Discovery Phase Question Bank

Player Expertise Focus

Core Principle: All questions should draw on what participants already know rather than testing what they don’t know. The goal is collaborative discovery using their existing expertise, not knowledge assessment.

Universal Opening Questions

Initial Investigation Starters

These work for any Malmon, any group, any expertise level:

  • “What’s the first thing that would seem unusual here?”
  • “Who in your organization would typically notice these problems first?”
  • “What pattern suggests this isn’t a normal technical issue?”
  • “Based on your experience, what would worry you most about this situation?”
  • “What would be your first instinct when hearing these symptoms?”
  • “If this were happening at your workplace, what would you check first?”

Experience-Based Questions

Connect to participant backgrounds:

  • “How would this compare to problems you’ve seen before?”
  • “What does this remind you of from your work experience?”
  • “In your role, what would make you suspicious about this situation?”
  • “What would your standard troubleshooting process be here?”
  • “Based on your background, what stands out as unusual?”

Role-Specific Question Banks

Detective Questions

Evidence Analysis

  • “What clues would you look for to understand what happened?”
  • “Where would you expect to find evidence of this activity?”
  • “What logs or records would tell the story here?”
  • “What timeline would you want to establish?”
  • “What pattern recognition is your brain doing right now?”

Investigation Techniques

  • “What tools would help you investigate this further?”
  • “How would you verify your suspicions?”
  • “What would prove or disprove your theory?”
  • “What questions would you ask the affected users?”
  • “What forensic approach would you take?”

When Detectives Find Evidence

  • “What story does this evidence tell?”
  • “How does this connect to what others have found?”
  • “What does the timing of this evidence suggest?”
  • “What would an attacker need to create this evidence?”
  • “What other evidence would you expect to find alongside this?”

Protector Questions

Defensive Assessment

  • “What defenses should have caught this?”
  • “How might this have gotten past your security controls?”
  • “What vulnerabilities would this exploit?”
  • “What defensive gaps does this expose?”
  • “How would you normally protect against this type of attack?”

System Security

  • “What systems are most at risk here?”
  • “How would you assess the current security posture?”
  • “What immediate protections could you implement?”
  • “What would you lock down first?”
  • “How do you balance security with operational needs?”

When Protectors Find Compromise

  • “How extensive is the compromise?”
  • “What systems need immediate protection?”
  • “How would you contain this without disrupting operations?”
  • “What defensive measures are still intact?”
  • “How do you prevent further spread?”

Tracker Questions

Network Analysis

  • “What unusual network activity would concern you?”
  • “How would you monitor data flows in this situation?”
  • “What traffic patterns would indicate a problem?”
  • “Where would you look for signs of data theft?”
  • “What network behavior seems out of place?”

Data Flow Investigation

  • “What data would be valuable to an attacker here?”
  • “How would you trace suspicious connections?”
  • “What would normal network traffic look like versus this?”
  • “How do you identify command and control communications?”
  • “What geographic or timing patterns might be significant?”

When Trackers Find Suspicious Activity

  • “What does this traffic pattern tell you?”
  • “How would you characterize this data exfiltration?”
  • “What can you determine about the destination?”
  • “How long has this unusual activity been happening?”
  • “What other network indicators should we look for?”

Communicator Questions

Human Factor Analysis

  • “How would users typically interact with this type of attack?”
  • “What social engineering techniques might be involved?”
  • “Who would be the most likely targets in this organization?”
  • “What would make people fall for this type of deception?”
  • “How do you assess the human element of this incident?”

Stakeholder Management

  • “Who needs to know about this situation?”
  • “What are the business impacts we need to consider?”
  • “How would you communicate this to non-technical leadership?”
  • “What regulatory or compliance implications do you see?”
  • “How do you balance transparency with operational security?”

When Communicators Discover Social Engineering

  • “What made this social engineering effective?”
  • “How would you prevent this type of user manipulation?”
  • “What training gaps does this expose?”
  • “How do you rebuild user confidence after this?”
  • “What cultural changes would prevent future incidents?”

Crisis Manager Questions

Incident Coordination

  • “What’s your overall assessment of this situation?”
  • “How would you prioritize the team’s efforts?”
  • “What resources do you need to manage this incident?”
  • “How do you coordinate multiple investigation streams?”
  • “What’s your incident response strategy here?”

Organizational Impact

  • “What are the business continuity implications?”
  • “How do you balance investigation with operational needs?”
  • “What escalation criteria would you use?”
  • “How do you manage stakeholder expectations during investigation?”
  • “What documentation requirements do you have?”

When Crisis Managers See the Big Picture

  • “How does this incident fit into broader organizational risk?”
  • “What patterns suggest this might be targeted versus opportunistic?”
  • “How do you allocate team resources most effectively?”
  • “What are the strategic implications of this type of attack?”
  • “How do you prepare for potential escalation?”

Threat Hunter Questions

Proactive Discovery

  • “What might we be missing in this investigation?”
  • “Where would an advanced attacker try to hide?”
  • “What other indicators should we be hunting for?”
  • “How would you search for persistence mechanisms?”
  • “What assumptions about this attack might be wrong?”

Advanced Analysis

  • “What sophisticated techniques might be involved here?”
  • “How would you look for signs of lateral movement?”
  • “What would indicate this is part of a larger campaign?”
  • “How do you hunt for the unknown unknowns?”
  • “What threat intelligence would be relevant here?”

When Threat Hunters Find Hidden Elements

  • “What does this discovery change about our understanding?”
  • “How does this hidden element connect to the visible attack?”
  • “What other hidden threats should we now look for?”
  • “How would you validate this threat hunting discovery?”
  • “What does this suggest about the sophistication of our adversary?”

Malmon Type-Specific Questions

Trojan-Type Malmons (GaboonGrabber, FakeBat, etc.)

Deception Focus

  • “What made this seem legitimate to users?”
  • “How would you verify the authenticity of software?”
  • “What red flags should users have noticed?”
  • “How do you distinguish legitimate from fake applications?”
  • “What trust relationships did this exploit?”

Masquerading Techniques

  • “How is this pretending to be something it’s not?”
  • “What legitimate process is it mimicking?”
  • “How would you detect masquerading malware?”
  • “What signatures would indicate deception?”
  • “How do you validate system integrity?”

Worm-Type Malmons (WannaCry, Code Red, etc.)

Propagation Focus

  • “How might this be spreading between systems?”
  • “What network vulnerabilities enable rapid spread?”
  • “How would you contain a self-propagating threat?”
  • “What would stop the spread most effectively?”
  • “How do you identify the propagation vector?”

Network Exploitation

  • “What network services might be vulnerable here?”
  • “How would you assess network exposure?”
  • “What patching strategy would address this?”
  • “How do you prevent network-based attacks?”
  • “What network segmentation would help?”

Ransomware-Type Malmons (LockBit, etc.)

Data Protection Focus

  • “What data would be most valuable to encrypt?”
  • “How would you protect against data encryption attacks?”
  • “What backup and recovery capabilities do you have?”
  • “How do you maintain business continuity during encryption attacks?”
  • “What would indicate ransomware deployment?”

Business Impact Analysis

  • “What would be the operational impact of data encryption?”
  • “How do you prioritize system recovery?”
  • “What communication strategy would you use with stakeholders?”
  • “How do you assess the cost-benefit of paying versus recovering?”
  • “What legal and regulatory implications exist?”

APT-Type Malmons (Stuxnet, Noodle RAT, etc.)

Sophisticated Threat Focus

  • “What level of sophistication does this suggest?”
  • “How would you attribute this to specific threat actors?”
  • “What geopolitical context might be relevant?”
  • “How do you investigate nation-state-level threats?”
  • “What resources would an attacker need for this?”

Long-term Persistence

  • “How might this establish long-term access?”
  • “What would indicate advanced persistence techniques?”
  • “How do you hunt for dormant threats?”
  • “What counter-intelligence considerations apply?”
  • “How do you investigate without alerting sophisticated adversaries?”

Expertise Level Adaptations

For High-Expertise Groups

Leveraging Deep Technical Experience

  • “Based on your experience, what attack patterns do you recognize here?”
  • “What forensic techniques have you used for similar situations?”
  • “What network analysis approaches would you apply here?”
  • “How would you approach analyzing unknown malware?”
  • “What intelligence sources have helped you in past incidents?”

Drawing on Advanced Experience

  • “What behavioral patterns would concern you in your environment?”
  • “How have you seen automated detection help with similar threats?”
  • “What connections do you see to threats you’ve encountered before?”
  • “What sophisticated techniques worry you most as a defender?”
  • “How do you typically develop detection capabilities for new threats?”

For Mixed-Expertise Groups

Bridging Questions

  • “Can someone explain that concept for the less technical folks?”
  • “How would you translate that finding for management?”
  • “What’s the business impact of what you just described?”
  • “How does that technical detail affect our response options?”
  • “What would that look like to an end user?”

Collaborative Discovery

  • “Who here has experience with similar situations?”
  • “What would your organization’s process be for this?”
  • “How would different roles in your company handle this?”
  • “What questions would your management ask about this?”
  • “How do you explain technical risks to non-technical people?”

For Business-Focused Groups

Impact and Risk Focus

  • “From your business experience, what would concern you most about this situation?”
  • “How have you seen cybersecurity incidents affect organizations?”
  • “What compliance or regulatory issues would worry you here?”
  • “Based on your role, how would this disrupt normal operations?”
  • “What recovery challenges have you observed in business contexts?”

Decision-Making Framework

  • “Based on your management experience, what information would you need here?”
  • “How have you balanced competing priorities in crisis situations?”
  • “Who would you involve in these kinds of decisions?”
  • “How do you typically communicate complex problems to leadership?”
  • “What business protection mechanisms have you worked with?”

Progressive Question Techniques

When Initial Questions Don’t Work

Simplification Sequence

  1. Technical question fails: “Let me ask that differently…”
  2. Simplify: “What would worry you about this situation?”
  3. Common sense: “Using logic, what seems wrong here?”
  4. Analogy: “This is like [familiar situation]…”
  5. Multiple choice: “Would you be more concerned about A, B, or C?”

Building Complexity

  1. Start simple: “What seems unusual?”
  2. Add context: “Given that it’s unusual, what might cause that?”
  3. Explore implications: “If that’s true, what would it mean for…”
  4. Connect evidence: “How does that relate to what others found?”
  5. Synthesize: “What story do all these pieces tell together?”

When Groups Get Stuck

Perspective Shifts

  • “Let’s approach this from a different angle…”
  • “What would [different role] think about this?”
  • “If you were the attacker, what would you be trying to accomplish?”
  • “What would success look like from the adversary’s perspective?”
  • “How would this look to an outside observer?”

Knowledge Building

  • “What do we know for certain?”
  • “What are our best theories about what’s happening?”
  • “What evidence would support or disprove our theories?”
  • “What’s the simplest explanation for what we’re seeing?”
  • “What assumptions are we making that might be wrong?”

Emergency Discovery Questions

When Everything Else Fails

  • “If you had to guess what’s happening here, what would it be?”
  • “What’s your gut feeling about this situation?”
  • “If this were a movie, what would the villain be trying to do?”
  • “What would make someone target this organization?”
  • “What would be the worst-case scenario here?”

Energy Restoration

  • “What would happen if we were wrong about this?”
  • “Who would be panicking about this right now?”
  • “What would the news headlines say if this got out?”
  • “How would your CEO react to this situation?”
  • “What keeps you awake at night about cybersecurity?”

Remember: The goal of discovery questions is to facilitate group learning and collaborative investigation. The best questions help participants use their existing knowledge to understand new concepts and connect evidence into a coherent understanding of the threat.