GaboonGrabber Scenario: Healthcare Implementation Crisis

MedTech Solutions: Healthcare technology, 200 employees
Phishing • GaboonGrabber
STAKES
Patient safety data + HIPAA compliance + Life-critical medical device networks
HOOK
MedTech Solutions is in the final week of their largest client implementation, with Riverside General Hospital going live Monday morning. The attacker has been monitoring email traffic and knows that IT staff are working overtime, making them more likely to click through security warnings to keep the project on track.
PRESSURE
Riverside General Hospital goes live with new EMR system in 3 days - delays risk patient safety
FRONT • 90 minutes • Intermediate
NPCs
  • Sarah Chen (IT Director): Extremely stressed about hospital go-live, knows about recent security warnings but hasn't investigated thoroughly, primarily concerned about meeting project deadline
  • Mike Rodriguez (Head Nurse, Riverside General): Frustrated with EMR training delays, pressuring for system stability, doesn't understand IT security concerns
  • Jennifer Park (Chief Operating Officer): Unaware of security incident, focused on regulatory compliance, will resist anything that delays client implementation
  • David Kim (Riverside General CIO): Calling hourly for project updates, threatens contract penalties if go-live delayed, represents $2M annual revenue
SECRETS
  • IT department bypassed normal software approval process for 'critical updates' during crunch time, removing key defense layer
  • Management has been pressuring IT to prioritize 'user experience' over security to improve client satisfaction scores
  • Attacker specifically targets healthcare implementations knowing security awareness drops during high-pressure project phases

Planning Resources

Tip 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

GaboonGrabber Healthcare Phishing Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

GaboonGrabber Healthcare Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

MedTech Solutions: Healthcare Implementation Crisis During Hospital Go-Live

Quick Reference

  • Organization: Healthcare technology consulting and implementation firm, 200 employees across 4 offices, 25-person implementation team working on Riverside General Hospital EMR deployment
  • Key Assets at Risk: Proprietary EMR platform and implementation methodologies, Client healthcare data and hospital network VPN access, $2M annual recurring revenue contract, Regional healthcare market reference case
  • Business Pressure: Monday 8am hospital go-live deadline (72 hours away)—CEO personally invested in hospital leadership relationship, strategic importance for regional healthcare market expansion
  • Core Dilemma: Meet the go-live deadline, preserving client satisfaction and contract revenue, BUT deploy potentially compromised systems into a hospital environment; OR delay deployment for security verification, protecting patient safety, BUT lose the CEO relationship and damage regional market reputation
Detailed Context
Organization Profile

  • Type: Healthcare technology consulting and implementation
  • Size: 200 employees across 4 offices
  • Implementation Team: 25 staff working on Riverside General

Key Assets:
  • Proprietary EMR platform
  • Implementation methodologies
  • Client healthcare data
  • Hospital network access (VPN)

Business Pressure

  • Contract Value: $2M annual recurring revenue
  • Strategic Importance: Reference case for regional healthcare market expansion
  • Executive Involvement: CEO personally invested in hospital leadership relationship
  • Regulatory Environment: HIPAA, SOC 2, healthcare vendor security requirements
  • Timeline: Monday 8am go-live (72 hours away)

Cultural Factors
  • High-pressure project culture: Deadlines frequently override normal processes
  • Client-first mentality: Customer satisfaction prioritized over internal procedures
  • Recent management push: “User experience” over security for client satisfaction scores
  • IT culture: Staff click through security warnings during crunch periods

Hook

“It’s Friday afternoon at MedTech Solutions, and the mood should be celebratory - your biggest implementation ever goes live Monday morning at St. Mary’s Hospital. But instead of champagne, there’s growing concern. Multiple staff members are reporting computer slowdowns, and the help desk has received several calls about unexpected pop-ups. Yesterday during the final push, several IT staff received what appeared to be critical security updates. With everything riding on Monday’s go-live, investigate what’s happening.”

Initial Symptoms to Present:

Warning 🚨 Initial User Reports
  • “Computers running 30% slower since yesterday afternoon”
  • “Help desk reports 5 calls about unexpected pop-ups appearing”
  • “IT staff mention receiving ‘urgent security update’ emails Thursday evening”
  • “Some applications taking longer to start than usual”

Key Discovery Paths:

Detective Investigation Leads:

  • Email logs show suspicious ‘SecurityUpdate.exe’ attachments from fake IT security vendor
  • Process monitoring reveals unfamiliar executables running from temp directories
  • Registry analysis shows new startup entries for legitimate-sounding but suspicious processes
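The three Detective leads above can be checked with a single triage pass over the evidence an IM hands the team. The script below is an added example for facilitators and is not part of the scenario materials or of any GaboonGrabber analysis: the mail-gateway log lines, process listing, Run-key entries and the sender allowlist are all constructed, and the `SecurityUpdate.exe` name and `micr0soft-security.com` domain are taken from the clues on this page. It flags executable attachments from senders outside the allowlist, running images whose path sits in a temp directory, and autostart entries that point into one.

```python
import re
from dataclasses import dataclass

# Constructed sample evidence (not from the scenario materials): a few mail-gateway
# log lines, a process listing and Run-key entries shaped like the Detective leads.
EMAIL_LOG = """\
2024-01-11T17:42:10 from=alerts@micr0soft-security.com to=jdoe@medtech.example subj="CRITICAL UPDATE" attach=SecurityUpdate.exe
2024-01-11T17:43:02 from=alerts@micr0soft-security.com to=asmith@medtech.example subj="CRITICAL UPDATE" attach=SecurityUpdate.exe
2024-01-11T18:05:44 from=noreply@medtech.example to=jdoe@medtech.example subj="Go-live checklist" attach=checklist.xlsx
2024-01-11T18:20:31 from=billing@vendor.example to=ap@medtech.example subj="Invoice" attach=invoice.pdf
"""

PROCESS_LIST = [  # (pid, image path) as a process monitor would list them
    (4120, r"C:\Windows\System32\svchost.exe"),
    (5312, r"C:\Users\jdoe\AppData\Local\Temp\SecurityUpdate.exe"),
    (6001, r"C:\Program Files\EMRClient\emr.exe"),
    (6188, r"C:\Windows\Temp\WinUpdateSvc.exe"),
]

RUN_KEYS = [  # (value name, command) from HKCU/HKLM ...\CurrentVersion\Run
    ("OneDrive", r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Windows Security Service", r"C:\Users\jdoe\AppData\Local\Temp\SecurityUpdate.exe /silent"),
]

# Domains the organization legitimately exchanges mail with (constructed allowlist).
TRUSTED_SENDER_DOMAINS = {"medtech.example", "vendor.example"}
EXECUTABLE_EXTS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta"}
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
LOG_RE = re.compile(r"from=(?P<sender>\S+) .*?attach=(?P<attach>\S+)")


@dataclass(frozen=True)
class Finding:
    source: str   # "email", "process" or "registry"
    detail: str


def suspicious_attachments(log_text: str) -> list:
    """Executable attachments sent from domains outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        sender_domain = m["sender"].rsplit("@", 1)[-1].lower()
        attach = m["attach"]
        ext = attach[attach.rfind("."):].lower() if "." in attach else ""
        if ext in EXECUTABLE_EXTS and sender_domain not in TRUSTED_SENDER_DOMAINS:
            findings.append(Finding("email", f"{attach} from {sender_domain}"))
    return findings


def processes_from_temp(procs) -> list:
    """Running images whose path contains a temp directory."""
    return [Finding("process", f"pid {pid}: {path}")
            for pid, path in procs if TEMP_PATH_RE.search(path)]


def run_keys_from_temp(entries) -> list:
    """Autostart entries that launch something out of a temp directory."""
    return [Finding("registry", f"{name} -> {cmd}")
            for name, cmd in entries if TEMP_PATH_RE.search(cmd)]


def triage(log_text=EMAIL_LOG, procs=PROCESS_LIST, entries=RUN_KEYS) -> list:
    """All findings, in the order an investigator would walk the three leads."""
    return suspicious_attachments(log_text) + processes_from_temp(procs) + run_keys_from_temp(entries)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.detail}")
```

Run as-is it prints five findings: two phishing attachments, two temp-directory processes and one temp-directory autostart entry, which is exactly the chain the Detective is meant to assemble (lure, payload, persistence). The temp-path pattern is deliberately broad; in a real environment the team would pair it with an allowlist of known installers that legitimately stage in temp.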

Protector System Analysis:

  • Memory scans reveal process injection into legitimate Windows processes
  • Network monitoring shows unusual outbound connections to suspicious domains
  • System performance metrics indicate hidden processes consuming CPU and memory

Tracker Network Investigation:

  • DNS logs show queries to recently registered domains mimicking security vendors
  • Network traffic analysis reveals encrypted communication to command and control servers
  • Email flow analysis shows phishing campaign specifically targeted during implementation stress

Communicator Stakeholder Interviews:

  • IT staff admit clicking on urgent security updates due to project pressure
  • Hospital staff expressing concerns about system stability before go-live
  • Management inquiry reveals pressure to approve software quickly for client satisfaction

Mid-Scenario Pressure Points:

Evolution Triggers:

Resolution Pathways:

Technical Success Indicators:

Business Success Indicators:

Learning Success Indicators:

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“That’s excellent analysis of the process injection techniques. How does this information help you communicate the urgency to hospital leadership who are calling for updates?”

If Business Stakeholders Are Ignored:

“While you’re conducting this thorough investigation, Sarah just got another call from the hospital CIO asking for go-live confirmation. How do you handle that conversation?”

If Social Engineering Aspect Is Missed:

“The technical indicators are clear, but what made the IT staff click on these particular emails during this specific time period?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

Lunch & Learn (75-90 min)

Full Game (120-140 min)

Advanced Challenge (150-170 min)


Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “You discover an email from ‘Microsoft Security’ with the subject ‘CRITICAL UPDATE: Please install immediately.’ It was sent to all IT staff working on the Riverside General project.”

Clue 2 (Minute 10): “Analyzing the email header reveals that the sender’s domain is ‘micr0soft-security.com’ - with a zero instead of an ‘o’. It’s a well-crafted phishing attempt.”

Clue 3 (Minute 15): “You find a new process running on several workstations: ‘SecurityUpdate.exe’. It’s communicating with a suspicious IP address located in a foreign country.”
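Clue 2 turns on a single swapped character, and the Tracker lead about domains mimicking security vendors is the same problem at scale. As an added example for IMs who want to show players how such lookalikes are caught automatically (not part of the scenario materials), the script below normalizes common homoglyph substitutions, collapses separators, and compares the result against a constructed list of protected domains; `micr0soft-security.com` is the domain from Clue 2, while the allowlist, the other sample senders and the similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Brands and partner domains whose mail the team actually expects (constructed allowlist).
PROTECTED_DOMAINS = ["microsoft.com", "medtech.example", "riversidegeneral.example"]

# Characters attackers swap for look-alike letters; "0" for "o" is the one in Clue 2.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "8": "b", "@": "a", "$": "s"})
NEAR_MISS_THRESHOLD = 0.85   # similarity above which a one-letter slip counts as a typosquat

# Constructed sender addresses from the kind of mail log the Detective sees.
SAMPLE_SENDERS = [
    "alerts@micr0soft-security.com",
    "noreply@medtech.example",
    "billing@vendor.example",
    "it-support@riversidegeneral.example",
]


def registrable_label(domain: str) -> str:
    """'alerts.micr0soft-security.com' -> 'micr0soft-security' (label left of the TLD)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Undo homoglyph substitutions and drop separators so variants collapse together."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def classify_domain(domain: str):
    """Return {'target', 'reason'} if `domain` imitates a protected domain, else None."""
    d = domain.lower().strip(".")
    candidate = normalize(registrable_label(d))
    for protected in PROTECTED_DOMAINS:
        # The real domain (or one of its subdomains) is never a lookalike of itself.
        if d == protected or d.endswith("." + protected):
            return None
        p = normalize(registrable_label(protected))
        if candidate == p:
            return {"target": protected, "reason": "homoglyph substitution"}
        if p in candidate:
            return {"target": protected, "reason": "brand embedded in a longer label"}
        if SequenceMatcher(None, candidate, p).ratio() >= NEAR_MISS_THRESHOLD:
            return {"target": protected, "reason": "near-miss spelling"}
    return None


def flag_senders(addresses) -> dict:
    """Map each sender address to its classification, keeping only the lookalikes."""
    flagged = {}
    for addr in addresses:
        hit = classify_domain(addr.rsplit("@", 1)[-1])
        if hit:
            flagged[addr] = hit
    return flagged


if __name__ == "__main__":
    for addr, hit in flag_senders(SAMPLE_SENDERS).items():
        print(f"{addr}: imitates {hit['target']} ({hit['reason']})")
```

The three reasons map to three common tricks: a pure homoglyph swap (`micros0ft.com`), a brand buried inside a longer, plausible-sounding label (`micr0soft-security.com`, the Clue 2 case), and a dropped or transposed letter (`microsft.com`). The threshold is a judgement call; lower it and more legitimate partner domains start to trip it, which is a useful point to raise when players ask why the mail gateway did not simply block the message.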


Pre-Defined Response Options

Option A: Isolate & Re-image

Option B: Network Segmentation

Option C: Block Malicious Domain


Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Investigation Clues:

Response Options (Choose One):

Round Transition Guidance:

After the Round 1 response, GaboonGrabber’s next stage activates based on the team’s choice:

Round 2: Scope Assessment & Response (30-35 min)

Investigation Clues:

Response Options (Choose One):

IM Facilitation Notes:

This round introduces regulatory compliance and ethical dimensions. Players must balance:

Key Discussion Points:


Full Game Materials (120-140 min, 3 rounds)

Investigation Sources Catalog

System Logs & Forensics:

Email & Communications:

Stakeholder Interviews:

System Analysis:

Network Traffic Analysis:

External Research & Context:

Response Evaluation Criteria

Type-Effective Approaches (Trojan/Stealth Malmons):

Common Effective Strategies:

Common Pitfalls:

Adjudicating Novel Approaches

Hybrid Solutions (Encourage with Guidance):

Creative But Problematic (Redirect Thoughtfully):

Risk Assessment Framework:

When players propose novel approaches, evaluate:

  1. Legal Compliance: Does this meet HIPAA breach notification requirements?
  2. Patient Safety: Could remaining malware compromise hospital operations or patient data?
  3. Business Viability: Does this preserve key relationships while addressing root issues?
  4. Technical Effectiveness: Does this actually remove GaboonGrabber or just hide symptoms?
  5. Ethical Soundness: Can the team defend this decision to patients whose data was breached?

Example Adjudication:

Player Proposal: “We’ll implement kill-switch domain registration to disable GaboonGrabber C2, then do phased remediation over 2 weeks while go-live proceeds.”

IM Response: “Interesting approach - you’re thinking about active defense. However, GaboonGrabber’s threat intelligence indicates it uses domain generation algorithms (DGA) for backup C2s - killing one domain may not be sufficient. Additionally, Sarah reports memory forensics shows it’s already deployed persistence mechanisms. How does phased remediation address the already-established backdoor? And what do you tell David Kim about the 2-week window?”

Guidance for Players: Encourage them to consider a multi-layered approach: C2 disruption + immediate isolation + forensic verification of DGA domains + accelerated remediation with external help.
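The “forensic verification of DGA domains” step in the guidance above is where the IM can show why taking down one C2 domain is not enough. The script below is an added example for facilitators, not part of the scenario materials and not a description of how GaboonGrabber actually generates domains: it scores the registrable label of each queried name with simple lexical heuristics (vowel ratio, digit ratio, consonant runs), groups the random-looking names by the workstation that asked for them, and lists the ones that resolved. The resolver log lines, client addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed DNS resolver log lines (not from the scenario materials): one workstation
# querying the Clue 2 lookalike domain plus several random-looking names, one of which
# resolves and would therefore survive a takedown of the first C2 domain.
DNS_LOG = """\
2024-01-12 09:01:03 client=10.20.5.17 query=micr0soft-security.com rcode=NOERROR
2024-01-12 09:01:05 client=10.20.5.17 query=xkq7v3pzlm9d.net rcode=NXDOMAIN
2024-01-12 09:01:06 client=10.20.5.17 query=wq8ztlv0xhdp.com rcode=NXDOMAIN
2024-01-12 09:01:07 client=10.20.5.17 query=gh4mz9qprtk2.org rcode=NOERROR
2024-01-12 09:01:10 client=10.20.5.17 query=update.microsoft.com rcode=NOERROR
2024-01-12 09:02:00 client=10.20.5.22 query=emr.riversidegeneral.example rcode=NOERROR
2024-01-12 09:02:03 client=10.20.5.22 query=office.com rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)")
VOWELS = set("aeiouy")   # y counted as a vowel so words like "cryptography" are not flagged


def registrable_label(domain: str) -> str:
    """'emr.riversidegeneral.example' -> 'riversidegeneral'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label: str) -> dict:
    """Lexical features that separate pronounceable names from algorithmic ones."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in letters)
    longest = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0   # a vowel, digit or separator breaks the consonant run
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "digit_ratio": digits / len(label) if label else 0.0,
        "longest_consonant_run": longest,
    }


def is_dga_like(domain: str) -> bool:
    """Heuristic: long label that is nearly vowel-free, digit-heavy or has a long consonant run."""
    f = label_features(registrable_label(domain))
    if f["length"] < 8:
        return False   # short labels carry too little signal to judge
    return (f["vowel_ratio"] < 0.2 or f["digit_ratio"] >= 0.2
            or f["longest_consonant_run"] >= 5)


def parse(log_text: str):
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["query"].lower(), m["rcode"]


def suspect_domains_by_client(log_text: str) -> dict:
    """DGA-like names grouped by the querying host, in first-seen order."""
    seen = defaultdict(list)
    for client, query, _ in parse(log_text):
        if is_dga_like(query) and query not in seen[client]:
            seen[client].append(query)
    return dict(seen)


def live_candidates(log_text: str) -> list:
    """DGA-like names that actually resolved: the backup C2s a single takedown would miss."""
    return [q for _, q, rcode in parse(log_text) if is_dga_like(q) and rcode == "NOERROR"]


if __name__ == "__main__":
    for client, names in suspect_domains_by_client(DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries -> {', '.join(names)}")
    print("resolved (live) candidates:", live_candidates(DNS_LOG))
```

On the sample log the lookalike `micr0soft-security.com` is not flagged here (it is a dictionary-word domain and belongs to the lookalike check), but the same workstation issues three algorithmic-looking queries, one of which resolves. That is the fact the IM can put in front of a team proposing a single kill-switch registration: the host already has another live path out. The heuristics are deliberately simple and will misfire on some legitimate short or consonant-heavy names, so in practice they rank candidates for a human rather than block on their own.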


Advanced Challenge Materials (150-170 min, 3 rounds)

Complexity Layer: Ambiguous Evidence

Subtle Indicators:

Incomplete Information:

Technical Ambiguity:

Complexity Layer: Red Herrings

Legitimate Anomalies:

Coincidental Timing:

Previous Incidents:

Expert-Level Insights

Advanced Trojan TTPs:

Operational Security Patterns:

Strategic Implications:

Innovation Requirements

Why Standard Approaches Are Insufficient:

  1. Time-Security Tradeoff: Standard “wipe and re-image” approach takes 48+ hours, guaranteeing go-live delay and contract loss
  2. Forensic Completeness: Need definitive proof of data theft scope for HIPAA notification, but malware’s anti-forensics and encryption make this extremely difficult
  3. Multi-Party Coordination: Standard incident response assumes a single organization - this one requires coordinating between MedTech, Riverside General, HIPAA counsel, and potentially federal regulators
  4. Business Continuity Paradox: Can’t guarantee security without thorough remediation, but can’t maintain business viability without meeting go-live deadline

Creative Solutions Needed:

Emergency “Parallel Clean Infrastructure” Approach:

“Transparent Collaboration” Breach Response:

“Security-as-Remediation” Upgrade:

Network Security Status Tracking

Initial State (100%):

Degradation Triggers:

Recovery Mechanisms:

Critical Thresholds:

Time Pressure Dynamics:

Success Metrics: