Code Red Scenario: Web Hosting Company Crisis

Code Red Scenario: Web Hosting Company Crisis

Frontier Hosting: Web hosting company, 500 employees, hosting 50,000+ websites

Worm • Code Red

STAKES

Client website availability + Business reputation + Internet infrastructure stability

HOOK

Frontier Hosting is managing peak summer traffic for their e-commerce clients when their operations center detects hundreds of client websites displaying defacement messages instead of normal content. Network monitoring reveals the IIS servers are generating massive outbound scanning traffic – the company’s infrastructure has been compromised and is now participating in coordinated internet attacks against other infrastructure targets.

PRESSURE

• Summer e-commerce peak season — client website downtime causes immediate revenue loss + Reputation damage threatens business survival

FRONT • 90 minutes • Intermediate

Frontier Hosting: Web hosting company, 500 employees, hosting 50,000+ websites

Worm • Code Red

NPCs

• Michael Torres (CEO): Managing 50,000+ client websites during peak season, watching servers get compromised in real-time, must balance immediate response with business continuity
• Sandra Williams (Network Administrator): Discovering that IIS servers are scanning the entire internet for vulnerable targets, realizing the company's infrastructure is participating in global attacks
• Karen Shah (Client Relations Manager): Fielding angry calls from e-commerce clients whose websites are defaced during peak sales season, must manage customer retention during security crisis
• David Thompson (Security Engineer): Analyzing the buffer overflow exploit targeting IIS servers, coordinating with ISPs and security community about internet-wide threat

SECRETS

• Web hosting company delayed IIS security patches to avoid disrupting client websites during peak season
• Hundreds of client websites share vulnerable server infrastructure with minimal security segmentation
• Infected servers are now attacking other institutions

Code Red Scenario: Web Hosting Company Crisis

Amsterdam Data Systems: Hosting provider near AMS-IX, 400 employees, 40,000+ websites

Worm • Code Red

STAKES

Client website availability + Business reputation + Internet infrastructure stability

HOOK

Amsterdam Data Systems is managing peak summer traffic for their e-commerce clients when their operations center detects hundreds of client websites displaying defacement messages instead of normal content. Network monitoring reveals the IIS servers are generating massive outbound scanning traffic – the company’s infrastructure has been compromised and is now participating in coordinated internet attacks against other infrastructure targets.

PRESSURE

• Summer e-commerce peak season — client website downtime causes immediate revenue loss + Reputation damage threatens business survival

FRONT • 90 minutes • Intermediate

Amsterdam Data Systems: Hosting provider near AMS-IX, 400 employees, 40,000+ websites

Worm • Code Red

NPCs

• Pieter van Dijk (CEO): Managing 40,000+ client websites during peak season, watching servers get compromised in real-time, must balance immediate response with business continuity
• Sander Visser (Network Administrator): Discovering that IIS servers are scanning the entire internet for vulnerable targets, realizing the company's infrastructure is participating in global attacks
• Marieke Smit (Client Relations Manager): Fielding angry calls from e-commerce clients whose websites are defaced during peak sales season, must manage customer retention during security crisis
• Maarten Jansen (Security Engineer): Analyzing the buffer overflow exploit targeting IIS servers, coordinating with ISPs and security community about internet-wide threat

SECRETS

• Web hosting company delayed IIS security patches to avoid disrupting client websites during peak season
• Hundreds of client websites share vulnerable server infrastructure with minimal security segmentation
• Infected servers are now attacking other institutions

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Code Red Web Hosting Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Code Red Web Hosting Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Tuesday afternoon at Frontier Hosting during peak summer e-commerce season, and the company is managing record traffic for their 50,000+ client websites. Suddenly, the operations center receives alerts that hundreds of client websites are now displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of their normal content. Network monitoring shows their IIS servers are generating massive amounts of scanning traffic targeting other web servers across the internet.”

“It’s Tuesday afternoon at Amsterdam Data Systems during peak summer e-commerce season, and the company is managing record traffic for their 40,000+ client websites. Suddenly, the operations center receives alerts that hundreds of client websites are now displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of their normal content. Network monitoring shows their IIS servers are generating massive amounts of scanning traffic targeting other web servers across the internet.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Client websites displaying identical defacement messages instead of normal content”
• “IIS web servers generating massive amounts of outbound scanning traffic”
• “Network bandwidth consumption spiking due to automated scanning activity”
• “Multiple client websites affected simultaneously across different server clusters”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Web server log analysis reveals buffer overflow exploitation targeting IIS vulnerability
• File system examination shows memory-only infection with no persistent files created
• Timeline analysis indicates rapid automated propagation across vulnerable server infrastructure

Protector System Analysis:

Note🛡️ Protector System Analysis

• Real-time monitoring shows infected servers participating in coordinated internet scanning
• Web server security assessment reveals unpatched IIS systems vulnerable to buffer overflow
• Network traffic analysis indicates participation in distributed coordinated attack infrastructure

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Internet traffic analysis reveals coordinated scanning patterns targeting global web server infrastructure
• DNS and network flow data shows communication with other infected systems worldwide
• Attack source analysis indicates automated worm propagation rather than targeted attacks

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Client communications regarding website defacements and business impact during peak season
• ISP coordination about malicious traffic originating from company infrastructure
• Security community information sharing about internet-wide worm propagation

Mid-Scenario Pressure Points:

• Hour 1: Major e-commerce client threatens contract termination due to website defacement during peak sales period
• Hour 2: ISP contacts company about malicious scanning traffic violating terms of service
• Hour 3: Security community reports company’s servers participating in coordinated DDoS attack preparation
• Hour 4: News media reports widespread internet worm affecting web hosting providers

Evolution Triggers:

• If response takes longer than 6 hours, infected servers participate in massive coordinated DDoS attack
• If patch deployment is delayed, worm continues spreading to additional client websites
• If network isolation fails, company infrastructure continues contributing to internet-wide attacks

Resolution Pathways:

Technical Success Indicators:

• Emergency patch deployment stops worm propagation across server infrastructure
• Network isolation prevents further participation in coordinated internet attacks
• Server restart and patching removes memory-only infection while maintaining client services

Business Success Indicators:

• Client relationships maintained through rapid response and transparent communication
• Business operations restored with minimal impact on hosting service availability
• Company reputation protected through professional incident management and coordinated response

Learning Success Indicators:

• Team understands internet-scale worm propagation and infrastructure targeting
• Participants recognize shared responsibility for internet security and coordinated defense
• Group demonstrates crisis management balancing business continuity with infrastructure security

Common IM Facilitation Challenges:

If Internet-Scale Impact Is Underestimated:

“Your server response is good, but Sandra Williams just discovered that your infected systems are scanning the entire internet and participating in attacks against other organizations. How does this change your response priorities?”

If Client Impact Is Ignored:

“While you’re investigating the technical details, Karen Shah has 50 angry clients on hold whose e-commerce websites are defaced during their peak sales season. How do you balance technical response with client relations?”

If Coordinated Nature Is Missed:

“David Thompson just realized this isn’t a targeted attack on Frontier Hosting – it’s an internet-wide worm that’s turning web hosting infrastructure into a coordinated attack platform. What does this mean for your response strategy?”

If Internet-Scale Impact Is Underestimated:

“Your server response is good, but Sander Visser just discovered that your infected systems are scanning the entire internet and participating in attacks against other organizations. How does this change your response priorities?”

If Client Impact Is Ignored:

“While you’re investigating the technical details, Marieke Smit has 50 angry clients on hold whose e-commerce websites are defaced during their peak sales season. How do you balance technical response with client relations?”

If Coordinated Nature Is Missed:

“Maarten Jansen just realized this isn’t a targeted attack on Amsterdam Data Systems – it’s an internet-wide worm that’s turning web hosting infrastructure into a coordinated attack platform. What does this mean for your response strategy?”

Success Metrics for Session:

• Team understands internet-scale worm behavior and infrastructure targeting
• Client service continuity maintained as priority throughout security incident response
• Coordinated response demonstrates understanding of shared internet security responsibility
• Learning includes web server security and vulnerability management in hosting environments
• Response strategy addresses both immediate threats and internet infrastructure protection

Template Compatibility

Quick Demo (35-40 min)

• Rounds: 1
• Actions per Player: 1
• Investigation: Guided
• Response: Pre-defined
• Focus: Use the “Hook” and “Initial Symptoms” to quickly establish web hosting crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and internet infrastructure responsibility.

Lunch & Learn (75-90 min)

• Rounds: 2
• Actions per Player: 2
• Investigation: Guided
• Response: Pre-defined
• Focus: This template allows for deeper exploration of web hosting cybersecurity challenges. Use the full set of NPCs to create realistic client service pressures. The two rounds allow Code Red to spread to more clients and begin coordinated attacks, raising stakes. Debrief can explore balance between business operations and internet security responsibility.

Full Game (120-140 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing client website availability, business reputation, internet infrastructure stability, and coordinated attack participation. The three rounds allow for full narrative arc including worm’s internet-scale propagation and DDoS attack coordination.

Advanced Challenge (150-170 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Complexity: Add red herrings (e.g., legitimate IIS updates causing unrelated client website issues). Make containment ambiguous, requiring players to justify client-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and web hosting security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Web server log analysis reveals active exploitation of an IIS buffer overflow vulnerability across servers hosting 50,000+ client websites. The memory-only worm is spreading autonomously through Frontier Hosting‘s infrastructure, defacing hundreds of client websites with ’HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during peak summer e-commerce season.”

Clue 2 (Minute 10): “Real-time network monitoring shows infected IIS servers generating massive internet scanning traffic targeting other web servers globally. Web server security assessment reveals Frontier Hosting delayed IIS patches to avoid disrupting client websites during peak season, creating widespread vulnerability across their hosting infrastructure serving thousands of business clients.”

Clue 3 (Minute 15): “Internet traffic analysis reveals Frontier Hosting’s infected servers participating in coordinated scanning and DDoS attack preparation against internet infrastructure targets. ISP contacts indicate the company’s infrastructure is violating terms of service through malicious traffic, while major e-commerce clients are threatening contract termination due to defaced websites during their peak sales period.”

Clue 1 (Minute 5): “Web server log analysis reveals active exploitation of an IIS buffer overflow vulnerability across servers hosting 40,000+ client websites. The memory-only worm is spreading autonomously through Amsterdam Data Systems‘s infrastructure, defacing hundreds of client websites with ’HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during peak summer e-commerce season.”

Clue 2 (Minute 10): “Real-time network monitoring shows infected IIS servers generating massive internet scanning traffic targeting other web servers globally. Web server security assessment reveals Amsterdam Data Systems delayed IIS patches to avoid disrupting client websites during peak season, creating widespread vulnerability across their hosting infrastructure serving thousands of business clients.”

Clue 3 (Minute 15): “Internet traffic analysis reveals Amsterdam Data Systems’s infected servers participating in coordinated scanning and DDoS attack preparation against internet infrastructure targets. ISP contacts indicate the company’s infrastructure is violating terms of service through malicious traffic, while major e-commerce clients are threatening contract termination due to defaced websites during their peak sales period.”

Pre-Defined Response Options

Option A: Emergency IIS Patching & Internet Isolation

• Action: Immediately deploy emergency IIS patches to all web hosting servers, isolate infected systems from internet to stop coordinated attacks, restore client websites from secure backups, coordinate with ISPs and security community about internet threat cessation.
• Pros: Completely stops worm propagation and ends company participation in internet attacks; enables rapid client website restoration; demonstrates responsible internet infrastructure management.
• Cons: Requires complete hosting infrastructure patching affecting all 50,000+ client websites temporarily; some client data from peak season may need restoration from backups.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

• Action: Immediately deploy emergency IIS patches to all web hosting servers, isolate infected systems from internet to stop coordinated attacks, restore client websites from secure backups, coordinate with ISPs and security community about internet threat cessation.
• Pros: Completely stops worm propagation and ends company participation in internet attacks; enables rapid client website restoration; demonstrates responsible internet infrastructure management.
• Cons: Requires complete hosting infrastructure patching affecting all 40,000+ client websites temporarily; some client data from peak season may need restoration from backups.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

Option B: Prioritized Client Restoration & Service Focus

• Action: Quarantine confirmed infected servers, implement prioritized restoration for high-value client websites first, maintain service for unaffected clients while accelerating infrastructure-wide remediation.
• Pros: Allows continued web hosting operations for major clients; protects business relationships through revenue-prioritized recovery; maintains peak season service for unaffected customers.
• Cons: Risks continued worm propagation in non-prioritized infrastructure; hosting infrastructure continues participating in internet attacks during selective restoration; may affect smaller clients disproportionately.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or coordinated attack participation.

• Action: Quarantine confirmed infected servers, implement prioritized restoration for high-value client websites first, maintain service for unaffected clients while accelerating infrastructure-wide remediation.
• Pros: Allows continued web hosting operations for major clients; protects business relationships through revenue-prioritized recovery; maintains peak season service for unaffected customers.
• Cons: Risks continued worm propagation in non-prioritized infrastructure; hosting infrastructure continues participating in internet attacks during selective restoration; may affect smaller clients disproportionately.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or coordinated attack participation.

Option C: Mass Server Reboot & Infrastructure Coordination

• Action: Perform coordinated hosting-infrastructure-wide server reboot to eliminate memory-only worm, rapidly restore all 50,000+ client websites simultaneously from backups, coordinate with web hosting industry and security community about internet-scale threat response.
• Pros: Fastest technical solution eliminating worm through memory clearing; demonstrates web hosting industry leadership through coordinated response and information sharing with internet security community.
• Cons: Requires complete hosting infrastructure downtime affecting all clients simultaneously during peak e-commerce season; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection without proper patching.

• Action: Perform coordinated hosting-infrastructure-wide server reboot to eliminate memory-only worm, rapidly restore all 40,000+ client websites simultaneously from backups, coordinate with web hosting industry and security community about internet-scale threat response.
• Pros: Fastest technical solution eliminating worm through memory clearing; demonstrates web hosting industry leadership through coordinated response and information sharing with internet security community.
• Cons: Requires complete hosting infrastructure downtime affecting all clients simultaneously during peak e-commerce season; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection without proper patching.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Client Support Manager Rachel Thompson reports 2,000+ urgent tickets from website owners seeing defacement messages. “Small businesses, personal sites, e-commerce stores – all showing ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of their content!”
• Clue 2 (Minute 10): Hosting infrastructure forensics reveal an IIS buffer overflow being actively exploited across the shared hosting platform. The infection is autonomously spreading through 50,000+ client websites on 500+ shared hosting servers during peak e-commerce season.
• Clue 3 (Minute 15): Network monitoring shows infected hosting servers generating massive scanning traffic and participating in coordinated attacks against other internet infrastructure. “We’re attacking other hosting providers, ISPs, and websites worldwide.”
• Clue 4 (Minute 20): Infrastructure Director Mark Rodriguez reveals that IIS patches were delayed to avoid disrupting client websites during summer e-commerce peak. “We couldn’t risk platform updates when clients depend on uptime for their business revenue.”

• Clue 1 (Minute 5): Client Support Manager Rachel Thompson reports 2,000+ urgent tickets from website owners seeing defacement messages. “Small businesses, personal sites, e-commerce stores – all showing ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of their content!”
• Clue 2 (Minute 10): Hosting infrastructure forensics reveal an IIS buffer overflow being actively exploited across the shared hosting platform. The infection is autonomously spreading through 40,000+ client websites on 500+ shared hosting servers during peak e-commerce season.
• Clue 3 (Minute 15): Network monitoring shows infected hosting servers generating massive scanning traffic and participating in coordinated attacks against other internet infrastructure. “We’re attacking other hosting providers, ISPs, and websites worldwide.”
• Clue 4 (Minute 20): Infrastructure Director Mark Rodriguez reveals that IIS patches were delayed to avoid disrupting client websites during summer e-commerce peak. “We couldn’t risk platform updates when clients depend on uptime for their business revenue.”

Response Options:

• Option A: Emergency Infrastructure Reboot - Immediately reboot all infected hosting servers to clear memory-only worm, restore client websites from backups, delay comprehensive patching until after peak season.
  • Pros: Fastest path to client website restoration; minimal e-commerce disruption; maintains client business continuity.
  • Cons: Doesn’t patch underlying IIS vulnerability; servers will be reinfected within hours; continues internet attack participation risk.
  • Type Effectiveness: Partially effective – clears current infection but leaves reinfection vector open.
• Option B: Tiered Client Patching - Patch hosting servers for high-revenue clients first (enterprise accounts), quarantine remaining infected infrastructure, restore services in revenue-prioritized order.
  • Pros: Protects highest-revenue relationships; balances security with business needs; enables controlled restoration.
  • Cons: Small business clients remain compromised; differential treatment damages platform trust; partial attack participation continues.
  • Type Effectiveness: Moderately effective – stops propagation in patched systems but worm remains active in others.
• Option C: Platform Isolation & Emergency Hosting - Isolate entire hosting infrastructure from internet to stop attack participation, migrate critical clients to temporary clean servers, defer full remediation to post-peak season.
  • Pros: Stops company’s attack participation immediately; maintains service for critical clients; allows systematic patching.
  • Cons: Most clients experience downtime; emergency migration complex for websites; revenue impact during peak season.
  • Type Effectiveness: Moderately effective – contains threat but sacrifices revenue for security.

Round 2: Scope Assessment & Response (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): If Option A (reboot only) was chosen: Within 2 hours, hosting infrastructure is reinfected. Other hosting providers report attacks from Frontier Hosting IP addresses. “Major competitors are blocking our IP ranges due to attack traffic.”
• Clue 5 (Minute 30): If Option B or C was chosen: Revenue analysis shows enterprise clients maintained service, but 10,000 small business clients lost hours of peak e-commerce traffic – representing significant revenue loss affecting business survival.
• Clue 6 (Minute 40): Infrastructure forensics reveal worm has been resident for 18 hours, allowing potential access to client website data, customer databases, and e-commerce transactions across shared hosting environment.
• Clue 7 (Minute 50): CEO receives calls from major clients threatening migration to competitors if service reliability issues aren’t resolved. “Amazon Web Services and other providers are offering migration incentives.”
• Clue 8 (Minute 55): Legal counsel advises that client data exposure in shared hosting environment triggers complex breach notification requirements – multiple clients’ customer data potentially affected.

• Clue 5 (Minute 30): If Option A (reboot only) was chosen: Within 2 hours, hosting infrastructure is reinfected. Other hosting providers report attacks from Amsterdam Data Systems IP addresses. “Major competitors are blocking our IP ranges due to attack traffic.”
• Clue 5 (Minute 30): If Option B or C was chosen: Revenue analysis shows enterprise clients maintained service, but 10,000 small business clients lost hours of peak e-commerce traffic – representing significant revenue loss affecting business survival.
• Clue 6 (Minute 40): Infrastructure forensics reveal worm has been resident for 18 hours, allowing potential access to client website data, customer databases, and e-commerce transactions across shared hosting environment.
• Clue 7 (Minute 50): CEO receives calls from major clients threatening migration to competitors if service reliability issues aren’t resolved. “European cloud providers and other providers are offering migration incentives.”
• Clue 8 (Minute 55): Legal counsel advises that client data exposure in shared hosting environment triggers complex breach notification requirements – multiple clients’ customer data potentially affected.

Response Options:

• Option A: Emergency Full Patching with Client Compensation - Deploy comprehensive IIS patching across entire hosting infrastructure, coordinate simultaneous client website restoration, offer service credits to affected clients, issue proactive data exposure notification.
  • Pros: Completely eliminates worm; demonstrates client partnership through compensation; meets regulatory requirements; protects long-term platform trust.
  • Cons: Brief downtime affects remaining peak season revenue; compensation is expensive; acknowledges infrastructure security failure.
  • Type Effectiveness: Super effective against Worm type – eliminates vulnerability and infection completely.
• Option B: Peak Season Containment with Post-Season Remediation - Maintain current containment state through peak e-commerce period, implement enhanced monitoring, schedule comprehensive patching for after season ends.
  • Pros: Maximizes peak season revenue recovery; allows systematic thorough patching; minimizes immediate client disruption.
  • Cons: Extended vulnerability window; continued limited attack participation; delayed breach notification may violate regulations.
  • Type Effectiveness: Moderately effective – maintains containment but delays complete remediation.
• Option C: Third-Party Infrastructure Support - Engage external hosting security consultants, implement parallel backup hosting for critical clients, conduct comprehensive forensic analysis of client data exposure while maintaining operations.
  • Pros: Expert assistance accelerates response; business continuity for major clients; thorough data exposure assessment.
  • Cons: Expensive external support during peak season; potential client data exposure to consultants; admission of insufficient internal capability.
  • Type Effectiveness: Moderately effective – improves response quality but extends timeline and increases cost.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether the hosting platform quickly returns to vulnerable operation (reboot approach) or maintains containment with significant client impact (isolation/selective approaches). Either way, the situation escalates as major clients threaten migration to competitors, other hosting providers block Frontier Hosting IP addresses due to attacks, forensics reveals extensive potential client data exposure in shared hosting environment, and legal counsel demands breach notification compliance during peak revenue season. The team must balance complete security remediation with client retention, regulatory compliance, industry reputation, and business survival during critical e-commerce period.

After Round 1 → Round 2:

The team’s initial response determines whether the hosting platform quickly returns to vulnerable operation (reboot approach) or maintains containment with significant client impact (isolation/selective approaches). Either way, the situation escalates as major clients threaten migration to competitors, other hosting providers block Amsterdam Data Systems IP addresses due to attacks, forensics reveals extensive potential client data exposure in shared hosting environment, and legal counsel demands breach notification compliance during peak revenue season. The team must balance complete security remediation with client retention, regulatory compliance, industry reputation, and business survival during critical e-commerce period.

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 shifts from immediate crisis response to long-term strategic recovery. Rounds run 30-35 minutes each with more open-ended decision-making. Use the Resolution Pathways section to guide your assessment of team progress.

Round 1: Initial Web Hosting Worm Outbreak (30 min)

Peak summer e-commerce season at Frontier Hosting – the web hosting provider serves 50,000+ client websites with shared IIS infrastructure. Network Administrator Sandra Williams detects servers scanning the entire internet for vulnerable targets, while Client Relations Manager Karen Shah reports angry calls flooding in from e-commerce clients whose websites are displaying defacement messages during their busiest sales period.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow (delayed to avoid disrupting client websites during peak season), the worm’s autonomous propagation across the shared hosting infrastructure, and the scope of client impact (hundreds of websites defaced within hours, with the infection spreading to thousands).

If the team stalls: “Security Engineer David Thompson traces the exploit chain: ‘The worm is hitting our IIS servers through the same buffer overflow Microsoft patched weeks ago. We delayed the patch to avoid breaking client websites during summer traffic peaks – now every server in our shared infrastructure is a target.’”

Facilitation questions:

• “50,000+ client websites share the same server infrastructure – what does worm propagation look like when there’s no network segmentation between clients?”
• “E-commerce clients are losing revenue every minute their websites are down during peak summer season – how do you balance speed of restoration against thoroughness of remediation?”
• “Your infected servers are scanning the entire internet and participating in coordinated attacks – what’s your responsibility to the broader internet beyond your own clients?”

Peak summer e-commerce season at Amsterdam Data Systems – the web hosting provider serves 40,000+ client websites with shared IIS infrastructure. Network Administrator Sander Visser detects servers scanning the entire internet for vulnerable targets, while Client Relations Manager Marieke Smit reports angry calls flooding in from e-commerce clients whose websites are displaying defacement messages during their busiest sales period.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow (delayed to avoid disrupting client websites during peak season), the worm’s autonomous propagation across the shared hosting infrastructure, and the scope of client impact (hundreds of websites defaced within hours, with the infection spreading to thousands).

If the team stalls: “Security Engineer Maarten Jansen traces the exploit chain: ‘The worm is hitting our IIS servers through the same buffer overflow Microsoft patched weeks ago. We delayed the patch to avoid breaking client websites during summer traffic peaks – now every server in our shared infrastructure is a target.’”

Facilitation questions:

• “40,000+ client websites share the same server infrastructure – what does worm propagation look like when there’s no network segmentation between clients?”
• “E-commerce clients are losing revenue every minute their websites are down during peak summer season – how do you balance speed of restoration against thoroughness of remediation?”
• “Your infected servers are scanning the entire internet and participating in coordinated attacks – what’s your responsibility to the broader internet beyond your own clients?”

Round 1→2 Transition

The investigation reveals automated IIS worm propagation across the entire shared hosting infrastructure. CEO Michael Torres faces the core tension: the worm is memory-resident, so rebooting clears it temporarily, but reinfection happens within minutes from continued internet scanning. Complete remediation requires patching all servers – which means taking 50,000+ client websites offline during peak revenue season.

The investigation reveals automated IIS worm propagation across the entire shared hosting infrastructure. CEO Pieter van Dijk faces the core tension: the worm is memory-resident, so rebooting clears it temporarily, but reinfection happens within minutes from continued internet scanning. Complete remediation requires patching all servers – which means taking 40,000+ client websites offline during peak revenue season.

Round 2: Client Revenue Crisis & Infrastructure Responsibility (35 min)

If teams chose immediate infrastructure shutdown: All 50,000+ client websites offline during peak summer season. E-commerce clients losing revenue by the hour. Some clients had no backup hosting arrangements and face complete online presence loss. Client Relations Manager Karen Shah receiving threats of breach-of-contract lawsuits.

If teams attempted rolling remediation: Some servers patched and restored, but unpatched servers continue reinfecting patched ones through the flat network. Clients on restored servers experience intermittent reinfection. The “whack-a-mole” pattern is frustrating both staff and clients.

New developments beyond Round 1: Infected hosting servers are participating in coordinated DDoS attacks against internet infrastructure targets – Frontier Hosting’s infrastructure is being weaponized. ISPs upstream from Frontier Hosting are threatening to null-route the company’s IP ranges if attack traffic isn’t stopped, which would take ALL client websites offline regardless of remediation status. Competitor hosting companies are offering emergency migration deals to Frontier Hosting clients.

Facilitation questions:

• “Your upstream ISP is threatening to null-route your entire IP range if attack traffic continues – that’s 50,000+ client websites gone regardless of what you do. How does this external pressure change your approach?”
• “The worm reinfects patched servers through unpatched ones on the same network – what infrastructure architecture would have prevented this cascade?”
• “E-commerce clients are losing peak summer revenue, and some may not survive – what’s the hosting provider’s responsibility beyond SLA credits?”

If teams chose immediate infrastructure shutdown: All 40,000+ client websites offline during peak summer season. E-commerce clients losing revenue by the hour. Some clients had no backup hosting arrangements and face complete online presence loss. Client Relations Manager Marieke Smit receiving threats of breach-of-contract lawsuits.

If teams attempted rolling remediation: Some servers patched and restored, but unpatched servers continue reinfecting patched ones through the flat network. Clients on restored servers experience intermittent reinfection. The “whack-a-mole” pattern is frustrating both staff and clients.

New developments beyond Round 1: Infected hosting servers are participating in coordinated DDoS attacks against internet infrastructure targets – Amsterdam Data Systems’s infrastructure is being weaponized. ISPs upstream from Amsterdam Data Systems are threatening to null-route the company’s IP ranges if attack traffic isn’t stopped, which would take ALL client websites offline regardless of remediation status. Competitor hosting companies are offering emergency migration deals to Amsterdam Data Systems clients.

Facilitation questions:

• “Your upstream ISP is threatening to null-route your entire IP range if attack traffic continues – that’s 40,000+ client websites gone regardless of what you do. How does this external pressure change your approach?”
• “The worm reinfects patched servers through unpatched ones on the same network – what infrastructure architecture would have prevented this cascade?”
• “E-commerce clients are losing peak summer revenue, and some may not survive – what’s the hosting provider’s responsibility beyond SLA credits?”

Round 2→3 Transition

The worm is contained – all servers patched, client websites being restored from pre-infection backups. But the damage is significant: hours to days of client website downtime during peak season, potential participation in internet-wide attacks, and the fundamental revelation that shared hosting infrastructure with no segmentation is a single point of failure. Focus shifts to client trust and infrastructure redesign.

The worm is contained – all servers patched, client websites being restored from pre-infection backups. But the damage is significant: hours to days of client website downtime during peak season, potential participation in internet-wide attacks, and the fundamental revelation that shared hosting infrastructure with no segmentation is a single point of failure. Focus shifts to client trust and infrastructure redesign.

Round 3: Long-Term Hosting Security & Client Recovery (35 min)

Three weeks post-incident. Client websites are restored but the business aftermath is severe – e-commerce clients lost peak summer revenue, some small business clients are evaluating alternatives, and the hosting industry is questioning shared infrastructure security models. Frontier Hosting faces a defining question: how do you continue operating a shared hosting business when the fundamental architecture enabled a single vulnerability to compromise 50,000+ client websites?

Investigation focus areas:

• Infrastructure security redesign – Security Engineer David Thompson proposes: client isolation through containerization, automated vulnerability management, network segmentation between client environments, continuous monitoring. Major infrastructure investment requiring 10-12 week implementation
• Client retention strategy – Karen Shah assesses: client attrition risk by segment (enterprise clients demanding dedicated infrastructure, e-commerce clients evaluating competitors, small business clients considering cloud platforms), SLA credit obligations, and retention incentives
• ISP and internet community relations – Upstream ISPs and internet infrastructure organizations evaluating Frontier Hosting’s responsible hosting practices; positive security response demonstration affects future peering and connectivity agreements
• Business model evaluation – CEO Michael Torres questioning whether shared hosting at current price points can support the security infrastructure needed; potential pivot to managed hosting or cloud services

Pressure events:

• Two enterprise clients (representing 12% of revenue) announce migration to dedicated hosting providers, citing security concerns
• Hosting industry review site publishes “Frontier Hosting Security Incident Analysis” that becomes widely shared among potential customers
• ISP sends formal notice requiring security remediation plan within 30 days to maintain current connectivity agreements
• Key systems administrator receives competing offer from a cloud provider, citing Frontier Hosting’s infrastructure challenges

Facilitation questions:

• “Can shared web hosting be done securely, or does this incident prove the model is fundamentally flawed?”
• “How do you convince 50,000+ client websites to stay when competitors are actively offering migration deals?”
• “What’s Frontier Hosting’s responsibility to the broader internet when its infrastructure was used as an attack platform?”

Three weeks post-incident. Client websites are restored but the business aftermath is severe – e-commerce clients lost peak summer revenue, some small business clients are evaluating alternatives, and the hosting industry is questioning shared infrastructure security models. Amsterdam Data Systems faces a defining question: how do you continue operating a shared hosting business when the fundamental architecture enabled a single vulnerability to compromise 40,000+ client websites?

Investigation focus areas:

• Infrastructure security redesign – Security Engineer Maarten Jansen proposes: client isolation through containerization, automated vulnerability management, network segmentation between client environments, continuous monitoring. Major infrastructure investment requiring 10-12 week implementation
• Client retention strategy – Marieke Smit assesses: client attrition risk by segment (enterprise clients demanding dedicated infrastructure, e-commerce clients evaluating competitors, small business clients considering cloud platforms), SLA credit obligations, and retention incentives
• ISP and internet community relations – Upstream ISPs and internet infrastructure organizations evaluating Amsterdam Data Systems’s responsible hosting practices; positive security response demonstration affects future peering and connectivity agreements
• Business model evaluation – CEO Pieter van Dijk questioning whether shared hosting at current price points can support the security infrastructure needed; potential pivot to managed hosting or cloud services

Pressure events:

• Two enterprise clients (representing 12% of revenue) announce migration to dedicated hosting providers, citing security concerns
• Hosting industry review site publishes “Amsterdam Data Systems Security Incident Analysis” that becomes widely shared among potential customers
• ISP sends formal notice requiring security remediation plan within 30 days to maintain current connectivity agreements
• Key systems administrator receives competing offer from a cloud provider, citing Amsterdam Data Systems’s infrastructure challenges

Facilitation questions:

• “Can shared web hosting be done securely, or does this incident prove the model is fundamentally flawed?”
• “How do you convince 40,000+ client websites to stay when competitors are actively offering migration deals?”
• “What’s Amsterdam Data Systems’s responsibility to the broader internet when its infrastructure was used as an attack platform?”

Victory Conditions

• Worm eliminated across all hosting infrastructure with comprehensive server patching
• Client website restoration completed with SLA compliance assessment
• Internet community responsibility demonstrated through ISP and infrastructure coordination
• Hosting infrastructure security architecture redesigned with client isolation

Debrief Focus (Full Game)

• How shared infrastructure models (hosting, cloud, SaaS) create blast radius where a single vulnerability affects thousands of organizations
• The tension between infrastructure cost efficiency (shared servers) and security isolation (dedicated environments)
• Why hosting providers bear internet citizenship responsibilities beyond their client obligations
• How ISP-level enforcement (null-routing, disconnection threats) creates external pressure that overrides internal remediation timelines
• Long-term business model viability when security infrastructure investment fundamentally changes the economics of shared hosting

Advanced Challenge Materials (150-170 min, 3+ rounds)

Red Herrings & Misdirection

• Legitimate traffic spike – summer e-commerce peak creates server performance patterns similar to worm scanning, delaying correct identification of malicious traffic
• Client website errors – several clients recently deployed updates with bugs that cause display issues, creating confusion about which website problems are worm-related
• Routine server maintenance – scheduled overnight server updates coincide with worm spread, initially masking the infection as planned activity
• DDoS attack speculation – some clients assume a competitor is DDoS-attacking their websites, misdirecting from the worm’s autonomous propagation

Removed Resources & Constraints

• No infrastructure segmentation – flat network architecture means there’s no way to isolate infected servers without affecting the entire client base
• Backup restoration bottleneck – tape-based backup system restores one server at a time, creating a multi-day queue for all client websites
• Night shift skeleton crew – attack detected during evening shift with minimal staff; full response team unavailable until morning
• No client communication platform – bulk client notification system runs on the same infrastructure affected by the worm, preventing automated breach communication

Enhanced Pressure

• ISP null-route deadline – upstream ISP gives 6-hour ultimatum: stop attack traffic or entire Frontier Hosting IP range gets null-routed, killing all 50,000+ client websites regardless of individual status
• Client collective action – e-commerce clients form emergency coalition demanding compensation exceeding Frontier Hosting’s annual revenue
• Hosting industry regulatory discussion – government regulators use the incident to advocate for mandatory hosting security standards, threatening industry-wide compliance costs
• Staff burnout crisis – 72-hour continuous remediation effort; key network administrator makes configuration error due to exhaustion, temporarily worsening the situation

• ISP null-route deadline – upstream ISP gives 6-hour ultimatum: stop attack traffic or entire Amsterdam Data Systems IP range gets null-routed, killing all 40,000+ client websites regardless of individual status
• Client collective action – e-commerce clients form emergency coalition demanding compensation exceeding Amsterdam Data Systems’s annual revenue
• Hosting industry regulatory discussion – government regulators use the incident to advocate for mandatory hosting security standards, threatening industry-wide compliance costs
• Staff burnout crisis – 72-hour continuous remediation effort; key network administrator makes configuration error due to exhaustion, temporarily worsening the situation

Ethical Dilemmas

• Client prioritization – enterprise clients paying premium rates demand priority restoration over thousands of small business clients; is this contractually justified or discriminatory when small businesses face greater harm?
• ISP coordination versus client privacy – ISP requests detailed traffic logs to verify remediation, but those logs contain client website visitor data; sharing helps prove remediation but exposes client customer information
• Patch delay accountability – management delayed patches to avoid disrupting client revenue during peak season; the decision was made with client interests in mind but created the vulnerability. Who’s accountable?
• Competitive migration assistance – some clients want to migrate to competitors immediately; does Frontier Hosting have an obligation to facilitate smooth migration (helping competitors) or can they prioritize retention?

• Client prioritization – enterprise clients paying premium rates demand priority restoration over thousands of small business clients; is this contractually justified or discriminatory when small businesses face greater harm?
• ISP coordination versus client privacy – ISP requests detailed traffic logs to verify remediation, but those logs contain client website visitor data; sharing helps prove remediation but exposes client customer information
• Patch delay accountability – management delayed patches to avoid disrupting client revenue during peak season; the decision was made with client interests in mind but created the vulnerability. Who’s accountable?
• Competitive migration assistance – some clients want to migrate to competitors immediately; does Amsterdam Data Systems have an obligation to facilitate smooth migration (helping competitors) or can they prioritize retention?

🌍 Localizing to Other EU Countries

This Dutch variation can be adapted to other EU countries during facilitation. All EU countries share GDPR (72-hour breach notification) but have different regulatory institutions.

When running this scenario for another EU country, substitute these elements:

Country	Data Protection Authority	Cybersecurity Agency	Hosting Context
France	CNIL	ANSSI	Major Paris data center hub, OVHcloud HQ
Germany	BfDI	BSI	Frankfurt data center hub, Hetzner HQ
Ireland	DPC	NCSC-IE	Dublin data center hub, many US tech companies EU HQ
Sweden	IMY	CERT-SE	Stockholm data center hub, Bahnhof hosting
Belgium	GBA	CCB	Brussels data center presence, EU institutions

Notes:

• France/Germany: Strong national cyber agencies (ANSSI/BSI) with direct authority over critical infrastructure
• Ireland: Data Protection Commission (DPC) is lead GDPR regulator for many US tech companies
• Sweden: Bahnhof is known for privacy-focused hosting with underground data centers

Hosting company names and NPC names are left to the IM's discretion.

Advanced Debrief Topics

• How shared infrastructure economics create systematic underinvestment in security isolation when cost savings are visible but security risks are invisible until exploitation
• The ethics of service prioritization during infrastructure outages when all clients are affected but harm is distributed unequally
• Why hosting provider internet citizenship obligations (stopping attacks from your infrastructure) can override client service obligations
• How ISP-level enforcement mechanisms create external accountability for hosting security that market forces alone don’t provide
• Balancing business model viability (shared hosting price points) against security architecture requirements (isolation, segmentation, monitoring)