Gh0st RAT Scenario: Defense Contractor Surveillance

Gh0st RAT Scenario: Defense Contractor Surveillance

Northfield Defense Systems: Defense contractor, 3,000 employees, classified DoD programs

Nation-State Espionage • GhostRAT

STAKES

National security + Classified design integrity + Defense program continuity + Counterintelligence readiness

HOOK

Engineering teams working on classified systems report unexplained workstation behavior: design files open on their own, cursor activity appears without user input, and secure project folders show access events during restricted meetings. Outbound encrypted traffic from engineering segments is rising at the same time change-control records show no approved remote sessions.

PRESSURE

Classified program milestone in 72 hours — unresolved surveillance risk can invalidate delivery and trigger clearance action

FRONT • 180 minutes • Expert

Northfield Defense Systems: Defense contractor, 3,000 employees, classified DoD programs

Nation-State Espionage • GhostRAT

NPCs

• General (ret.) William Archer (CEO): Accountable for defense program execution while national security risk is still being scoped
• Dr. Helen Park (CTO): Leading engineering integrity review across affected design workstations and toolchains
• James Rodriguez (CISO): Running containment, evidence preservation, and regulator-facing incident governance
• Colonel (ret.) Frank Morrison (VP Programs): Coordinating classified schedule decisions with Department of Defense program stakeholders

SECRETS

• Initial access likely came through a spear-phishing lure themed as defense technical coordination
• Monitoring data suggests surveillance was active before responders noticed workstation anomalies
• Compromise timing aligns with final integration milestones for sensitive subsystems

Gh0st RAT Scenario: Defense Contractor Surveillance

Sovereign Defense Technologies: MoD contractor, 2,500 employees, classified programs

Nation-State Espionage • GhostRAT

STAKES

National security + Classified design integrity + Defense program continuity + Counterintelligence readiness

HOOK

Engineering teams working on classified systems report unexplained workstation behavior: design files open on their own, cursor activity appears without user input, and secure project folders show access events during restricted meetings. Outbound encrypted traffic from engineering segments is rising at the same time change-control records show no approved remote sessions.

PRESSURE

Classified program milestone in 72 hours — unresolved surveillance risk can invalidate delivery and trigger clearance action

FRONT • 180 minutes • Expert

Sovereign Defense Technologies: MoD contractor, 2,500 employees, classified programs

Nation-State Espionage • GhostRAT

NPCs

• Air Marshal (ret.) Richard Blackwood (CEO): Accountable for defense program execution while national security risk is still being scoped
• Dr. Deepa Kaur (CTO): Leading engineering integrity review across affected design workstations and toolchains
• Michael Thornton (CISO): Running containment, evidence preservation, and regulator-facing incident governance
• Brigadier (ret.) Sarah Crawford (VP Programs): Coordinating classified schedule decisions with Ministry of Defence program stakeholders

SECRETS

• Initial access likely came through a spear-phishing lure themed as defense technical coordination
• Monitoring data suggests surveillance was active before responders noticed workstation anomalies
• Compromise timing aligns with final integration milestones for sensitive subsystems

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Gh0st RAT Defense Contractor Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Gh0st RAT Defense Contractor Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Monday morning and engineering teams are in final design review for a classified delivery cycle. During restricted meetings, multiple CAD workstations begin showing unauthorized cursor movement, unexplained file access, and screen capture indicators. Security telemetry also shows sustained encrypted outbound traffic from systems that should not initiate external sessions during this phase. The signs point to active remote surveillance inside the classified engineering environment.”

“It’s Monday morning and engineering teams are in final design review for a classified delivery cycle. During restricted meetings, multiple CAD workstations begin showing unauthorized cursor movement, unexplained file access, and screen capture indicators. Security telemetry also shows sustained encrypted outbound traffic from systems that should not initiate external sessions during this phase. The signs point to active remote surveillance inside the classified engineering environment.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Engineering workstations show remote cursor movement during restricted design sessions”
• “Classified project files open without user action and close before analysts can capture full context”
• “Screen capture and keystroke-monitoring artifacts appear on secure development systems”
• “Outbound encrypted sessions from engineering segments continue despite no approved remote operations”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Forensic triage links anomalous workstation behavior to persistent remote-access tooling.
• Timeline reconstruction shows attacker dwell time across multiple project milestones.
• Access pattern review indicates targeted collection of high-value subsystem documentation.

Protector System Analysis:

Note🛡️ Protector System Analysis

• Segmentation checks reveal surveillance traffic crossing boundaries expected to isolate classified engineering assets.
• Endpoint control gaps expose credential reuse and delayed host hardening on key design systems.
• Containment planning must balance rapid isolation with evidence preservation for attribution support.

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Beaconing cadence and destination clustering indicate organized command infrastructure.
• Encrypted exfiltration windows align with restricted design review periods.
• Traffic suppression attempts trigger fallback channels, indicating resilient adversary tradecraft.

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Engineering leadership reports confidence impact across teams handling sensitive designs.
• Program leadership requests a delivery feasibility assessment under active surveillance risk.
• Security leadership needs a clear external-communication sequence for law enforcement and defense stakeholders.

Mid-Scenario Pressure Points:

• Hour 1: Program management asks whether current builds can still be trusted for classified delivery.
• Hour 2: Threat intelligence indicates similar targeting across peer defense suppliers.
• Hour 3: Internal audits find unexplained archive jobs in project directories.
• Hour 4: Leadership must decide whether to pause integration milestones pending deeper forensic validation.

Evolution Triggers:

• If containment is delayed, surveillance expands into additional engineering enclaves.
• If evidence handling is weak, attribution confidence drops and external coordination slows.
• If delivery decisions are rushed, compromised design assumptions can propagate into downstream programs.

Resolution Pathways:

Technical Success Indicators:

• Remote-access persistence is removed from engineering endpoints and supporting infrastructure.
• Classification boundaries are revalidated with stronger access controls and monitoring.
• Forensic outputs are complete enough to support sustained counterintelligence operations.

Business Success Indicators:

• Program milestones are rebaselined without losing mission-critical delivery credibility.
• Leadership communicates a clear risk posture to defense customers and oversight bodies.
• Incident governance improvements are funded and scheduled beyond immediate containment.

Learning Success Indicators:

• Players distinguish espionage-motivated surveillance from commodity intrusion behavior.
• Teams practice making delivery decisions under uncertainty with national security consequences.
• Response roles remain coordinated across engineering, security, legal, and program leadership.

Common IM Facilitation Challenges:

If Surveillance Scope Is Underestimated:

“Your containment plan is solid, but telemetry still shows outbound encrypted sessions from two classified design segments. What changes in your immediate priorities?”

If Counterintelligence Coordination Is Delayed:

“You can isolate systems now, but evidence quality may degrade. How are you sequencing isolation and preservation so external partners can still act on your data?”

If Delivery Pressure Dominates Decision-Making:

“Leadership wants schedule certainty today. What minimum technical and governance evidence do you require before confirming any classified milestone?”

Success Metrics for Session:

• Team identifies and contains persistent surveillance in classified engineering systems.
• Response decisions explicitly balance delivery pressure with national security risk.
• Evidence handling supports credible external coordination.
• Participants apply role-specific decisions without losing cross-team synchronization.
• Debrief captures long-term resilience actions, not only immediate containment.

Template Compatibility

Quick Demo (35-40 min)

• Rounds: 1
• Actions per Player: 1
• Investigation: Guided
• Response: Pre-defined
• Focus: Fast recognition of surveillance indicators and first containment decision.

Lunch & Learn (75-90 min)

• Rounds: 2
• Actions per Player: 2
• Investigation: Guided
• Response: Pre-defined
• Focus: Connect technical evidence to governance, reporting, and program-risk decisions.

Full Game (120-140 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Focus: Full arc from active surveillance containment to strategic recovery and customer confidence.

Advanced Challenge (150-170 min)

• Rounds: 3+
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Complexity: Add conflicting telemetry, partial forensic gaps, and hard delivery deadlines to force explicit tradeoff reasoning.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Endpoint telemetry confirms remote-control behavior on classified engineering systems.
• Clue 2 (Minute 10): Network analysis reveals persistent command-and-control channels with periodic encrypted exfiltration bursts.
• Clue 3 (Minute 15): Host artifact review links suspicious archive creation to directories containing mission-critical design files.

Pre-Defined Response Options

Option A: Immediate Isolation with Evidence Preservation

• Action: Isolate affected engineering segments while preserving forensic integrity for external coordination.
• Pros: Stops active surveillance quickly and retains high-quality evidence.
• Cons: Causes immediate disruption to ongoing integration work.
• Type Effectiveness: Super effective against APT surveillance persistence.

Option B: Targeted Containment and Continuous Monitoring

• Action: Apply selective host/network controls while sustaining limited operations under intensive monitoring.
• Pros: Reduces operational impact on program schedules.
• Cons: Leaves some attacker pathways active during mitigation.
• Type Effectiveness: Moderately effective, with higher residual risk.

Option C: Delivery-First Phased Remediation

• Action: Prioritize milestone continuity and defer broader containment until after key delivery gates.
• Pros: Preserves short-term schedule commitments.
• Cons: Extends surveillance window and increases compromise risk.
• Type Effectiveness: Partially effective and strategically risky.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Active Surveillance Containment (35-40 min)

Investigation Clues:

• Clue 1 (Minute 5): Multiple secure design workstations show unauthorized remote interaction patterns.
• Clue 2 (Minute 10): Endpoint and network evidence indicate persistence that survives routine credential resets.
• Clue 3 (Minute 15): Archived bundles from sensitive project folders appear in outbound transfer staging paths.

Response Options:

• Option A: Full containment now, accept schedule disruption, preserve complete forensic chain.
• Option B: Partial containment with guarded continuation of critical engineering tasks.
• Option C: Continue operations with tightened monitoring while preparing delayed deep remediation.

Round 2: Compliance, Coordination, and Program Impact (35-40 min)

Legal and security leadership confirm the response must satisfy ITAR handling requirements, DFARS incident obligations, and CMMC control expectations while coordinating with FBI Counterintelligence and DCSA.

Legal and security leadership confirm the response must satisfy the Official Secrets Act and Defence Security Framework while coordinating with NCSC and MoD Defence Cyber.

Investigation Clues:

• Clue 4 (Minute 30): Additional forensic artifacts suggest compromise scope includes prior design review cycles.
• Clue 5 (Minute 40): Stakeholders request quantified impact on classified delivery confidence.
• Clue 6 (Minute 50): Peer-industry intelligence indicates coordinated targeting beyond one contractor.

Facilitation questions:

• “What evidence threshold is sufficient before you brief defense stakeholders on likely compromise scope?”
• “How do you maintain evidence quality while leadership requests immediate operational certainty?”
• “Which decision today most reduces strategic risk one month from now?”

Round Transition Narrative

• Early containment quality determines whether Round 2 focuses on controlled recovery or escalating uncertainty.
• If evidence is incomplete, external coordination slows and trust in impact assessments declines.
• If delivery pressure overrides forensic discipline, strategic recovery costs increase sharply in Round 3.

Full Game Materials (120-140 min, 3 rounds)

TipFull Game vs. Lunch & Learn

The Full Game adds open investigation and creative responses, then extends into strategic recovery with defense-customer confidence management.

Round 1: Initial Discovery and Decision Window (35-40 min)

The incident starts inside the secure engineering enclave. Multiple project leads report unauthorized workstation behavior while final design files are open. Security analysts confirm persistent command-and-control beacons from engineering subnets and suspicious archive creation tied to classified project directories. Leadership needs an immediate containment decision that protects evidence while stopping further surveillance.

The incident starts inside the secure engineering enclave. Multiple project leads report unauthorized workstation behavior while final design files are open. Security analysts confirm persistent command-and-control beacons from engineering subnets and suspicious archive creation tied to classified project directories. Leadership needs an immediate containment decision that protects evidence while stopping further surveillance.

If team stalls: “You have confirmed active surveillance but not full scope. What is your immediate command decision in the next 15 minutes, and why?”

Round 2: Program Integrity Under Scrutiny (35-40 min)

• Leadership requests a defendable statement on whether current build artifacts remain trustworthy.
• Engineering and security teams must reconcile conflicting priorities between uptime and deep validation.
• External stakeholders want confidence metrics, not only technical activity logs.

Round 3: Strategic Recovery and Defense Confidence (40-45 min)

By Round 3, leadership is preparing a strategic briefing for the Department of Defense on program risk, redesign options, and contractor resilience after a potential classified technology compromise.

By Round 3, leadership is preparing a strategic briefing for the Ministry of Defence on program risk, redesign options, and contractor resilience after a potential classified technology compromise.

Pressure events:

• Board governance review asks for accountable ownership of identified control gaps.
• External defense stakeholders request a timeline for validated remediation completion.
• Program teams need a clear decision on redesign scope versus milestone deferral.

Facilitation questions:

• “Which long-term control investments are mandatory before you resume full classified engineering velocity?”
• “How will you prove to defense stakeholders that containment was real, durable, and evidence-driven?”
• “What criteria decide whether redesign is required versus controlled continuation?”

Debrief Focus

• Distinguishing persistent espionage surveillance from short-lived opportunistic intrusion.
• Managing the tension between classified delivery pressure and forensic certainty.
• Building an evidence posture that supports both technical remediation and strategic coordination.
• Aligning engineering, security, and leadership decisions under national security stakes.

Advanced Challenge Materials (150-170 min)

Red Herrings & Misdirection

1. Approved remote engineering sessions overlap with malicious activity windows.
2. Maintenance telemetry mimics low-volume exfiltration patterns.
3. Legacy monitoring rules suppress high-fidelity alerts on critical hosts.
4. Threat actor infrastructure rotates faster than standard blocklist cycles.

Removed Resources & Constraints

• No external playbook access during active rounds.
• Limited forensic staffing with competing operational requests.
• Incomplete baseline data for one high-value project segment.
• Delayed third-party support until after initial containment decisions.

Enhanced Pressure

• Leadership requests delivery confidence statements every 30 minutes.
• External stakeholders challenge compromise-scope assumptions.
• Engineering teams push to reopen systems before deep validation completes.
• Audit oversight requests immediate governance evidence trails.

Ethical Dilemmas

1. Preserve evidence depth or restore operations faster when both cannot be maximized at once.
2. Report a wider uncertainty range early or wait for cleaner data with delayed transparency.
3. Prioritize one critical program for recovery if doing so slows coverage for others.
4. Assign individual accountability now or defer until full investigative closure.

Advanced Debrief Topics

• How defense-sector incident response differs when strategic intelligence value drives attacker behavior.
• What “acceptable uncertainty” means when classified engineering confidence is at stake.
• Governance patterns that prevent schedule pressure from weakening security decisions.
• Why resilient response design must include both technical controls and decision architecture.