Advanced Challenge Template

⚡ Advanced Challenge Template

Target Time: 150-170 minutes

This template is designed for experienced teams and competitive events, offering maximum depth, complexity, and challenge. It pushes players to their limits with intricate scenarios and high stakes.

When to Use:

  • Experienced team advanced training and skill validation.
  • Competitive events, tournaments, and cybersecurity exercises.
  • Professional development for seasoned security practitioners.
  • Sessions with a strong focus on badge progression and advanced learning outcomes.

Pre-Configured Settings:

  • MAJOR TIME IMPACT:
    • Number of Rounds: 3 rounds
    • Actions per Player: 2 actions per round
  • MODERATE TIME IMPACT:
    • Investigation Structure: Open (players choose investigation paths)
    • Response Structure: Creative (players develop their own approach)
    • Team Size: 4-6 players (standard roles recommended)
  • MINOR TIME IMPACT:
    • Success Mechanics: Complex (Network Security Status tracking)
    • Debrief Length: Extended (15-20 min)
    • Turn Timer: Soft (encourages timely decisions without strict enforcement)
  • COMPLEXITY OPTIONS:
    • Attack Complexity: Multi-stage
    • Evidence Type: Subtle
    • Red Herrings: Present
    • Containment Clarity: Ambiguous
    • NPC Count: Full cast (4-6 NPCs for intricate social dynamics)
    • Badge Tracking: On
    • Reference Materials: Not available (tests knowledge recall under pressure)

Experience:

The ultimate M&M challenge. Players face highly realistic, multi-layered threats, requiring expert-level analysis, strategic thinking, and adaptive incident response. The absence of reference materials and presence of red herrings demand deep existing knowledge.

Time Breakdown (example session):

  • Introduction & Role Assignment: 10 minutes
  • Scenario Briefing: 10 minutes
  • Gameplay (3 rounds, 2 actions, Open/Creative, Complex Tracking): ~110 minutes
  • Extended Debrief: 20 minutes
  • Total: ~150 minutes of structured time; the 10-20 minute buffer for overruns and threshold moments brings a session to the 160-170 minute target

Customize This Template:

This template is near its maximum complexity. Adjustments typically involve making it slightly easier or focusing on specific areas.

  • Reduce to 120-140 min:
    • Change “Success Mechanics” to “Dice/Cards” (remove Complex Tracking).
    • Change “Debrief Length” to “Standard” (10 min).
  • Make easier (without reducing time):
    • Change “Evidence Type” to “Mixed” or “Obvious”.
    • Change “Red Herrings” to “Absent”.
    • Make “Reference Materials” Available.

Advanced Challenge Prep Checklist

Pre-Session Materials (40-50 min prep)

Investigation Sources WITH Complexity:

Build on the Full Game investigation catalog with additional layers of realistic complexity:

Base Catalog (Same as Full Game):

  • System Logs, Email/Communications, Interviews, System Analysis, Network Traffic, External Research
  • What information is available and how to discover it
  • Key discovery paths and realistic dead ends

Subtle Evidence Layer:

For each evidence source, add how indicators are harder to interpret:

  • Ambiguous Indicators: Evidence that could have multiple interpretations
  • Partial Information: Data that’s incomplete or requires correlation with other sources
  • Technical Complexity: Requires advanced knowledge to recognize significance
  • Time-Delayed Patterns: Anomalies only visible when analyzing trends over time

Red Herrings Layer:

Plausible misleading evidence that experienced teams might investigate:

  • Legitimate Anomalies: Actual system issues unrelated to the attack
  • Coincidental Timing: Events that correlate with attack but aren’t causally related
  • Previous Incidents: Old security events that resemble current attack
  • Misdirection: Evidence the attacker intentionally placed to waste time

Expert-Level Insights:

Subtle discoveries only experienced practitioners would recognize:

  • Advanced TTPs: Sophisticated attacker techniques requiring knowledge of recent threats
  • Operational Security Patterns: How the attacker’s behavior reveals their skill level
  • Second-Order Effects: Cascading impacts not immediately obvious
  • Strategic Implications: What the attack reveals about attacker motivation and capabilities

Response Evaluation with Innovation Requirements:

Standard Approaches (Baseline):

  • Type-effective containment methods for this malmon
  • Common effective strategies for this scenario
  • These approaches work but won’t be sufficient alone

Why Standard Approaches Are Insufficient:

  • Scenario-Specific Challenges: What makes this particular situation harder
  • Attacker Sophistication: How advanced techniques require adaptation
  • Business Constraints: Organizational factors limiting standard playbook responses
  • Time Pressure: Compressed timeline requiring simultaneous actions

Innovation Required:

  • Types of Creative Adaptation Needed: Hybrid approaches, novel combinations, unconventional tactics
  • Framework for Novel Solutions: How to evaluate untested approaches
  • Acceptable Risk Tolerance: When to approve high-risk/high-reward strategies
  • Trade-off Assessment: Balancing speed vs thoroughness, security vs operations

Network Security Status Tracking:

  • Initial State: Starting network health and defensive posture
  • Degradation Triggers: What player actions or time passage worsens the situation
  • Recovery Mechanisms: How effective responses improve network security
  • Critical Thresholds: Points where situation fundamentally changes
  • Consequences: What happens at each degradation/recovery level

Session Flow (player-driven, 3 rounds with complexity)

Round 1 (30-35 minutes): Discovery with Subtlety

  • Players investigate sources with subtle evidence
  • IM presents information neutrally, not highlighting significance
  • Red herrings require evaluation and potentially waste investigation time
  • Expert insights available only to players who recognize subtle indicators
  • Network Security Status begins degrading if attack isn’t identified quickly

Round 2 (35-40 minutes): Scope Assessment with Complexity

  • Players correlate partial information across multiple sources
  • IM provides incomplete data requiring inference
  • Red herrings may lead to investigating wrong scope or attribution
  • Players must separate signal from noise
  • Network Security Status continues to reflect investigation quality

Round 3 (35-40 minutes): Innovative Response Implementation

  • Standard approaches acknowledged but shown as insufficient
  • Players must innovate beyond typical playbook responses
  • IM adjudicates novel solutions using innovation framework
  • Creative combinations and hybrid approaches encouraged
  • Network Security Status outcome depends on innovation quality

Advanced Facilitation Techniques

Presenting Subtle Evidence Neutrally:

  • Don’t highlight significance: Present all evidence with equal weight
  • Maintain poker face: Don’t react differently to important vs unimportant discoveries
  • Accurate but incomplete: Provide technically correct information without context
  • Example: “The logs show a spike in PowerShell activity” (don’t add “which is suspicious”; whether the spike is attacker tooling or a scheduled admin job is for the players to establish)

Using Red Herrings Effectively:

  • Make them plausible: Red herrings should seem reasonable to investigate
  • Make sure they can be ruled out: Players can determine they’re false leads through investigation
  • Don’t punish investigation: Dead ends should take time but not catastrophically waste resources
  • Example: Recent legitimate system upgrade that correlates with attack timeline

Requiring Innovation:

  • Challenge standard approaches: “That would normally work, but in this case…”
  • Prompt creative thinking: “What else could you try? What combination of approaches?”
  • Reward well-reasoned risks: “That’s unconventional, but I see your logic…”
  • Never say “no”: Use “yes, but…” or “that works partially because…”

Managing Complexity Tracking:

  • Keep Network Security Status visible: Update status board after each significant action
  • Explain degradation/improvement: “The network status worsens because…”
  • Use thresholds as dramatic moments: “You’ve reached a critical threshold…”
  • Track multiple dimensions: Not just “good/bad” but different security aspects

Materials Location Pattern

Base Sources (Same as Full Game):

  • Planning document Section 5: Available Evidence Sources
  • Scenario card: Type Effectiveness sections

Subtle Evidence:

  • If planning doc has “Subtle Evidence Layer” section: Use directly
  • If not: Extract from planning doc “Advanced Details” or “Make Harder” sections

Red Herrings:

  • Planning document Section 11: “Make Harder” → adapt legitimate complications as red herrings
  • Scenario card “Secrets” → invert to create plausible false leads

Innovation Requirements:

  • Planning document Section 6: “Type-Effective Approaches” → identify what standard approaches miss
  • Planning document Section 10: “Evolution Triggers” → use to understand scenario-specific challenges

Network Security Status:

  • Planning document Section 7: “Network Security Status Tracking” (if available)
  • Otherwise: Create simple 5-level scale (Excellent → Good → Compromised → Critical → Catastrophic)
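
The Network Security Status tracking described in the prep checklist (initial state, degradation triggers, recovery mechanisms, critical thresholds, consequences) and the fallback 5-level scale named here, as an added worked example in Python. This is not part of the template or the game’s own materials: the three dimension names, the event table, the consequence text and the threshold rules are this example’s assumptions, standing in for what a planning document’s Section 7 would supply.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Status(IntEnum):
    """The 5-level scale from the template, ordered so that lower is worse."""
    CATASTROPHIC = 0
    CRITICAL = 1
    COMPROMISED = 2
    GOOD = 3
    EXCELLENT = 4


# Assumption: three aspects tracked separately ("track multiple dimensions").
DIMENSIONS = ("containment", "data_exposure", "availability")

# Constructed event table. Degradation triggers carry negative deltas,
# recovery mechanisms positive ones; a mixed-sign entry models the
# security-vs-operations trade-off the IM has to adjudicate.
EVENTS = {
    # degradation triggers (player actions or time passage)
    "round_ends_attack_unidentified": {"containment": -1, "data_exposure": -1},
    "chased_red_herring": {"data_exposure": -1},
    "standard_playbook_only": {"containment": -1, "availability": -1},
    # recovery mechanisms (effective responses)
    "attack_identified": {"containment": +1},
    "scope_correlated": {"data_exposure": +1},
    "innovative_response": {"containment": +1, "data_exposure": +1, "availability": +1},
    # trade-off: crude containment buys security at an availability cost
    "pulled_plug_on_production": {"containment": +1, "availability": -2},
}

# What the IM reads out when a dimension lands on a level (constructed text).
CONSEQUENCES = {
    Status.EXCELLENT: "defensive posture better than at scenario start",
    Status.GOOD: "attack contained to its initial foothold",
    Status.COMPROMISED: "attacker retains access; lateral movement possible",
    Status.CRITICAL: "attacker has broad access; executive escalation required",
    Status.CATASTROPHIC: "attacker objective achieved; scenario ends",
}

# Critical thresholds: crossing downward into these levels is a dramatic moment.
THRESHOLDS = (Status.CRITICAL, Status.CATASTROPHIC)


@dataclass
class NetworkStatus:
    # Initial state: every dimension starts at GOOD (assumption).
    levels: dict = field(default_factory=lambda: {d: Status.GOOD for d in DIMENSIONS})
    history: list = field(default_factory=list)

    def apply(self, event: str) -> list:
        """Apply one event; return the threshold messages it crossed, if any."""
        moments = []
        for dim, delta in EVENTS[event].items():
            old = self.levels[dim]
            # clamp to the scale so repeated triggers cannot fall off either end
            new = Status(max(Status.CATASTROPHIC, min(Status.EXCELLENT, old + delta)))
            self.levels[dim] = new
            self.history.append(f"{event}: {dim} {old.name} -> {new.name} ({CONSEQUENCES[new]})")
            for threshold in THRESHOLDS:
                if old > threshold >= new:  # fell through this threshold
                    moments.append(f"{dim} crossed into {threshold.name}: {CONSEQUENCES[threshold]}")
            if old < Status.GOOD <= new:  # climbed back to a healthy level
                moments.append(f"{dim} recovered to {new.name}: {CONSEQUENCES[new]}")
        return moments

    def overall(self) -> Status:
        """The weakest dimension governs: one catastrophic aspect sinks the network."""
        return min(self.levels.values())

    def scenario_over(self) -> bool:
        return self.overall() == Status.CATASTROPHIC

    def board(self) -> str:
        """Status board text to keep visible to players after each significant action."""
        rows = [f"{d:14s} {s.name:12s} {CONSEQUENCES[s]}" for d, s in self.levels.items()]
        return "\n".join(rows + [f"{'overall':14s} {self.overall().name}"])


def simulate(events) -> tuple:
    """Run a sequence of events, stopping early if the scenario ends."""
    status, moments = NetworkStatus(), []
    for event in events:
        moments.extend(status.apply(event))
        if status.scenario_over():
            break
    return status, moments


if __name__ == "__main__":
    # Constructed three-round session: slow start, one red herring, a crude
    # containment with an availability cost, then an innovative response.
    status, moments = simulate([
        "round_ends_attack_unidentified", "chased_red_herring",
        "attack_identified", "pulled_plug_on_production", "innovative_response",
    ])
    print("\n".join(status.history))
    print("\n".join(moments))
    print(status.board())
```

The weakest-dimension rule for the overall status is a deliberate choice: it stops a team from masking a catastrophic data exposure behind excellent containment, and it makes the availability cost of “pull the plug” visible on the board immediately rather than only in the debrief.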

What Makes Advanced Challenge Unique

Realistic Complexity Without Unfairness: The scenario includes subtle evidence and red herrings that mirror real incident response—not everything is obviously malicious, and some leads are dead ends. However, every false lead can be ruled out through thorough investigation. The challenge is sorting signal from noise, not solving unsolvable puzzles.

Innovation Beyond Standard Playbook: Teams can’t simply follow the NIST incident-handling lifecycle (SP 800-61) or a standard playbook. The scenario requires creative adaptation, novel combinations of approaches, or unconventional tactics. The IM evaluates innovation using the criteria prepared before the session, rewarding well-reasoned risk-taking and strategic thinking.

Expert-Level Recognition: Some insights are only accessible to practitioners who recognize advanced TTPs, understand operational security patterns, or spot second-order effects. Players without this background knowledge can still succeed through thorough investigation, but expert practitioners gain advantages by recognizing subtle indicators others might miss.

No Reference Materials: Unlike other formats, players can’t look up MITRE ATT&CK techniques or review malware profiles during play. This tests knowledge recall under pressure and forces teams to rely on collective expertise rather than external resources. The extended debrief provides time to review what they remembered correctly and what they missed.