Advanced Scenarios

Beyond Basic Incident Response

Once teams have mastered fundamental Malmon encounters and collaborative response techniques, advanced scenarios provide opportunities to tackle complex, multi-faceted cybersecurity challenges that mirror the sophistication of real-world threats. These scenarios test not just technical knowledge, but strategic thinking, coordination under pressure, and adaptive problem-solving.

Characteristics of Advanced Scenarios

Multi-Vector Attacks

Coordinated Threat Campaigns:

  • Multiple Malmons deployed simultaneously with different objectives
  • Attacks that span multiple attack vectors (email, web, USB, supply chain)
  • Threat actors using diversified techniques to achieve strategic goals
  • Requires teams to coordinate response across multiple concurrent threats

Example: Healthcare Hybrid Campaign

  • Initial Vector: Spear-phishing emails targeting administrative staff (GaboonGrabber)
  • Secondary Vector: USB-based propagation through medical device maintenance (Raspberry Robin)
  • Final Payload: Ransomware deployment targeting patient data systems (LockBit)
  • Learning Objectives: Multi-domain coordination, priority setting, resource allocation

Multi-Vector ATT&CK Analysis

Raspberry Robin Analysis (Secondary Vector):

🎯 MITRE ATT&CK Technique Analysis

T1091 Replication Through Removable Media
  • Tactic: Initial Access (ATT&CK also lists this technique under Lateral Movement)
  • Description: Spreads via infected USB drives carried into the targeted environment
  • Mitigation: USB controls (block or allow-list removable storage), device management, endpoint protection
  • Detection: USB monitoring, removable media scanning, device tracking, processes launched from removable drive letters

T1071.001 Application Layer Protocol: Web Protocols
  • Tactic: Command and Control
  • Description: Hides C2 traffic inside ordinary HTTP/HTTPS so that beacons blend in with legitimate web traffic
  • Mitigation: Network monitoring, application control, egress filtering through an inspecting proxy
  • Detection: Network traffic analysis, proxy logs, beaconing analysis, system binaries (e.g. msiexec.exe) making outbound web connections

T1547.001 Registry Run Keys / Startup Folder
  • Tactic: Persistence
  • Description: Establishes persistence by writing a value under a Windows Run/RunOnce key or dropping a file into a Startup folder
  • Mitigation: Registry monitoring, startup controls, system integrity checks
  • Detection: Registry monitoring (e.g. Sysmon Event ID 13, registry value set), startup enumeration, persistence scanning
IM Facilitation Notes:
  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

LockBit Analysis (Final Payload):

🎯 MITRE ATT&CK Technique Analysis

T1566.001 Phishing: Spearphishing Attachment
  • Tactic: Initial Access
  • Description: Initial access through malicious email attachments. LockBit affiliates also buy or brute-force RDP access, but that is a separate technique (T1133 External Remote Services), not spearphishing
  • Mitigation: Email security, attachment sandboxing, RDP hardening, multi-factor authentication
  • Detection: Email analysis, Office processes spawning scripts or shells, RDP monitoring, authentication logging

T1210 Exploitation of Remote Services
  • Tactic: Lateral Movement
  • Description: Exploits vulnerabilities in exposed remote services to propagate across the network
  • Mitigation: Patch management, network segmentation, service hardening
  • Detection: Network monitoring, exploit detection, vulnerability scanning

T1486 Data Encrypted for Impact
  • Tactic: Impact
  • Description: Encrypts files with attacker-held keys and demands ransom payment
  • Mitigation: Tested offline backups, file monitoring, incident response planning
  • Detection: File modification monitoring, bursts of file writes with one new extension from a single process, ransom note creation
IM Facilitation Notes:
  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies
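As an added example (not part of the Malmons material, and not code from any detection vendor), the detection columns of the Raspberry Robin and LockBit tables above can be turned into a small detector that runs over Sysmon-style events and reports hits by ATT&CK technique ID. The events are constructed, not captured telemetry; the drive letters treated as removable, the list of living-off-the-land binaries, the 20-file threshold and the internal network ranges are assumptions that would be tuned per environment. The same block serves both tables, since the final-payload detection (mass encryption, ransom note) and the secondary-vector detection (USB launch, Run key, LOLBin web C2) are just different checks over the same event stream.

```python
"""Toy ATT&CK-mapped detector over constructed Sysmon-style events.
Added example, not part of the Malmons material. Sysmon EventIDs used:
1 process create, 3 network connection, 11 file create, 13 registry value set.
"""
import ipaddress
import re
from collections import Counter, defaultdict

TECHNIQUES = {  # IDs from the two tables above
    "T1091": "Replication Through Removable Media",
    "T1071.001": "Application Layer Protocol: Web Protocols",
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1486": "Data Encrypted for Impact",
}

# Environment assumptions (hypothetical, tune per site).
REMOVABLE_DRIVES = ("E:\\", "F:\\")  # letters this host maps to USB media
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOLBINS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}  # rarely need the internet
COMMON_EXTS = {"txt", "docx", "xlsx", "pdf", "log", "tmp", "dll", "exe", "json"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(readme|restore|recover|decrypt)[^\\]*\.txt$", re.IGNORECASE)


def check_removable_media(ev):
    """T1091: a process started from, or working out of, a removable drive."""
    if ev["EventID"] != 1:
        return None
    for field in ("Image", "CurrentDirectory"):
        if ev.get(field, "").upper().startswith(REMOVABLE_DRIVES):
            return f"pid {ev['ProcessId']} {ev['Image']} launched with {field}={ev[field]}"
    return None


def check_run_key(ev):
    """T1547.001: a value written under ...\\CurrentVersion\\Run or RunOnce."""
    if ev["EventID"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        return f"pid {ev['ProcessId']} {ev['Image']} set {ev['TargetObject']} = {ev.get('Details', '')}"
    return None


def check_lolbin_web_c2(ev):
    """T1071.001: a living-off-the-land binary talking HTTP/HTTPS to a non-internal address."""
    if ev["EventID"] != 3:
        return None
    exe = ev["Image"].rsplit("\\", 1)[-1].lower()
    dst = ipaddress.ip_address(ev["DestinationIp"])
    external = not any(dst in net for net in INTERNAL_NETS)
    if exe in LOLBINS and ev.get("DestinationPort") in (80, 443) and external:
        return f"pid {ev['ProcessId']} {exe} -> {dst}:{ev['DestinationPort']}"
    return None


def check_mass_encryption(events, threshold=20):
    """T1486: one process writing many files with one unusual extension, and/or a ransom note."""
    ext_counts, notes, images = defaultdict(Counter), defaultdict(list), {}
    for ev in events:
        if ev["EventID"] != 11:
            continue
        pid, name = ev["ProcessId"], ev["TargetFilename"]
        images[pid] = ev["Image"]
        if RANSOM_NOTE.search(name):
            notes[pid].append(name)
        base = name.rsplit("\\", 1)[-1]
        ext_counts[pid][base.rsplit(".", 1)[-1].lower() if "." in base else ""] += 1
    findings = []
    for pid, exts in ext_counts.items():
        ext, n = exts.most_common(1)[0]
        reasons = []
        if n >= threshold and ext not in COMMON_EXTS:
            reasons.append(f"{n} files written with extension .{ext}")
        if notes[pid]:
            reasons.append(f"ransom note {notes[pid][0]}")
        if reasons:
            findings.append(f"pid {pid} {images[pid]}: " + "; ".join(reasons))
    return findings


def analyze(events):
    """Return {technique_id: [finding, ...]} for every technique with at least one hit."""
    per_event = (("T1091", check_removable_media), ("T1547.001", check_run_key),
                 ("T1071.001", check_lolbin_web_c2))
    findings = defaultdict(list)
    for ev in events:
        for tid, check in per_event:
            hit = check(ev)
            if hit:
                findings[tid].append(hit)
    hits = check_mass_encryption(events)
    if hits:
        findings["T1486"] = hits
    return dict(findings)


SAMPLE_EVENTS = [  # constructed events, not real telemetry; 203.0.113.0/24 is a documentation range
    {"EventID": 1, "ProcessId": 3100, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CurrentDirectory": "E:\\", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "ProcessId": 3100, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 3100, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\svc.exe"},
    # benign noise that must not fire: a browser on the internet, an unrelated registry write
    {"EventID": 3, "ProcessId": 900, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 900, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Mozilla\\Firefox\\Launcher", "Details": "1"},
] + [
    {"EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\Public\\svc.exe",
     "TargetFilename": f"C:\\Shares\\Patients\\record{i:03d}.docx.lockbit"} for i in range(25)
] + [
    {"EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\Public\\svc.exe",
     "TargetFilename": "C:\\Shares\\Patients\\RESTORE-MY-FILES.txt"},
]

if __name__ == "__main__":
    for tid, hits in analyze(SAMPLE_EVENTS).items():
        print(tid, TECHNIQUES[tid])
        for h in hits:
            print("   ", h)
```

Run as-is it reports one finding per technique for the constructed chain and nothing for the browser noise. The per-event checks are stateless and cheap; the T1486 check is the one that needs the whole stream, because a single file write looks normal and only the count per process (or the ransom note) makes it suspicious, which is why it is kept separate from the per-event loop.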

Evolving Threat Landscapes

Dynamic Adaptation Scenarios:

  • Malmons that evolve based on defensive responses
  • Threat actors adapting tactics in real-time during incidents
  • Scenarios where initial containment strategies trigger escalation
  • Long-term campaigns that require sustained response over multiple sessions

Example: Nation-State Evolution Chain

  • Phase 1: Reconnaissance and initial access (Stuxnet-style APT)
  • Phase 2: Lateral movement and intelligence gathering
  • Phase 3: Sabotage attempt triggers defensive response
  • Phase 4: Threat actor adaptation and counter-response
  • Learning Objectives: Strategic patience, attribution analysis, escalation management

Cross-Organizational Incidents

Supply Chain and Partnership Scenarios:

  • Attacks that affect multiple organizations simultaneously
  • Vendor compromises that impact customer organizations
  • Information sharing and coordination between organizations
  • Regulatory and legal implications of cross-organizational incidents

Example: Cloud Service Provider Compromise

  • Scenario Setup: Critical cloud service used by multiple organizations is compromised
  • Team Challenge: Coordinate response while maintaining business operations
  • External Coordination: Share information with other affected organizations
  • Learning Objectives: Third-party risk management, information sharing protocols

Industry-Specific Advanced Scenarios

Healthcare Sector Challenges

Critical Infrastructure Considerations:

  • Patient safety implications of cybersecurity incidents
  • Coordination between IT and clinical staff during response
  • HIPAA compliance requirements during emergency response
  • Medical device security and operational technology integration

Advanced Healthcare Scenario: “Code Blue Cyber”

  • Setup: Ransomware targets both IT systems and connected medical devices
  • Complication: Attack occurs during peak patient care hours
  • Stakeholders: IT staff, clinical teams, hospital administration, regulatory bodies
  • Unique Challenges: Patient safety takes precedence over standard incident response procedures
  • Learning Objectives: Healthcare-specific prioritization, regulatory compliance under pressure

Financial Services Complexity

Regulatory and Market Implications:

  • Real-time transaction processing during incidents
  • Market confidence and customer communication
  • Multi-jurisdictional regulatory requirements
  • Coordination with law enforcement and financial regulators

Advanced Financial Scenario: “Market Manipulation”

  • Setup: APT campaign targeting high-frequency trading systems
  • Complication: Attack designed to manipulate market prices
  • Stakeholders: Trading floor, risk management, regulators, law enforcement
  • Unique Challenges: Distinguishing between attack effects and market volatility
  • Learning Objectives: Financial crime investigation, market impact assessment

Critical Infrastructure Protection

Physical/Cyber Convergence:

  • Operational technology and information technology integration
  • Safety system implications of cybersecurity incidents
  • Coordination with emergency services and government agencies
  • Public safety and national security considerations

Advanced Infrastructure Scenario: “Grid Down”

  • Setup: Stuxnet-variant targeting electrical grid control systems
  • Complication: Attack causes rolling blackouts affecting multiple states
  • Stakeholders: Utility operators, emergency services, government agencies, media
  • Unique Challenges: Physical safety implications of cyber incident response
  • Learning Objectives: Critical infrastructure protection, public-private coordination

Time-Pressure Scenarios

Crisis Timeline Management

Compressed Decision-Making:

  • Incidents with immediate public safety implications
  • Media attention and public scrutiny during response
  • Regulatory notification deadlines during active incidents
  • Coordinating response while managing external pressure

High-Pressure Scenario: “Zero Hour”

  • Setup: Ransomware with 4-hour deadline targeting hospital systems
  • Time Constraint: Must maintain patient care while responding to threat
  • Media Element: Local news coverage adds public pressure
  • Learning Objectives: Decision-making under extreme pressure, stakeholder management

Marathon Incidents

Sustained Response Operations:

  • Multi-week incidents requiring team endurance and rotation
  • Evolving threats that require adaptive long-term strategies
  • Resource management and team sustainability
  • Maintaining response effectiveness over extended periods

Extended Scenario: “The Long Game”

  • Setup: Nation-state APT with 6-month operation timeline
  • Format: Multiple connected sessions spanning weeks
  • Evolution: Threat adapts based on team responses between sessions
  • Learning Objectives: Strategic patience, long-term incident management

Competitive Advanced Scenarios

Red Team vs Blue Team Evolutions

Dynamic Adversary Simulation:

  • Red team adapts tactics based on blue team responses
  • Multiple rounds with escalating sophistication
  • Real-time threat actor decision-making
  • Authentic pressure of adapting adversaries

Advanced Red/Blue: “Adaptive Adversary”

  • Round 1: Red team deploys initial Malmon (30 minutes)
  • Round 2: Blue team responds, Red team adapts (30 minutes)
  • Round 3: Escalated tactics based on defensive effectiveness (30 minutes)
  • Debrief: Analysis of adaptation strategies and defensive effectiveness

Multi-Organization Championships

Coordinated Response Competitions:

  • Teams representing different organizations must coordinate
  • Information sharing protocols under competitive pressure
  • Balancing organizational interests with collective security
  • Simulating real-world industry cooperation during major incidents

Championship Format: “Global Response”

  • Setup: International incident affecting multiple countries/organizations
  • Teams: Each represents different organization (government, private sector, international)
  • Challenge: Balance individual organizational response with collective coordination
  • Scoring: Both individual effectiveness and collaborative success

Scenario Design Principles

Authentic Complexity

Real-World Fidelity:

  • Based on actual incident patterns and threat actor behaviors
  • Include authentic stakeholder pressures and constraints
  • Incorporate real regulatory and business requirements
  • Use actual threat intelligence and attack techniques

Managed Complexity:

  • Complex enough to challenge advanced teams
  • Structured to maintain learning focus
  • Scalable based on team capability and available time
  • Clear learning objectives despite scenario complexity

Adaptive Facilitation

Dynamic Scenario Adjustment:

  • Modify complexity based on team performance
  • Introduce additional challenges if teams handle initial scenario easily
  • Provide additional support if complexity overwhelms learning
  • Balance challenge with achievable success

Multiple Success Paths:

  • No single “correct” solution to scenario challenges
  • Reward creative and innovative approaches
  • Recognize different valid strategic choices
  • Focus on learning process rather than predetermined outcomes

Facilitation Techniques for Advanced Scenarios

Managing Increased Complexity

Information Management:

  • Provide information gradually to prevent overwhelming teams
  • Use multiple information sources (reports, briefings, intelligence updates)
  • Allow teams to request specific information based on their investigation priorities
  • Balance realism with manageable information flow

Stakeholder Simulation:

  • Introduce external pressures through simulated stakeholder demands
  • Create tension between different organizational priorities
  • Simulate media pressure and public scrutiny
  • Include regulatory and legal considerations in decision-making

Time Management:

  • Use realistic time pressure without preventing learning
  • Allow for breaks and team consultation during complex scenarios
  • Extend session time when warranted by scenario complexity
  • Balance urgency with opportunity for reflection and learning

Supporting Advanced Learning

Strategic Thinking Development:

  • Ask questions that require long-term thinking and planning
  • Encourage teams to consider second and third-order effects
  • Guide discussion of strategic trade-offs and resource allocation
  • Help teams balance immediate response with long-term resilience

Cross-Functional Coordination:

  • Simulate coordination with departments outside cybersecurity
  • Include business stakeholders, legal teams, and executive leadership
  • Practice communication with external agencies and partners
  • Develop skills in translating technical findings into business language

Innovation Encouragement:

  • Reward creative approaches to complex problems
  • Encourage teams to develop novel techniques and strategies
  • Support experimentation with different response approaches
  • Celebrate learning from failed approaches and adaptive thinking

Assessment and Learning Objectives

Advanced Competency Indicators

Strategic Leadership:

  • Ability to coordinate complex, multi-team responses
  • Strategic thinking about long-term implications and recovery
  • Effective communication with diverse stakeholders under pressure
  • Innovation in response techniques and coordination approaches

Advanced Technical Integration:

  • Understanding of complex attack techniques and defense strategies
  • Ability to coordinate technical and business response elements
  • Integration of threat intelligence with tactical response decisions
  • Advanced threat hunting and analysis capabilities

Organizational Resilience:

  • Development of organizational learning and improvement capabilities
  • Integration of incident response with business continuity planning
  • Building relationships and processes that support ongoing security
  • Contributing to industry-wide security improvement through information sharing

Reflection and Improvement

Comprehensive After-Action Reviews:

  • Analysis of decision-making processes under complex conditions
  • Evaluation of coordination effectiveness across teams and organizations
  • Assessment of learning objectives achievement despite scenario complexity
  • Identification of skills and knowledge gaps revealed by advanced challenges

Community Contribution:

  • Documentation of innovative techniques discovered during advanced scenarios
  • Sharing of lessons learned with broader Incident Master community
  • Development of new scenario concepts based on advanced scenario experiences
  • Contribution to advanced facilitator training and development

Building Advanced Scenario Capabilities

Facilitator Development

Advanced Facilitation Skills:

  • Managing complex multi-stakeholder scenarios
  • Adapting scenarios in real-time based on team performance
  • Balancing realism with learning objectives in complex situations
  • Supporting team learning during high-pressure, complex scenarios

Subject Matter Expertise:

  • Developing deeper understanding of specific industry challenges
  • Building knowledge of advanced attack techniques and threat actor behaviors
  • Understanding of strategic cybersecurity planning and organizational resilience
  • Knowledge of cross-organizational coordination and information sharing

Community Innovation

Scenario Development Collaboration:

  • Working with industry experts to develop authentic advanced scenarios
  • Testing and refining scenarios through community feedback
  • Adapting scenarios for different organizational contexts and learning objectives
  • Contributing to repository of advanced scenarios for community use

Research and Improvement:

  • Evaluating effectiveness of advanced scenarios for learning objectives
  • Researching best practices for complex scenario facilitation
  • Contributing to academic and industry understanding of cybersecurity education
  • Developing metrics and assessment approaches for advanced learning outcomes

Advanced scenarios represent the cutting edge of collaborative cybersecurity learning, preparing teams for the complex, high-stakes incidents they may face in their professional careers while building the strategic thinking and coordination skills necessary for cybersecurity leadership.