Code Red Scenario: Web Hosting Company Crisis
Scenario Details for IMs
Opening Presentation
“It’s Tuesday afternoon at NetHost Solutions during peak summer e-commerce season, and the company is managing record traffic for their 15,000 client websites. Suddenly, the operations center receives alerts that hundreds of client websites are displaying the message ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of their normal content. Network monitoring shows their IIS servers are generating massive amounts of scanning traffic targeting other web servers across the internet.”
Initial Symptoms to Present:
- “Client websites displaying identical defacement messages instead of normal content”
- “IIS web servers generating massive amounts of outbound scanning traffic”
- “Network bandwidth consumption spiking due to automated scanning activity”
- “Multiple client websites affected simultaneously across different server clusters”
Key Discovery Paths:
Detective Investigation Leads:
- Web server log analysis reveals buffer overflow exploitation targeting IIS vulnerability
- File system examination shows memory-only infection with no persistent files created
- Timeline analysis indicates rapid automated propagation across vulnerable server infrastructure
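The log-analysis lead above can be scripted. The following is an added example, not part of the original scenario material: a small detector over IIS W3C extended log lines that flags the request shape a Code Red-style ISAPI buffer-overflow attempt leaves behind (an oversized query string, a long run of identical filler bytes, and %u-encoded payload bytes). The log lines, the client addresses, the length threshold and the exact filler are all constructed assumptions for the exercise.

```python
import re
from dataclasses import dataclass, field

# Assumed thresholds; tune per site. A legitimate query rarely exceeds this
# length and almost never contains a long run of one character plus %uXXXX bytes.
MAX_QUERY_LEN = 200
FILLER_RUN = re.compile(r"(.)\1{49,}")                # 50+ identical chars in a row
UNICODE_ENC = re.compile(r"(?:%u[0-9a-fA-F]{4}){2,}")  # two or more %u-encoded words

# Constructed sample log (not a real capture). The third line mimics the 2001
# worm's .ida overflow request: filler bytes followed by %u-encoded payload.
OVERFLOW_QUERY = "N" * 224 + "%u9090" * 4
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 203.0.113.7 GET /index.html - 200",
    f"2001-07-19 14:02:13 198.51.100.9 GET /default.ida {OVERFLOW_QUERY} 200",
    "2001-07-19 14:02:14 203.0.113.7 GET /images/logo.gif - 200",
])

@dataclass
class Hit:
    time: str
    client: str
    stem: str
    reasons: list = field(default_factory=list)

def parse_w3c(text):
    """Yield one dict per record, using the #Fields: directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or header-less records
        yield dict(zip(fields, parts))

def flag_overflow_attempts(text):
    """Return records that match at least two of the three overflow heuristics."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        reasons = []
        if len(query) > MAX_QUERY_LEN:
            reasons.append("oversized query")
        if FILLER_RUN.search(query):
            reasons.append("repeated filler bytes")
        if UNICODE_ENC.search(query):
            reasons.append("%u-encoded payload")
        if len(reasons) >= 2:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits
```

Because the worm is memory-resident, the same request pattern appearing in the server's outbound traffic (or in another organisation's logs with NetHost addresses as c-ip) is the sign that a host has already been infected rather than merely probed.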
Protector System Analysis:
- Real-time monitoring shows infected servers participating in coordinated internet scanning
- Web server security assessment reveals unpatched IIS systems vulnerable to buffer overflow
- Network traffic analysis indicates participation in distributed coordinated attack infrastructure
Tracker Network Investigation:
- Internet traffic analysis reveals coordinated scanning patterns targeting global web server infrastructure
- DNS and network flow data shows communication with other infected systems worldwide
- Attack source analysis indicates automated worm propagation rather than targeted attacks
Communicator Stakeholder Interviews:
- Client communications regarding website defacements and business impact during peak season
- ISP coordination about malicious traffic originating from company infrastructure
- Security community information sharing about internet-wide worm propagation
Mid-Scenario Pressure Points:
- Hour 1: Major e-commerce client threatens contract termination due to website defacement during peak sales period
- Hour 2: ISP contacts company about malicious scanning traffic violating terms of service
- Hour 3: Security community reports company’s servers participating in coordinated DDoS attack preparation
- Hour 4: News media reports widespread internet worm affecting web hosting providers
Evolution Triggers:
- If response takes longer than 6 hours, infected servers participate in massive coordinated DDoS attack
- If patch deployment is delayed, worm continues spreading to additional client websites
- If network isolation fails, company infrastructure continues contributing to internet-wide attacks
Resolution Pathways:
Technical Success Indicators:
- Emergency patch deployment stops worm propagation across server infrastructure
- Network isolation prevents further participation in coordinated internet attacks
- Server restart and patching removes memory-only infection while maintaining client services
Business Success Indicators:
- Client relationships maintained through rapid response and transparent communication
- Business operations restored with minimal impact on hosting service availability
- Company reputation protected through professional incident management and coordinated response
Learning Success Indicators:
- Team understands internet-scale worm propagation and infrastructure targeting
- Participants recognize shared responsibility for internet security and coordinated defense
- Group demonstrates crisis management balancing business continuity with infrastructure security
Common IM Facilitation Challenges:
If Internet-Scale Impact Is Underestimated:
“Your server response is good, but Sandra just discovered that your infected systems are scanning the entire internet and participating in attacks against other organizations. How does this change your response priorities?”
If Client Impact Is Ignored:
“While you’re investigating the technical details, Jennifer has 50 angry clients on hold whose e-commerce websites are defaced during their peak sales season. How do you balance technical response with client relations?”
If Coordinated Nature Is Missed:
“David just realized this isn’t a targeted attack on NetHost - it’s an internet-wide worm that’s turning web hosting infrastructure into a coordinated attack platform. What does this mean for your response strategy?”