FakeBat Scenario: Freelancer Coworking Space
Planning Resources
Scenario Details for IMs
Innovation Hub: Professional Community Under Multi-Tenant Pressure
Organization Profile
- Type: Freelancer coworking space and professional community
- Members: 120 independent professionals across diverse industries
- Services: Shared workspace, high-speed network, meeting rooms, professional events
- Business Model: Monthly memberships ($300-600), day passes, meeting room rentals
- Technology: Shared high-performance network, centralized WiFi, collaborative tools
Member Professional Diversity
Industries Represented:
- Creative: Web designers, graphic designers, photographers, videographers
- Technology: Software developers, UX designers, IT consultants, cybersecurity specialists
- Business: Marketing consultants, business strategists, financial advisors
- Legal: Attorneys, paralegals, compliance consultants
- Other: Writers, researchers, educators, nonprofit coordinators
Current Critical Context
Monday Client Deadline Cascade:
- Web Designer: Launching e-commerce site for major retail client ($50K project)
- Software Developer: Deploying healthcare application to production (regulatory deadline)
- Marketing Consultant: Presenting campaign strategy to Fortune 500 client
- Attorney: Filing court documents (statutory deadline, no extensions)
- Business Strategist: Delivering merger analysis to corporate client
Opening Presentation
“It’s Friday afternoon at Innovation Hub Coworking, and what should be focused work before Monday client deadlines has turned into a crisis. Multiple freelancers are reporting browser issues - redirects to unexpected productivity websites, persistent advertisements appearing during client video calls, and concerning system performance. Independent professionals mention installing ‘must-have collaboration tools’ and ‘essential project management software’ they discovered online to improve client deliverables. With dozens of freelancers facing Monday deadlines and shared network security at risk, investigate what’s happening before malware destroys both professional livelihoods and workspace trust.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 2: Multiple freelancers report urgent client deadlines Monday - requires functional systems for deliverable completion
- Hour 3: Workspace members questioning network security and considering alternative coworking locations
- Hour 4: Client of affected freelancer calls workspace directly expressing concern about data security
Evolution Triggers:
- If containment takes longer than 4 hours, FakeBat begins targeting client communication channels
- If browser security isn’t addressed, malware spreads to additional freelancers using shared resources
- If fake software source isn’t identified, new coworking members may encounter same threats
Resolution Pathways:
Technical Success Indicators:
- Team identifies FakeBat through freelancer-focused software verification and multi-workstation behavior analysis
- Shared network security policies prevent future freelancer-initiated malicious software installations
- Browser and client communication isolation protects professional data and business relationships
Business Success Indicators:
- Freelancer productivity restored with minimal impact on Monday client deadlines
- Workspace reputation maintained through transparent communication and security demonstration
- Coworking operations continue while systematically cleaning and securing shared systems
Learning Success Indicators:
- Team understands how freelancer-focused software masquerading exploits professional productivity desires
- Participants recognize challenges of securing shared workspace environments with diverse users
- Group demonstrates balance between freelancer autonomy and network security in coworking spaces
Common IM Facilitation Challenges:
If Team Focuses Too Heavily on Technical Details:
“That’s excellent analysis of the shared network infection pattern. How does this information help you communicate the security status to the freelancers who have client deadlines Monday?”
If Business Stakeholders Are Ignored:
“While you’re investigating the malware, Jennifer just received a call from a long-term member considering leaving due to security concerns. How do you handle this?”
If Software Masquerading Aspect Is Missed:
“The technical indicators are clear, but why did freelancers trust these particular productivity tools and install them seeking business advantage?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish coworking crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing freelancer-targeted fake software and shared workspace security risks.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of shared workspace security challenges. Use the full set of NPCs to create realistic coworking environment pressures. The two rounds allow FakeBat to progress toward client communications, escalating stakes. Debrief can explore balance between freelancer autonomy and security controls in shared professional spaces.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing shared network security, freelancer business needs, workspace operations, and professional trust. The three rounds allow for full narrative arc including villain’s coworking-specific multi-stage attack plan.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate freelance tool updates causing unrelated performance issues). Make containment ambiguous, requiring players to justify business-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of shared workspace security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “You discover that 30+ coworking workstations visited ‘freelance-productivity-pro.com’ and ‘remote-work-tools-official.com’ over the past two days and downloaded ‘FreelancerPro_Suite.exe’ and ‘CollabSync_Manager.exe’. Both domains were registered last week.”
Clue 2 (Minute 10): “Analyzing the downloaded files reveals they lack valid publisher digital signatures. Legitimate freelance productivity tools always have verified signatures from recognized business software publishers.”
Clue 3 (Minute 15): “You find new browser extensions installed across freelancer workstations: ‘Remote Work Optimizer’ and ‘Client Collaboration Plus’. Both have permissions to access client communication data and are injecting business-related advertisements into legitimate professional websites.”
Pre-Defined Response Options
Option A: Workstation Cleaning & Shared Network Policies
- Action: Remove malware from affected freelancer systems, implement shared workspace security policies that balance autonomy with protection, verify network isolation.
- Pros: Completely removes threat and establishes secure coworking environment policies; protects client data across diverse users.
- Cons: Time-intensive workstation-by-workstation remediation; may temporarily limit freelancer software installation flexibility.
- Type Effectiveness: Super effective against Trojan type malmons like FakeBat in shared environments.
Option B: Browser Lockdown & User Education
- Action: Implement browser security policies for shared workspace, reset compromised browsers, provide freelancer education on software verification for business tools.
- Pros: Prevents persistent browser compromises in coworking environment; addresses human factor with targeted education.
- Cons: Doesn’t remove underlying malware that may redeploy during freelancer sessions.
- Type Effectiveness: Moderately effective against Browser Hijacker threats in shared workspaces.
Option C: Network Segmentation & Malicious Domain Blocking
- Action: Segment freelancer network traffic, add malicious domains to workspace firewall blocklist, implement DNS filtering for productivity software downloads.
- Pros: Protects shared infrastructure immediately; prevents additional freelancers from downloading fake business tools.
- Cons: Doesn’t remove already-installed malware from 30+ compromised freelancer workstations.
- Type Effectiveness: Partially effective against Downloader type malmons; protects infrastructure but not endpoints.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Initial Detection & Coworking Response (35-40 minutes)
Opening Hook & Investigation Phase (Minutes 0-20)
IM Narrative Setup: “It’s Friday afternoon at Innovation Hub, and what should be focused pre-weekend client work has devolved into chaos. Jennifer Wilson, your workspace manager, looks stressed as she briefs you: ‘We have freelancers reporting browser problems across multiple desks. Some are saying their productivity tools are acting strange, others mention installing collaboration software yesterday. We have people with Monday client deliverables who can’t work reliably. Can you figure out what’s happening before this damages our reputation and people start canceling memberships?’”
Time-Stamped Investigation Clues (Present every 3-5 minutes):
Minute 5 - Detective Discovery: “You examine workspace network logs and find something concerning: 30+ different freelancer workstations visited ‘freelance-productivity-pro.com’ and ‘remote-work-tools-official.com’ over the past 48 hours. Both domains were registered just last week. Download logs show ‘FreelancerPro_Suite.exe’ and ‘CollabSync_Manager.exe’ installations across multiple independent contractors.”
Minute 8 - Protector Analysis: “Running memory scans on several affected workstations reveals unfamiliar processes: ‘fpro_service.exe’ and ‘collab_sync.exe’ running from temp directories. These processes are injecting code into browser sessions and have hooks into Chrome, Firefox, and Edge. Digital signature checks show both executables lack valid publisher certificates—legitimate business software always includes verified signatures.”
Minute 12 - Tracker Network Evidence: “DNS query logs reveal the compromised freelancer workstations are making regular connections to ‘cdn-freelance-tools[.]xyz’ and ‘analytics-workspace-pro[.]net’—both registered to privacy-protected hosting in Eastern Europe. Network traffic analysis shows these aren’t analytics; they’re command-and-control callbacks happening every 15 minutes from 30+ independent systems.”
Minute 16 - Communicator Interviews: “You speak with affected freelancers. Diana Foster, community manager, shares: ‘Multiple members mentioned they found these tools through searches for remote work collaboration software. The websites looked professional—screenshots, testimonials, the whole package. One freelancer said they installed it because a client deadline was approaching and they needed better project management. Nobody suspected these were fake.’”
Minute 20 - Critical Discovery: “Browser analysis reveals the scope: affected workstations have extensions named ‘Remote Work Optimizer’ and ‘Client Collaboration Plus’ installed without user knowledge. Both extensions have permissions to: read and change all your data on websites you visit, manage your downloads, and access your tabs. They’re actively injecting advertisements into legitimate freelancer research and redirecting professional searches to malicious sites.”
Response Decision Phase (Minutes 20-35)
Pressure Event (Minute 22): Jennifer (Workspace Manager) interrupts with urgency: “I just got off the phone with three long-term members asking if our network is secure. One mentioned they’re considering moving to the coworking space downtown because they can’t risk client data exposure. We need answers now—what do I tell people about their professional data and Monday deliverables?”
Available Response Options:
Option A: Immediate Workstation Quarantine & Staged Cleaning
- Isolate all 30+ affected freelancer workstations from shared network
- Begin systematic malware removal starting with client-deadline freelancers
- Implement temporary guest network for unaffected members
- Create workspace software verification policy before reconnection
- Pros: Prevents further spread through shared workspace; prioritizes business-critical freelancers; establishes verification protocol
- Cons: Significant disruption to 30+ independent businesses; weekend cleaning required; member frustration likely
- Type Effectiveness: Super effective against Trojan-type spread in coworking environments
Option B: Browser Security Lockdown & Network Filtering
- Reset all affected browsers to default configurations
- Remove malicious extensions and browser modifications
- Implement workspace-wide DNS filtering blocking malicious domains
- Deploy browser security policies for shared workspace systems
- Pros: Quick deployment minimizes freelancer downtime; protects client communication channels; prevents new infections
- Cons: Underlying malware may persist and redeploy; doesn’t address root compromise on 30+ systems
- Type Effectiveness: Moderately effective against browser hijacking; incomplete against full infection
Option C: Forensic Investigation & Professional Communication
- Document full scope for insurance and potential member notification
- Identify patient zero and infection timeline across freelancers
- Prepare detailed member communication about workspace security
- Engage external IR support for professional assessment
- Pros: Comprehensive understanding of compromise; professional documentation; transparency builds trust
- Cons: Investigation extends member uncertainty; potential news spread hurts reputation; delayed remediation
- Type Effectiveness: No immediate technical containment; purely investigative approach
Round 1 Debrief Questions (Minutes 35-40)
Technical Understanding: “How did FakeBat leverage freelancer productivity desires to compromise 30+ independent systems? What made the fake productivity tools convincing?”
Shared Workspace Context: “What security challenges are unique to coworking spaces where independent contractors need autonomy but share network infrastructure?”
Stakeholder Balance: “How did you balance Jennifer’s need for member retention with Carlos’s recommendation for thorough system cleaning? What trade-offs did you consider?”
Response Effectiveness: “Which parts of your response addressed immediate member concerns versus long-term workspace security? Did you explain the difference clearly?”
Round 2: Containment & Coworking Trust (35-45 minutes)
Evolution Narrative (Minute 40)
IM Transition Based on Round 1 Choice:
If Option A (Workstation Quarantine) was chosen: “Your systematic cleaning approach is working, but it’s Saturday morning and you’re only through 12 of 30+ compromised workstations. Jennifer calls with concerning news: ‘Five members with Monday client deliverables are asking when they’ll have access again. One mentioned they might work from a coffee shop this weekend using their compromised laptop. Also, Robert Chen reports three prospective members toured yesterday, and two asked pointed questions about our recent security issues. How do we handle this?’”
If Option B (Browser Lockdown) was chosen: “Your browser security measures deployed quickly and members are back to work—but Carlos Martinez has troubling findings: ‘The browser fixes were surface-level. I’m still detecting ’fpro_service.exe’ running on 20+ workstations, and it’s attempting to reinstall the browser extensions every few hours. We blocked the C2 domains, but the malware is trying alternative communication methods. We need deeper remediation, but that means re-disrupting freelancers who think everything’s fixed.’”
If Option C (Investigation) was chosen: “Your forensic documentation is comprehensive, but it’s Saturday afternoon and Jennifer is receiving member cancellation emails. ‘Four freelancers notified us they’re not renewing next month, citing security concerns. Your investigation report is detailed, but members want to know what we’re DOING, not just what happened. We have compromised systems still operating in our workspace, and our reputation is deteriorating while we document.’”
Advanced Investigation Clues (Present every 4-5 minutes)
Minute 44 - Detective Depth: “Deeper analysis of ‘FreelancerPro_Suite.exe’ reveals it’s a loader—its job is delivering additional payloads. You find evidence of secondary infections: RedLine Stealer and Vidar Infostealer deployed to 8 workstations where freelancers had saved client passwords in browsers. Those freelancers’ client credentials may be compromised. This explains FakeBat’s pay-per-install business model—it monetizes by loading other malware families.”
Minute 49 - Protector Findings: “Memory forensics on heavily-infected systems shows credential theft in action. Browser password stores were accessed on workstations belonging to freelancers in web development, graphic design, and consulting. Client FTP credentials, WordPress logins, AWS console access—all potentially exfiltrated. This isn’t just workspace disruption; it’s client business compromise across multiple freelancer portfolios.”
Minute 54 - Tracker Attribution: “You trace the infection source: the fake productivity websites used malvertising through Google Ads. Searches for ‘freelance collaboration tools’ and ‘remote work productivity software’ triggered ads leading to fake download sites. The threat actors specifically targeted keywords freelancers use. This wasn’t random—it was a calculated campaign targeting independent professionals in coworking environments.”
Minute 59 - Communicator Stakeholder Crisis: “Diana Foster reports escalating concerns: ‘A freelancer just told me their client received suspicious login attempts to shared project management tools. The client is asking questions about security practices. Another member posted in our community Slack asking if others experienced similar issues—the conversation is getting tense. People want to know: are their clients’ data safe, and should they be notifying their own customers?’”
Advanced Response Options (Minutes 60-75)
Pressure Event (Minute 62): Robert Chen (Member Services) delivers difficult news: “I have a freelancer whose client contracts require breach notification within 72 hours if credentials are potentially compromised. They’re asking if this incident meets that threshold. If they notify their client about workspace-originated compromise, that client might publicize it. We could be looking at reputation damage beyond our member community. Also, the graphic designer with the Monday pitch? Their client just called Jennifer directly asking about our security practices. What’s our official position?”
Enhanced Response Options:
Option D: Comprehensive Member Remediation & Client Protection
- Complete malware removal from all 30+ workstations using dedicated weekend effort
- Provide affected freelancers with client communication templates about potential credential exposure
- Offer workspace-funded password manager subscriptions for all members
- Implement mandatory security orientation for new and existing members
- Business Impact: High remediation cost, weekend overtime, but demonstrates workspace commitment
- Member Impact: Short-term disruption, long-term protection, professional support for client notification
- Reputation Impact: Transparent approach may build trust; proactive support demonstrates responsibility
- Type Effectiveness: Comprehensive containment addressing technical and business dimensions
Option E: Selective Deep Cleaning & Liability Management
- Focus intensive remediation on 8 workstations with confirmed credential theft
- Provide those freelancers with professional IR support for client notification
- Implement browser-based protections workspace-wide for remaining systems
- Document member security responsibilities in updated membership agreements
- Business Impact: Controlled costs through triage approach; legal protection via policy updates
- Member Impact: Uneven response—comprehensive for high-risk, basic for others
- Reputation Impact: May appear cost-focused rather than member-focused
- Type Effectiveness: Addresses most critical compromises; accepts residual risk on other systems
Option F: External IR Partnership & Professional Standards
- Engage external cybersecurity firm for professional workspace assessment
- Implement findings as workspace security certification (advertising competitive advantage)
- Provide all affected freelancers with complimentary IR consultation
- Transform incident into workspace security differentiator for marketing
- Business Impact: Significant investment converts crisis to competitive advantage
- Member Impact: Professional-grade security builds confidence; valuable member benefit
- Reputation Impact: Proactive professional response demonstrates workspace quality
- Type Effectiveness: Comprehensive technical response plus strategic business positioning
NPC Interactions (Introduce throughout Round 2)
Jennifer Wilson (Workspace Manager) - Business Continuity Focus: “I understand your technical recommendations, but I need to balance member retention with security. We have freelancers who pay $300/month for reliable workspace—if we disrupt their client work too aggressively, they’ll leave regardless of our security improvements. Can we phase the remediation? High-risk systems first, others during scheduled maintenance?”
Carlos Martinez (Network Administrator) - Technical Thoroughness: “Partial cleaning is how organizations end up reinfected within weeks. Every compromised workstation is a potential re-infection source for the shared network. I know it’s disruptive, but we need complete remediation on all 30+ systems, not just the obviously compromised ones. If we cut corners now, we’ll be dealing with this again next month.”
Diana Foster (Community Manager) - Member Trust: “Our community is built on trust and collaboration—that’s why freelancers choose us over coffee shops. Some members are defending us on Slack, saying these incidents happen everywhere. Others are questioning whether we take security seriously. How we handle this will define our community culture. Are we transparent and supportive, or defensive and minimal?”
Robert Chen (Member Services) - Liability & Communication: “I’m getting specific questions I can’t answer without your guidance: Should freelancers notify their clients? Are we liable for any client data compromised through our network? Can we require members to follow specific security practices? Our membership agreements don’t clearly address malware incidents. We need clear direction on what we’re telling people.”
Round 2 Debrief Questions (Minutes 75-85)
Layered Response: “How did FakeBat’s pay-per-install model make this incident more complex than simple browser hijacking? What did the secondary payload deployment mean for freelancers and their clients?”
Stakeholder Conflicts: “Jennifer wanted fast member restoration, Carlos wanted thorough cleaning, Diana focused on community trust, and Robert worried about liability. How did you navigate these competing legitimate priorities?”
Shared Responsibility: “What security responsibilities belong to the workspace versus individual freelancer members? Where’s the boundary between shared infrastructure protection and independent contractor autonomy?”
Client Impact: “Several freelancers face potential client notification requirements due to credential theft. How did your response address not just workspace security but freelancers’ professional obligations to their own clients?”
Reputation Management: “Did your response communicate competence and care, or did it feel defensive or minimal? How do coworking spaces balance transparency about security incidents with protecting business reputation?”
Key Learning Objectives (Lunch & Learn)
Technical Concepts:
- Software masquerading and fake productivity tool characteristics
- Loader/dropper malware delivering secondary payloads (pay-per-install model)
- Browser hijacking persistence and credential theft progression
- Shared network security challenges in coworking environments
Business Context:
- Balancing freelancer autonomy with workspace security responsibilities
- Member retention pressures during security incidents
- Professional reputation management for service-based businesses
- Client impact considerations beyond immediate workspace scope
Incident Response Skills:
- Triaging 30+ compromised independent systems with varying business impacts
- Communicating security status to non-technical stakeholders with competing priorities
- Developing phased remediation approaches balancing thoroughness with disruption
- Managing reputation during incidents in community-focused business environments
Full Game Materials (120-140 min, 3 rounds)
Round 1: Discovery & Initial Containment (35-40 minutes)
Opening Scenario (Minute 0)
Full IM Narrative: “It’s Friday at 2:00 PM at Innovation Hub Coworking, and what began as isolated complaints has escalated into a workspace-wide crisis. Jennifer Wilson, your workspace manager, is coordinating a response from her office that’s simultaneously serving as incident command. ‘We have reports coming from multiple freelancers across different areas—graphic designers, developers, consultants, writers. Common thread? They all mention installing productivity software in the last day or two, and now they’re experiencing browser problems.’
Carlos Martinez, your network administrator, interrupts with laptop in hand: ‘I ran preliminary scans. We’re looking at 30+ compromised workstations, maybe more. These aren’t isolated incidents—this is coordinated. And Friday afternoon with Monday client deadlines? Worst possible timing.’
Diana Foster, community manager, adds context: ‘The Slack channel is active. Freelancers are starting to compare notes. A few are questioning whether they should work elsewhere this weekend. One member just posted asking if anyone else experienced “weird browser behavior”—we have about 30 minutes before this becomes public knowledge that our workspace has a security problem.’
Robert Chen from member services looks grim: ‘I have three prospective members scheduled to tour today at 4:00 PM. They’re evaluating us versus two other coworking spaces. If they see chaos or compromised workstations, we lose those contracts. Also, we have long-term members up for renewal next week—security concerns could cost us thousands in recurring revenue.’
You have full investigative authority and workspace access. What’s your approach?”
Open Investigation Phase (Minutes 0-25)
Available Investigation Paths (Players choose focus areas; provide relevant information based on their choices)
Detective Role Options:
- Examine software installation logs across all workspace workstations
- Analyze downloaded executable files for signatures and behavior
- Review browser history logs for infection source identification
- Conduct registry analysis for persistence mechanisms
- Interview freelancers about installation timelines and sources
Protector Role Options:
- Run memory forensics on multiple compromised systems
- Analyze running processes and network connections
- Test executable behavior in isolated environment
- Perform digital signature verification on suspicious software
- Map infection spread patterns across workspace network
Tracker Role Options:
- Analyze DNS query logs for malicious domain identification
- Trace network traffic to identify C2 infrastructure
- Investigate domain registration and hosting details
- Map infection timeline across 30+ workstations
- Identify download sources and distribution methods
Communicator Role Options:
- Interview affected freelancers about software installation context
- Document business impact across different freelancer specializations
- Assess client deadline impacts and professional reputation risks
- Coordinate with NPCs to understand workspace operations constraints
- Prepare member communication strategy frameworks
Dynamic IM Responses (Provide information based on player investigation choices)
If players examine software installation logs: “Installation logs reveal a pattern: ‘FreelancerPro_Suite.exe’ (8.2MB) and ‘CollabSync_Manager.exe’ (6.7MB) installed on 32 workstations between Wednesday 3:00 PM and Thursday 5:00 PM. Installation paths vary—some users saved to Downloads, others to Desktop—but execution timestamps cluster around late afternoon when freelancers are often rushing to finish work. All installations originated from user-initiated downloads, not network-pushed deployments.”
If players analyze downloaded executables: “Behavioral analysis in isolated environment reveals concerning capabilities: Both executables drop additional files to %TEMP% directories, establish browser hooks into Chrome/Firefox/Edge processes, modify registry keys for persistence (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), and initiate network connections to ‘cdn-freelance-tools[.]xyz’ approximately 90 seconds after execution. Neither executable has valid digital signatures—legitimate productivity software from reputable vendors always includes verified certificates.”
If players interview freelancers: “Conversations reveal consistent social engineering: Most freelancers found the software through Google searches for ‘freelance productivity tools,’ ‘remote work collaboration,’ and ‘project management for contractors.’ Several mention the download sites looked professional—clean design, user testimonials, feature comparisons. One freelancer admits: ‘I was behind on a client deadline and saw a tool that claimed to organize project workflows. I didn’t check who published it. That seems obvious now, but in the moment, I needed help.’”
If players trace network traffic: “Network forensics reveal sophisticated infrastructure: Primary C2 domains ‘cdn-freelance-tools[.]xyz’ and ‘analytics-workspace-pro[.]net’ both registered 18 days ago through privacy-protected hosting in Bulgaria. Traffic analysis shows encrypted callbacks every 12-15 minutes from compromised workstations—these aren’t random, they’re scheduled check-ins. Additional concerning finding: 8 workstations show connections to known RedLine Stealer C2 infrastructure, suggesting secondary payload deployment already occurred.”
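The Tracker clues above (Round 1's 15-minute callbacks and this round's 12-15 minute scheduled check-ins to domains registered 18 days ago) describe two signals a defender can pull out of resolver logs: periodic lookups from a host to one domain, and a young domain being queried by many workstations. The following is an added example, not part of the scenario materials; the DNS log lines, the "current time", and the registration dates are all constructed for illustration.

```python
"""Beacon and young-domain triage over constructed DNS query logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "current time" for the exercise (not taken from the scenario).
NOW = datetime(2024, 6, 14, 15, 0, 0)

# Constructed registration dates. The scenario only says the C2 domains were
# registered 18 days ago; the dates for the established domains are placeholders.
DOMAIN_REGISTERED = {
    "cdn-freelance-tools.xyz": datetime(2024, 5, 27),
    "analytics-workspace-pro.net": datetime(2024, 5, 27),
    "slack.com": datetime(2009, 1, 1),   # placeholder: old, established domain
    "github.com": datetime(2007, 1, 1),  # placeholder: old, established domain
}

# Constructed resolver log: "<ISO timestamp> <workstation> <queried domain>".
SAMPLE_DNS_LOG = """\
2024-06-14T13:00:00 ws-07 cdn-freelance-tools.xyz
2024-06-14T13:15:05 ws-07 cdn-freelance-tools.xyz
2024-06-14T13:29:58 ws-07 cdn-freelance-tools.xyz
2024-06-14T13:45:10 ws-07 cdn-freelance-tools.xyz
2024-06-14T14:00:02 ws-07 cdn-freelance-tools.xyz
2024-06-14T13:02:00 ws-12 cdn-freelance-tools.xyz
2024-06-14T13:17:03 ws-12 cdn-freelance-tools.xyz
2024-06-14T13:31:55 ws-12 cdn-freelance-tools.xyz
2024-06-14T13:47:09 ws-12 cdn-freelance-tools.xyz
2024-06-14T13:01:00 ws-12 analytics-workspace-pro.net
2024-06-14T13:13:10 ws-12 analytics-workspace-pro.net
2024-06-14T13:24:55 ws-12 analytics-workspace-pro.net
2024-06-14T13:37:05 ws-12 analytics-workspace-pro.net
2024-06-14T13:00:30 ws-07 slack.com
2024-06-14T13:04:12 ws-07 slack.com
2024-06-14T13:41:50 ws-07 slack.com
2024-06-14T13:43:02 ws-07 slack.com
2024-06-14T13:05:00 ws-19 slack.com
2024-06-14T13:06:00 ws-19 github.com
"""


def parse_dns_log(text):
    """Return (timestamp, host, domain) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, domain = parts
        records.append((datetime.fromisoformat(ts), host, domain.lower().rstrip(".")))
    return records


def find_beacons(records, min_queries=4, min_period=60, max_period=3600, max_jitter=0.2):
    """Flag (host, domain) pairs whose lookup timing looks like a scheduled check-in.

    A pair qualifies when it has at least min_queries lookups, the mean gap lies in
    [min_period, max_period] seconds, and the gaps are regular (population stdev
    divided by mean <= max_jitter). Returns {(host, domain): mean_gap_seconds}.
    Interactive browsing (see the slack.com lines) has irregular gaps and is not flagged.
    """
    by_pair = defaultdict(list)
    for ts, host, domain in records:
        by_pair[(host, domain)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0 or not (min_period <= avg <= max_period):
            continue
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def young_domains(records, registered, now=NOW, max_age_days=30):
    """Return {domain: {"age_days": n, "hosts": [...]}} for recently registered domains.

    A domain with no known registration date is reported with age None: an unknown
    age is worth a look rather than being silently treated as established.
    """
    hosts = defaultdict(set)
    for _, host, domain in records:
        hosts[domain].add(host)
    out = {}
    for domain, hs in hosts.items():
        reg = registered.get(domain)
        age = (now - reg).days if reg else None
        if age is None or age <= max_age_days:
            out[domain] = {"age_days": age, "hosts": sorted(hs)}
    return out


def hosts_to_isolate(records):
    """Workstations beaconing to a young or unknown domain: the first quarantine set."""
    beacons = find_beacons(records)
    young = young_domains(records, DOMAIN_REGISTERED)
    return sorted({host for host, domain in beacons if domain in young})


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for (host, domain), gap in sorted(find_beacons(recs).items()):
        print(f"beacon  {host:6} -> {domain:28} every ~{gap / 60:.1f} min")
    for domain, info in young_domains(recs, DOMAIN_REGISTERED).items():
        print(f"young   {domain:28} age={info['age_days']} hosts={info['hosts']}")
    print("isolate:", hosts_to_isolate(recs))
```

On the constructed log this flags ws-07 and ws-12 checking in every 12-15 minutes to the two young domains and leaves the irregular slack.com and github.com lookups alone; the thresholds are starting points to tune against a workspace's real resolver volume.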
Pressure Events (Introduce throughout Round 1)
Minute 12 - Member Communication Pressure: Diana Foster forwards a Slack message thread: “The conversation is getting detailed. Members are sharing symptoms, comparing notes, and someone just asked if their client data might be compromised. I can redirect the conversation temporarily, but we need official guidance within the hour. What’s our messaging: ‘investigating isolated issues’ or transparent admission of broader compromise?”
Minute 18 - Business Continuity Conflict: Jennifer Wilson pulls you aside: “I understand your investigation is ongoing, but I have freelancers asking direct questions: Can they continue working this afternoon? Should they use their personal laptops instead? Is the network safe for client communications? I need answers that balance safety with business reality—these people’s livelihoods depend on getting work done.”
Minute 22 - Prospective Member Crisis: Robert Chen interrupts: “The 4:00 PM tour group just called—they’re arriving early, 3:00 PM instead. That’s 35 minutes from now. I can try to reschedule, but they mentioned they’re making a decision today between us and downtown workspace. If they see incident response happening on the floor, that’s probably a deal-breaker for three memberships at $350/month each—$12,600 annual revenue walking away.”
Response Decision Phase (Minutes 25-35)
Facilitation Guidance: Encourage players to develop their own response strategies. Challenge them with questions:
- “How do you balance thorough remediation with minimal disruption to 32 independent businesses?”
- “What’s your communication strategy to members who are comparing notes in Slack?”
- “How do you handle prospective members touring during an active incident?”
- “Which systems get priority for cleaning—first compromised, business-critical, or most damaged?”
Sample Player-Developed Responses (Examples of approaches players might create)
Technical Containment with Business Triage:
- Isolate 8 workstations showing secondary payload deployment (highest risk)
- Implement workspace-wide DNS filtering blocking known malicious domains
- Allow remaining 24 systems to continue operation with browser security hardening
- Schedule comprehensive cleaning for Saturday with member communication and support
Transparent Communication with Phased Response:
- Immediate member notification explaining scope and containment actions
- Offer affected freelancers choice: immediate system cleaning or scheduled weekend service
- Provide temporary clean workstations for Monday-deadline critical freelancers
- Position transparency as workspace security commitment for prospective members
Aggressive Full Containment:
- Immediate quarantine of all 32 compromised workstations from shared network
- Deploy clean temporary workstations for business-critical freelancers
- Weekend intensive cleaning with external support if needed
- Honest communication about thoroughness priority over convenience
Round 1 Debrief (Minutes 35-40)
- “What evidence led you to identify this as FakeBat versus other malware families?”
- “How did you balance investigation thoroughness with urgent business decisions?”
- “What was your rationale for your containment approach—technical priorities versus business impact?”
- “How did you plan to communicate security status to members with varying technical understanding?”
Round 2: Escalation & Secondary Payload Discovery (40-45 minutes)
Evolution Narrative (Minute 40)
IM Transition Based on Player Approach:
If players chose aggressive containment: “Your full quarantine approach is thorough but causing friction. It’s Saturday morning, and Carlos has finished cleaning 15 of 32 workstations—you’re at the halfway point. Jennifer reports: ‘I have seven freelancers asking when they’ll have access. Three mentioned working from coffee shops on their compromised laptops instead of waiting. One of those three is Sarah Chen, a graphic designer whose laptop showed secondary payload deployment. If she works remotely with credential stealers active, she could compromise her client’s entire project management system. How do we prevent that without legal authority to confiscate her laptop?’
Meanwhile, Robert notices something concerning: ‘The prospective members rescheduled for Monday. One mentioned on the phone that they “heard about the security situation” and want to see how we handled it. Our response is our reputation now—will Monday show recovered operations or ongoing crisis?’”
If players chose phased response: “Your balanced approach kept most freelancers operational, but deeper analysis reveals problems with partial containment. Carlos reports Monday morning: ‘Remember those 24 systems we applied browser hardening to instead of full cleaning? I’m detecting re-infection on 9 of them. The underlying FakeBat malware persisted in memory and reinstalled browser modifications overnight. Your compromise count just went from 32 to 41—new systems got infected through shared workspace resources while we focused on the high-priority systems.’
Diana forwards a concerning email: ‘A member whose system was in the “lower priority” group just contacted me. Their client reported suspicious login attempts on shared project tools. The freelancer is asking if our “partial” cleaning approach left them vulnerable while we prioritized other members. This is getting into liability territory.’”
If players chose transparency-focused approach: “Your open communication approach built trust but revealed complexities you’re now obligated to address. It’s Saturday, and member responses to your transparency vary widely. Jennifer shares: ‘Fifteen freelancers appreciated the honesty and are cooperating fully with remediation. Eight are demanding to know why workspace security didn’t prevent this initially. Three hired their own cybersecurity consultants who are asking detailed technical questions about our network architecture and security controls. We invited scrutiny through transparency—now we have to demonstrate competence.’
Robert adds concerning business context: ‘Two long-term members provided formal notice they’re not renewing, citing security concerns. One posted a detailed account on a freelancer community forum describing our “malware incident.” It’s factual but frames us negatively. We’re seeing reputation impact beyond our immediate member base—potential members are reading about this before they even visit.’”
Advanced Investigation (Minutes 40-60)
Deeper Discovery Clues (Present based on player investigation continuing)
Minute 44 - Secondary Payload Revelation: “Carlos completes forensic analysis on the 8 workstations that showed unusual network activity. His findings are serious: ‘Those systems weren’t just browser hijackers—FakeBat deployed secondary payloads. I found RedLine Stealer and Vidar Infostealer installed on systems belonging to freelancers in web development, cloud architecture consulting, and graphic design. These infostealers specifically targeted browser password stores, crypto wallets, and authentication cookies. The freelancers affected have client credentials stored locally—FTP access, WordPress admin logins, AWS console credentials, design client project management systems. We’re not just talking workspace compromise anymore. This is potential client business compromise across multiple freelancer portfolios.’”
Minute 49 - Credential Exfiltration Evidence: “Network logs reveal the scope of credential theft. You identify outbound data transfers from the 8 heavily-compromised systems to ‘data-collection[.]xyz’ totaling 47MB over two days—that’s consistent with credential database and cookie exfiltration. Timing analysis shows transfers occurring between 2:00-4:00 AM when workstations were idle but powered on in the workspace. The threat actors specifically targeted credentials during off-hours when monitoring was minimal.”
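The off-hours transfer pattern in this clue (tens of megabytes leaving idle workstations between 2:00 and 4:00 AM) is a volume-by-time-of-day question rather than a beaconing one. The Python below is an added example for facilitators, not part of the scenario materials or any product; the flow record format, the byte threshold, and the workstation names are assumptions, and the records are constructed (data-collection.xyz is the scenario's fictional exfiltration domain; backup.example is a stand-in for a legitimate nightly job that shares the window).

```python
"""Off-hours bulk transfer check: outbound volume to a destination that falls
inside a window when workstations are normally idle.
Added example; the flow record format below is an assumption, not a specific product's."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<ISO timestamp> <source host> <destination> <bytes sent>".
SAMPLE_FLOWS = """\
2025-01-09T02:14:03 ws-07 data-collection.xyz 6100000
2025-01-09T03:05:47 ws-07 data-collection.xyz 5400000
2025-01-10T02:31:10 ws-07 data-collection.xyz 7200000
2025-01-09T14:20:00 ws-07 drive.google.com 9800000
2025-01-09T02:40:00 ws-12 data-collection.xyz 5900000
2025-01-09T10:00:00 ws-03 github.com 400000
2025-01-10T03:10:00 ws-03 backup.example 52000000
"""


def parse_flows(text):
    """Parse records into (timestamp, host, destination, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return flows


def offhours_transfers(flows, start_hour=2, end_hour=4, min_bytes=5_000_000,
                       known_jobs=frozenset()):
    """Return {(host, dest): {"bytes": n, "offhours_share": f}} for pairs that sent
    at least min_bytes between start_hour (inclusive) and end_hour (exclusive).

    offhours_share is the fraction of the pair's total volume that fell in the window;
    a share near 1.0 means the destination is *only* contacted while the desk is empty.
    Destinations in known_jobs (baselined backups, sync agents) are skipped, which is
    how a nightly backup target avoids being reported alongside the exfil domain.
    """
    window = defaultdict(int)
    overall = defaultdict(int)
    for ts, host, dest, nbytes in flows:
        if dest in known_jobs:
            continue
        overall[(host, dest)] += nbytes
        if start_hour <= ts.hour < end_hour:
            window[(host, dest)] += nbytes
    return {
        pair: {"bytes": total, "offhours_share": round(total / overall[pair], 2)}
        for pair, total in window.items()
        if total >= min_bytes
    }


if __name__ == "__main__":
    hits = offhours_transfers(parse_flows(SAMPLE_FLOWS), known_jobs={"backup.example"})
    for (host, dest), info in sorted(hits.items()):
        print(f"{host} -> {dest}: {info['bytes'] / 1e6:.1f} MB, "
              f"{info['offhours_share']:.0%} of volume off-hours")
```

Without the known_jobs allowlist the backup target is reported too, which is the point players should take from it: off-hours volume is only meaningful against a baseline of what legitimately runs overnight, and building that baseline is part of the "enhanced network monitoring" Carlos reports later.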
Minute 54 - Attribution & Campaign Scope: “Tracker analysis reveals this wasn’t opportunistic—it was targeted. The malvertising campaign used Google Ads triggered by specific searches: ‘freelance collaboration tools,’ ‘remote work productivity,’ ‘coworking software,’ ‘independent contractor project management.’ Geofencing targeted ads to users in metropolitan areas with coworking spaces. Threat actors specifically designed this campaign to compromise independent professionals with client access but limited security awareness. You find evidence of similar campaigns targeting freelancers in 6 other cities.”
Minute 58 - Client Impact Confirmation: “Diana receives the message you’d been dreading: ‘A freelancer just forwarded an email from their client. The client detected unauthorized access attempts on their project management system using credentials that only our member had access to. The client is asking direct questions: Was there a data breach at the coworking space? Should they assume all credentials shared with our member are compromised? The freelancer is panicking—this client represents 40% of their annual income. What do we tell them?’”
Advanced Response Phase (Minutes 60-75)
Complex Pressure Event (Minute 62):
Multiple NPCs present competing demands simultaneously:
Jennifer (Workspace Manager): “We need a decision about client notification. Do we advise all affected freelancers to notify their clients about potential credential compromise? That’s the ethically correct approach, but it means 32 freelancers simultaneously telling their clients about a workspace security failure. Some of those clients will pull contracts. Freelancers will blame us for lost income. What’s our liability here?”
Carlos (Network Administrator): “I found evidence that the malware has persistence mechanisms we haven’t addressed yet. Even after cleaning individual workstations, there’s a possibility of reinfection from shared network resources—specifically, compromised USB drives several members used for client file transfers. We need to expand our investigation to all removable media that touched compromised systems. That’s potentially hundreds of devices across 32 freelancers.”
Diana (Community Manager): “The community dynamic is fracturing. Some members want aggressive action—they’re saying we should have prevented this with better network security. Others are defensive of affected freelancers, saying social engineering can happen to anyone. A few are organizing a “security practices discussion” for Monday evening. If we don’t participate, it looks defensive. If we do participate, we’re explaining our security failures to a room full of customers. How do we handle this?”
Robert (Member Services): “Legal counsel provided guidance, and it’s complicated. Our membership agreement includes general security disclaimers, but nothing specific about member workstation compromises or credential theft. We’re potentially liable for inadequate notice about shared network risks. Legal recommends we offer affected members complimentary cybersecurity services—professional cleaning, credential monitoring, maybe identity protection. That’s roughly $200-300 per affected member. For 32 members, we’re looking at $6,400-9,600 in unbudgeted expense. Do you recommend we offer this?”
Enhanced Response Options:
Players should develop comprehensive strategies addressing:
- Complete technical remediation including secondary payload removal
- Client notification guidance for affected freelancers
- Workspace liability management and member support offerings
- Community communication and trust rebuilding
- Long-term security improvements for shared workspace environment
Facilitation Challenges for Player-Developed Solutions:
“Your technical plan is thorough—how do you communicate this timeline to the freelancer who just lost a major client due to compromised credentials? What do you tell them about workspace responsibility?”
“You’re offering complimentary cybersecurity services to affected members—does that create legal admission of liability? How does legal counsel respond to that offer?”
“Your client notification guidance is ethically sound—but what support do you provide freelancers who lose income as a result? Is the workspace responsible for client relationship damage?”
“You’re planning a community security discussion—what’s your message? Defensive explanation of what went wrong, or transparent acknowledgment with concrete improvements?”
Round 2 Debrief (Minutes 75-85)
- “How did discovering secondary payload deployment change your understanding of the incident’s severity and your response approach?”
- “What competing priorities did NPCs present, and how did you navigate workspace business needs versus freelancer support versus technical thoroughness?”
- “How did you balance workspace liability concerns with ethical obligations to affected freelancers and their clients?”
- “What did this incident reveal about security responsibility boundaries in coworking environments where independent contractors share infrastructure?”
Round 3: Recovery & Long-Term Workspace Security (35-45 minutes)
Final Evolution (Minute 85)
IM Culmination Narrative:
“It’s Monday morning, one week after initial detection. Your incident response has progressed through detection, containment, eradication—now you’re in recovery and lessons-learned phase. But recovery in a coworking environment isn’t just technical; it’s community, reputation, and business model.
Jennifer calls an all-hands meeting with you, Carlos, Diana, and Robert. ‘Here’s where we stand: Technically, Carlos reports all systems cleaned and verified. No persistence detected, C2 communications blocked, network monitoring enhanced. That’s the good news. The challenging news? We have four confirmed member departures citing security concerns, three prospective members who chose competitors, and about $18,000 in revenue impact including cleaning costs and lost membership fees.
More importantly, we have community trust to rebuild. Diana has a Slack channel full of questions about what we’re changing. Robert has renewal conversations happening with members who experienced the incident. We need to show we didn’t just fix this problem—we improved our entire security approach. This is where technical response becomes business strategy. What’s our path forward?’”
Long-Term Planning Phase (Minutes 85-110)
Strategic Decision Points:
1. Workspace Security Architecture Redesign
Players must propose improvements to shared workspace security considering:
Network Segmentation Options:
- Isolated member VLANs with controlled inter-connectivity
- Separate guest network for non-member visitors and prospective tours
- DMZ for shared resources (printers, conference room technology)
- Protected management network for workspace operations
Endpoint Security Approach:
- Mandatory security software for workspace-provided equipment
- Optional but recommended security standards for member-owned devices
- Periodic security health checks as membership requirement
- Balance between security and freelancer device autonomy
Software Installation Policies:
- Workspace-curated approved software list for shared systems
- Education program about software verification and publisher signatures
- DNS filtering blocking known malicious infrastructure
- Member awareness about fake productivity tool campaigns
2. Member Education & Security Culture
Educational Programming:
- Monthly security workshops as included member benefit
- Onboarding security orientation for new members
- Workspace security newsletter highlighting threats targeting freelancers
- Peer learning—members sharing security experiences and solutions
Incident Transparency Standards:
- Clear communication protocols for security incidents
- Member notification thresholds and timelines
- Balance between security awareness and fear-mongering
- Trust-building through honesty rather than reputation protection
3. Business Model & Liability Management
Service Offerings Evolution:
- Tiered membership: Basic versus Security-Enhanced with included cybersecurity services
- Optional complimentary add-ons: password managers, VPN services, security consultations
- Positioning security as competitive differentiator for professional coworking
- Partner with local cybersecurity firms for member discounts
Liability & Insurance:
- Cyber liability insurance covering workspace operations
- Updated membership agreements clarifying security responsibilities
- Member education about their own professional obligations for client data
- Clear boundaries: workspace protects infrastructure, members protect their business data
4. Reputation Recovery & Marketing
Community Rebuilding:
- Host the security discussion session Diana mentioned—lean into transparency
- Feature member testimonials about response quality and support received
- Document lessons learned and share with broader coworking community
- Transform incident into demonstration of workspace commitment to member protection
Competitive Positioning:
- Publicize security improvements as industry-leading coworking practices
- Obtain security certifications or third-party assessments for credibility
- Marketing messaging: “We take security seriously enough to learn from incidents”
- Attract security-conscious freelancers seeking professional workspace
Final Pressure Points & NPC Interactions
Minute 95 - Investment vs. Recovery Dilemma: Jennifer presents financial reality: “Your proposed improvements are excellent—network segmentation, security software, educational programming, third-party assessment. I ran numbers with our accountant. Implementing everything you’re recommending costs approximately $25,000-30,000 initially, plus $800-1,000 monthly ongoing for security services and software licensing. We just lost $18,000 in revenue from this incident. Do we invest heavily in security immediately and risk cash flow problems, or phase improvements over time and risk another incident before we’re fully protected?”
Minute 100 - Community Security Discussion: Diana facilitates the member security discussion that was organized. Members ask direct questions:
- “Why didn’t the workspace prevent this initially? What security did we have before?”
- “Should we assume shared workspace networks are inherently insecure for client work?”
- “What responsibility do I have versus what the workspace provides? Where’s the line?”
- “If this happens again, will you handle it the same way or differently? What did you learn?”
Players must respond to these questions in-character, defending their response choices and articulating improvements.
Minute 105 - Competing Member Perspectives:
Three members approach with different feedback:
Member A (Appreciated Response): “I was one of the affected freelancers. Yes, it was disruptive and scary, but you handled it professionally. The cleaning was thorough, communication was transparent, and the complimentary security services helped me recover. You earned my loyalty through how you handled crisis. I’m renewing and recommending Innovation Hub to colleagues.”
Member B (Critical of Response): “I understand malware happens, but what I don’t understand is how our network allowed 32 systems to get compromised before detection. Where was monitoring? Why didn’t we have better endpoint protection? I feel like we discovered you weren’t providing the security infrastructure we assumed we had when we signed up. Rebuilding my trust requires demonstrating you’ve fundamentally changed your security approach, not just fixed this specific problem.”
Member C (Left Due to Incident): “I’m not renewing, and I want to explain why. It’s not that the incident happened—I work in tech, I know breaches occur. It’s that I lost a client relationship because of workspace infrastructure compromise, and there’s no clear accountability for that business impact. You offered cleaning services, but my actual damage was professional reputation and income loss. Until coworking spaces address liability for member business impact from shared infrastructure compromise, I can’t risk my livelihood here.”
How do players respond to these three perspectives? What does each suggest about workspace security responsibilities?
Round 3 Debrief (Minutes 110-120)
Comprehensive Session Debrief Questions:
Technical Mastery: “Walk through the technical evolution of FakeBat in this scenario—from initial fake productivity tool installation, through browser hijacking, to secondary payload deployment and credential theft. What was the pay-per-install business model and how did it amplify damage?”
Coworking-Specific Challenges: “What security challenges are unique to coworking spaces where independent contractors need autonomy but share infrastructure? How did shared workspace dynamics complicate traditional incident response?”
Stakeholder Balance: “You balanced Jennifer’s business concerns, Carlos’s technical requirements, Diana’s community management, and Robert’s liability issues throughout three rounds. Which competing priorities were hardest to navigate? Where did you compromise, and why?”
Response Evolution: “How did your approach evolve across rounds as you learned more about secondary payloads, credential theft, and client impact? What early decisions would you change knowing the full scope?”
Shared Responsibility: “Member C raised a difficult question about accountability for business impact from shared infrastructure compromise. Who IS responsible when coworking space malware costs a freelancer a client relationship? What’s fair?”
Long-Term Prevention: “What security improvements did you propose that would prevent FakeBat-style infections in the future? How did you balance security thoroughness with freelancer autonomy that makes coworking attractive?”
Reputation Management: “How did transparency versus reputation protection factor into your communication choices? Did being honest about the incident help or hurt workspace reputation in the long run?”
Learning Integration: “What will you remember from this scenario when you encounter fake software or software masquerading attacks in your own professional environment? How does coworking context inform general security principles?”
Key Learning Objectives (Full Game)
Advanced Technical Concepts:
- Multi-stage malware: loader/dropper delivering secondary payloads
- Pay-per-install (PPI) business model and malware monetization
- Browser hijacking creating persistent infection and credential access vectors
- Infostealer deployment (RedLine, Vidar) through FakeBat platform
- Shared network compromise propagation and containment challenges
Complex Business Context:
- Coworking business model: community trust, member autonomy, shared infrastructure security
- Liability boundaries between service provider (workspace) and independent contractors (members)
- Reputation management during security incidents in community-based businesses
- Financial decision-making under pressure: immediate response costs versus long-term investment
- Client impact beyond immediate organization—freelancer professional relationships at risk
Advanced Incident Response:
- Triage and prioritization when 30+ independent systems are compromised simultaneously
- Phased remediation balancing thoroughness with business continuity for multiple stakeholders
- Credential compromise notification and client protection guidance
- Community communication during ongoing investigations with evolving understanding
- Long-term security culture development and policy framework creation
Soft Skills Development:
- Navigating NPC competing priorities when all perspectives have legitimate concerns
- Defending response decisions under stakeholder scrutiny and community questioning
- Balancing transparency (builds trust) with reputation management (protects business)
- Making financial security investments during revenue decline from incident impact
- Facilitating difficult conversations about responsibility, liability, and security trade-offs
Advanced Challenge Materials (150-170 min, 3+ rounds)
Advanced Challenge Modifications
Pre-Game IM Preparation:
The Advanced Challenge version adds significant complexity through:
1. Ambiguous technical indicators requiring interpretation
2. Conflicting stakeholder information and unreliable witnesses
3. Red herrings and legitimate incidents creating noise
4. Incomplete information forcing decisions under uncertainty
5. Removed reference materials testing knowledge internalization
6. Compressed timelines increasing pressure
7. Reputational consequences from decision-making process, not just outcomes
Setup Modifications:
- Remove access to MITRE ATT&CK framework, FakeBat reference materials, and malware family guides during gameplay
- Introduce legitimate software updates happening simultaneously (real Adobe update, actual browser patches)
- Add unrelated performance issues (aging hardware, network configuration problems) creating diagnostic noise
- Include misleading witness accounts (members confusing symptoms, attributing unrelated issues to malware)
- Compress business timelines (prospective members touring during Round 1, renewal decisions happening mid-incident)
Round 1: Ambiguous Detection & Conflicting Priorities (45-50 minutes)
Modified Opening (Minute 0)
“It’s Friday at 2:00 PM at Innovation Hub, and you’re responding to what’s been described as ‘some kind of computer problems.’ The initial brief from Jennifer is vague: ‘We have members reporting browser issues, but it’s unclear if this is malware, network problems, or just user error. Carlos is investigating, but he’s getting contradictory information. Diana says the community is confused—some members think it’s serious, others think people are overreacting. Robert is concerned about prospective tours starting in 90 minutes. We need you to figure out what’s actually happening and whether we have a crisis or just normal IT noise.’
Your challenge: Make high-stakes decisions with incomplete and potentially contradictory information. Justify your reasoning under pressure.”
Ambiguous Investigation Clues
Minute 5 - Conflicting Initial Reports: Carlos shows you preliminary findings: “I’m seeing browser modifications on some systems, but I’m also seeing legitimate browser extension updates from Google and Mozilla that happened yesterday. Some members report installing ‘productivity software’—but we also pushed legitimate workspace management software on Tuesday. I can’t immediately tell what’s malicious versus normal activity. We need deeper analysis, but that takes time we might not have.”
Minute 10 - Red Herring Introduction: “Network monitoring shows unusual traffic patterns—but it correlates with the video podcast a member is recording today using high-bandwidth streaming. DNS logs show queries to recently registered domains—but also queries to legitimate new SaaS tools several members adopted this week. You’re seeing indicators that COULD be malicious but also have innocent explanations. How do you decide what to investigate first?”
Minute 15 - Unreliable Witness Accounts: Diana shares member interviews: “I talked to five affected members. Three say they installed ‘collaboration software’ from a website—but when I asked for the URL, they couldn’t remember exactly. One insists they didn’t install anything, but their browser is definitely modified. Another member says their browser issues started ‘last week sometime’ but also mentions they recently upgraded from Windows 10 to 11. Their timelines don’t match the other reports. I can’t establish a consistent infection timeline.”
Minute 20 - Legitimate Activity Masking Malicious: “You discover that Adobe released a legitimate Creative Suite update on Wednesday that 15 freelancers installed. Eight of those 15 ALSO have browser issues—but seven don’t. Did the Adobe update somehow interact badly with malware? Is the Adobe update itself suspicious? Or is this correlation without causation? Meanwhile, Microsoft pushed browser security updates for Edge yesterday that modified extension permissions. Some members think THAT’S causing problems, not malware.”
Advanced Challenge Questions (Present throughout Round 1):
Minute 12: “You have indicators that could represent malware or could be legitimate activity. If you declare this a security incident and you’re wrong, you disrupt 120 freelancers unnecessarily and damage workspace credibility. If you downplay it as normal IT issues and you’re wrong, malware spreads further. What’s your decision-making threshold for incident declaration?”
Minute 18: “Carlos needs to quarantine systems for deeper analysis, but that requires taking freelancers offline during business hours. Jennifer points out that false positive quarantines damage member trust as much as missing real incidents. How many systems do you quarantine for analysis, and what’s your justification?”
Minute 25: “The prospective members touring in 65 minutes might see quarantined workstations and active investigation. Robert asks: Do we reschedule and look evasive, proceed normally and risk them witnessing incident response, or brief them transparently and risk losing contracts? Your decision must account for the possibility you still don’t know if this is a real incident.”
Pressure-Driven Decision Point (Minute 30)
Forced Decision with Incomplete Information:
Jennifer demands a decision: “I need a recommendation RIGHT NOW because the tour group is 60 minutes out. Your options:
Option 1: Declare security incident, quarantine suspected systems, cancel today’s tours, and communicate workspace-wide about potential malware. Risk: If wrong, massive disruption and reputation damage.
Option 2: Continue investigation quietly, maintain normal operations, proceed with tours while your team investigates in background. Risk: If there IS malware, it spreads during investigation delay.
Option 3: Split approach—quarantine only the highest-confidence compromised systems (maybe 5-8), allow most operations to continue, brief tour group about ‘isolated’ investigation. Risk: Half-measure that might be too weak for real incident or too disruptive for false positive.
You must choose with the information you have now, knowing it’s incomplete. Justify your decision.”
Round 1 Advanced Debrief (Minutes 40-50)
“Your decision will have consequences in Round 2, but first: How did you handle the ambiguity? What was your confidence level in your decision, and what would have increased that confidence? When you had to balance false positive risks (over-reacting) against false negative risks (under-reacting), what factors drove your choice?”
Round 2: Cascading Consequences & Stakeholder Conflict (50-60 minutes)
Evolution Based on Round 1 Decision
If players declared full incident (Option 1): “Your aggressive response is revealing the truth—you WERE correct, this is FakeBat malware across 30+ systems. Carlos confirms malicious software and secondary payloads. However, your full quarantine approach disrupted 35 freelancers, and 8 of them are now complaining that they were false positives—their systems were clean, and you interrupted their client work unnecessarily. Were those 8 actually clean or did you miss something in initial assessment? Jennifer is fielding complaints: ‘You made the right call overall, but these 8 members don’t care about the 27 correctly identified infections—they care that you disrupted them wrongly. How do we handle their complaints?’”
If players chose quiet investigation (Option 2): “Your cautious approach avoided disruption but gave malware time to spread. Carlos’s deep investigation confirms FakeBat—but while you investigated quietly over 3 hours, the infection count grew from estimated 20 systems to confirmed 41 systems. Additionally, the tour group unknowingly saw compromised workstations during their visit. They didn’t recognize anything wrong, but Robert worries: ‘If they later learn they toured during an active unannounced malware incident, they’ll question our transparency. Do we notify them retroactively that there was an incident we hadn’t disclosed during their visit?’”
If players chose split approach (Option 3): “Your middle-ground approach partially worked but created complications. The 8 systems you quarantined were correct—definitely malware. But your ‘isolated incident’ messaging to tour group and members was undermined when Carlos discovered an additional 22 compromised systems during continued investigation. Diana reports: ‘Members are confused. You said isolated incident, but people are comparing notes and realizing dozens of systems were affected. Your messaging looks like downplaying rather than incomplete information at the time. They’re questioning whether they can trust workspace communication during incidents.’”
Advanced Pressure: Stakeholder Reliability Issues
Minute 55 - NPC Agenda Revelation:
Introduce complexity where NPC priorities create misinformation:
Jennifer (Workspace Manager) admits bias: “I need to be honest with you—when I was pushing back on full quarantine earlier, I wasn’t just worried about member experience. We have a cash flow situation this month. Losing even four memberships due to security concerns would create serious financial problems. I may have been unconsciously minimizing the incident severity because I couldn’t afford for this to be a major crisis. I apologize if my input led you astray.”
Carlos (Network Administrator) reveals capability limits: “I need to admit something. When I said I could quickly determine which systems were compromised, I oversold our monitoring capabilities. We don’t have endpoint detection on member-owned devices, and our network visibility is limited. The reason I’ve been giving you uncertain answers isn’t just because this is complex—it’s because our tooling isn’t adequate for this kind of investigation. I’ve been improvising with tools we have rather than tools we need.”
Diana (Community Manager) shares conflicting loyalty: “I’m getting direct messages from affected members asking me to keep their compromise confidential because they’re worried about professional reputation damage. They want their systems cleaned but don’t want workspace-wide communication that identifies them. I’m caught between transparency that protects the broader community and privacy requests from individual members. I may have filtered what I’ve been telling you based on what members asked me to keep quiet.”
Robert (Member Services) discloses revenue pressure: “I need to tell you something that affects our decision-making. Three of the affected freelancers are VIP members—they pay premium rates, refer new members, and essentially anchor our community. If we handle this wrong and they leave, we lose not just $1,000/month each in direct revenue but the referrals they bring. My instinct has been to prioritize their satisfaction over perfect security response. I haven’t been neutral in my recommendations.”
Advanced Challenge: “Now that you know your primary NPCs have been providing information filtered through their biases and limitations, how does that change your assessment of earlier decisions? What questions should you have asked that would have revealed these issues sooner?”
Complex Technical Escalation
Minute 65 - Sophisticated Adversary Adaptation:
“Carlos discovers something concerning: FakeBat appears to be adapting. After you implemented DNS blocking of known C2 domains, the malware switched to a Domain Generation Algorithm (DGA)—it’s now generating new domain names every few hours. Your blocklist approach is already obsolete. Additionally, on systems where you removed browser extensions, the malware is reinstalling them from encoded payloads stored in registry keys you hadn’t identified. The adversary’s infrastructure is more sophisticated than initial assessment suggested. Your containment approach may have been too simplistic.”
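The escalation above is the point where a static blocklist stops working. Below is an added example (not part of the exercise materials) of the kind of heuristic triage a responder in Carlos's position can run over resolver logs instead: it scores the shape of each queried name and groups likely-DGA queries by client. The log format, sample lines, thresholds and signal weights are all constructed assumptions.

```python
"""Heuristic DGA triage over DNS query logs (added example; not exercise material).

Once a loader rotates from fixed C2 domains to a DGA, a blocklist lags behind
every rotation. Scoring the shape of each queried name instead gives the
responder a rolling list of hosts to examine. Log format, sample lines,
thresholds and weights below are constructed assumptions.
"""
import math
from collections import Counter

# Constructed resolver log: "<epoch> <client-ip> <qname>" (not a real product format)
SAMPLE_LOG = """\
1700000001 10.20.0.14 www.github.com
1700000002 10.20.0.14 fonts.googleapis.com
1700000003 10.20.0.21 xk3j9qzp2wvb7tm4.net
1700000004 10.20.0.21 lq8dfw2vbzx4nrc.com
1700000005 10.20.0.33 d1a2b3c4e5.cloudfront.net
1700000006 10.20.0.21 p0v7zyhq3kc2mnx9.org
1700000007 10.20.0.33 professionalcommunity.org
malformed line that the parser must skip
"""
VOWELS = set("aeiou")

def shannon_entropy(text: str) -> float:
    """Entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registrable_label(qname: str) -> str:
    """Label left of the TLD, so random CDN subdomains do not skew the score.
    Naive assumption: a single-label public suffix such as .com or .net."""
    parts = qname.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname: str) -> int:
    """Count of DGA-like signals (0-4): high entropy, long, digit-heavy, vowel-poor."""
    label = registrable_label(qname)
    if not label:
        return 0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    signals = (
        shannon_entropy(label) > 3.3,  # random-looking character mix
        len(label) >= 12,              # generated labels tend to be long
        digit_ratio > 0.15,            # digits rarely cluster in real brand names
        vowel_ratio < 0.2,             # unpronounceable
    )
    return sum(signals)

def is_likely_dga(qname: str, threshold: int = 3) -> bool:
    """Flag when at least `threshold` of the 4 signals fire (tune per environment)."""
    return dga_score(qname) >= threshold

def suspicious_clients(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to the likely-DGA names it queried; malformed lines skipped."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        _ts, client, qname = fields
        if is_likely_dga(qname):
            hits.setdefault(client, []).append(qname)
    return hits

if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

A long dictionary-word name like professionalcommunity.org trips the entropy and length signals but not the digit or vowel ones, which is why the flag needs three of four; every threshold here is a starting point to calibrate against the workspace's own benign traffic.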
Minute 70 - Third-Party Complication:
“You receive an email from an external security researcher: ‘I noticed traffic from your IP range connecting to infrastructure associated with an active FakeBat campaign. I’m researching this threat actor group for a conference presentation. I can provide detailed technical analysis if you’re interested—but I’ll also be presenting about organizations affected by this campaign publicly in two weeks. You may want to coordinate messaging.’ This researcher could be helpful or could publicize your incident to the security community. How do you engage?”
Forced Ethical Dilemma (Minute 75)
Credential Theft Client Notification Ambiguity:
“You’ve identified 8 systems with credential stealer deployment. Carlos provides probabilities: ‘I’m certain these 8 had stealers installed. I’m 80% confident credentials were exfiltrated from 6 of them based on network traffic analysis. I’m 60% confident credentials from the remaining 2 were also stolen, but I don’t have definitive proof—just suspicious indicators. The problem? I ALSO found suspicious indicators on 4 additional systems, but I’m only 40% confident those had credential theft. Do we advise client notification for the certain 6, the probable 8, or the possible 12?’
Diana adds social context: ‘Each notification carries professional consequences. The affected freelancers are asking for certainty before they notify clients and potentially damage relationships. But waiting for certainty might delay notification beyond the point where clients can effectively respond to compromised credentials. What’s your recommendation?’”
Advanced Challenge Question: “You must recommend notification strategy knowing that false positives (notifying when credentials weren’t stolen) and false negatives (not notifying when credentials were stolen) both have serious consequences. Walk through your risk assessment and decision rationale.”
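One way to make the "certain 6, probable 8, or possible 12" choice explicit is to treat it as an expected-cost problem. The added example below (not part of the exercise materials) derives the notification threshold from the relative cost of a wasted notification versus an unnotified theft, applies it to Carlos's three confidence tiers, and models the scenario's point that waiting for certainty makes a missed notification more expensive. The cost figures and the delay model are constructed placeholders.

```python
"""Expected-cost notification threshold for the credential-theft dilemma.

Added example, not part of the exercise material. Carlos's confidence levels
(0.8 for 6 systems, 0.6 for 2, 0.4 for 4) come from the scenario; every cost
figure below is a constructed placeholder the responder replaces with their
own estimate of a wasted notification versus an unnotified breach.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    name: str
    systems: int
    p_stolen: float  # Carlos's confidence that credentials were exfiltrated

TIERS = (Tier("certain", 6, 0.8), Tier("probable", 2, 0.6), Tier("possible", 4, 0.4))

def notify_threshold(cost_fp: float, cost_fn: float) -> float:
    """Probability at which notifying and waiting have equal expected cost.

    Notifying a clean system wastes cost_fp with probability (1 - p); staying
    silent on a stolen credential costs cost_fn with probability p. Setting
    (1 - p) * cost_fp == p * cost_fn gives p* = cost_fp / (cost_fp + cost_fn).
    """
    if cost_fp < 0 or cost_fn <= 0:
        raise ValueError("cost_fp must be non-negative and cost_fn positive")
    return cost_fp / (cost_fp + cost_fn)

def expected_costs(tier: Tier, cost_fp: float, cost_fn: float) -> tuple[float, float]:
    """(expected cost if we notify, expected cost if we wait) summed over the tier."""
    notify = (1 - tier.p_stolen) * cost_fp * tier.systems
    wait = tier.p_stolen * cost_fn * tier.systems
    return notify, wait

def decision_table(cost_fp: float, cost_fn: float, tiers=TIERS) -> dict[str, str]:
    """Per-tier recommendation; ties resolve toward notifying."""
    threshold = notify_threshold(cost_fp, cost_fn)
    return {t.name: ("notify" if t.p_stolen >= threshold else "wait") for t in tiers}

def systems_to_notify(cost_fp: float, cost_fn: float, tiers=TIERS) -> int:
    """Number of systems whose owners should be advised to notify clients."""
    table = decision_table(cost_fp, cost_fn, tiers)
    return sum(t.systems for t in tiers if table[t.name] == "notify")

def cost_fn_after_delay(base_cost_fn: float, days: float, daily_growth: float) -> float:
    """Constructed linear model of the scenario's timing point: the longer a client
    stays unaware of a stolen credential, the more damage it can do, so waiting
    for certainty raises cost_fn and pushes the threshold down."""
    return base_cost_fn * (1 + daily_growth * days)

if __name__ == "__main__":
    for fp, fn in ((1, 1), (4, 1), (1, 4)):
        print(f"cost_fp={fp} cost_fn={fn} -> threshold {notify_threshold(fp, fn):.2f},",
              f"notify {systems_to_notify(fp, fn)} systems:", decision_table(fp, fn))
    delayed = cost_fn_after_delay(1, days=5, daily_growth=0.5)
    print(f"after a 5-day wait for certainty: notify {systems_to_notify(1, delayed)} systems")
```

With equal costs the rule lands on the "probable 8"; if a wasted notification is judged four times as costly as a missed one, only the "certain 6" clear the bar, and if a missed one is four times as costly, all 12 do. The delay model shows the same tiers sliding toward "notify" as the days of waiting accumulate, which is the trade-off the dilemma asks players to defend.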
Round 2 Advanced Debrief (Minutes 85-95)
“How did discovering NPC biases and limitations change your approach to stakeholder input? What questions do you now ask when NPCs provide recommendations?”
“The adversary adapted to your containment measures. In what ways was your initial response too simplistic, and how do you handle sophisticated adversaries in resource-constrained environments like coworking spaces?”
“The client notification dilemma required decision-making under uncertainty with probability ranges rather than definitive answers. How did you approach that ethical decision? What role does probability threshold play in notification obligations?”
“The external security researcher presented both opportunity (technical help) and risk (public disclosure). How did you evaluate engaging with third parties during active incidents?”
Round 3: Long-Term Consequences & Systemic Learning (50-60 minutes)
Final Evolution (Minute 95)
“It’s two weeks post-incident. Your immediate technical response is complete—malware removed, systems cleaned, monitoring enhanced. But you’re now experiencing the delayed consequences of decisions made under pressure and uncertainty during the incident. This round focuses on the AFTERMATH: reputation impacts, relationship damage, policy questions, and systemic learning. Your previous decisions created the situation you’re now managing.”
Consequence Scenarios (Based on Player Decisions)
Consequence Thread 1 - If False Positives Occurred: “The 8 freelancers whose systems were quarantined but turned out to be clean have filed a formal complaint with workspace management. Their letter states: ‘We understand security is important, but the disruption to our client work was not justified. Our systems were clean, our work was interrupted unnecessarily, and our professional reputations suffered from missed deadlines. We request compensation for business lost during incorrect quarantine.’ Jennifer asks: ‘Do we compensate them for our false positive? What’s the precedent that sets?’”
Consequence Thread 2 - If Delayed Response Occurred: “Your cautious approach during initial detection allowed the infection to spread to 41 systems instead of the initial 20. A member whose system was compromised during your investigation period hired an attorney. The attorney’s letter argues: ‘Our client’s workstation became infected during your investigation phase when you were aware of potential malware but had not implemented network-wide protections. Had you acted more aggressively upon initial indicators, our client’s system would not have been compromised. We assert negligence in incident response timing.’ This is potential legal liability from delayed action.”
Consequence Thread 3 - If Messaging Was Inconsistent: “Your incident communication evolved as you learned more—but members interpreted changes as inconsistency or dishonesty. A detailed post appeared on a freelancer community forum: ‘Innovation Hub told us it was an isolated incident, then it turned out to be 30+ systems. They said they had it contained, then we learned malware was adapting to their blocks. Their messaging throughout was either incompetent or deliberately deceptive. I don’t know which is worse.’ Robert shows you this post with 47 comments, mostly negative. How do you address public reputation damage from communication perceived as misleading?”
Consequence Thread 4 - If Client Notifications Were Delayed: “You advised credential theft notifications after gathering certainty. That took 5 days for definitive forensic confirmation. One affected freelancer’s client experienced unauthorized access to their project management system during those 5 days. The client’s attorney contacted workspace management: ‘Had we been notified immediately upon suspicion of credential theft, we would have rotated credentials and prevented unauthorized access. The delay between suspected compromise and notification resulted in actual data breach for our organization. We are exploring legal recourse.’ This is the notification timing dilemma manifesting as actual consequences.”
Systemic Learning Phase (Minutes 95-125)
Strategic Assessment Questions:
1. Incident Response Process Evaluation:
“Knowing what you know now, what would you change about your incident response process? Consider:
- Decision-making under uncertainty: What thresholds do you use for declaring incidents versus continuing investigation?
- Stakeholder information filtering: How do you account for NPC biases and limitations when making decisions based on their input?
- False positive tolerance: What level of disruption from false positives is acceptable to avoid false negatives from missed threats?
- Communication evolution: How do you message ongoing incidents when information is incomplete and changing?
- External party engagement: When do you involve third parties like security researchers, law enforcement, or specialized IR firms?”
2. Coworking-Specific Policy Development:
“FakeBat exposed gaps in workspace security policies. Develop comprehensive policies addressing:
- Shared infrastructure security: What network-level protections are workspace responsibility versus member responsibility?
- Endpoint security standards: Can/should workspace require security software on member-owned devices?
- Incident notification: What triggers workspace-wide communication versus targeted affected-member-only notification?
- Liability and compensation: When is workspace liable for member business impact from shared infrastructure compromise?
- Client data protection: What guidance does workspace provide members about protecting client information in shared environments?”
3. Technical Architecture Reassessment:
“Your response revealed technical capability gaps. Carlos identified insufficient monitoring, limited endpoint visibility, and inadequate containment tools. Design improved technical architecture:
- Monitoring and detection: What visibility do you need into member-owned devices sharing workspace network?
- Network segmentation: How do you isolate members from each other while maintaining collaborative workspace feel?
- Incident response tools: What capabilities would have changed your response effectiveness during this incident?
- Budget constraints: Workspace has limited security budget—prioritize improvements with cost-benefit analysis.”
4. Community Trust Rebuilding:
“The freelancer community forum post damaged reputation beyond immediate member base. Develop comprehensive reputation recovery strategy:
- Transparency versus privacy: How do you publicly address the incident while protecting affected members’ professional reputations?
- Accountability demonstration: What actions prove you learned from mistakes rather than just defended your response?
- Competitive differentiation: Can you transform this incident into demonstration of security commitment that attracts security-conscious freelancers?
- Industry leadership: Do you share lessons learned with broader coworking community to establish thought leadership?”
Final Pressure Event (Minute 115)
Board of Directors Review:
“Jennifer convenes workspace leadership and board members for incident review. Board members ask pointed questions:
Board Member 1 (Finance Focus): ‘This incident cost us $23,000 in remediation, compensation, and lost revenue. Your proposed improvements cost an additional $30,000. We’re a small business operating on thin margins. Justify this security investment when we’ve already spent heavily on an incident that, frankly, could happen again despite our improvements.’
Board Member 2 (Liability Focus): ‘We have potential legal exposure from three separate claims: false positive disruption, delayed response negligence, and notification timing. Our insurance may not cover all of these. Before we invest in security improvements, shouldn’t we invest in legal protection and liability limitation? Maybe tighter membership agreements that disclaim workspace responsibility for member device security?’
Board Member 3 (Growth Focus): ‘I’m concerned this incident has permanently damaged our brand in the freelancer community. That forum post has 47 negative comments. Maybe rather than trying to rebuild reputation here, we should pivot our business model—target different client segments less concerned about security, or franchise our workspace model to other cities where this incident isn’t known. Why fight this reputation battle?’
Board Member 4 (Security Focus): ‘I’m the only board member with technical background, and I’m frustrated. This incident was preventable with basic security practices we should have had from day one. The question isn’t whether we invest in security—it’s whether we stay in business without it. But I also recognize the other board members’ concerns are legitimate. How do we balance security requirements with financial reality and legal risk?’
You must respond to this board meeting, defending your incident response AND your forward-looking recommendations despite criticism from multiple angles. This is not a technical debrief—this is business leadership justification.”
Round 3 Advanced Debrief (Minutes 130-150)
Comprehensive Advanced Challenge Debrief:
Decision-Making Under Uncertainty: “Throughout this scenario, you made high-stakes decisions with incomplete information, conflicting stakeholder input, and time pressure. Walk through your decision-making framework—what factors did you weight most heavily, and how did you manage the discomfort of deciding without certainty?”
False Positive vs. False Negative Trade-offs: “Security involves balancing two types of errors: false positives (treating benign activity as threats, causing unnecessary disruption) and false negatives (missing real threats, allowing damage). You experienced both in this scenario. What’s your philosophy on acceptable false positive rates to minimize false negatives, and how does business context affect that balance?”
Stakeholder Bias Recognition: “All four NPCs revealed biases and limitations that affected their recommendations. In real incident response, you rarely have perfect information from perfectly objective sources. What questions or approaches help you identify when stakeholders are filtering information through their agendas or limitations?”
Adaptive Adversaries: “FakeBat adapted to your containment measures using DGA and alternate persistence mechanisms. Many incident responders develop a containment plan and execute it—but sophisticated adversaries require iterative response. How do you build adaptive thinking into incident response when threats evolve faster than your remediation?”
Ethical Dilemmas: “The credential notification scenario required deciding whether to notify clients based on probability ranges rather than certainty. You had 60%, 80%, and 40% confidence levels for different systems. What’s your ethical framework for notification decisions—do you notify on any suspicion, wait for high confidence, or require certainty? How do you defend that position?”
Communication Evolution: “Your understanding of the incident evolved across three rounds, and your communication evolved accordingly. Some members perceived this as inconsistency or dishonesty rather than appropriate information updates. How do you communicate evolving situations without creating perception of changing stories or hidden information?”
Long-Term Consequence Integration: “Round 3 presented delayed consequences from earlier decisions—legal claims, reputation damage, board criticism. In real incidents, you often don’t experience these consequences until weeks or months later. How do you integrate long-term consequence prediction into urgent incident response decision-making?”
Resource Constraints: “Throughout this scenario, you faced budget limitations, insufficient technical tooling, and business pressure to minimize security investments. Most incident responders work in resource-constrained environments. How do you advocate for necessary security resources while acknowledging legitimate business limitations? What’s your approach to security on a budget?”
Systemic Learning: “Beyond technical lessons (FakeBat’s pay-per-install model, loader/dropper capabilities, browser hijacking), what systemic lessons do you take from this scenario about coworking security, shared responsibility models, community-based business incident response, and incident communication in semi-public environments?”
Personal Reflection: “This Advanced Challenge version removed reference materials, introduced ambiguity, and pressured you with incomplete information. How did that feel compared to scenarios with clear answers? In your actual professional environment, what percentage of security decisions feel like the ambiguous Advanced Challenge versus clear-cut scenarios? What does that suggest about how we should practice and prepare for real incident response?”
Advanced Challenge Key Learning Objectives
Mastery-Level Technical Concepts:
- Multi-stage malware behavior across different infection phases
- Adaptive threat actor TTPs and countermeasure evolution
- Forensic analysis under uncertainty with probability-based conclusions
- Coworking/shared environment security architecture challenges
Complex Business & Ethical Reasoning:
- Decision-making under uncertainty with incomplete and conflicting information
- Stakeholder bias recognition and information source evaluation
- False positive/false negative trade-off philosophy in business contexts
- Notification ethics when probability rather than certainty governs
- Resource constraint navigation while maintaining security effectiveness
- Legal liability implications of incident response timing and thoroughness
Advanced Soft Skills:
- Board-level communication justifying security decisions to non-technical leadership
- Managing stakeholder relationships when their biases affected incident response
- Reputation recovery following communication perceived as inconsistent
- Defending decisions made under pressure when better options exist in hindsight
- Facilitation of difficult post-incident learning without defensiveness
Meta-Skills (Learning How to Learn):
- Recognition of when scenarios feel artificially clean versus realistic ambiguity
- Integration of long-term consequence prediction into urgent decision-making
- Development of personal decision-making frameworks for uncertainty
- Calibration of confidence levels and acknowledgment of knowledge limits
- Adaptive thinking when threats evolve faster than planned responses