Handout B: VPN Access Log

IM NOTE – SELECT ONE VERSION ONLY

Distribute one version only based on Round 1 outcome. Print or display only the selected version – do not show players the other.

  • Version 1 (Clean): Use if players chose Option A (isolate Tom’s machine) or Option C (reset Tom’s passwords)
  • Version 2 (Compromised): Use if players chose Option B (keep machine running and monitor)

VERSION 1 -- CLEAN (use if Option A or C was chosen in Round 1)

VPN Access Log – Clearwater Community Foundation
Log window: Sunday 12:00 – Monday 09:30 UTC
Extracted from VPN gateway and donor database access logs, Monday 9:15am.

Timestamp           User                IP Address          Location        Notes
-----------------   ------------------  ------------------  -----------     -----
[no external logins in this period]

tom.reeves last VPN session:
  Previous Monday   tom.reeves          203.0.113.12        Office          Normal session -- donor records check

Donor database access log:
  Last access:      tom.reeves          09:01 (prev. Mon)   Normal access   No unusual queries
  Export queries:   None detected
  Bulk operations:  None detected

Physical confirmation: Tom’s workstation was isolated before any credential transmission completed. Stage 2 did not trigger.

Version 1 IM Notes:

No external access occurred. The donor database is clean. Containment in Round 1 prevented the attacker from using Tom’s credentials.

Key discussion questions for this version:

  • “What does this tell you about the timing of your Round 1 decision?” (Containment before credential transmission prevented the breach)
  • “The credentials were still harvested – what still needs to happen?” (Credential reset, even though they were not used – they are still in the attacker’s hands)
  • “Is the fundraiser now safe to launch on Wednesday?” (Technically yes, with proper remediation – but this is Priya’s call, and the team should give her a clear picture)

VERSION 2 -- COMPROMISED (use if Option B was chosen in Round 1)

VPN Access Log – Clearwater Community Foundation
Log window: Sunday 12:00 – Monday 09:30 UTC
Extracted from VPN gateway and donor database access logs, Monday 9:15am.

Timestamp           User                IP Address              Location            Notes
-----------------   ------------------  --------------------    ----------------    -----
Mon 08:23:07        tom.reeves          198.51.100.77           Amsterdam (NL)      EXTERNAL LOGIN
                                                                Residential ISP     ** FIRST TIME THIS LOCATION **
Mon 08:24:11        [donor-db access]   via tom.reeves session  --                  Export query initiated
Mon 08:27:44        [session ended]     198.51.100.77           --                  Session terminated (4 min)

Donor database access log:
  Mon 08:24:11      tom.reeves session  Export query: ALL RECORDS
  Records queried:  14,000
  Export status:    INCOMPLETE -- session terminated before download finished
  Query metadata:   captured

Mon 09:01:23        tom.reeves          203.0.113.12            Office (normal)     Tom arriving at work
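
An added triage example (not part of the handout) showing how the Version 2 rows above would surface in automated detection: a login from a location absent from the user's baseline, escalated when a donor-database export follows within a few minutes. The event rows are transcribed from the table above; the date, field layout and the one-location baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed from the Version 2 table; "Mon" is mapped to a placeholder date
# (not from the handout) so the timestamps can be compared.
DAY = "2024-01-08"
VPN_EVENTS = [
    # (timestamp, user, source IP, location, event kind)
    ("08:23:07", "tom.reeves", "198.51.100.77", "Amsterdam (NL)", "login"),
    ("08:24:11", "tom.reeves", "198.51.100.77", "Amsterdam (NL)", "db_export"),
    ("08:27:44", "tom.reeves", "198.51.100.77", "Amsterdam (NL)", "logout"),
    ("09:01:23", "tom.reeves", "203.0.113.12", "Office", "login"),
]

# Per-user set of locations seen in earlier sessions. The handout's only prior
# session for tom.reeves is from the office, so that is the whole baseline.
BASELINE = {"tom.reeves": {"Office"}}


def _ts(hhmmss):
    """Turn a handout time-of-day into a datetime on the placeholder date."""
    return datetime.fromisoformat(f"{DAY}T{hhmmss}")


def triage(events, baseline, window=timedelta(minutes=10)):
    """Flag logins from locations not in the user's baseline.

    Severity is raised to "high" when the same user runs a database export
    within `window` of that login, which is the Version 2 pattern: new
    location at 08:23:07, export query at 08:24:11.
    """
    alerts = []
    for ts, user, ip, loc, kind in events:
        if kind != "login" or loc in baseline.get(user, set()):
            continue  # known location, or not a login row
        t0 = _ts(ts)
        exports = [e for e in events
                   if e[1] == user and e[4] == "db_export"
                   and t0 <= _ts(e[0]) <= t0 + window]
        alerts.append({
            "user": user, "ip": ip, "location": loc, "time": ts,
            "export_within_window": bool(exports),
            "severity": "high" if exports else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in triage(VPN_EVENTS, BASELINE):
        print(a)
```

The Office login at 09:01:23 produces no alert because that location is in the baseline; only the Amsterdam session is raised, and the export one minute later is what lifts it to high severity.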

Version 2 IM Notes:

The attacker used Tom’s credentials at 8:23am – while Tom was still commuting to work. The donor database was accessed and a full export was attempted, but the session ended before the download completed.

Key discussion questions for this version:

  • “What does the Amsterdam login tell you?” (Tom was not in Amsterdam – these are the attacker’s credentials in use)
  • “The export says INCOMPLETE – does that mean the data is safe?” (No. 14,000 records were queried and the export started. The file did not complete downloading, but the query metadata was captured. Regulatory notification obligations may still apply.)
  • “What does Tom’s 9:01am login tell you?” (He arrived at work after the breach had already occurred and ended. He does not yet know.)
  • “What does this change about what you tell Priya before the board call?” (The donor database was accessed. This is the answer to her first question – and it is not the answer she wanted.)

IM Facilitation Notes

  • Release this handout at the start of Round 2.
  • Choose your version before showing players anything. The wrong version directly contradicts the Round 1 narrative.
  • Use this artifact to anchor the malmon card reveal moment and the fundraiser timing decision.
  • All IP addresses use TEST-NET ranges (RFC 5737) and documentation ranges – safe for simulation use.
  • The INCOMPLETE export status is intentionally ambiguous: the data may not have left the network, but the regulatory position depends on the query itself, not only successful exfiltration. This ambiguity is good debrief material.