well—what made it effective?”
- “How would you explain your success to other teams facing similar threats?”
- “What did you learn that you can apply to future incidents?”
Failure with Low Rolls:
- “The approach was sound, but implementation faced challenges—what would you try next?”
- “Real incidents sometimes don’t go as planned—how do you adapt when good strategies face obstacles?”
- “What would you do differently knowing what you know now?”
Partial Success:
- “You made progress but didn’t fully contain the threat—how do you build on what worked?”
- “What aspects of your approach were most effective, and what needs adjustment?”
- “How do you communicate partial success to stakeholders while planning next steps?”
Network Security Status Three-Track System
The comprehensive Network Security Status tracking system measures incident response success across three critical dimensions, providing realistic feedback that reflects the complexity of actual cybersecurity incidents.
Understanding the Three Tracks
🛡️ Network Security Track (0-100)
- Measures: Technical security posture and system integrity
- Starts at: 100 (optimal security state)
- Decreases when: Malware spreads, vulnerabilities exploited, security controls fail
- Increases when: Threats contained, vulnerabilities patched, security enhanced
⚡ IR Effectiveness Track (0-100)
- Measures: Team coordination and incident response quality
- Starts at: 100 (optimal team performance)
- Decreases when: Poor coordination, investigation stalls, communication breaks down
- Increases when: Good teamwork, effective investigation, clear communication
🏢 Business Operations Track (0-100)
- Measures: Operational continuity and stakeholder confidence
- Starts at: 100 (normal business operations)
- Decreases when: Systems offline, stakeholder panic, regulatory scrutiny
- Increases when: Service restored, confidence rebuilt, stakeholders informed
Track Interactions and Dependencies
The tracks influence each other realistically:
Poor IR Effectiveness impacts Network Security:
- Delayed response allows more damage
- Miscommunication leads to incomplete containment
- IM Questions: “How is the team’s coordination affecting your ability to contain this threat?”
Network Security problems impact Business Operations:
- System outages disrupt operations
- Data breaches damage stakeholder confidence
- IM Questions: “How do these technical issues affect business continuity?”
Business pressure affects IR Effectiveness:
- Stakeholder pressure rushes decisions
- Resource constraints limit response options
- IM Questions: “How is business pressure influencing your response strategy?”
Practical Track Adjustment Guidelines
Network Security Track Adjustments:
Decrease (-5 to -25):
- Malware spreads to additional systems (-10)
- Critical vulnerability discovered (-15)
- Security control bypassed or fails (-20)
- Threat evolves to new stage (-25)
Increase (+5 to +20):
- Successful threat containment (+15)
- Vulnerabilities patched effectively (+10)
- Security controls strengthened (+20)
- Complete threat elimination (+25)
IR Effectiveness Track Adjustments:
Decrease (-5 to -20):
- Team roles conflict or duplicate effort (-10)
- Investigation goes off-track (-15)
- Poor communication between roles (-20)
- Key information missed or ignored (-25)
Increase (+5 to +20):
- Excellent role coordination (+15)
- Breakthrough investigation discovery (+20)
- Clear, effective communication (+10)
- Collaborative problem-solving (+25)
Business Operations Track Adjustments:
Decrease (-5 to -30):
- Critical systems go offline (-20)
- Stakeholder confidence lost (-15)
- Regulatory scrutiny begins (-25)
- Public disclosure of incident (-30)
Increase (+5 to +25):
- Systems restored to operation (+20)
- Stakeholder confidence rebuilt (+15)
- Proactive communication success (+10)
- Regulatory compliance maintained (+25)
Using Tracks for Educational Discussion
When Network Security is low but IR Effectiveness is high:
- “Your team is working well together despite the technical challenges—how does good coordination help in difficult situations?”
- “What would excellent teamwork accomplish that individual expertise might miss?”
When Business Operations drops significantly:
- “Stakeholders are feeling the impact—how do you balance technical response with business communication?”
- “What would help restore confidence while you’re still working on the technical problems?”
When all tracks move together:
- “Notice how your decisions affect multiple aspects of the organization—what does this teach about incident response complexity?”
Track-Specific Facilitation Questions
Network Security Focus:
- “What would improve the technical security posture right now?”
- “How do you prevent this threat from causing additional damage?”
- “What technical controls would be most effective here?”
IR Effectiveness Focus:
- “How is the team working together—what’s helping or hindering coordination?”
- “What communication would improve team effectiveness?”
- “How are different perspectives contributing to better decision-making?”
Business Operations Focus:
- “What are the business implications of your technical decisions?”
- “How do you maintain stakeholder confidence during response activities?”
- “What would different organizational roles need to know about the current situation?”
Final Track Scores and Success Assessment
Excellent Success (All tracks 80+):
- “Outstanding incident response—what made this team so effective across all dimensions?”
- “How would you share your approach with other organizations?”
Mixed Success (Tracks vary significantly):
- “You succeeded in some areas while facing challenges in others—what does this teach about incident response complexity?”
- “How would you balance competing priorities differently in future incidents?”
Learning Success (Low scores but good process):
- “This was a challenging scenario that tested your skills—what did you learn that will help in future incidents?”
- “How does experiencing realistic incident complexity prepare you for actual cybersecurity work?”
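A small working model of the three-track system, added here as an illustration and not part of the Malware & Monsters materials: it applies the page's event deltas, clamps each track to 0-100, flags the track patterns the discussion cues above are keyed to, and maps final scores to the three success levels. The event names, the sample session, the 50/80 cut-offs for "low" and "high", and the 30-point spread used to define "vary significantly" are assumptions.

```python
from dataclasses import dataclass

LOW, HIGH = 50, 80   # assumed cut-offs for a "low" and a "high" track value
SPREAD = 30          # assumed gap that counts as tracks "varying significantly"

# Representative event deltas taken from the adjustment guidelines above;
# the remaining entries on the page can be added in the same form.
EVENT_DELTAS = {
    "malware_spreads":          ("network_security", -10),
    "control_bypassed":         ("network_security", -20),
    "threat_contained":         ("network_security", +15),
    "threat_eliminated":        ("network_security", +25),
    "poor_communication":       ("ir_effectiveness", -20),
    "excellent_coordination":   ("ir_effectiveness", +15),
    "breakthrough_discovery":   ("ir_effectiveness", +20),
    "critical_systems_offline": ("business_operations", -20),
    "public_disclosure":        ("business_operations", -30),
    "systems_restored":         ("business_operations", +20),
}


@dataclass
class SessionStatus:
    """All three tracks start at 100, as the page specifies."""
    network_security: int = 100
    ir_effectiveness: int = 100
    business_operations: int = 100

    def apply(self, event: str) -> "SessionStatus":
        track, delta = EVENT_DELTAS[event]
        value = max(0, min(100, getattr(self, track) + delta))  # keep within 0-100
        setattr(self, track, value)
        return self

    def scores(self) -> dict:
        return {"network_security": self.network_security,
                "ir_effectiveness": self.ir_effectiveness,
                "business_operations": self.business_operations}


def assess(status: SessionStatus) -> str:
    """Map final scores to the page's three success levels (thresholds assumed)."""
    values = list(status.scores().values())
    if min(values) >= HIGH:
        return "Excellent Success"
    if max(values) - min(values) >= SPREAD:
        return "Mixed Success"
    return "Learning Success"   # low overall; the IM judges process separately


def facilitation_prompts(status: SessionStatus) -> list:
    """Name the discussion cues the page pairs with particular track patterns."""
    prompts = []
    if status.network_security < LOW and status.ir_effectiveness >= HIGH:
        prompts.append("coordination despite technical challenges")
    if status.business_operations < LOW:
        prompts.append("balance technical response with business communication")
    return prompts


def run_session(events: list) -> SessionStatus:
    status = SessionStatus()
    for event in events:
        status.apply(event)
    return status


if __name__ == "__main__":
    # Constructed sample session: the threat spreads and bypasses a control, a
    # critical system goes offline, then the team coordinates, contains, restores.
    s = run_session(["malware_spreads", "control_bypassed", "critical_systems_offline",
                     "excellent_coordination", "threat_contained", "systems_restored"])
    print(s.scores(), assess(s), facilitation_prompts(s))
```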
Advanced Containment Scenarios
Multi-Vector Threats
When Malmons Combine Types:
- “How does addressing a worm/ransomware hybrid differ from dealing with each type separately?”
- “What containment strategies work against threats with multiple attack vectors?”
- “How do you prioritize response when facing complex, multi-faceted attacks?”
Evolution During Containment
When Threats Adapt to Response:
- “The malware is adapting to your containment efforts—how does this change your strategy?”
- “What would cause a threat to evolve during your response, and how do you prevent it?”
- “How do you balance thorough containment with speed when threats are actively evolving?”
Resource Constraints
When Perfect Solutions Aren’t Available:
- “Your ideal containment approach isn’t possible with current resources—what’s your alternative?”
- “How do you achieve effective containment when you can’t implement your preferred strategy?”
- “What creative approaches might work when standard containment methods aren’t available?”
Environmental Factors in Containment
Organizational Context
Different Industries, Different Constraints:
- Healthcare: “How does patient safety affect your containment priorities?”
- Financial: “What regulatory requirements influence your response timeline?”
- Manufacturing: “How do you balance cybersecurity response with production continuity?”
- Education: “What unique challenges do BYOD policies create for containment?”
Organizational Maturity:
- Advanced Security: “How do sophisticated monitoring capabilities change your containment options?”
- Basic Security: “What containment strategies work when you have limited security infrastructure?”
- Hybrid Environments: “How do you coordinate containment across cloud and on-premises systems?”
Technical Environment
Network Architecture:
- “How does your network segmentation affect containment strategy?”
- “What containment options do air-gapped systems provide or limit?”
- “How do you leverage existing security architecture for containment?”
Technology Stack:
- “How do the specific technologies in your environment influence containment approaches?”
- “What unique containment challenges do legacy systems create?”
- “How do you adapt general containment principles to your specific technology environment?”
Assessment and Learning Integration
Evaluating Containment Effectiveness
Process Assessment:
- “How well did the team coordinate different containment activities?”
- “What communication strategies supported effective containment decision-making?”
- “How did role specialization contribute to containment success?”
Strategic Assessment:
- “How effectively did the team match containment strategies to threat characteristics?”
- “What demonstrated understanding of type effectiveness and environmental factors?”
- “How well did the team balance speed, thoroughness, and business continuity?”
Learning Assessment:
- “What cybersecurity concepts did the containment phase reinforce or teach?”
- “How did hands-on containment decision-making enhance understanding?”
- “What insights about real-world incident response emerged from the containment experience?”
Post-Containment Reflection
Strategic Questions:
- “What made your containment approach effective (or what would you improve)?”
- “How did understanding threat types influence your strategy selection?”
- “What role did team coordination play in containment success?”
Learning Questions:
- “What did this containment experience teach you about cybersecurity defense?”
- “How would you explain your containment strategy to others facing similar threats?”
- “What insights from this simulation apply to real-world incident response?”
Application Questions:
- “How would you adapt this containment approach for your actual work environment?”
- “What containment capabilities would you want to develop in your organization?”
- “How does this experience change your thinking about cybersecurity preparedness?”
Building Containment Expertise
For New Teams
- Focus on fundamental containment concepts rather than complex technical details
- Emphasize collaborative decision-making and role coordination
- Use automatic successes for good teamwork and logical approaches
- Connect containment decisions to basic cybersecurity principles
For Experienced Teams
- Explore sophisticated containment strategies and advanced technical approaches
- Include organizational constraints and business continuity considerations
- Challenge teams with resource limitations and environmental complexities
- Connect containment success to strategic cybersecurity planning
For Expert Teams
- Introduce multi-stakeholder coordination and cross-organizational response
- Explore innovation in containment techniques and creative problem-solving
- Include policy and regulatory implications of containment decisions
- Connect containment expertise to community knowledge sharing and mentorship
IM Guide: Containment Success Validation
Using the Containment Success Criteria
Teams assess their containment effectiveness using four levels: Complete, Effective, Partial, and Failure. Each level has specific, observable criteria that you can validate during gameplay.
Your Role as IM:
- Observe during gameplay: Note when teams meet specific success criteria
- Validate objectively: Use the criteria checklists to provide concrete feedback
- Focus on learning: Emphasize improvement and understanding over “winning”
- Provide examples: Give specific instances of what teams did well or could improve
Validation Guidelines by Success Level
Complete Containment Validation: Look for teams that demonstrate:
- Technical precision: Can explain exactly how they stopped malicious activity
- Comprehensive coverage: All aspects addressed (persistence, communication, spread, recovery)
- Role coordination: Every available role contributed meaningfully
- Documentation mindset: Show awareness of lessons learned and intelligence value
- Stakeholder thinking: Consider business impact and communication needs
Effective Containment Validation: Teams show:
- Core competency: Successfully address primary threats
- Most roles engaged: 4+ roles participating effectively
- Appropriate controls: Generally correct security control selections
- Basic coordination: Good team communication and coordination
- Recovery focus: Understand importance of system restoration
Partial Containment Validation: Teams demonstrate:
- Some success: Eventually neutralize threat despite challenges
- Limited coordination: 2-3 roles working together effectively
- Mixed decisions: Some good choices, some suboptimal approaches
- Learning awareness: Recognize areas for improvement
- Basic understanding: Show grasp of fundamental concepts
Failure as Learning Experience: Frame failures positively:
- Learning opportunity: Complex scenarios provide valuable insights
- Realistic outcomes: Real incidents sometimes have poor outcomes initially
- Skill development: Identify specific areas for team growth
- Resilience building: Emphasize iteration and improvement
IM Validation Process
During Sessions:
- Take notes: Record specific examples of criteria being met
- Don’t interrupt: Allow natural team coordination to develop
- Ask clarifying questions: Help teams articulate their reasoning
- Encourage participation: Ensure all roles have opportunities to contribute
At Session End:
- Review criteria together: Go through the checklist with the team
- Provide specific examples: “You achieved Complete Containment because…”
- Identify improvements: “To reach the next level, consider…”
- Connect to learning: “This experience teaches us…”
Sample IM Feedback Scripts
Complete Containment: “Excellent work! You achieved Complete Containment. Specifically, I observed the Detective identifying all persistence mechanisms, the Protector successfully blocking C2 communications, the Tracker confirming no lateral movement, and the Communicator managing stakeholder notifications effectively. Your team coordination using each role’s strengths was particularly impressive.”
Effective Containment: “Great job achieving Effective Containment. You successfully stopped the threat and restored core systems. The area for growth is intelligence generation - you focused effectively on immediate containment but could develop more threat intelligence for future defense.”
Partial Containment: “This was a challenging scenario that provided valuable learning. You achieved Partial Containment - the threat was eventually stopped. The key learning opportunity is role coordination. Try having the Crisis Manager actively coordinate between roles rather than working independently.”
Learning from Failure: “This scenario demonstrated the complexity of real cybersecurity incidents. While the malmon achieved its objectives, your team gained important insights about threat assessment and response prioritization. In actual incidents, these lessons are exactly what make teams more effective over time.”
Common IM Validation Mistakes to Avoid
Being Too Generous:
- Don’t award higher success levels just to make teams feel good
- Require actual demonstration of criteria, not just discussion
- Use specific examples to justify your assessment
Being Too Harsh:
- Remember that learning is the primary objective
- Celebrate partial successes and improvement
- Focus on constructive feedback rather than criticism
Missing Role Contributions:
- Actively look for ways each role contributed
- Ask quiet players about their perspective
- Ensure all roles have opportunities to demonstrate expertise
Ignoring Process:
- Success isn’t just about outcomes - process matters too
- Good teamwork with poor results can still be valuable learning
- Poor teamwork with good results misses collaboration lessons
Remember: Containment mechanics serve learning objectives, not game complexity. The goal is developing strategic thinking about cybersecurity defense, not mastering game rules. Focus on helping teams understand how to match response strategies to threats while considering real-world constraints and organizational objectives.