Scenario Card Collection

This appendix contains 52 ready-to-use scenario cards that provide specific organizational contexts and incident setups for each malmon. Each card includes stakeholders, timeline pressures, and discovery hooks tailored to different industries and organizational types.

How Scenario Cards Work

Scenario cards transform generic malmon encounters into specific, relatable incidents by providing:

  • Organizational Context: Realistic workplace settings with industry-specific details
  • Key Stakeholders: Named NPCs with clear motivations and concerns
  • Timeline Pressure: Realistic deadlines that drive decision-making urgency
  • Discovery Hooks: Multiple starting points for player investigation
  • Success Metrics: Clear objectives for incident resolution

Scenario Cards by Malmon

GaboonGrabber (Phishing Specialist)

GaboonGrabber Scenario: Healthcare Implementation Crisis

MedTech Solutions: Healthcare technology, 200 employees
Phishing • GaboonGrabber
STAKES
Patient safety data + HIPAA compliance + Life-critical medical device networks
HOOK
MedTech Solutions is in the final week of their largest client implementation, with Riverside General Hospital going live Monday morning. The attacker has been monitoring email traffic and knows that IT staff are working overtime, making them more likely to click through security warnings to keep the project on track.
PRESSURE
Riverside General Hospital goes live with new EMR system in 3 days - delays risk patient safety
FRONT • 90 minutes • Intermediate
NPCs
  • Sarah Chen (IT Director): Extremely stressed about hospital go-live, knows about recent security warnings but hasn't investigated thoroughly, primarily concerned about meeting project deadline
  • Mike Rodriguez (Head Nurse, Riverside General): Frustrated with EMR training delays, pressuring for system stability, doesn't understand IT security concerns
  • Jennifer Park (Chief Operating Officer): Unaware of security incident, focused on regulatory compliance, will resist anything that delays client implementation
  • David Kim (Riverside General CIO): Calling hourly for project updates, threatens contract penalties if go-live delayed, represents $2M annual revenue
SECRETS
  • IT department bypassed normal software approval process for 'critical updates' during crunch time, removing key defense layer
  • Management has been pressuring IT to prioritize 'user experience' over security to improve client satisfaction scores
  • Attacker specifically targets healthcare implementations knowing security awareness drops during high-pressure project phases

Scenario Details for IMs

Opening Presentation

“It’s Friday afternoon at MedTech Solutions, and the mood should be celebratory - your biggest implementation ever goes live Monday morning at Riverside General Hospital. But instead of champagne, there’s growing concern. Multiple staff members are reporting computer slowdowns, and the help desk has received several calls about unexpected pop-ups. Yesterday, during the final push, several IT staff received what appeared to be critical security updates. With everything riding on Monday’s go-live, investigate what’s happening.”

Initial Symptoms to Present:

  • “Computers running 30% slower since yesterday afternoon”
  • “Help desk reports 5 calls about unexpected pop-ups appearing”
  • “IT staff mention receiving ‘urgent security update’ emails Thursday evening”
  • “Some applications taking longer to start than usual”

Key Discovery Paths:

Detective Investigation Leads:

  • Email logs show ‘SecurityUpdate.exe’ attachments from a spoofed IT security vendor (where the mail gateway blocks bare executables, expect the same loader inside a ZIP or ISO attachment or behind a download link)
  • Process monitoring reveals unfamiliar executables running from temp directories and other user-writable locations
  • Registry analysis shows new Run-key startup entries for processes with legitimate-sounding names that point back to those user-writable paths

Protector System Analysis:

  • Memory scans reveal process injection into legitimate Windows processes
  • Network monitoring shows unusual outbound connections to suspicious domains
  • System performance metrics indicate hidden processes consuming CPU and memory

Tracker Network Investigation:

  • DNS logs show queries to recently registered domains mimicking security vendors
  • Network traffic analysis reveals encrypted communication to command and control servers
  • Email flow analysis shows phishing campaign specifically targeted during implementation stress

Communicator Stakeholder Interviews:

  • IT staff admit clicking on urgent security updates due to project pressure
  • Hospital staff expressing concerns about system stability before go-live
  • Management inquiry reveals pressure to approve software quickly for client satisfaction
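The Detective and Protector leads above are the host indicators an analyst would hunt for in endpoint telemetry. The following is an added example, not part of the scenario collection and not derived from any GaboonGrabber sample analysis: it runs four simple hunts over constructed Sysmon-style events (process creation and registry value set), flagging executables launched from user-writable directories, executables spawned by a mail client, Windows system binary names running outside the Windows directory, and Run-key persistence pointing at user-writable paths. The event schema, host names and file paths are assumptions invented for the example.

```python
"""Hunt for GaboonGrabber-style host indicators in constructed Sysmon-like
events. Event schema, hosts and paths are assumptions for this example,
not telemetry from any real incident."""
import re
from dataclasses import dataclass

# Locations a phishing-delivered loader typically runs from (assumes the
# standard Windows user-profile layout).
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|appdata\\roaming|downloads)\\",
    re.IGNORECASE,
)
# Autorun keys behind the "new startup entries" lead.
RUN_KEYS = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE
)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Names that belong under C:\Windows; the same name anywhere else is a masquerade.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta")


@dataclass
class Event:
    host: str
    kind: str          # "process" (Sysmon EID 1) or "registry" (Sysmon EID 13)
    image: str = ""    # process: launched image path
    parent: str = ""   # process: parent image path
    target: str = ""   # registry: full key\value path
    details: str = ""  # registry: value data, usually a command line


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (host, rule, evidence) tuples for every matching event."""
    alerts = []
    for e in events:
        if e.kind == "process":
            image = e.image.lower()
            if USER_WRITABLE.search(image) and image.endswith(EXEC_SUFFIXES):
                alerts.append((e.host, "exec-from-user-writable", e.image))
            if basename(e.parent) in MAIL_CLIENTS and image.endswith(EXEC_SUFFIXES):
                alerts.append((e.host, "mail-client-spawned-executable", e.image))
            if basename(image) in SYSTEM_NAMES and not image.startswith("c:\\windows\\"):
                alerts.append((e.host, "system-name-outside-windows-dir", e.image))
        elif e.kind == "registry":
            cmd = e.details.strip('"')
            if RUN_KEYS.search(e.target) and USER_WRITABLE.search(cmd):
                alerts.append((e.host, "run-key-to-user-writable", e.details))
    return alerts


# Constructed sample telemetry: one infected IT workstation, one clean one.
SAMPLE = [
    Event("WS-IT-07", "process",
          image=r"C:\Users\schen\AppData\Local\Temp\SecurityUpdate.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    Event("WS-IT-07", "registry",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityHealth",
          details=r"C:\Users\schen\AppData\Roaming\svchost.exe"),
    Event("WS-IT-07", "process",
          image=r"C:\Users\schen\AppData\Roaming\svchost.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("WS-OPS-12", "process",
          image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent=r"C:\Windows\explorer.exe"),
    Event("WS-OPS-12", "registry",
          target=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE):
        print(f"{host:10} {rule:32} {evidence}")
```

Against the constructed sample every alert lands on WS-IT-07 and the clean workstation stays silent, which is the point of behavioral hunting over signatures: none of the rules need to know the loader's hash, only where it runs from, what spawned it, and how it persists. In a real estate the user-writable and mail-client rules will produce some benign hits (installers, portable tools), so they belong in a triage queue rather than an auto-block.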

Mid-Scenario Pressure Points:

  • Hour 2: Hospital calls asking for system status update and go-live confirmation
  • Hour 3: COO demands explanation for why “IT problems” might delay major implementation
  • Hour 4: CEO receives call from hospital threatening to find alternative vendor

Evolution Triggers:

  • If containment takes longer than 4 hours, GaboonGrabber begins deploying secondary payloads
  • If network isolation is incomplete, malware spreads to additional systems
  • If hospital connectivity isn’t secured, threat extends to client environment

Resolution Pathways:

Technical Success Indicators:

  • Team identifies GaboonGrabber through behavioral analysis rather than signature detection
  • Comprehensive network isolation prevents spread while maintaining business continuity
  • Memory forensics and process injection analysis confirm complete threat removal

Business Success Indicators:

  • Stakeholder communication maintains hospital relationship despite security incident
  • Implementation timeline adjusted with minimal impact on patient safety preparations
  • Security improvements integrated into go-live process without compromising deadline

Learning Success Indicators:

  • Team understands how organizational pressure creates social engineering vulnerabilities
  • Participants recognize importance of maintaining security controls during high-stress periods
  • Group demonstrates effective communication between technical and business stakeholders

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“That’s excellent analysis of the process injection techniques. How does this information help you communicate the urgency to hospital leadership who are calling for updates?”

If Business Stakeholders Are Ignored:

“While you’re conducting this thorough investigation, Sarah just got another call from the hospital CIO asking for go-live confirmation. How do you handle that conversation?”

If Social Engineering Aspect Is Missed:

“The technical indicators are clear, but what made the IT staff click on these particular emails during this specific time period?”

Success Metrics for Session:

GaboonGrabber Scenario: RegionalBank Compliance Crisis

RegionalBank: Community banking, 350 employees across 12 locations
Social Engineering + Compliance Pressure • GaboonGrabber
STAKES
Customer financial data + Banking regulations + 24/7 transaction processing
HOOK
RegionalBank faces their annual federal banking examination next month, creating intense pressure to demonstrate robust security controls. The attacker is exploiting this compliance focus by sending fake 'regulatory security audit' emails that bypass normal skepticism because they appear to support compliance efforts.
PRESSURE
Federal banking examination in 4 weeks - regulatory deficiencies could trigger enforcement action
FRONT • 3-4 hours • Intermediate
NPCs
  • Amanda Torres (Chief Compliance Officer): Extremely anxious about upcoming examination, demanding evidence of security improvements, doesn't recognize that rushing to satisfy compliance requests can itself create vulnerabilities
  • Robert Chen (IT Director): Overwhelmed by compliance requests, approved several 'audit tools' quickly to demonstrate security responsiveness, now questioning those decisions
  • Maria Rodriguez (Branch Manager): Frustrated with new security 'requirements' affecting customer service, clicked on audit emails to show compliance cooperation
  • James Park (Federal Banking Examiner): Expects comprehensive security documentation, will arrive in 4 weeks for intensive examination, represents regulatory authority
SECRETS
  • IT bypassed normal vendor verification for 'regulatory audit tools' to demonstrate quick compliance response
  • Management created culture where compliance questions are answered immediately without security review
  • Attacker researched banking examination cycles and targets institutions during pre-examination stress periods

Scenario Details for IMs

Opening Presentation

“It’s Tuesday morning at RegionalBank, and the quarterly board meeting just ended with one clear message: the upcoming federal examination must go perfectly. With just four weeks to prepare, every department is scrambling to demonstrate compliance improvements. But yesterday, several staff members reported computer slowdowns, and the IT help desk has been fielding calls about new ‘audit software’ that appeared after staff responded to what seemed like legitimate regulatory security requirements.”

Initial Symptoms to Present:

  • “Computers experiencing 25% performance degradation across multiple departments”
  • “Help desk reports 6 calls about unfamiliar ‘compliance monitoring’ software”
  • “Staff mention receiving ‘federal banking security audit’ emails Monday evening”
  • “Customer service terminals occasionally freezing during peak hours”

Key Discovery Paths:

Detective Investigation Leads:

  • Email analysis reveals sophisticated spoofing of federal banking regulator communications
  • File system examination shows “ComplianceMonitor.exe” and “AuditTool.exe” in system directories
  • Registry forensics reveals persistence mechanisms disguised as regulatory compliance tools

Protector System Analysis:

  • Network monitoring detects encrypted communication to command servers registered recently
  • Process analysis shows memory injection into banking software and customer service applications
  • Security log review reveals unauthorized access attempts to customer database systems

Tracker Network Investigation:

  • DNS query analysis shows lookups to domains mimicking federal banking regulator websites
  • Traffic analysis reveals data exfiltration patterns targeting customer account information
  • Email flow investigation shows targeted phishing campaign during examination preparation

Communicator Stakeholder Interviews:

  • Compliance staff admit clicking on “urgent audit requirements” to demonstrate cooperation
  • Branch managers reveal pressure to respond immediately to any regulatory communications
  • IT staff explain expedited approval of “compliance tools” to meet examination deadlines

Mid-Scenario Pressure Points:

  • Hour 1: Compliance officer demands confirmation that all “audit tools” are properly installed
  • Hour 2: Federal examiner calls to confirm examination schedule and document preparation
  • Hour 3: Board chair inquires about compliance readiness and any potential issues
  • Hour 4: Customer service reports intermittent access issues affecting transaction processing

Evolution Triggers:

  • If containment exceeds 6 hours, GaboonGrabber deploys secondary payload targeting customer data
  • If network isolation affects compliance systems, regulatory documentation becomes inaccessible
  • If customer-facing systems show instability, transaction processing integrity becomes questionable

Resolution Pathways:

Technical Success Indicators:

  • Team identifies social engineering exploitation of compliance pressure and culture
  • Network segmentation protects customer data while maintaining transaction processing
  • Behavioral analysis and memory forensics confirm complete malware removal

Business Success Indicators:

  • Incident response demonstrates robust security controls to federal examiner
  • Compliance documentation includes security incident as evidence of effective monitoring
  • Customer transaction processing maintains integrity throughout response process

Learning Success Indicators:

  • Team understands how compliance pressure creates exploitable organizational vulnerabilities
  • Participants recognize balance needed between compliance responsiveness and security verification
  • Group demonstrates effective coordination between compliance, security, and operational teams

Common IM Facilitation Challenges:

If Team Ignores Compliance Context:

“Your technical analysis is solid, but Amanda just received a call from the federal examiner asking about your bank’s security posture. How do you explain this incident as evidence of strong security controls?”

If Business Impact Is Underestimated:

“While you’re investigating, the customer service system just froze during peak banking hours. Customers are waiting in line and Maria needs to know if the systems are safe to use.”

If Regulatory Complexity Overwhelms:

“The regulatory details are complex, but the core question is simple: how do you maintain security when everyone feels pressure to demonstrate immediate compliance?”

Success Metrics for Session:

GaboonGrabber Scenario: StateU Financial Aid Crisis

StateU: State university system, 25,000 students, 3,500 faculty/staff
Social Engineering + Educational Pressure • GaboonGrabber
STAKES
Student financial records + FERPA compliance + Academic operations continuity
HOOK
StateU is in the final week of spring semester financial aid disbursement, with thousands of students depending on aid payments for summer housing and tuition. The attacker has been monitoring academic calendar timing and knows that financial aid staff are processing maximum volume while students are anxiously awaiting fund distribution.
PRESSURE
Spring financial aid disbursement deadline in 48 hours - delays affect student housing and summer enrollment
FRONT • 3-4 hours • Intermediate
NPCs
  • Rebecca Turner (Financial Aid Director): Under enormous pressure to complete spring disbursements on time, approved several 'emergency FAFSA processing tools' yesterday to meet student deadlines
  • Marcus Johnson (Student, Senior): Desperate for financial aid to pay summer housing deposit due tomorrow, clicked on 'urgent financial aid update' email from what appeared to be university system
  • Dr. Lisa Thompson (IT Director): Concerned about security but pressured to support 'critical student services,' expedited approval of financial aid software without full review
  • Christopher Bennett (Student Services VP): Demanding that all financial aid be processed on schedule, will resist any delays that affect student success and retention
SECRETS
  • Financial aid office bypassed normal software approval to install 'emergency processing tools' during deadline crunch
  • Student pressure created culture where financial aid emails are processed immediately without verification
  • Attacker specifically targets universities during financial aid deadline periods when security awareness is lowest

Scenario Details for IMs

Opening Presentation

“It’s Wednesday afternoon at StateU, and the financial aid office is in crisis mode. Spring semester aid disbursements must be completed by Friday to ensure students can pay summer housing deposits and register for fall classes. But starting yesterday, multiple computers in the financial aid office have been running slowly, and both staff and students are reporting issues with ‘financial aid processing software’ that appeared after responding to what seemed like urgent FAFSA system updates.”

Initial Symptoms to Present:

  • “Financial aid office computers running 40% slower during peak processing time”
  • “Students calling about ‘new financial aid software’ requiring personal information updates”
  • “Staff report receiving ‘emergency FAFSA processing’ emails Tuesday evening”
  • “University ID card systems experiencing intermittent connectivity issues”

Key Discovery Paths:

Detective Investigation Leads:

  • Email forensics reveal sophisticated spoofing of federal financial aid system communications
  • File analysis discovers “FAFSAProcessor.exe” and “AidDisbursement.exe” in financial aid workstations
  • Log analysis shows unauthorized access attempts to student information systems

Protector System Analysis:

  • Memory analysis reveals process injection into financial aid processing applications
  • Network monitoring detects unusual data flows from student records systems
  • System integrity scans show modifications to financial aid database access controls

Tracker Network Investigation:

  • DNS logs show queries to domains mimicking federal student aid websites
  • Traffic analysis reveals attempted exfiltration of student financial records
  • Email pattern analysis shows coordinated phishing targeting both staff and students

Communicator Stakeholder Interviews:

  • Financial aid staff admit clicking on urgent processing tools to meet student deadlines
  • Students report providing personal information to “verify financial aid eligibility”
  • IT staff explain expedited software approval due to “critical student service needs”

Mid-Scenario Pressure Points:

  • Hour 1: Students gathering outside financial aid office asking about disbursement delays
  • Hour 2: Student Services VP demands explanation for any delays affecting student payments
  • Hour 3: Local news contacts university about “financial aid processing problems”
  • Hour 4: Parent calls complaining about student unable to secure summer housing due to aid delays

Evolution Triggers:

  • If containment takes longer than 4 hours, GaboonGrabber begins targeting student personal data
  • If financial aid systems are taken offline, thousands of students miss payment deadlines
  • If student information system access is compromised, a reportable FERPA disclosure becomes likely

Resolution Pathways:

Technical Success Indicators:

  • Team identifies social engineering exploitation of academic deadline pressure
  • Student data protection maintains FERPA compliance throughout incident response
  • Financial aid processing continues safely while threat is contained and removed

Business Success Indicators:

  • Financial aid disbursements complete on schedule without compromising security
  • Student trust in university data protection maintained through transparent communication
  • Incident response demonstrates effective student data stewardship to regulatory authorities

Learning Success Indicators:

  • Team understands how academic calendar pressures create institutional vulnerabilities
  • Participants recognize importance of maintaining security controls during peak service periods
  • Group demonstrates coordination between academic services, IT security, and student affairs

Common IM Facilitation Challenges:

If Student Impact Is Minimized:

“While you’re conducting technical analysis, 200 students are waiting in line outside the financial aid office, and Marcus needs his disbursement to pay his housing deposit by tomorrow morning. How do you balance security with student success?”

If FERPA Complexity Is Ignored:

“The technical response looks good, but Dr. Thompson just reminded everyone that Federal Student Aid expects a suspected breach of Title IV data to be reported on the day it is detected, and state breach notification laws start their own clocks once student records are confirmed exposed. How does that change your approach?”

If Timeline Pressure Is Underestimated:

“Your investigation is thorough, but the Student Services VP just announced that any delays to financial aid will affect summer enrollment numbers and university revenue. What’s your response strategy?”

Success Metrics for Session:

GaboonGrabber Scenario: SteelCorp Manufacturing Crisis

SteelCorp Manufacturing: Industrial steel processing, 400 employees
Social Engineering + Manufacturing Pressure • GaboonGrabber
STAKES
Worker safety systems + Production continuity + $2M weekly output
HOOK
SteelCorp Manufacturing just received their largest contract ever, requiring 50% increased production through Q4 to supply a major construction project. The attacker has been monitoring industry communications and knows that supply chain pressure makes staff more likely to quickly approve vendor software updates to avoid production delays.
PRESSURE
Production deadline Friday for major construction project - delays cost $200K per day in penalties
FRONT • 3-4 hours • Intermediate
NPCs
  • Carlos Martinez (Plant Manager): Under extreme pressure to meet production quotas, approved 'vendor efficiency software' yesterday to optimize supply chain, now concerned about system stability
  • Linda Zhang (Operations Director): Focused entirely on meeting contract deadlines, will resist any interruptions to production schedule, doesn't understand cybersecurity implications
  • Mike Johnson (IT/OT Coordinator): Stretched thin managing both information technology and operational technology, expedited approval of 'vendor coordination tools' during production crunch
  • Sarah Park (Major Client Project Manager): Calling twice daily for production updates, threatens contract penalties if delivery schedule is missed, represents $15M annual relationship
SECRETS
  • IT bypassed normal vendor software verification process to avoid production delays
  • Management created culture where production schedule takes absolute priority over security procedures
  • Attacker researched manufacturing industry contracts and targets companies during high-pressure delivery periods

Scenario Details for IMs

Opening Presentation

“It’s Wednesday morning at SteelCorp Manufacturing, and the production floor is running at maximum capacity to meet Friday’s critical delivery deadline. The largest contract in company history depends on this schedule, with $200K daily penalties for delays. But since yesterday, several computers controlling production scheduling and vendor coordination have been running slowly, and supervisors are reporting issues with new ‘vendor efficiency software’ that appeared after responding to what seemed like legitimate supply chain optimization updates.”

Initial Symptoms to Present:

  • “Production scheduling computers experiencing 30% performance degradation”
  • “Supervisors report new ‘vendor coordination software’ requesting system access”
  • “Plant staff received ‘supply chain optimization’ emails Tuesday evening”
  • “Industrial control system displays showing intermittent connectivity warnings”

Key Discovery Paths:

Detective Investigation Leads:

  • Email analysis reveals sophisticated spoofing of major manufacturing vendor communications
  • File system investigation shows “VendorOptimizer.exe” and “SupplyChainTool.exe” on production systems
  • Network forensics reveal unauthorized connections between office IT and operational technology networks

Protector System Analysis:

  • Process monitoring detects unusual activity on systems connected to industrial controls
  • Memory analysis shows injection attempts targeting production scheduling software
  • Safety system integrity checks reveal that compromised office hosts have network paths into critical control systems

Tracker Network Investigation:

  • Network traffic analysis shows data flows from production planning systems to external servers
  • DNS logs reveal queries to domains mimicking legitimate manufacturing vendor sites
  • Communication pattern analysis shows coordinated targeting during peak production periods

Communicator Stakeholder Interviews:

  • Plant supervisors admit installing vendor software quickly to optimize production efficiency
  • Operations staff explain pressure to approve anything that might prevent production delays
  • IT coordinator reveals expedited software approval due to “critical production requirements”

Mid-Scenario Pressure Points:

  • Hour 1: Production line supervisor reports scheduling system glitches affecting shift coordination
  • Hour 2: Major client calls demanding production status update and Friday delivery confirmation
  • Hour 3: Operations director threatens to override any IT restrictions that slow production
  • Hour 4: Safety system alerts indicate potential issues with environmental monitoring

Evolution Triggers:

  • If containment affects production systems, daily output drops below contract requirements
  • If OT network compromise occurs, worker safety systems become unreliable
  • If response takes longer than 6 hours, production schedule cannot meet Friday deadline

Resolution Pathways:

Technical Success Indicators:

  • Team identifies social engineering exploitation of production pressure and vendor trust
  • Operational technology systems protected while maintaining production safety and efficiency
  • Network segmentation prevents spread between IT and OT environments

Business Success Indicators:

  • Production schedule maintained without compromising worker safety or system security
  • Major client relationship preserved through effective crisis management and communication
  • Contract delivery commitments met despite security incident challenges

Learning Success Indicators:

  • Team understands how production pressure creates industrial cybersecurity vulnerabilities
  • Participants recognize critical importance of OT/IT security integration
  • Group demonstrates coordination between production operations, safety systems, and cybersecurity

Common IM Facilitation Challenges:

If Production Impact Is Ignored:

“Your security analysis is thorough, but the production floor just reported that scheduling delays might force overtime shifts, and Linda is demanding to know why ‘IT problems’ are affecting the contract delivery.”

If Safety Systems Are Overlooked:

“While you’re investigating network issues, the environmental monitoring system just displayed a safety alert. How do you ensure worker safety while responding to the cybersecurity incident?”

If Business Pressure Is Underestimated:

“The major client just called threatening contract cancellation if delivery is delayed. Sarah needs to know: can production continue safely, or do we risk losing our biggest customer?”

Success Metrics for Session:

WannaCry (Network Ransomware)

WannaCry Scenario: Memorial Health System Emergency

Memorial Health System: 400-bed hospital, 1,800 employees
Worm • WannaCry
STAKES
Patient life safety + Critical care operations + Emergency services continuity
HOOK
Memorial Health System is in the middle of flu season surge, with the emergency department at 150% capacity and ICU completely full. The hospital just activated surge protocols when computer systems began failing across multiple departments. The worm is spreading rapidly through the network during the most critical period when patient care cannot be interrupted.
PRESSURE
Emergency department surge - any system downtime directly threatens patient lives
FRONT • 120 minutes • Advanced
NPCs
  • Dr. Susan Williams (Chief Medical Officer): Managing critical patient surge, every minute of system downtime affects patient care decisions, must balance security response with life-saving operations
  • Thomas Anderson (IT Director): Watching systems fail in real-time across hospital network, trying to contain spread while maintaining life-critical medical devices and patient monitoring
  • Dr. Patricia Lee (Emergency Department Director): Has 35 patients waiting, cannot access patient records or lab results, demanding immediate system restoration for patient safety
  • Brian Martinez (Network Administrator): Discovering that the hospital's legacy Windows systems never received the MS17-010 SMB patch, realizes scope of vulnerability while attack spreads
SECRETS
  • Hospital delayed Windows security updates on medical device networks to avoid disrupting patient care
  • Legacy medical equipment runs on unpatched Windows systems that cannot be easily updated
  • Network segmentation between clinical and administrative systems was incomplete due to operational convenience

Scenario Details for IMs

Opening Presentation

“It’s Tuesday evening at Memorial Health System, and the hospital is operating under surge conditions. The emergency department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, computer screens across the hospital begin displaying ransom demands, and critical patient care systems start failing. Medical staff are reporting they cannot access patient records, lab results, or medication orders. In a hospital, every second counts, and systems are failing faster than they can be contained.”

Initial Symptoms to Present:

  • “Patient record systems displaying ransom messages instead of medical data”
  • “Laboratory computers cannot send test results to clinical staff”
  • “Nursing stations losing access to medication administration records”
  • “New systems failing every few minutes across different hospital departments”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal rapid lateral movement over TCP 445, exploiting the SMBv1 vulnerability (MS17-010, EternalBlue) on unpatched hosts
  • File system analysis shows systematic encryption of patient data and medical records
  • Log analysis reveals attack origination from single unpatched workstation in administrative area

Protector System Analysis:

  • Real-time monitoring shows worm spreading through hospital network faster than containment
  • Critical system assessment reveals medical devices and patient monitors at risk
  • Network topology analysis shows incomplete segmentation between clinical and administrative systems

Tracker Network Investigation:

  • Traffic analysis reveals massive SMB scanning on TCP 445 and exploitation attempts across hospital subnets
  • Network propagation patterns show attack moving toward life-critical medical device networks
  • Communication flow analysis indicates potential spread to ambulance and emergency service networks

Communicator Stakeholder Interviews:

  • Medical staff report immediate patient care impact from system failures
  • IT staff explain delayed patching on medical systems, citing FDA device regulations (a widespread misreading: FDA postmarket cybersecurity guidance treats routine security patches as device enhancements that do not require premarket review, though vendor validation of patches may still lag)
  • Hospital administration reveals network design compromises made for operational convenience
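The Tracker and Protector leads above describe what worm propagation looks like on the wire: one host opening SMB connections to many neighbours in a short window, and that traffic crossing a boundary that segmentation should have closed. The following is an added example, not part of the scenario collection, that applies both checks to constructed flow records (timestamp, source, destination, destination port); the subnet assignments, threshold and addresses are assumptions for the example, not Memorial Health System's real network.

```python
"""Flag SMB sweeps and cross-segment SMB traffic in constructed flow records.
Subnets, threshold and addresses are assumptions for this example."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

ADMIN = ip_network("10.10.0.0/16")       # assumed administrative segment
CLINICAL = ip_network("10.20.0.0/16")    # assumed clinical/medical-device segment
SMB_PORT = 445
WINDOW_SECONDS = 60
SCAN_THRESHOLD = 20   # distinct SMB targets per source inside the window


def detect(flows):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).

    Returns alerts in time order:
      ("smb-scan", src, distinct_targets, ts)     - once per scanning source
      ("segmentation-violation", src, dst, ts)    - every admin->clinical SMB flow
    """
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    already_flagged = set()
    for ts, src, dst, dport in sorted(flows):
        if dport != SMB_PORT:
            continue
        if ip_address(src) in ADMIN and ip_address(dst) in CLINICAL:
            alerts.append(("segmentation-violation", src, dst, ts))
        window = recent[src]
        window.append((ts, dst))
        while ts - window[0][0] > WINDOW_SECONDS:   # current entry keeps it non-empty
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct >= SCAN_THRESHOLD and src not in already_flagged:
            already_flagged.add(src)
            alerts.append(("smb-scan", src, distinct, ts))
    return alerts


# Constructed sample: an infected admin workstation sweeps its own /24 one
# target per second, then reaches into the clinical range; two benign hosts
# talk to their usual file servers.
SAMPLE_FLOWS = (
    [(t, "10.10.5.23", f"10.10.5.{t + 1}", 445) for t in range(30)]
    + [(30 + i, "10.10.5.23", f"10.20.1.{i + 1}", 445) for i in range(5)]
    + [(3, "10.10.5.40", "10.10.1.10", 445),
       (15, "10.10.5.40", "10.10.1.10", 445),
       (5, "10.10.5.40", "10.10.1.10", 443)]
    + [(10, "10.20.1.7", "10.20.1.10", 445)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The scan rule fires at the twentieth distinct target, well before the worm finishes its /24, and the segmentation rule names every admin-to-clinical SMB flow individually so responders can see exactly which clinical hosts were reached. Tune the threshold to the environment: a backup server or vulnerability scanner legitimately touches many hosts on 445, so whitelist those sources rather than raising the bar for everyone.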

Mid-Scenario Pressure Points:

  • Hour 1: Emergency department physician cannot access patient allergy information for critical treatment
  • Hour 2: Surgical team loses access to patient imaging during ongoing surgery
  • Hour 3: ICU monitoring systems showing connectivity issues affecting patient safety
  • Hour 4: Ambulance services report inability to transmit patient data to receiving hospital

Evolution Triggers:

  • If network segmentation fails, life-critical medical devices become compromised
  • If containment takes longer than 2 hours, patient care operations face dangerous disruption
  • If the worm reaches online backup servers, hospital loses all redundancy for critical patient data

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency network segmentation protecting life-critical systems (blocking TCP 445 between segments is the fastest lever)
  • Worm propagation contained through network isolation first, then staged MS17-010 patching or SMBv1 disablement on hosts that can tolerate it
  • Kill switch recognized and used: the worm exits if its hard-coded domain is reachable, so allowing or internally sinkholing that domain halts new infections (it does not recover hosts already encrypted)

Business Success Indicators:

  • Patient care operations maintained with minimal disruption to life-safety systems
  • Emergency department continues operations using manual backup procedures when necessary
  • Hospital maintains regulatory compliance while managing cybersecurity crisis

Learning Success Indicators:

  • Team understands rapid worm propagation mechanics and network-based attacks
  • Participants recognize critical importance of patch management in healthcare environments
  • Group demonstrates crisis coordination between cybersecurity, medical operations, and patient safety

Common IM Facilitation Challenges:

If Technical Focus Overwhelms Patient Safety:

“Your network analysis is excellent, but Dr. Williams just reported that the emergency department cannot access patient medication allergies for incoming trauma cases. How do you balance technical investigation with immediate patient safety?”

If Propagation Speed Is Underestimated:

“While you’re planning your response, Thomas is watching three more departments lose system access in real-time. This worm is spreading faster than traditional malware - what’s your immediate containment strategy?”

If Healthcare Complexity Is Avoided:

“Dr. Lee needs to know: can the emergency department safely treat patients without electronic medical records, or should they consider diverting ambulances to other hospitals?”

Success Metrics for Session:

WannaCry Scenario: Municipality Payroll Crisis

Springfield City Government: 1,200 employees across 15 departments
Worm • WannaCry
STAKES
Employee payroll + Public services + Municipal operations continuity
HOOK
Springfield City is in the final 48 hours before quarterly payroll processing, with 1,200 city employees depending on Friday paychecks. The attack began Wednesday evening when finance staff were working late to finalize payroll calculations, and the worm is now spreading rapidly through city networks connecting police, fire, utilities, and administrative systems.
PRESSURE
Payroll processing deadline Friday - missing payroll affects all city employees and public services
FRONT • 120 minutes • Advanced
Springfield City Government: 1,200 employees across 15 departments
Worm • WannaCry
NPCs
  • Maria Rodriguez (City Finance Director): Desperate to complete payroll processing, watching financial systems encrypt in real-time, must balance employee needs with security response
  • Chief Robert Taylor (Police Chief): Police dispatch and records systems affected, concerned about public safety impact, needs immediate assessment of emergency service capabilities
  • William Harrison (IT Director): Discovering that the city's shared network infrastructure connects all departments, realizes worm spread threatens the entire municipal operation
  • Mayor Diana Foster: Fielding calls from employees about paychecks, media about city services, and state officials about emergency response capabilities
SECRETS
  • City network was designed for convenience with minimal segmentation between departments
  • Legacy Windows systems in multiple departments lack security patches due to budget constraints and operational dependencies
  • Shared file servers contain both payroll data and critical public safety information

Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at Springfield City Hall, and what started as routine payroll preparation has become a municipal crisis. Finance staff working late Wednesday night began seeing ransom messages on their screens, and by morning, the attack has spread to police dispatch, fire department communications, and utility management systems. With 1,200 city employees expecting paychecks tomorrow and public safety systems affected, this cybersecurity incident has become a city-wide emergency.”

Initial Symptoms to Present:

  • “Finance department computers showing ransom demands instead of payroll data”
  • “Police dispatch systems experiencing connectivity issues affecting emergency response”
  • “Fire department reporting communication system failures”
  • “Utility management networks showing signs of compromise and system encryption”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal worm exploitation of shared municipal network infrastructure
  • File system analysis shows encryption of payroll, personnel, and public safety databases
  • Timeline analysis reveals attack origin in finance department during late-night payroll processing

Protector System Analysis:

  • Network monitoring shows rapid lateral movement across city department boundaries
  • Critical system assessment reveals public safety and emergency services at risk
  • Infrastructure analysis shows minimal network segmentation between municipal departments

Tracker Network Investigation:

  • Traffic analysis reveals worm scanning and exploitation across all city network segments
  • Propagation mapping shows attack moving toward emergency services and utility control systems
  • Communication pattern analysis indicates potential spread to county and state government networks

Communicator Stakeholder Interviews:

  • Finance staff describe working late on payroll when systems began failing
  • Police and fire departments report increasing operational impact on emergency services
  • IT staff explain budget constraints and operational needs that prevented network segmentation

Mid-Scenario Pressure Points:

  • Hour 1: Police dispatch center reports intermittent system failures affecting emergency response
  • Hour 2: Mayor receives calls from employees asking about paycheck delays
  • Hour 3: Fire department loses access to building inspection and safety records
  • Hour 4: Local media reports “city computer systems held hostage” affecting public services

Evolution Triggers:

  • If public safety systems are compromised, emergency response capabilities become unreliable
  • If payroll processing cannot be completed, 1,200 employees miss critical paychecks
  • If utility systems are affected, water and power services to citizens are threatened

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency network segmentation protecting critical public safety systems
  • Worm propagation contained through strategic network isolation and rapid patching
  • Backup systems activated to maintain essential city services during recovery

Business Success Indicators:

  • Payroll processing completed through alternative methods ensuring employee payments
  • Public safety services maintained throughout cybersecurity incident response
  • Municipal operations continue with minimal disruption to citizen services

Learning Success Indicators:

  • Team understands worm mechanics and cross-network propagation in shared infrastructure
  • Participants recognize public sector cybersecurity challenges and resource constraints
  • Group demonstrates coordination between IT security, public safety, and municipal operations

Common IM Facilitation Challenges:

If Public Safety Impact Is Minimized:

“While you’re analyzing the technical details, Chief Park reports that police dispatch is experiencing delays in emergency calls. How do you ensure public safety while containing the cybersecurity threat?”

If Employee Impact Is Ignored:

“Your containment strategy is sound, but Maria just calculated that 1,200 city employees won’t receive paychecks tomorrow if payroll systems aren’t restored. What’s your plan for the human impact?”

If Municipal Complexity Is Overwhelming:

“The Mayor needs a simple answer: can the city continue to provide essential services to citizens, or should emergency protocols be activated?”

Success Metrics for Session:

WannaCry Scenario: Morrison & Associates Case Crisis

Morrison & Associates Law Firm: 150 attorneys across 3 offices, specialized litigation
Worm • WannaCry
STAKES
Client case files + Attorney-client privilege + Court deadline compliance
HOOK
Morrison & Associates is 72 hours from filing critical motions in their biggest class-action lawsuit ever, representing 10,000 plaintiffs against a major corporation. The legal team has been working around the clock to meet court deadlines when ransomware begins encrypting case files, depositions, and expert witness reports that cannot be recreated before the filing deadline.
PRESSURE
Court filing deadline Monday 5 PM - missing deadline dismisses $500M class-action case
FRONT • 120 minutes • Advanced
Morrison & Associates Law Firm: 150 attorneys across 3 offices, specialized litigation
Worm • WannaCry
NPCs
  • Patricia Morrison (Managing Partner): Leading $500M class-action case with Monday filing deadline, watching years of legal work encrypt in real-time, must balance case preservation with security response
  • James Liu (IT Director): Discovering that the law firm's case management systems lack proper network segmentation, watching worm spread through client files and legal databases
  • Dr. Sarah Kim (Expert Witness): Critical economic analysis stored on law firm servers, report needed for Monday filing cannot be reconstructed in time, represents years of specialized research
  • Michael Rodriguez (Opposing Counsel): Will argue for case dismissal if filing deadline is missed, represents corporate defendant with billions at stake
SECRETS
  • Law firm delayed security updates on case management systems to avoid disrupting ongoing litigation
  • Client files, depositions, and expert reports stored on interconnected systems without proper access controls
  • Network designed for attorney convenience with minimal security segmentation between practice areas

Scenario Details for IMs

Opening Presentation

“It’s Friday morning at Morrison & Associates, and the law firm is in the final sprint toward Monday’s critical court filing deadline. The $500M class-action case represents two years of work by 20 attorneys, and the case management systems contain irreplaceable depositions, expert witness reports, and legal research. But since Thursday evening, computers throughout the firm have been displaying ransom messages, and critical case files are being encrypted faster than they can be backed up. In the legal profession, missing a court deadline can mean losing a case entirely.”

Initial Symptoms to Present:

  • “Case management systems displaying ransom demands instead of legal documents”
  • “Attorney workstations losing access to client files and litigation materials”
  • “Document servers encrypting depositions and expert witness reports”
  • “Additional systems failing across different practice areas and client matters”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal worm spreading through document management and case file systems
  • File analysis shows systematic encryption of legal documents, depositions, and client communications
  • Timeline analysis reveals attack began during late-night document preparation for Monday deadline

Protector System Analysis:

  • Real-time monitoring shows ransomware spreading through attorney work files and client databases
  • System integrity analysis reveals potential compromise of attorney-client privileged communications
  • Network architecture assessment shows inadequate segmentation between client matters and practice areas

Tracker Network Investigation:

  • Traffic analysis reveals worm exploiting shared network infrastructure across law firm offices
  • Propagation patterns show movement toward email servers containing client communications
  • Network scanning shows potential spread to cloud-based legal research and e-filing systems

Communicator Stakeholder Interviews:

  • Attorneys report loss of access to critical case documents needed for Monday filing
  • IT staff explain security update delays due to concerns about disrupting ongoing litigation
  • Expert witnesses describe irreplaceable research data stored on compromised systems

Mid-Scenario Pressure Points:

  • Hour 1: Senior associate reports inability to access key depositions needed for motion drafting
  • Hour 2: Expert witness calls reporting economic analysis files are inaccessible
  • Hour 3: Opposing counsel files motion requesting dismissal due to “plaintiff preparation failures”
  • Hour 4: Court clerk confirms no extensions available - Monday 5 PM deadline is absolute

Evolution Triggers:

  • If document recovery fails, two years of legal work becomes inaccessible before deadline
  • If network isolation affects e-filing systems, court submissions cannot be completed
  • If attorney-client communications are compromised, ethical violations and malpractice claims arise

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency document recovery protecting critical case files
  • Worm containment prevents spread to email servers and attorney-client communications
  • Network segmentation preserves legal research and court filing capabilities

Business Success Indicators:

  • Critical case documents recovered enabling Monday court filing deadline compliance
  • Attorney-client privilege maintained throughout cybersecurity incident response
  • Law firm operations continue without malpractice exposure or ethical violations

Learning Success Indicators:

  • Team understands worm propagation through professional service networks and shared file systems
  • Participants recognize unique cybersecurity challenges in legal profession and privileged communications
  • Group demonstrates coordination between IT security, legal operations, and professional compliance

Common IM Facilitation Challenges:

If Attorney-Client Privilege Is Ignored:

“While you’re containing the worm, James just realized that encrypted systems may contain privileged attorney-client communications. How do you ensure professional ethical compliance during incident response?”

If Professional Service Context Is Missed:

“Dr. Kim’s expert economic analysis represents two years of specialized research that cannot be recreated by Monday. What’s your strategy for protecting irreplaceable professional work product?”

Success Metrics for Session:

WannaCry Scenario: Transportation Peak Season

TransGlobal Logistics: Regional shipping hub, 800 employees, 24/7 operations
Worm • WannaCry
STAKES
Package delivery operations + Supply chain continuity + Holiday shipping commitments
HOOK
TransGlobal Logistics is in the peak of holiday shipping season, processing 300% normal package volume with delivery commitments to major retailers. The worm began spreading Tuesday evening during overnight shift operations when the network carries maximum load, and is now affecting sorting systems, delivery routing, and customer tracking across the regional hub.
PRESSURE
Holiday delivery commitments - system failures affect thousands of businesses and millions of packages
FRONT • 120 minutes • Advanced
TransGlobal Logistics: Regional shipping hub, 800 employees, 24/7 operations
Worm • WannaCry
NPCs
  • Carlos Martinez (Operations Manager): Managing peak season logistics with 300% volume increase, watching package sorting and routing systems fail during busiest shipping period of the year
  • Linda Zhang (IT Director): Realizing that the 24/7 operations network was designed for maximum uptime, not security, as worm spreads through interconnected logistics systems
  • Robert Johnson (Customer Service Director): Fielding calls from major retail clients about delayed shipments, must balance customer relationships with security response
  • Sarah Park (Regional VP): Responsible for holiday season performance affecting annual revenue, will resist operational disruptions that impact delivery commitments
SECRETS
  • Logistics network prioritized operational uptime over security updates to maintain 24/7 package processing
  • Package sorting, routing, and tracking systems share network infrastructure without proper segmentation
  • Peak season temporary systems and contractors introduced additional vulnerabilities

Scenario Details for IMs

Opening Presentation

“It’s Wednesday morning at TransGlobal Logistics, and the regional hub is operating at peak holiday capacity with conveyor belts running 24/7 and trucks departing every hour for delivery routes. But since Tuesday evening, package sorting systems have been displaying ransom messages, customer tracking databases are becoming inaccessible, and delivery routing systems are failing across the facility. With thousands of businesses depending on holiday deliveries and millions of packages in the system, this cybersecurity incident threatens to disrupt the entire regional supply chain.”

Initial Symptoms to Present:

  • “Package sorting systems showing ransom demands instead of routing information”
  • “Customer tracking databases becoming inaccessible, affecting service inquiries”
  • “Delivery route optimization systems failing across different transportation zones”
  • “Warehouse management systems losing connectivity to package scanning and inventory control”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal worm spreading through logistics and package management systems
  • File system analysis shows encryption of delivery routes, customer data, and operational databases
  • Timeline analysis reveals attack began during overnight shift when network traffic is highest

Protector System Analysis:

  • Real-time monitoring shows ransomware spreading through interconnected logistics infrastructure
  • Critical system assessment reveals package sorting and delivery systems at risk of complete failure
  • Network topology analysis shows minimal segmentation between operational and administrative systems

Tracker Network Investigation:

  • Traffic analysis reveals worm exploiting shared network infrastructure across shipping operations
  • Propagation patterns show movement toward vehicle tracking and customer communication systems
  • Network scanning indicates potential spread to partner carrier and retail client networks

Communicator Stakeholder Interviews:

  • Operations staff report immediate impact on package processing and delivery scheduling
  • Customer service team describes inability to provide tracking updates to worried customers
  • IT staff explain security update challenges during continuous 24/7 operations requirements

Mid-Scenario Pressure Points:

  • Hour 1: Major retail client calls demanding explanation for delayed holiday shipment tracking
  • Hour 2: Package sorting facility reports 50% reduction in processing capacity
  • Hour 3: Delivery drivers unable to access route optimization, causing traffic delays and missed deliveries
  • Hour 4: Regional VP warns that operational disruptions will affect annual performance and customer contracts

Evolution Triggers:

  • If package sorting systems fail completely, thousands of packages cannot be processed or delivered
  • If customer tracking remains down, service commitments to major retail clients are violated
  • If delivery routing is compromised, operational efficiency drops below sustainable levels

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency network segmentation protecting critical package processing systems
  • Worm propagation contained through strategic isolation and backup system activation
  • Alternative tracking and routing procedures maintain operational continuity during recovery

Business Success Indicators:

  • Package delivery operations maintained at sufficient capacity to meet holiday commitments
  • Customer service capabilities preserved through manual tracking and communication procedures
  • Major retail client relationships protected through effective crisis communication and alternative solutions

Learning Success Indicators:

  • Team understands worm propagation through logistics networks and interconnected operational systems
  • Participants recognize cybersecurity challenges in 24/7 operations and supply chain management
  • Group demonstrates coordination between IT security, logistics operations, and customer service

Common IM Facilitation Challenges:

If Operational Impact Is Underestimated:

“While you’re analyzing network traffic, Carlos reports that package sorting capacity has dropped by 60%, and thousands of holiday packages are backing up in the facility. How do you balance cybersecurity response with operational continuity?”

If Customer Impact Is Ignored:

“Robert just received calls from three major retail clients threatening to switch carriers if their holiday shipments aren’t tracked and delivered on schedule. What’s your customer communication strategy?”

If Supply Chain Complexity Is Overwhelming:

“Sarah needs to know: can TransGlobal meet its holiday delivery commitments, or should backup contingency plans with partner carriers be activated immediately?”

Success Metrics for Session:

Stuxnet (Industrial Sabotage)

Stuxnet Scenario: Power Plant Maintenance Window

Columbia River Power Station: Nuclear facility, 1,200 employees, critical infrastructure
APT • Stuxnet
STAKES
Regional power grid + Nuclear safety systems + Critical infrastructure protection
HOOK
Columbia River Power Station is in the middle of their scheduled annual maintenance outage, with multiple safety systems temporarily bypassed for equipment upgrades. The sophisticated attack began when contractors introduced infected USB drives during the maintenance window, and the malware is now spreading through air-gapped industrial control networks while safety systems are at their most vulnerable.
PRESSURE
Maintenance window ends in 72 hours - plant must restart safely or region faces power shortages
FRONT • 150 minutes • Expert
Columbia River Power Station: Nuclear facility, 1,200 employees, critical infrastructure
APT • Stuxnet
NPCs
  • Dr. Catherine Walsh (Plant Manager): Responsible for safe plant restart after maintenance, discovering that control systems show anomalous behavior during critical safety testing
  • Robert Chen (Chief Nuclear Officer): Oversees all nuclear safety systems, must balance cybersecurity response with nuclear regulatory requirements and public safety
  • Maria Rodriguez (Control Systems Engineer): Detecting unusual behavior in centrifuge and cooling system controls, realizes sophisticated malware may have compromised industrial safety systems
  • Andrew Thompson (Contractor Supervisor): Leading maintenance team that may have inadvertently introduced attack vector, represents third-party vendor relationships and supply chain security
SECRETS
  • Air-gapped industrial control networks were bridged during maintenance for software updates and diagnostic access
  • Nation-state adversary specifically targeted nuclear facilities during maintenance periods when security is reduced
  • Sophisticated malware uses four zero-day exploits and can manipulate industrial control systems while appearing normal

Scenario Details for IMs

Opening Presentation

“It’s Wednesday morning at Columbia River Power Station, and the annual maintenance outage is in its final phase. Nuclear reactors are offline, safety systems are being tested, and the plant must restart within 72 hours to meet regional power demands. But during routine control system testing, engineers are discovering anomalous behavior in critical safety systems. Preliminary investigation suggests sophisticated malware has somehow penetrated the air-gapped industrial control networks, potentially compromising nuclear safety systems during the most vulnerable maintenance period.”

Initial Symptoms to Present:

  • “Industrial control systems showing subtle anomalies during safety system testing”
  • “Centrifuge and cooling system controls responding differently than expected to operator commands”
  • “Network monitoring detecting unexpected traffic on supposedly air-gapped industrial networks”
  • “Contractor USB drives triggering security alerts when scanned by updated antivirus systems”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic analysis reveals sophisticated malware designed specifically for industrial control systems
  • USB device examination shows infection vector through contractor maintenance equipment
  • Timeline analysis reveals compromise occurred during maintenance window when air-gap security was reduced

Protector System Analysis:

  • Industrial control system monitoring reveals subtle manipulation of centrifuge speeds and cooling controls
  • Nuclear safety system integrity checks show potential compromise of critical safety functions
  • Network architecture assessment reveals temporary bridging of air-gapped networks during maintenance

Tracker Network Investigation:

  • Traffic analysis reveals covert communication channels established across supposedly isolated networks
  • Command and control analysis shows sophisticated nation-state-level operational security
  • Attribution investigation suggests advanced persistent threat group targeting critical infrastructure

Communicator Stakeholder Interviews:

  • Nuclear engineers report subtle but concerning changes in control system behavior
  • Maintenance contractors explain procedures that may have introduced USB-based infection vectors
  • Regulatory affairs staff describe federal requirements for nuclear incident reporting and response

Mid-Scenario Pressure Points:

  • Hour 1: Nuclear Regulatory Commission inspector arrives for scheduled post-maintenance safety verification
  • Hour 2: Regional power grid operator inquires about plant restart schedule due to increasing electricity demand
  • Hour 3: Control systems engineer reports that centrifuge systems are operating outside normal parameters
  • Hour 4: Plant manager must decide whether to proceed with reactor restart or extend maintenance outage

Evolution Triggers:

  • If malware remains undetected, plant restart could trigger physical damage to critical systems
  • If maintenance deadline is missed, regional power grid faces potential shortages affecting millions
  • If attack attribution involves nation-state adversary, federal counterintelligence and national security agencies become involved

Resolution Pathways:

Technical Success Indicators:

  • Team identifies sophisticated malware and industrial control system compromise
  • Air-gapped network security restored through comprehensive malware removal and system validation
  • Advanced attribution analysis provides intelligence on nation-state threat actor capabilities and objectives

Business Success Indicators:

  • Nuclear safety systems verified clean and functional before reactor restart authorization
  • Plant maintenance schedule adjusted to accommodate cybersecurity response without compromising safety
  • Federal regulatory compliance maintained throughout incident response and recovery process

Learning Success Indicators:

  • Team understands advanced persistent threat capabilities and nation-state attack sophistication
  • Participants recognize critical infrastructure cybersecurity challenges and air-gapped network vulnerabilities
  • Group demonstrates coordination between cybersecurity, nuclear safety, and national security considerations

Common IM Facilitation Challenges:

If Nuclear Safety Context Is Overwhelming:

“The nuclear technical details are complex, but the core question is simple: can the team ensure that control systems are safe and trustworthy before the reactor restarts and begins generating power for millions of people?”

If Nation-State Attribution Is Avoided:

“Your technical analysis suggests this isn’t ordinary cybercrime - the sophistication and targeting suggest state-sponsored activity. How does this change your investigation and response approach?”

If Air-Gapped Network Compromise Is Misunderstood:

“Maria just confirmed that the affected systems were supposed to be completely isolated from any network connections. How did this malware cross the air gap, and what does that tell you about the sophistication of this threat?”

Success Metrics for Session:

Stuxnet Scenario: Water Treatment SCADA Deployment

Metro Water Authority: Regional water treatment, 300 employees, serves 500,000 residents
APT • Stuxnet
STAKES
Public water safety + EPA compliance + Critical infrastructure protection
HOOK
Metro Water Authority is completing the installation of a new SCADA system to modernize their water treatment operations and meet updated EPA monitoring requirements. The sophisticated attack began when the new system was brought online last week, and malware is now manipulating water treatment chemical dosing while hiding its activities from monitoring systems.
PRESSURE
EPA compliance deadline in 2 weeks - new SCADA system must be operational or face federal penalties
FRONT • 150 minutes • Expert
Metro Water Authority: Regional water treatment, 300 employees, serves 500,000 residents
APT • Stuxnet
NPCs
  • Linda Zhang (Water Operations Manager): Noticing subtle anomalies in water treatment chemical levels, must balance public safety with system modernization and EPA compliance
  • Dr. Samuel Foster (Water Quality Director): Responsible for ensuring treated water meets all safety standards, discovering that monitoring systems may not be showing accurate chemical dosing information
  • Alexandra Wu (SCADA Systems Engineer): Leading new control system deployment, realizing that sophisticated malware may have compromised industrial controls during installation phase
  • Michael Park (EPA Regional Administrator): Expecting compliance demonstration with new monitoring systems, represents federal regulatory authority and public health protection
SECRETS
  • New SCADA system installation created temporary vulnerabilities in air-gapped water treatment networks
  • Nation-state adversary specifically targets water infrastructure during system modernization and upgrade periods
  • Sophisticated malware manipulates chemical dosing controls while providing false normal readings to operators

Scenario Details for IMs

Opening Presentation

“It’s Monday morning at Metro Water Authority, and the new SCADA system that will modernize water treatment operations for 500,000 residents is nearly operational. The system must demonstrate EPA compliance within two weeks, but water operations staff are noticing subtle inconsistencies between chemical dosing commands and actual treatment levels. Initial investigation suggests that sophisticated malware may have compromised the industrial control systems during the installation process, potentially threatening both public water safety and federal regulatory compliance.”

Initial Symptoms to Present:

  • “Water treatment chemical dosing showing slight discrepancies between commanded and actual levels”
  • “SCADA monitoring displays showing normal operations while field measurements suggest different chemical concentrations”
  • “Network monitoring detecting unexpected communication patterns on water treatment control networks”
  • “System installation contractors reporting unusual behavior during recent SCADA deployment activities”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic analysis reveals sophisticated malware specifically designed for water treatment industrial controls
  • SCADA system examination shows manipulation of chemical dosing controls with concealed monitoring
  • Installation timeline analysis reveals compromise during system modernization and network integration

Protector System Analysis:

  • Water treatment monitoring reveals discrepancies between control commands and actual chemical processes
  • Industrial control system integrity analysis shows potential manipulation of safety-critical treatment functions
  • Network security assessment reveals compromise of air-gapped water treatment control networks

Tracker Network Investigation:

  • Traffic analysis reveals covert command and control communication through water treatment networks
  • Chemical process monitoring shows subtle manipulation patterns designed to avoid detection
  • Attribution analysis suggests nation-state-level sophistication targeting critical water infrastructure

Communicator Stakeholder Interviews:

  • Water treatment operators describe subtle inconsistencies in chemical dosing and system responses
  • SCADA installation contractors explain procedures that may have introduced compromise vectors
  • Regulatory compliance staff describe federal requirements for water safety monitoring and incident reporting

Mid-Scenario Pressure Points:

  • Hour 1: Water quality lab reports trace chemical levels slightly outside normal treatment parameters
  • Hour 2: EPA regional administrator calls to schedule compliance verification for new SCADA system
  • Hour 3: Operations manager discovers that backup monitoring systems show different readings than primary SCADA displays
  • Hour 4: Public health department inquires about water quality reports after receiving citizen complaints about taste changes

Evolution Triggers:

  • If malware manipulation continues, water quality could degrade beyond safe drinking standards
  • If EPA compliance deadline is missed, federal penalties and regulatory intervention become inevitable
  • If attack involves nation-state adversary targeting water infrastructure, federal security agencies and critical infrastructure protection protocols activate

Resolution Pathways:

Technical Success Indicators:

  • Team identifies sophisticated malware and industrial control system manipulation
  • Water treatment process integrity restored through comprehensive system validation and malware removal
  • SCADA system security enhanced to prevent future compromise while maintaining EPA compliance capabilities

Business Success Indicators:

  • Public water safety maintained throughout cybersecurity incident response and system recovery
  • EPA compliance demonstration completed on schedule with verified system integrity
  • Federal regulatory requirements met while addressing sophisticated cybersecurity threat

Learning Success Indicators:

  • Team understands nation-state threats to critical infrastructure and advanced persistent threat capabilities
  • Participants recognize water treatment cybersecurity challenges and public safety implications
  • Group demonstrates coordination between cybersecurity, public health, and regulatory compliance

Common IM Facilitation Challenges:

If Public Safety Impact Is Minimized:

“While you’re analyzing the technical details, Dr. Kim just confirmed that water treatment chemical levels are outside normal parameters, potentially affecting drinking water for 500,000 residents. How do you balance cybersecurity investigation with immediate public health protection?”

If Regulatory Complexity Is Overwhelming:

“The EPA compliance details are complex, but the fundamental question is simple: can the water authority demonstrate that their new monitoring systems are accurate and trustworthy for protecting public health?”

If Critical Infrastructure Context Is Missed:

“Alexandra just realized that this attack specifically targets water treatment controls - not random systems. What does this suggest about the threat actor’s objectives and the broader implications for critical infrastructure?”

Success Metrics for Session:

Stuxnet Scenario: TechCore Semiconductors Defense Contract

TechCore Semiconductors: Advanced manufacturing, 600 employees, defense contractor
APT • Stuxnet
STAKES
Defense contract delivery + National security + Industrial IP protection
HOOK
TechCore Semiconductors is 96 hours from delivering critical semiconductor components for a major defense system, with contract penalties of $50M for delays. The sophisticated attack began when new manufacturing equipment was installed last month, and malware is now subtly manipulating precision manufacturing processes while hiding its activities from quality control systems.
PRESSURE
Defense contract deadline Thursday - delays affect national security and company survival
FRONT • 150 minutes • Expert
TechCore Semiconductors: Advanced manufacturing, 600 employees, defense contractor
APT • Stuxnet
NPCs
  • Dr. Sarah Park (Manufacturing Director): Overseeing final production run for defense contract, discovering that precision manufacturing equipment is producing components with subtle quality deviations
  • James Liu (Quality Control Manager): Detecting microscopic defects in semiconductor components that could compromise defense system performance, must balance delivery deadline with product integrity
  • Maria Rodriguez (Industrial Security Officer): Investigating sophisticated attack targeting defense manufacturing, realizing nation-state adversary may be attempting to compromise U.S. defense capabilities
  • Colonel Michael Kim (Defense Contract Officer): Representing Department of Defense, expecting delivery of critical components that cannot be sourced elsewhere within required timeframe
SECRETS
  • New manufacturing equipment installation created vulnerabilities in air-gapped production control networks
  • Nation-state adversary specifically targets defense contractors to compromise U.S. military technology supply chains
  • Sophisticated malware manipulates precision manufacturing while providing false quality control readings to conceal sabotage

Scenario Details for IMs

Opening Presentation

“It’s Monday morning at TechCore Semiconductors, and the final production run for a critical defense contract is underway. The components must be delivered by Thursday to meet national security requirements, with no alternative suppliers available. But quality control is detecting microscopic anomalies in semiconductor components that could compromise defense system performance. Initial investigation suggests that sophisticated malware may have compromised precision manufacturing equipment, potentially representing a nation-state attack on U.S. defense supply chains.”

Initial Symptoms to Present:

  • “Precision manufacturing equipment producing components with subtle dimensional variations outside specification”
  • “Quality control systems showing normal readings while physical measurements detect manufacturing defects”
  • “Network monitoring detecting unusual communication patterns on manufacturing control networks”
  • “New equipment installation documentation showing potential compromise during system integration”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic analysis reveals sophisticated malware designed specifically for precision manufacturing equipment
  • Manufacturing control system examination shows subtle manipulation of production parameters
  • Equipment installation timeline reveals compromise during integration of new manufacturing systems

Protector System Analysis:

  • Manufacturing process monitoring reveals discrepancies between control commands and actual production output
  • Quality control system integrity analysis shows potential manipulation of defect detection systems
  • Industrial network security assessment reveals compromise of the nominally air-gapped manufacturing control systems

Tracker Network Investigation:

  • Traffic analysis reveals covert command and control communication through manufacturing networks
  • Production data analysis shows subtle sabotage patterns designed to introduce defects while avoiding detection
  • Attribution investigation suggests nation-state-level sophistication targeting defense manufacturing supply chains

Communicator Stakeholder Interviews:

  • Manufacturing engineers describe subtle inconsistencies in production equipment behavior and output quality
  • Equipment installation contractors explain procedures that may have introduced compromise vectors
  • Defense security staff describe federal requirements for supply chain integrity and incident reporting

Mid-Scenario Pressure Points:

  • Hour 1: Quality control reports that 15% of produced components show microscopic defects that could affect performance
  • Hour 2: Defense contract officer calls to confirm delivery schedule and component specifications
  • Hour 3: Manufacturing director discovers that backup quality systems show different readings than primary control displays
  • Hour 4: CEO informs team that contract cancellation would result in layoffs and potential company closure
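The Metro Water Authority card (dosing commands versus lab results) and the TechCore card (quality control readings versus physical measurements) both turn on the same symptom: the operator display agrees with the setpoint while an independent measurement does not. The script below is an added example for those two cards, not code from the original page. It runs a two-sided CUSUM over the gap between the displayed value and an independent measurement, so a small persistent bias raises an alarm while ordinary sensor noise does not, and it separately records whether the display ever disagreed with the setpoint. The chlorine-dosing trace, the noise pattern and the 0.05 mg/L-per-sample drift are constructed for the example.

```python
"""Out-of-band integrity check for a control system's displayed values.

Added example for the Metro Water Authority and TechCore Semiconductors
scenario cards; not code from the original page. It compares the setpoint
the controller was given, the value the SCADA/HMI displays, and an
independent measurement (lab assay, bench metrology), and alarms when the
independent measurement drifts away from the display for a sustained period.
The Stuxnet-style signature is that the display keeps agreeing with the
setpoint while the physical process does not. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    t: int            # sample index (e.g. minutes since start of shift)
    commanded: float  # setpoint the controller was given
    reported: float   # value the SCADA/HMI shows the operator
    measured: float   # independent field/lab measurement of the same quantity


@dataclass(frozen=True)
class Alert:
    t: int
    score: float
    reason: str


def cusum_divergence(samples: List[Sample], slack: float, threshold: float) -> List[Alert]:
    """Two-sided CUSUM on (measured - reported).

    `slack` is the per-sample disagreement absorbed as normal sensor noise;
    `threshold` is the accumulated disagreement that raises an alarm. One
    noisy reading cannot trigger it, but a small persistent bias accumulates
    and does. After an alarm the accumulator resets so each alert reflects
    fresh evidence.
    """
    s_pos = s_neg = 0.0
    alerts: List[Alert] = []
    for s in samples:
        d = s.measured - s.reported
        s_pos = max(0.0, s_pos + d - slack)   # field reading running above display
        s_neg = max(0.0, s_neg - d - slack)   # field reading running below display
        if s_pos > threshold:
            alerts.append(Alert(s.t, s_pos, "field measurement persistently above displayed value"))
            s_pos = 0.0
        elif s_neg > threshold:
            alerts.append(Alert(s.t, s_neg, "field measurement persistently below displayed value"))
            s_neg = 0.0
    return alerts


def display_matches_setpoint(samples: List[Sample], tolerance: float) -> bool:
    """True when the HMI never showed the operator anything alarming."""
    return all(abs(s.reported - s.commanded) <= tolerance for s in samples)


def assess(samples: List[Sample], slack: float, threshold: float, tolerance: float) -> dict:
    """Combine both checks into the verdict an analyst (or an IM) wants."""
    alerts = cusum_divergence(samples, slack, threshold)
    hmi_quiet = display_matches_setpoint(samples, tolerance)
    if alerts and hmi_quiet:
        verdict = "display normal but field diverges: suspect control-system manipulation"
    elif alerts:
        verdict = "display and field both off setpoint: suspect process or sensor fault"
    else:
        verdict = "display and field agree"
    return {"alerts": alerts, "hmi_quiet": hmi_quiet, "verdict": verdict}


def build_samples(manipulated: bool) -> List[Sample]:
    """Constructed chlorine-dosing trace (mg/L), setpoint 2.0, 24 samples.

    The displayed value carries small alternating noise. In the manipulated
    trace the independent measurement starts climbing at t=8 by 0.05 per
    sample and settles 0.30 above setpoint, while the display never moves.
    """
    display_noise = (0.01, -0.01, 0.02, -0.02)
    field_noise = (0.02, -0.02)
    samples = []
    for t in range(24):
        reported = 2.0 + display_noise[t % 4]
        measured = 2.0 + field_noise[t % 2]
        if manipulated and t >= 8:
            measured = 2.0 + min(0.05 * (t - 7), 0.30)
        samples.append(Sample(t, 2.0, reported, measured))
    return samples


if __name__ == "__main__":
    for label, trace in (("clean", build_samples(False)), ("manipulated", build_samples(True))):
        result = assess(trace, slack=0.03, threshold=0.30, tolerance=0.05)
        print(f"{label}: {result['verdict']}; alerts at t={[a.t for a in result['alerts']]}")
```

The point the IM wants players to reach is that the verdict depends on having a measurement the control system cannot touch: a lab assay, a bench micrometer, a backup monitoring system on its own network. If the only data available comes through the same SCADA/HMI the malware controls, the check degenerates to comparing the display with itself and nothing is detectable.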

Evolution Triggers:

  • If malware manipulation continues, defense components will fail quality standards and compromise military systems
  • If delivery deadline is missed, national security implications and $50M contract penalties threaten company survival
  • If attack involves nation-state adversary targeting defense supply chains, federal counterintelligence and national security protocols activate

Resolution Pathways:

Technical Success Indicators:

  • Team identifies sophisticated malware and manufacturing control system sabotage
  • Production process integrity restored through comprehensive system validation and malware removal
  • Manufacturing security enhanced to prevent future supply chain compromise while meeting defense contract requirements

Business Success Indicators:

  • Defense component quality and delivery schedule maintained throughout cybersecurity incident response
  • Contract obligations fulfilled with verified component integrity and performance specifications
  • National security implications addressed while preserving critical defense manufacturing capability

Learning Success Indicators:

  • Team understands nation-state threats to defense industrial base and supply chain security
  • Participants recognize precision manufacturing cybersecurity challenges and national security implications
  • Group demonstrates coordination between cybersecurity, manufacturing operations, and national security considerations

Common IM Facilitation Challenges:

If National Security Context Is Overwhelming:

“The defense contract details are complex, but the core issue is clear: sophisticated adversaries are trying to compromise U.S. defense capabilities by sabotaging the components that go into military systems. How do you protect national security while maintaining production?”

If Supply Chain Impact Is Underestimated:

“James just confirmed that defective components could cause defense system failures in the field, potentially putting military personnel at risk. How does this change your response priorities?”

If Manufacturing Precision Requirements Are Missed:

“Dr. Park explains that semiconductor manufacturing tolerances are measured in nanometers - tiny changes can have huge impacts. What does this tell you about the sophistication and objectives of this attack?”

Success Metrics for Session:

Stuxnet Scenario: Research Facility Milestone

Advanced Energy Research Institute: Federal research lab, 400 scientists, classified projects
APT • Stuxnet
STAKES
Classified research data + National competitive advantage + Scientific intellectual property
HOOK
The Advanced Energy Research Institute is 48 hours from presenting breakthrough renewable energy research to Congress that could revolutionize U.S. energy independence. The sophisticated attack began when international research collaboration systems were established last month, and malware is now manipulating experimental data while exfiltrating classified research to foreign adversaries.
PRESSURE
Congressional presentation Wednesday - breakthrough research represents decades of work and billions in investment
FRONT • 150 minutes • Expert
Advanced Energy Research Institute: Federal research lab, 400 scientists, classified projects
APT • Stuxnet
NPCs
  • Dr. Elena Vasquez (Lead Research Scientist): Discovering that experimental data shows inconsistencies that could invalidate years of breakthrough renewable energy research
  • Dr. James Morrison (Laboratory Director): Responsible for protecting classified research while maintaining international scientific collaboration, must balance security with research mission
  • Linda Park (Research Security Officer): Investigating sophisticated espionage attack targeting national laboratory research data and intellectual property
  • Senator Michael Brooks (Energy Committee Chair): Expecting groundbreaking research presentation that could influence national energy policy and billions in federal funding
SECRETS
  • International research collaboration created vulnerabilities in previously air-gapped classified research networks
  • Nation-state adversary specifically targets U.S. national laboratories to steal breakthrough technologies and scientific advantages
  • Sophisticated malware manipulates research data while exfiltrating classified information to compromise U.S. scientific and economic competitiveness

Scenario Details for IMs

Opening Presentation

“It’s Monday morning at the Advanced Energy Research Institute, and final preparations are underway for Wednesday’s presentation to Congress on breakthrough renewable energy technology. The research represents a decade of work by 50 scientists and could revolutionize U.S. energy independence. But during final data validation, researchers are discovering inconsistencies in experimental results that could invalidate the entire project. Initial investigation suggests sophisticated malware may have compromised research systems, potentially representing a nation-state attack targeting U.S. scientific advantages.”

Initial Symptoms to Present:

  • “Experimental data showing subtle inconsistencies that could invalidate breakthrough research findings”
  • “Research computing systems displaying normal operations while data integrity checks reveal manipulation”
  • “Network monitoring detecting unexpected communication patterns on classified research networks”
  • “International collaboration system logs showing unusual access patterns and data transfer activities”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensic analysis reveals sophisticated malware designed specifically for research data manipulation and theft
  • Research system examination shows covert data exfiltration targeting classified renewable energy breakthrough technology
  • Collaboration timeline analysis reveals compromise during establishment of international research partnership systems

Protector System Analysis:

  • Research data integrity monitoring reveals systematic manipulation of experimental results and scientific calculations
  • Classified information systems analysis shows potential compromise of national laboratory intellectual property
  • Network security assessment reveals breach of the nominally air-gapped classified research computing environments

Tracker Network Investigation:

  • Traffic analysis reveals covert data exfiltration channels targeting classified research and breakthrough technologies
  • Research collaboration monitoring shows unauthorized access to scientific data and intellectual property
  • Attribution investigation suggests nation-state-level espionage targeting U.S. scientific and technological advantages

Communicator Stakeholder Interviews:

  • Research scientists describe subtle anomalies in experimental data that could compromise research validity
  • International collaboration partners explain data sharing procedures that may have introduced compromise vectors
  • Classification security staff describe federal requirements for protecting national laboratory research and intellectual property

Mid-Scenario Pressure Points:

  • Hour 1: Lead scientist reports that 30% of critical experimental data shows manipulation that could invalidate research conclusions
  • Hour 2: Congressional staff calls to confirm research presentation schedule and breakthrough technology demonstration
  • Hour 3: Laboratory director discovers that backup research systems show different results than primary computing displays
  • Hour 4: Research security officer finds evidence that classified breakthrough technology data may have been exfiltrated to foreign adversaries

Evolution Triggers:

  • If data manipulation continues, breakthrough research presentation will be based on compromised and invalid scientific results
  • If Congressional presentation is cancelled, years of research investment and national energy policy development are delayed
  • If classified research has been exfiltrated to foreign adversaries, U.S. scientific and economic competitive advantages are compromised

Resolution Pathways:

Technical Success Indicators:

  • Team identifies sophisticated malware and research data manipulation and theft
  • Research data integrity restored through comprehensive validation and malware removal
  • Classified information protection enhanced while maintaining legitimate international scientific collaboration

Business Success Indicators:

  • Research integrity and Congressional presentation timeline maintained throughout cybersecurity incident response
  • Breakthrough technology development protected from foreign espionage and competitive compromise
  • National laboratory mission fulfilled while addressing sophisticated nation-state cybersecurity threats

Learning Success Indicators:

  • Team understands nation-state espionage threats to research institutions and intellectual property
  • Participants recognize scientific research cybersecurity challenges and classified information protection requirements
  • Group demonstrates coordination between cybersecurity, research operations, and national security considerations

Common IM Facilitation Challenges:

If Research Integrity Impact Is Minimized:

“While you’re conducting technical analysis, Dr. Vasquez just confirmed that experimental data manipulation could invalidate the entire breakthrough research project, potentially wasting a decade of scientific work and billions in federal investment. How do you protect research integrity?”

If Espionage Implications Are Avoided:

“Linda just found evidence that classified renewable energy technology data may have been stolen and transferred to foreign competitors. What does this mean for U.S. energy independence and scientific advantages?”

If Congressional Pressure Is Underestimated:

“Senator Brooks’s office just called to confirm that Wednesday’s presentation will demonstrate revolutionary technology that could change national energy policy. Can you guarantee the research data is valid and hasn’t been compromised?”

Success Metrics for Session:

Stuxnet Scenario: Smart Grid Infrastructure Sabotage

PowerGrid Dynamics: Regional electrical utility, 800 employees, serving 2.3 million customers across three states
APT • Stuxnet
STAKES
Regional power stability + National security + Critical infrastructure protection + Economic continuity
HOOK
PowerGrid Dynamics has been modernizing their electrical grid with IoT sensors, automated switching systems, and cloud-connected infrastructure management. Nation-state attackers have infiltrated their smart grid systems through compromised vendor software updates, installing sophisticated malware designed to manipulate power distribution while hiding the attack from operators. The malware is specifically targeting renewable energy integration systems during peak demand periods.
PRESSURE
Federal oversight and potential national security implications - any grid instability could cascade to critical services
FRONT • 150 minutes • Advanced
PowerGrid Dynamics: Regional electrical utility, 800 employees, serving 2.3 million customers across three states
APT • Stuxnet
NPCs
  • Director Janet Walsh (Grid Operations): Former DOE official managing coordination with federal agencies while maintaining operational stability, balancing national security requirements with customer service
  • Chief Engineer David Liu (Control Systems): Discovering sophisticated malware specifically designed to manipulate smart grid automation, realizing attackers have detailed knowledge of their proprietary systems
  • Cybersecurity Manager Lisa Rodriguez (NERC CIP Compliance): Coordinating with CISA and FBI while managing regulatory compliance requirements and potential enforcement actions
  • Operations Manager Robert Kim (24/7 Grid Control): Watching real-time grid monitoring systems show anomalous behavior that could destabilize regional power distribution
SECRETS
  • Smart grid vendor provided software updates containing sophisticated nation-state malware
  • Attackers have detailed intelligence about proprietary grid control systems and renewable energy integration protocols
  • Malware designed to create cascading grid failures while appearing as normal operational adjustments

Scenario Details for IMs

Opening Presentation

“You’re at PowerGrid Dynamics, a major regional utility serving 2.3 million customers across three states. Your smart grid modernization has been a flagship project, integrating renewable energy sources with automated distribution systems. This morning, grid operators noticed unusual behavior in the renewable energy integration systems - solar and wind farms are receiving unexpected commands that could destabilize power distribution. Initial analysis suggests sophisticated malware specifically designed to manipulate your proprietary control systems. The FBI cybersecurity unit is en route.”

Initial Symptoms to Present:

  • “Smart grid automation systems issuing unexpected commands to renewable energy facilities”
  • “Grid control software showing normal operation while actual system behavior becomes anomalous”
  • “Vendor security updates appear legitimate but contain sophisticated hidden payloads”
  • “Attack patterns suggest nation-state level sophistication and detailed infrastructure knowledge”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated malware designed specifically for electrical grid manipulation
  • Supply chain analysis discovers compromise of trusted vendor software update process
  • Attack attribution suggests nation-state capabilities and extensive reconnaissance of grid systems

Protector System Analysis:

  • Critical infrastructure assessment reveals malware targeting renewable energy integration systems
  • Control system security analysis shows sophisticated evasion of industrial cybersecurity measures
  • Grid stability analysis reveals potential for coordinated attacks causing cascading power failures

Tracker Intelligence Analysis:

  • Threat intelligence coordination reveals similar attacks on electrical infrastructure globally
  • Network monitoring discovers command and control infrastructure using legitimate cloud services
  • International intelligence sharing reveals broader campaign targeting critical infrastructure

Communicator Federal Coordination:

  • CISA and FBI coordination for critical infrastructure protection and national security response
  • NERC CIP compliance management and potential regulatory enforcement during active attack
  • Multi-state coordination for regional grid stability and emergency response planning

Crisis Manager Strategic Response:

  • National security incident coordination between private utility and federal agencies
  • Regional grid stability management during active nation-state cyber attack
  • Strategic decision-making about disclosure and public communication during ongoing threat

Evolution Triggers:

  • Intermediate → Advanced: Additional utilities report similar attacks, indicating coordinated campaign
  • Advanced → Critical: Malware begins actively destabilizing grid during peak demand period

Success Metrics:

  • Effective coordination with federal agencies and national security apparatus
  • Technical containment preventing grid destabilization
  • Successful attribution and threat intelligence development
  • Coordinated response protecting regional electrical infrastructure

Learning Objectives:

  • Nation-state cyber attacks on critical infrastructure
  • Public-private coordination during national security incidents
  • Advanced persistent threat techniques and attribution
  • Critical infrastructure protection and incident response

Historical Context for IMs:

This scenario modernizes Stuxnet, the malware discovered in 2010 that targeted Iran’s uranium enrichment programme by manipulating Siemens industrial control systems while feeding operators normal-looking readings. The contemporary version adapts this to modern smart grid infrastructure, where nation-state attackers target renewable energy integration systems to destabilize electrical grids, keeping the same sophisticated targeting and physical-world impact that made Stuxnet historically significant.

Stuxnet Scenario: Nuclear Engineering Corporation Crisis (2010)

Nuclear Engineering Corporation: Private nuclear facility contractor, 350 employees, providing uranium enrichment services
APT • Stuxnet
STAKES
Nuclear facility safety + International relations + Industrial control security + National security
HOOK
It's June 2010. Your facility provides uranium enrichment services using centrifuge cascades controlled by Siemens PLCs and SCADA software. Security researchers have just discovered an unprecedented piece of malware built to target industrial control systems. The malware, dubbed 'Stuxnet,' uses multiple Windows zero-day exploits to spread over USB drives and local networks into supposedly air-gapped facilities, signs its drivers with stolen digital certificates so that Windows loads them without complaint, and manipulates centrifuge operations while replaying normal readings to the operators' consoles.
PRESSURE
International scrutiny and potential nuclear security implications - any control system manipulation could have catastrophic consequences
FRONT • 150 minutes • Advanced
Nuclear Engineering Corporation: Private nuclear facility contractor, 350 employees, providing uranium enrichment services
APT • Stuxnet
NPCs
  • Dr. Helen Carter (Nuclear Safety Director): Former NRC official coordinating with federal agencies while ensuring continued safe operations, balancing transparency with national security concerns
  • Engineer Thomas Mueller (Control Systems Specialist): Discovering that sophisticated attackers have detailed knowledge of proprietary Siemens systems and nuclear enrichment processes
  • Security Manager Rachel Kim (Industrial Cybersecurity): Learning that traditional IT security doesn't apply to industrial control networks, realizing air-gapped systems aren't truly isolated
  • Operations Supervisor Mark Johnson (Centrifuge Operations): Watching control systems show normal readings while actual centrifuge behavior becomes increasingly erratic
SECRETS
  • Attackers signed the malware's drivers with digital certificates stolen from legitimate technology companies, so operating system driver checks let them load
  • Malware specifically targets Siemens S7-300 and S7-400 series PLCs and only activates when it finds the exact frequency-converter configuration used in uranium enrichment cascades
  • Multiple zero-day exploits indicate nation-state level resources and intelligence gathering capabilities

Historical Context & Modernization Prompts

Understanding 2010 Technology Context

This scenario represents the actual Stuxnet attack discovered in 2010. Key historical elements to understand:

  • Industrial Control Systems: SCADA networks considered secure through “air-gapping” and obscurity
  • Cybersecurity Paradigm: IT and OT (operational technology) security completely separate disciplines
  • Nation-State Capabilities: First widely-recognized cyber weapon targeting physical infrastructure
  • Digital Certificates: Trusted signing mechanism with limited validation and revocation processes
  • Zero-Day Exploits: Extremely rare and valuable, typically reserved for highest-priority operations

Collaborative Modernization Questions for Players

Present these questions after initial investigation to guide modernization:

  1. “How has IoT and Industry 4.0 changed industrial control system security?”
    • Guide toward: Connected factories, cloud-based monitoring, remote access capabilities
  2. “What critical infrastructure would be most vulnerable to similar attacks today?”
    • Guide toward: Smart grids, water treatment, transportation systems, healthcare networks
  3. “How have nation-state cyber capabilities evolved since 2010?”
    • Guide toward: Supply chain attacks, living-off-the-land techniques, cloud infrastructure targeting
  4. “What would ‘air-gapped’ networks look like in today’s connected world?”
    • Guide toward: Vendor remote access, cloud integrations, mobile device connections
  5. “How would modern threat detection identify this type of sophisticated attack?”
    • Guide toward: Behavioral analysis, machine learning, threat hunting, international intelligence sharing

Modernization Discovery Process

After historical investigation, facilitate modernization discussion:

  1. Infrastructure Evolution: Explore how critical infrastructure has become more connected
  2. Attack Sophistication: Discuss how nation-state techniques have become more accessible
  3. Detection Capabilities: Compare 2010 reactive detection to modern proactive threat hunting
  4. Response Coordination: Examine how public-private coordination has evolved
  5. Physical Impact: Consider how cyber attacks on different infrastructure create different consequences

Learning Objectives

  • Nation-State Threats: Understanding sophisticated adversary capabilities and motivations
  • Critical Infrastructure Protection: Recognizing vulnerabilities in essential services
  • OT/IT Convergence: Appreciating security challenges as operational technology becomes connected
  • International Coordination: Learning how cyber attacks require diplomatic and technical response

IM Facilitation Notes

  • Emphasize Sophistication: Help players understand the unprecedented nature of the 2010 attack
  • Physical Consequences: Highlight how cyber attacks can cause real-world damage
  • Attribution Complexity: Discuss challenges of identifying nation-state attackers
  • Evolution Discussion: Guide conversation toward how similar attacks might work today
  • Ethical Considerations: Address dual-use nature of cybersecurity knowledge

This historical foundation provides insight into the first major cyber weapon while helping teams understand how nation-state threats continue to evolve and target critical infrastructure.

Code Red (Web Server Worm)

Code Red Scenario: Web Hosting Company Crisis

NetHost Solutions: Web hosting provider serving 15,000 client websites, 180 employees
Worm • Code Red
STAKES
Client website availability + Business reputation + Internet infrastructure stability
HOOK
NetHost Solutions is managing peak summer traffic for their e-commerce clients when automated scanning begins hitting their IIS web servers. Within hours, hundreds of client websites are compromised and displaying defacement messages, while the infected servers begin participating in coordinated DDoS attacks against internet infrastructure targets.
PRESSURE
Summer e-commerce peak season - client website downtime causes immediate revenue loss + Reputation damage threatens business survival
FRONT • 120 minutes • Advanced
NetHost Solutions: Web hosting provider serving 15,000 client websites, 180 employees
Worm • Code Red
NPCs
  • Michael Chen (Operations Director): Managing 15,000 client websites during peak season, watching servers get compromised in real-time, must balance immediate response with business continuity
  • Sandra Williams (Network Administrator): Discovering that IIS servers are scanning the entire internet for vulnerable targets, realizing the company's infrastructure is participating in global attacks
  • Jennifer Lopez (Client Relations Manager): Fielding angry calls from e-commerce clients whose websites are defaced during peak sales season, must manage customer retention during security crisis
  • David Thompson (Security Engineer): Analyzing the buffer overflow exploit targeting IIS servers, coordinating with ISPs and security community about internet-wide threat
SECRETS
  • Web hosting company delayed IIS security patches to avoid disrupting client websites during peak season
  • Hundreds of client websites share vulnerable server infrastructure with minimal security segmentation
  • Company's infected servers are now participating in coordinated internet-wide scanning and DDoS attacks

Scenario Details for IMs

Opening Presentation

“It’s Tuesday afternoon at NetHost Solutions during peak summer e-commerce season, and the company is managing record traffic for their 15,000 client websites. Suddenly, the operations center receives alerts that hundreds of client websites are displaying the message ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of their normal content. Network monitoring shows their IIS servers are generating massive amounts of scanning traffic targeting other web servers across the internet.”

Initial Symptoms to Present:

  • “Client websites displaying identical defacement messages instead of normal content”
  • “IIS web servers generating massive amounts of outbound scanning traffic”
  • “Network bandwidth consumption spiking due to automated scanning activity”
  • “Multiple client websites affected simultaneously across different server clusters”

Key Discovery Paths:

Detective Investigation Leads:

  • Web server log analysis reveals buffer overflow exploitation targeting IIS vulnerability
  • File system examination shows memory-only infection with no persistent files created
  • Timeline analysis indicates rapid automated propagation across vulnerable server infrastructure

Protector System Analysis:

  • Real-time monitoring shows infected servers participating in coordinated internet scanning
  • Web server security assessment reveals unpatched IIS systems vulnerable to buffer overflow
  • Network traffic analysis indicates participation in distributed coordinated attack infrastructure

Tracker Network Investigation:

  • Internet traffic analysis reveals coordinated scanning patterns targeting global web server infrastructure
  • DNS and network flow data shows communication with other infected systems worldwide
  • Attack source analysis indicates automated worm propagation rather than targeted attacks

Communicator Stakeholder Interviews:

  • Client communications regarding website defacements and business impact during peak season
  • ISP coordination about malicious traffic originating from company infrastructure
  • Security community information sharing about internet-wide worm propagation
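The discovery paths above rest on two artefacts a responder actually holds in this scenario: IIS request logs that record the exploitation attempts, and network flow data that shows which servers have turned into scanners. The Python triage helper below is an added example, not part of the scenario deck or any NetHost tooling; the log lines, flow records and thresholds (200 filler bytes, 20 distinct destinations per minute) are constructed for illustration, and the request signature follows the worm's publicly documented form.

```python
"""Triage helpers for a Code Red style IIS worm incident (constructed example).
Inbound: find the worm's request in IIS W3C logs, a GET for /default.ida whose
query is a long run of one filler byte plus %u-escaped bytes that overflow the
.ida ISAPI handler. Outbound: find web servers whose flows show TCP/80 connects
to many distinct hosts within a minute, i.e. an infected server's scan loop.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filler byte repeated 200+ times ('N' for Code Red, 'X' for the later variant), then %u-escaped bytes.
IDA_OVERFLOW = re.compile(r"^(?P<fill>[A-Za-z])(?P=fill){199,}%u[0-9a-fA-F]{4}")

# Constructed IIS W3C lines; field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = [
    "2001-07-19 13:01:02 203.0.113.7 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3 200",
    "2001-07-19 13:01:05 198.51.100.22 GET /index.asp - 200",
    "2001-07-19 13:01:09 203.0.113.7 GET /default.ida " + "X" * 224 + "%u9090%u6858%ucbd3 200",
    "2001-07-19 13:02:44 192.0.2.15 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3 200",
    "2001-07-19 13:03:10 198.51.100.22 GET /default.ida search=worm 404",
]

# Constructed flow records (timestamp, source, destination, dest port): 10.0.5.12
# acts like an infected server probing unrelated port-80 hosts, 10.0.5.20 is normal.
BASE = datetime(2001, 7, 19, 13, 5, 0)
FLOWS = [(BASE + timedelta(seconds=i), "10.0.5.12", f"198.51.100.{i}", 80)
         for i in range(1, 41)]
FLOWS += [(BASE + timedelta(seconds=10 * i), "10.0.5.20", f"192.0.2.{i}", 443)
          for i in range(1, 4)]
FLOWS.append((BASE + timedelta(seconds=5), "10.0.5.20", "192.0.2.50", 80))


def parse_iis_line(line):
    """Split one W3C extended line into a dict; None for header/malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, c_ip, method, stem, query, status = parts
    return {"time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": c_ip, "method": method, "stem": stem, "query": query,
            "status": int(status)}


def find_exploit_attempts(lines):
    """Return records matching the .ida overflow signature. sc-status is kept so
    responders can see whether the .ida handler answered (200) or the script
    mapping had already been removed (404)."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not rec["stem"].lower().endswith((".ida", ".idq")):
            continue
        m = IDA_OVERFLOW.match(rec["query"])
        if m:
            rec["fill"] = m.group("fill")
            hits.append(rec)
    return hits


def attempt_timeline(hits):
    """Distinct sources, span in seconds and attempts per minute: the numbers
    that separate automated propagation from a single operator."""
    if not hits:
        return {"sources": 0, "span_seconds": 0.0, "per_minute": 0.0}
    times = sorted(h["time"] for h in hits)
    span = (times[-1] - times[0]).total_seconds()
    minutes = max(span / 60.0, 1.0)  # a sub-minute burst counts as one minute
    return {"sources": len({h["src"] for h in hits}), "span_seconds": span,
            "per_minute": round(len(hits) / minutes, 2)}


def scanning_hosts(flows, window_seconds=60, min_distinct=20):
    """Map each source to its peak count of distinct TCP/80 destinations in any
    sliding window, keeping only sources at or above min_distinct."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 80:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_distinct:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print("timeline:", attempt_timeline(find_exploit_attempts(IIS_LOG)))
    print("scanning hosts:", scanning_hosts(FLOWS))
```

On real data the same two checks also separate the inbound picture (who hit us, how fast) from the outbound one (which of our servers must be pulled off the network first), which is the priority call Sandra's discovery forces in the first hour.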

Mid-Scenario Pressure Points:

  • Hour 1: Major e-commerce client threatens contract termination due to website defacement during peak sales period
  • Hour 2: ISP contacts company about malicious scanning traffic violating terms of service
  • Hour 3: Security community reports company’s servers participating in coordinated DDoS attack preparation
  • Hour 4: News media reports widespread internet worm affecting web hosting providers

Evolution Triggers:

  • If response takes longer than 6 hours, infected servers participate in massive coordinated DDoS attack
  • If patch deployment is delayed, worm continues spreading to additional client websites
  • If network isolation fails, company infrastructure continues contributing to internet-wide attacks

Resolution Pathways:

Technical Success Indicators:

  • Emergency patch deployment stops worm propagation across server infrastructure
  • Network isolation prevents further participation in coordinated internet attacks
  • Server restart and patching removes memory-only infection while maintaining client services

Business Success Indicators:

  • Client relationships maintained through rapid response and transparent communication
  • Business operations restored with minimal impact on hosting service availability
  • Company reputation protected through professional incident management and coordinated response

Learning Success Indicators:

  • Team understands internet-scale worm propagation and infrastructure targeting
  • Participants recognize shared responsibility for internet security and coordinated defense
  • Group demonstrates crisis management balancing business continuity with infrastructure security

Common IM Facilitation Challenges:

If Internet-Scale Impact Is Underestimated:

“Your server response is good, but Sandra just discovered that your infected systems are scanning the entire internet and participating in attacks against other organizations. How does this change your response priorities?”

If Client Impact Is Ignored:

“While you’re investigating the technical details, Jennifer has 50 angry clients on hold whose e-commerce websites are defaced during their peak sales season. How do you balance technical response with client relations?”

If Coordinated Nature Is Missed:

“David just realized this isn’t a targeted attack on NetHost - it’s an internet-wide worm that’s turning web hosting infrastructure into a coordinated attack platform. What does this mean for your response strategy?”

Success Metrics for Session:

Code Red Scenario: State University System Crisis

State University System: 50,000 students, 8,000 faculty/staff, managing 200+ departmental websites
Worm • Code Red
STAKES
Student services continuity + Academic research data + University reputation + Internet infrastructure responsibility
HOOK
State University is in the middle of fall semester registration when their IIS web servers hosting departmental websites, student services, and research portals begin showing defacement messages. The infected university servers are now participating in internet-wide scanning and coordinated attacks, threatening both campus operations and the university's role as a responsible internet citizen.
PRESSURE
Fall registration period - student services disruption affects 50,000 students + University reputation and internet responsibility at stake
FRONT • 120 minutes • Advanced
State University System: 50,000 students, 8,000 faculty/staff, managing 200+ departmental websites
Worm • Code Red
NPCs
  • Dr. Patricia Moore (Chief Information Officer): Managing critical student services during registration period, must balance immediate campus needs with university's responsibility as internet infrastructure provider
  • Robert Garcia (Web Services Director): Overseeing 200+ departmental websites that are now defaced, trying to restore services while preventing further worm propagation
  • Lisa Chang (Student Services Director): Managing registration crisis as student portal and course management systems display defacement messages instead of critical academic services
  • Professor Alan Davis (Computer Science): Analyzing the worm's technical behavior and coordinating with academic security research community about internet-wide threat
SECRETS
  • University delayed IIS patches during registration period to avoid disrupting critical student services
  • Academic departments host research data and student services on shared vulnerable web server infrastructure
  • University's infected servers are now participating in coordinated attacks against other educational and government institutions

Scenario Details for IMs

Opening Presentation

“It’s Monday morning during State University’s peak fall registration period, and 50,000 students are trying to access course registration, student services, and departmental websites. Instead of academic content, hundreds of university web pages are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Network administrators discover that the university’s IIS servers are generating massive scanning traffic, effectively turning the institution’s infrastructure into part of a global attack network.”

Initial Symptoms to Present:

  • “Student registration portal displaying defacement message instead of course enrollment system”
  • “Departmental websites across campus showing identical ‘Hacked By Chinese!’ messages”
  • “University IIS servers generating massive internet scanning traffic overwhelming network bandwidth”
  • “Academic research portals and faculty websites simultaneously compromised”

Key Discovery Paths:

Detective Investigation Leads:

  • Web server forensics reveal buffer overflow exploitation targeting university’s IIS infrastructure
  • Academic network analysis shows memory-only infection spreading across departmental web servers
  • Registration system logs indicate compromise occurred during peak student access period

Protector System Analysis:

  • Campus network monitoring reveals infected servers participating in coordinated internet attacks
  • Web server vulnerability assessment shows delayed patch management affecting critical student services
  • Academic data integrity analysis indicates potential research data exposure through compromised web services

Tracker Network Investigation:

  • Internet traffic analysis reveals university infrastructure participating in global worm propagation
  • Academic network communication patterns show coordination with other infected educational institutions
  • Research collaboration network analysis indicates potential spread to partner universities and government labs

Communicator Stakeholder Interviews:

  • Student communications regarding registration disruption and academic service availability
  • Faculty concerns about research data exposure and academic website compromise
  • Academic community coordination with other universities experiencing similar attacks

Mid-Scenario Pressure Points:

  • Hour 1: 10,000 students unable to complete course registration due to defaced enrollment portal
  • Hour 2: Faculty research data becomes inaccessible through compromised departmental websites
  • Hour 3: Other universities report that State University servers are attacking their infrastructure
  • Hour 4: University administration faces media questions about academic data security and internet responsibility

Evolution Triggers:

  • If response exceeds 8 hours, university misses registration deadline affecting student academic progress
  • If worm containment fails, infection spreads to other universities through academic collaboration networks
  • If patch deployment is delayed, university continues participating in coordinated attacks against educational infrastructure

Resolution Pathways:

Technical Success Indicators:

  • Emergency patch deployment stops worm propagation across university web infrastructure
  • Student services restored through secure backup systems while maintaining registration deadline
  • University servers removed from coordinated attack network through network isolation and system restart

Business Success Indicators:

  • Academic operations maintained with minimal impact on student registration and faculty research
  • University reputation protected through transparent communication and responsible incident response
  • Academic community relationships maintained through coordinated response and information sharing

Learning Success Indicators:

  • Team understands university’s dual role as service provider and internet infrastructure participant
  • Participants recognize academic institution cybersecurity responsibilities during critical operational periods
  • Group demonstrates coordination between academic mission priorities and internet security obligations

Common IM Facilitation Challenges:

If Academic Mission Is Ignored:

“Your technical analysis is excellent, but Lisa reports that 10,000 students can’t register for classes and the registration deadline is tomorrow. How do you balance worm response with critical academic deadlines?”

If Internet Responsibility Is Missed:

“While you’re restoring student services, Professor Davis just received calls from three other universities saying that State University servers are attacking their infrastructure. How does this change your response approach?”

If Research Data Impact Is Overlooked:

“Robert discovered that some of the compromised servers host faculty research data and collaboration portals. How do you assess whether sensitive academic research has been exposed?”

Success Metrics for Session:

Code Red Scenario: Department of Public Services Crisis

Department of Public Services: State agency serving 2.5 million citizens, managing 40+ government service websites
Worm • Code Red
STAKES
Citizen service delivery + Government operations + National security implications + Public trust
HOOK
The Department of Public Services is managing peak tax season traffic when their IIS servers hosting citizen portals for tax filing, license renewals, and benefit applications begin displaying defacement messages. The compromised government servers are now participating in coordinated internet attacks, creating both immediate service disruption and serious national security concerns.
PRESSURE
Tax filing deadline in 48 hours - citizen service disruption affects millions + Compromised government infrastructure threatens national security
FRONT • 150 minutes • Expert
Department of Public Services: State agency serving 2.5 million citizens, managing 40+ government service websites
Worm • Code Red
NPCs
  • Director Margaret Foster (Agency Director): Managing critical citizen services during tax season while addressing national security implications of government infrastructure compromise
  • Captain James Mitchell (Information Security Officer): Coordinating with federal cybersecurity agencies about government server compromise and participation in internet-wide attacks
  • Sarah Reynolds (Public Services Manager): Managing citizen communications as tax filing, license renewal, and benefit portals display defacement messages instead of government services
  • Agent Nicole Park (FBI Cyber Division): Investigating potential national security implications of government infrastructure participating in coordinated internet attacks
SECRETS
  • Government agency delayed IIS patches during tax season to avoid disrupting critical citizen services
  • Citizen service portals and government infrastructure share vulnerable web servers without proper security segmentation
  • Government servers are now participating in coordinated attacks against other government and critical infrastructure targets

Scenario Details for IMs

Opening Presentation

“It’s Tuesday morning at the Department of Public Services during the final 48 hours of tax season, with millions of citizens trying to file taxes and access government services online. Instead of tax portals and license renewal systems, government websites are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Federal cybersecurity agencies are calling because the state’s government servers are now attacking other government infrastructure across the internet.”

Initial Symptoms to Present:

  • “Tax filing portal displaying defacement message instead of citizen tax services”
  • “License renewal and benefit application websites showing identical compromise messages”
  • “Government IIS servers generating massive scanning traffic targeting other government agencies”
  • “Federal agencies reporting attacks originating from state government infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Government network forensics reveal buffer overflow exploitation targeting citizen service infrastructure
  • Public service system analysis shows memory-only worm infection across government web servers
  • Tax season timeline analysis indicates compromise during peak citizen service demand

Protector System Analysis:

  • Government network monitoring reveals infected servers attacking federal infrastructure and other agencies
  • Citizen service system assessment shows delayed patch management affecting critical government operations
  • National security analysis indicates potential classified system exposure through government network compromise

Tracker Network Investigation:

  • Internet traffic analysis reveals government infrastructure participating in coordinated attacks against critical infrastructure
  • Government network communication patterns show coordination with other infected government and military systems
  • Federal coordination reveals multi-agency impact and national security implications

Communicator Stakeholder Interviews:

  • Citizen communications regarding tax filing disruption and government service unavailability
  • Federal agency coordination about government infrastructure attacks and national security implications
  • Public trust management through transparent communication about government cybersecurity incident

Mid-Scenario Pressure Points:

  • Hour 1: 500,000 citizens unable to file taxes due to defaced government portals with 48-hour deadline approaching
  • Hour 2: Federal agencies report state government servers attacking Department of Defense and critical infrastructure
  • Hour 3: Governor’s office demands immediate restoration of citizen services and explanation of security failure
  • Hour 4: News media reports government cybersecurity incident affecting citizen services and national security

Evolution Triggers:

  • If response exceeds 24 hours, citizens miss tax filing deadline creating massive public service crisis
  • If government network isolation fails, infection spreads to other agencies and classified systems
  • If federal coordination is inadequate, government infrastructure continues participating in attacks against national security targets

Resolution Pathways:

Technical Success Indicators:

  • Emergency patch deployment stops worm propagation across government web infrastructure
  • Citizen services restored through secure backup systems maintaining tax filing deadline
  • Government servers removed from coordinated attack network through federal cybersecurity coordination

Business Success Indicators:

  • Government operations maintained with minimal impact on citizen services and tax season completion
  • Public trust protected through transparent communication and professional incident management
  • Federal relationships maintained through coordinated response and national security cooperation

Learning Success Indicators:

  • Team understands government infrastructure’s critical role in national cybersecurity
  • Participants recognize government cybersecurity responsibilities during critical service periods
  • Group demonstrates coordination between citizen service delivery and national security obligations

Common IM Facilitation Challenges:

If National Security Implications Are Minimized:

“Your citizen service restoration is important, but Agent Park just reported that your government servers are attacking Department of Defense infrastructure. How does this change your response priorities and coordination requirements?”

If Citizen Impact Is Ignored:

“While you’re coordinating with federal agencies, Sarah has 500,000 citizens calling about tax filing with the deadline in 36 hours. How do you balance national security response with critical citizen service delivery?”

If Government Responsibility Is Overlooked:

“Captain Mitchell discovered that your compromised servers are attacking other state agencies and federal systems. How do you address your government’s role in attacking other government infrastructure?”

Success Metrics for Session:

Code Red Scenario: E-commerce Platform Crisis

ShopCore Technologies: E-commerce platform serving 5,000 online retailers, 320 employees
Worm • Code Red
STAKES
Retailer revenue + Customer shopping data + Platform reputation + Holiday shopping season
HOOK
ShopCore Technologies is managing Black Friday weekend traffic for 5,000 online retailers when their IIS web servers hosting e-commerce platforms begin displaying defacement messages instead of shopping websites. The infected servers are now participating in coordinated internet attacks while retailers lose critical holiday revenue during the most important shopping period of the year.
PRESSURE
Black Friday weekend - peak shopping season revenue loss threatens retailer businesses + Platform reputation damage affects company survival
FRONT • 120 minutes • Advanced
ShopCore Technologies: E-commerce platform serving 5,000 online retailers, 320 employees
Worm • Code Red
NPCs
  • Victoria Chen (Platform Operations Director): Managing peak holiday shopping traffic for 5,000 retailers, watching e-commerce platforms get defaced during the most critical revenue period of the year
  • Mark Rodriguez (Security Engineer): Discovering that platform servers are participating in internet-wide attacks while retailer websites display defacement messages instead of products
  • Amanda Johnson (Client Success Manager): Managing crisis communications with thousands of retailers losing holiday revenue due to platform compromise during Black Friday weekend
  • Kevin Wu (Infrastructure Manager): Coordinating emergency response while maintaining platform availability for retailers dependent on holiday shopping revenue
SECRETS
  • E-commerce platform delayed IIS security patches during holiday preparation to avoid disrupting critical shopping season
  • Thousands of retailer websites share vulnerable server infrastructure with minimal security isolation
  • Platform's infected servers are now attacking other e-commerce and financial services infrastructure across the internet

Scenario Details for IMs

Opening Presentation

“It’s Black Friday morning at ShopCore Technologies, and the platform is handling record traffic for 5,000 online retailers during the most critical shopping weekend of the year. Instead of product catalogs and shopping carts, retailer websites are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ while the platform’s servers are generating massive internet scanning traffic, effectively turning the e-commerce infrastructure into part of a coordinated attack network.”

Initial Symptoms to Present:

  • “Retailer e-commerce websites displaying defacement messages instead of product catalogs”
  • “Shopping cart and payment systems showing ‘Hacked By Chinese!’ messages during peak sales”
  • “Platform IIS servers generating massive scanning traffic affecting internet bandwidth”
  • “5,000 retailers unable to process holiday sales through compromised platform infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • E-commerce platform forensics reveal buffer overflow exploitation targeting holiday shopping infrastructure
  • Shopping transaction system analysis shows memory-only worm infection across platform web servers
  • Holiday shopping timeline analysis indicates compromise during peak Black Friday traffic

Protector System Analysis:

  • E-commerce network monitoring reveals infected servers participating in coordinated attacks against financial infrastructure
  • Platform security assessment shows delayed patch management affecting critical holiday shopping operations
  • Customer shopping data integrity analysis indicates potential exposure through compromised e-commerce systems

Tracker Network Investigation:

  • Internet traffic analysis reveals e-commerce platform participating in attacks against other shopping and financial services
  • Retail network communication patterns show coordination with other infected e-commerce and payment systems
  • Holiday shopping traffic analysis indicates massive revenue impact across thousands of dependent retailers

Communicator Stakeholder Interviews:

  • Retailer communications regarding holiday revenue loss and customer shopping disruption
  • Customer service management dealing with shoppers unable to complete purchases during Black Friday
  • E-commerce industry coordination about platform security and holiday shopping protection

Mid-Scenario Pressure Points:

  • Hour 1: Major retailer reports $2 million in lost Black Friday sales due to defaced e-commerce platform
  • Hour 2: Payment processing companies report attacks originating from ShopCore’s infrastructure
  • Hour 3: 5,000 retailers demanding immediate platform restoration as holiday shopping weekend continues
  • Hour 4: News media reports widespread e-commerce disruption affecting Black Friday shopping nationwide

Evolution Triggers:

  • If response exceeds 12 hours, retailers lose entire Black Friday weekend revenue affecting annual business results
  • If worm containment fails, infection spreads to payment processing and financial services infrastructure
  • If platform restoration is delayed, customer shopping data exposure threatens long-term business relationships

Resolution Pathways:

Technical Success Indicators:

  • Emergency patch deployment stops worm propagation across e-commerce platform infrastructure
  • Retailer websites restored through secure backup systems maintaining holiday shopping capabilities
  • Platform servers removed from coordinated attack network while preserving shopping transaction processing

Business Success Indicators:

  • E-commerce operations restored with minimal impact on retailer holiday revenue and customer shopping
  • Platform reputation protected through rapid response and transparent communication with retail partners
  • Customer shopping data secured preventing long-term damage to e-commerce trust and relationships

Learning Success Indicators:

  • Team understands e-commerce platform’s critical role in holiday retail economy and internet infrastructure
  • Participants recognize platform cybersecurity responsibilities during peak commercial periods
  • Group demonstrates coordination between business continuity and internet security obligations

Common IM Facilitation Challenges:

If Retailer Impact Is Underestimated:

“Your technical response is solid, but Amanda just reported that 5,000 retailers are losing Black Friday revenue and threatening to switch platforms. How do you balance worm investigation with critical business relationships?”

If Internet Attack Participation Is Ignored:

“While you’re restoring shopping platforms, Mark discovered that your servers are attacking payment processing companies and other e-commerce infrastructure. How does this change your response strategy?”

If Holiday Timeline Is Overlooked:

“Victoria needs to know: can the platform be restored in time to capture Cyber Monday traffic, or will retailers lose the entire holiday shopping weekend?”

Success Metrics for Session:

Code Red Scenario: Cloud Infrastructure Mass Exploitation

CloudCore Solutions: SaaS provider, 250 employees, 50,000+ customer organizations
Worm • Code Red
STAKES
Multi-tenant customer data + Service availability + Reputation damage + Regulatory compliance
HOOK
CloudCore provides cloud-based business management software to thousands of small and medium businesses. A newly discovered vulnerability in their API gateway is being mass-exploited by an automated worm that spreads between customer environments, defacing customer websites and stealing business data across their entire platform. The attack is escalating from dozens to hundreds of affected customers per hour.
PRESSURE
Customer panic and media attention - each compromised customer represents a potential data breach and regulatory violation
FRONT • 90 minutes • Intermediate
CloudCore Solutions: SaaS provider, 250 employees, 50,000+ customer organizations
Worm • Code Red
NPCs
  • Sarah Chen (CTO): Managing technical response while fielding calls from panicked customers and board members, trying to balance customer communication with technical containment
  • Marcus Rodriguez (Lead DevOps Engineer): Watching infrastructure monitoring as attack spreads across microservices, struggling to contain automated exploitation in containerized environment
  • Jennifer Kim (Customer Success Director): Receiving hundreds of support tickets from customers reporting defaced websites and missing business data, demanding immediate restoration and explanations
  • Alex Thompson (Security Architect): Discovering that recent API changes introduced vulnerability that bypassed automated security scanning, realizing scope of platform-wide exposure
SECRETS
  • New API endpoint deployed without security review bypassed standard penetration testing procedures
  • Automated vulnerability scanning missed the critical flaw due to authentication bypass in the exploit chain
  • Shared infrastructure means single vulnerability affects thousands of customer environments simultaneously

Scenario Details for IMs

Opening Presentation

“It’s 2:30 PM on a Wednesday at CloudCore Solutions, and your cloud platform serves over 50,000 customer organizations. Customer support is being flooded with reports of defaced websites and missing business data. Your monitoring dashboard shows hundreds of API security alerts across different customer environments. What started as isolated incidents is accelerating - dozens of new customer compromises are appearing every hour, and the pattern suggests an automated attack spreading through your infrastructure.”

Initial Symptoms to Present:

  • “Customer websites showing hacker messages instead of business content”
  • “API security alerts increasing exponentially across customer environments”
  • “Customer business data being exfiltrated from multiple tenant environments”
  • “New customer compromises appearing every few minutes across the platform”

Key Discovery Paths:

Detective Investigation Leads:

  • API logs reveal mass exploitation of recently deployed authentication bypass vulnerability
  • Container forensics show worm spreading through shared infrastructure between customer environments
  • Attack pattern analysis reveals automated tool systematically targeting all platform customers

Protector System Analysis:

  • Real-time monitoring shows the worm spreading through the microservices architecture faster than affected services can be isolated
  • Container security assessment reveals shared infrastructure allowing cross-customer contamination
  • Platform architecture analysis shows vulnerability in API gateway affecting all customer environments

Tracker Network Analysis:

  • API traffic analysis reveals coordinated attack pattern from multiple source IPs
  • Customer environment monitoring shows systematic data exfiltration across platform
  • Infrastructure monitoring reveals worm leveraging container orchestration for rapid spread

Communicator Stakeholder Assessment:

  • Customer communication reveals widespread panic and demands for immediate explanations
  • Legal analysis confirms data breach notification requirements across multiple jurisdictions
  • Reputation management assessment shows social media and news coverage beginning

Crisis Manager Strategic Coordination:

  • Platform-wide impact assessment reveals potential for complete customer data compromise
  • Business continuity planning for mass customer defection and legal liability
  • Incident response coordination between customer protection and technical containment

Evolution Triggers:

  • Intermediate → Advanced: Customers begin switching to competitors, platform reputation damaged
  • Advanced → Critical: Worm achieves platform-wide persistence, customer data destruction begins

Success Metrics:

  • Rapid isolation of vulnerable API endpoints
  • Effective customer communication maintaining trust
  • Technical containment preventing complete platform compromise
  • Coordinated response between technical and business teams

Learning Objectives:

  • Mass exploitation and automated attack propagation
  • Cloud infrastructure security and multi-tenant isolation
  • Customer communication during security incidents
  • Business impact of platform-wide vulnerabilities

Historical Context for IMs:

This scenario modernizes the 2001 Code Red worm, which exploited IIS buffer overflows to deface websites and spread automatically across the internet. The contemporary version translates this to modern cloud SaaS infrastructure, where API vulnerabilities can affect thousands of customers simultaneously, creating the same rapid propagation and mass impact that made Code Red significant.

Code Red Scenario: University Technology Services Crisis (2001)

University Technology Services: Medium-sized university, 15,000 students, managing campus network infrastructure
Worm • Code Red
STAKES
University operations + Student services + Academic reputation + Network stability
HOOK
It's July 2001. Your university's IT department manages hundreds of Windows servers running IIS web services for academic departments, student services, and research projects. A new automated attack is spreading across the internet, exploiting a buffer overflow vulnerability in Microsoft IIS. The attack is hitting university web servers, defacing academic websites with 'Hacked by Chinese!' messages, and consuming network bandwidth as infected servers scan for new targets.
PRESSURE
Summer session disruption and potential loss of academic credibility - university websites are the public face of the institution
FRONT • 90 minutes • Intermediate
University Technology Services: Medium-sized university, 15,000 students, managing campus network infrastructure
Worm • Code Red
NPCs
  • Dr. Patricia Williams (IT Director): Former Bell Labs engineer managing university technology infrastructure during an early internet security crisis, trying to balance academic openness with security
  • Kevin Zhang (Network Administrator): Recent CS graduate discovering that automated attacks can spread faster than manual response, learning network security under fire
  • Professor Michael Johnson (Computer Science): Faculty member whose research web server was defaced, demanding explanations about university security practices
  • Lisa Rodriguez (Student Services Manager): Fielding calls from students unable to access online registration and course materials
SECRETS
  • University policy prioritizes accessibility over security - most servers run with default configurations
  • IT staff learned about buffer overflows from security mailing lists but haven't implemented patches consistently
  • Academic culture values open networks and shared resources over strict access controls

Historical Context & Modernization Prompts

Understanding 2001 Technology Context

This scenario represents the actual Code Red worm attack from July 2001. Key historical elements to understand:

  • Internet Infrastructure: Much smaller, primarily academic and corporate networks
  • Security Awareness: Buffer overflow vulnerabilities were poorly understood outside expert circles
  • Patch Management: No automated update systems - all patches applied manually
  • Network Architecture: Flat networks with minimal segmentation or access controls
  • Response Capabilities: No dedicated incident response teams at most organizations

Collaborative Modernization Questions for Players

Present these questions after initial investigation to guide modernization:

  1. “How would this attack work in today’s cloud infrastructure?”
    • Guide toward: API vulnerabilities, container security, multi-tenant isolation
  2. “What would be the equivalent of ‘website defacement’ for modern applications?”
    • Guide toward: Data manipulation, service disruption, customer-facing impact
  3. “How has automated scanning and exploitation evolved since 2001?”
    • Guide toward: Modern vulnerability scanners, exploit kits, automated toolchains
  4. “What would university IT infrastructure look like today?”
    • Guide toward: SaaS services, cloud providers, mobile applications, remote learning
  5. “How would incident response be different with modern tools and practices?”
    • Guide toward: Automated detection, centralized logging, threat intelligence, coordination

Modernization Discovery Process

After historical investigation, facilitate modernization discussion:

  1. Technology Translation: Help players identify modern equivalents to 2001 technology
  2. Attack Vector Evolution: Explore how automated exploitation has advanced
  3. Impact Amplification: Discuss how interconnected systems change incident scope
  4. Response Evolution: Compare 2001 manual response to modern automated capabilities
  5. Scenario Adaptation: Collaboratively develop contemporary version

Learning Objectives

  • Historical Perspective: Understanding how cybersecurity threats have evolved
  • Technology Evolution: Recognizing parallels between historical and modern vulnerabilities
  • Incident Response Development: Appreciating advances in security practices and tools
  • Collaborative Learning: Working together to modernize historical threats for current relevance

IM Facilitation Notes

  • Start Historical: Present the 2001 scenario authentically without modern context
  • Guide Discovery: Use questions to help players discover modern parallels
  • Encourage Creativity: Support player ideas for modernization even if unconventional
  • Maintain Learning Focus: Emphasize what the historical context teaches about current threats
  • Document Evolution: Capture player modernization ideas for future scenario development

This historical foundation approach allows teams to learn from cybersecurity history while developing skills to analyze how threats evolve and adapt to changing technology landscapes.

Ghost Rat (Long-term Espionage)

Ghost Rat Scenario: Meridian Capital Management Espionage

Meridian Capital Management: Investment firm managing $8 billion in assets, 250 employees
APT • GhostRAT
STAKES
Client investment data + Trading algorithms + Competitive intelligence + Regulatory compliance
HOOK
Meridian Capital is preparing for a major acquisition announcement when executives notice their computers occasionally behaving strangely - mouse cursors moving on their own, documents opening unexpectedly, and sensitive merger documents being accessed during off-hours. Unknown to them, sophisticated remote access tools have been providing attackers complete control over executive workstations for weeks.
PRESSURE
Merger announcement Monday - any data leak could affect $2 billion transaction and violate SEC regulations
FRONT • 150 minutes • Expert
Meridian Capital Management: Investment firm managing $8 billion in assets, 250 employees
APT • GhostRAT
NPCs
  • Charles Morrison (Managing Partner): Leading $2 billion merger negotiations, unaware that attackers have been monitoring confidential client meetings and transaction strategies through compromised executive systems
  • Dr. Elena Rodriguez (Chief Investment Officer): Discovering that proprietary trading algorithms and client portfolio data may have been accessed through sophisticated remote control malware
  • Marcus Thompson (Compliance Director): Investigating potential regulatory violations as confidential merger documents and client information appear to have been exfiltrated
  • Agent Sarah Kim (SEC Financial Crimes): Coordinating investigation of potential insider trading and market manipulation using stolen merger intelligence
SECRETS
  • Investment firm executives clicked on sophisticated spear-phishing emails containing merger-related documents during deal preparation
  • Attackers have had complete remote control over executive workstations for weeks, monitoring confidential meetings and accessing sensitive financial data
  • Stolen merger intelligence and trading strategies may have been used for illegal market manipulation and insider trading

Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at Meridian Capital Management, and the firm is 72 hours from announcing a $2 billion merger that will reshape the financial services industry. But during final preparation meetings, executives notice disturbing signs: mouse cursors moving on their own during confidential discussions, documents opening unexpectedly, and computer screens occasionally flickering. The IT team discovers evidence of sophisticated remote access tools that have been providing attackers complete control over executive workstations for weeks.”

Initial Symptoms to Present:

  • “Executive computers showing signs of remote control - mouse cursors moving independently”
  • “Confidential merger documents being accessed during off-hours when offices are empty”
  • “Screen capture activity detected on workstations containing sensitive trading algorithms”
  • “Network traffic indicating data exfiltration from executive systems containing client portfolio information”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated remote access trojan with complete system control capabilities
  • Email analysis shows targeted spear-phishing campaign using convincing merger-related documents
  • Timeline analysis indicates weeks of undetected access to confidential financial data and trading strategies

Protector System Analysis:

  • Executive workstation monitoring reveals real-time screen capture and keystroke logging activity
  • Financial data system assessment shows unauthorized access to client portfolios and proprietary trading algorithms
  • Network security analysis indicates coordinated multi-target campaign affecting other financial institutions

Tracker Network Investigation:

  • Command and control traffic analysis reveals sophisticated APT infrastructure with centralized management capabilities
  • Financial intelligence coordination patterns suggest nation-state or organized criminal targeting of merger intelligence
  • Market activity analysis indicates potential use of stolen information for illegal trading and market manipulation

Communicator Stakeholder Interviews:

  • Executive interviews reveal suspicious computer behavior during confidential merger negotiations
  • Client communication assessment regarding potential exposure of investment data and trading strategies
  • Regulatory coordination with SEC regarding potential insider trading and market manipulation using stolen intelligence

Mid-Scenario Pressure Points:

  • Hour 1: Merger partner discovers potential data breach threatening $2 billion transaction completion
  • Hour 2: SEC investigators arrive to assess potential insider trading using stolen merger intelligence
  • Hour 3: Proprietary trading algorithms found on underground markets affecting competitive advantage
  • Hour 4: Client portfolio data exposure threatens regulatory compliance and customer trust

Evolution Triggers:

  • If investigation reveals market manipulation, SEC enforcement action affects merger completion
  • If remote access continues, attackers maintain persistent control for long-term financial espionage
  • If client data exposure is confirmed, regulatory penalties threaten firm survival and industry reputation

Resolution Pathways:

Technical Success Indicators:

  • Complete remote access trojan removal from executive systems with forensic preservation of evidence
  • Trading algorithm and client data security verified preventing further unauthorized access
  • APT infrastructure analysis provides intelligence on coordinated financial services targeting

Business Success Indicators:

  • Merger completion protected through secure evidence handling and regulatory coordination
  • Client relationships maintained through transparent communication and data protection verification
  • Regulatory compliance demonstrated preventing SEC enforcement action and industry penalties

Learning Success Indicators:

  • Team understands sophisticated APT capabilities and long-term corporate espionage operations
  • Participants recognize financial services targeting and regulatory implications of data theft
  • Group demonstrates coordination between cybersecurity response and financial regulatory compliance

Common IM Facilitation Challenges:

If Remote Control Sophistication Is Underestimated:

“Your malware analysis is good, but Dr. Rodriguez just discovered that attackers have been watching executive screens in real-time during confidential merger meetings. How does complete remote control change your investigation approach?”

If Regulatory Implications Are Ignored:

“While you’re removing the malware, Agent Kim needs to know: has stolen merger intelligence been used for illegal trading? How do you coordinate cybersecurity response with SEC investigation requirements?”

If Market Impact Is Overlooked:

“Charles just learned that trading strategies may have appeared on underground markets. How do you assess whether stolen financial intelligence has been used for market manipulation?”

Success Metrics for Session:

Ghost Rat Scenario: Titan Defense Systems Surveillance

Titan Defense Systems: Military contractor developing classified weapons systems, 1,200 employees
APT • GhostRAT
STAKES
National security + Classified weapon designs + Defense contract integrity + Military operational security
HOOK
Titan Defense Systems is finalizing classified designs for next-generation military equipment when engineers notice their CAD workstations occasionally responding to commands they didn't issue - files opening automatically, designs being modified mysteriously, and classified documents being accessed during secure meetings. Sophisticated remote access tools have been providing foreign adversaries complete control over defense contractor systems.
PRESSURE
Classified weapons delivery deadline Thursday - any design theft compromises national security and threatens military operational advantage
FRONT • 150 minutes • Expert
Titan Defense Systems: Military contractor developing classified weapons systems, 1,200 employees
APT • GhostRAT
NPCs
  • General Patricia Wells (Program Director): Overseeing classified weapons development, unaware that foreign adversaries have been monitoring confidential defense meetings and stealing classified designs through compromised engineering workstations
  • Dr. Michael Chang (Lead Systems Engineer): Discovering that classified weapon designs and military specifications may have been accessed through sophisticated remote surveillance malware
  • Colonel Sandra Martinez (Defense Security Service): Coordinating counterintelligence investigation of potential foreign espionage targeting classified military technology development
  • Agent Robert Kim (FBI Counterintelligence): Leading investigation of suspected nation-state targeting of defense industrial base and classified weapons technology
SECRETS
  • Defense engineers clicked on sophisticated spear-phishing emails containing convincing military technical documents during classified project development
  • Foreign adversaries have had complete remote control over engineering workstations for months, monitoring classified meetings and stealing weapons designs
  • Stolen military technology and defense specifications may have been transferred to foreign military development programs

Scenario Details for IMs

Opening Presentation

“It’s Monday morning at Titan Defense Systems, and the company is completing final classified designs for next-generation military equipment that will be delivered to the Pentagon on Thursday. But during secure engineering meetings, staff notice disturbing anomalies: CAD workstations performing actions without user input, classified design files opening automatically, and computer screens flickering during confidential discussions. Security investigation reveals sophisticated remote access tools providing foreign adversaries complete surveillance capabilities over classified defense development.”

Initial Symptoms to Present:

  • “Engineering workstations showing signs of remote control during classified design work”
  • “Classified weapon designs being accessed automatically during secure engineering meetings”
  • “Screen capture and keystroke logging detected on systems containing military specifications”
  • “Network traffic indicating exfiltration of classified defense technology to foreign command infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state remote access trojan with comprehensive surveillance capabilities
  • Classified network analysis shows targeted spear-phishing campaign using convincing military technical documents
  • Counterintelligence timeline indicates months of undetected foreign surveillance of classified weapons development

Protector System Analysis:

  • Engineering workstation monitoring reveals real-time screen surveillance and data theft of classified designs
  • Defense security assessment shows unauthorized foreign access to classified weapons specifications and military technology
  • Classified network security analysis indicates coordinated multi-target campaign affecting other defense contractors

Tracker Network Investigation:

  • Command and control traffic analysis reveals sophisticated foreign intelligence infrastructure targeting defense industrial base
  • Military technology intelligence patterns suggest nation-state coordination of classified weapons technology theft
  • Defense contractor communication analysis indicates systematic foreign targeting of classified military development programs

Communicator Stakeholder Interviews:

  • Defense engineer interviews reveal suspicious computer behavior during classified weapons development meetings
  • Military program coordination regarding potential compromise of classified weapons technology and operational security
  • Counterintelligence coordination with FBI and Defense Security Service regarding foreign espionage investigation

Mid-Scenario Pressure Points:

  • Hour 1: Pentagon security officials discover potential compromise of classified weapons delivery affecting national defense readiness
  • Hour 2: FBI counterintelligence investigation reveals evidence of foreign military intelligence targeting
  • Hour 3: Classified weapons designs found on foreign intelligence networks affecting military operational advantage
  • Hour 4: Defense Security Service assessment indicates potential compromise of multiple classified military programs

Evolution Triggers:

  • If investigation reveals foreign technology transfer, national security enforcement action affects defense industry
  • If remote surveillance continues, adversaries maintain persistent access for long-term classified intelligence collection
  • If classified design theft is confirmed, military operational security and national defense capabilities are compromised

Resolution Pathways:

Technical Success Indicators:

  • Complete foreign surveillance removal from classified engineering systems with preservation of counterintelligence evidence
  • Classified weapons technology security verified preventing further unauthorized foreign access
  • Nation-state infrastructure analysis provides intelligence on coordinated defense industrial targeting

Business Success Indicators:

  • Classified weapons delivery protected through secure forensic handling and counterintelligence coordination
  • Defense contract relationships maintained through professional incident response and security demonstration
  • National security compliance demonstrated preventing defense security penalties and clearance revocation

Learning Success Indicators:

  • Team understands sophisticated foreign intelligence capabilities and long-term defense industrial espionage
  • Participants recognize defense contractor targeting and national security implications of classified technology theft
  • Group demonstrates coordination between cybersecurity response and counterintelligence investigation requirements

Common IM Facilitation Challenges:

If Foreign Surveillance Sophistication Is Underestimated:

“Your malware removal is progressing, but Dr. Chang discovered that foreign adversaries have been watching classified engineering meetings in real-time for months. How does comprehensive foreign surveillance change your counterintelligence approach?”

If National Security Implications Are Ignored:

“While you’re cleaning infected systems, Agent Kim needs to know: have classified weapons designs been transferred to foreign military programs? How do you coordinate cybersecurity response with counterintelligence investigation?”

If Classified Information Impact Is Overlooked:

“General Wells just learned that next-generation weapons technology may be in foreign hands. How do you assess the national security impact of stolen classified military technology?”

Success Metrics for Session:

Ghost Rat Scenario: Blackstone & Associates Surveillance

Blackstone & Associates: Corporate law firm representing Fortune 500 companies, 180 attorneys
APT • GhostRAT
STAKES
Attorney-client privilege + Corporate merger intelligence + Legal strategy confidentiality + Professional ethics
HOOK
Blackstone & Associates is preparing for a high-profile corporate lawsuit when attorneys notice their computers occasionally performing actions they didn't initiate - legal documents opening unexpectedly, case strategy files being accessed during confidential client meetings, and opposing counsel seeming to anticipate their legal arguments. Sophisticated surveillance tools have been providing adversaries complete access to privileged attorney-client communications.
PRESSURE
Trial begins Monday - any leak of legal strategy or client communications violates attorney-client privilege and threatens case outcome
FRONT • 150 minutes • Expert
Blackstone & Associates: Corporate law firm representing Fortune 500 companies, 180 attorneys
APT • GhostRAT
NPCs
  • Managing Partner Elizabeth Harper: Leading $500 million corporate litigation, unaware that opposing parties have been monitoring confidential legal strategy sessions and privileged client communications through compromised attorney workstations
  • Senior Associate Daniel Chen: Discovering that privileged legal documents and client confidential information may have been accessed through sophisticated legal surveillance malware
  • Ethics Counsel Maria Santos: Investigating potential attorney-client privilege violations as confidential legal strategies and client communications appear to have been compromised
  • Special Prosecutor Jennifer Wong: Coordinating investigation of potential corporate espionage and illegal surveillance targeting privileged attorney-client communications
SECRETS
  • Law firm attorneys clicked on sophisticated legal document attachments during high-profile case preparation and client communications
  • Corporate adversaries have had complete remote surveillance of attorney workstations for weeks, monitoring privileged communications and stealing legal strategies
  • Stolen legal intelligence and privileged client information may have been used to compromise case strategy and violate attorney-client confidentiality

Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at Blackstone & Associates, and the firm is completing final preparations for a $500 million corporate lawsuit that begins Monday. But during confidential client strategy sessions, attorneys notice concerning anomalies: legal workstations performing unauthorized actions, case files opening during private meetings, and opposing counsel demonstrating uncanny knowledge of the firm’s legal strategies. Investigation reveals sophisticated surveillance tools providing adversaries complete access to privileged attorney-client communications.”

Initial Symptoms to Present:

  • “Attorney workstations showing signs of remote control during confidential client meetings”
  • “Privileged legal documents being accessed automatically during confidential case strategy sessions”
  • “Screen surveillance and keystroke logging detected on systems containing confidential client communications”
  • “Network traffic indicating exfiltration of privileged legal strategies to unauthorized external networks”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated corporate espionage remote access trojan targeting legal communications
  • Legal network analysis shows targeted spear-phishing campaign using convincing legal industry documents
  • Attorney-client privilege timeline indicates weeks of undetected surveillance of confidential legal communications

Protector System Analysis:

  • Legal workstation monitoring reveals real-time surveillance and theft of privileged attorney-client communications
  • Case strategy system assessment shows unauthorized access to confidential legal documents and client information
  • Legal network security analysis indicates coordinated campaign targeting multiple law firms and privileged communications

Tracker Network Investigation:

  • Command and control traffic analysis reveals corporate espionage infrastructure targeting legal industry communications
  • Legal intelligence coordination patterns suggest organized adversary targeting of privileged attorney-client information
  • Case strategy communication analysis indicates systematic targeting of high-value corporate litigation intelligence

Communicator Stakeholder Interviews:

  • Attorney interviews reveal suspicious computer behavior during confidential client meetings and case strategy sessions
  • Client communication assessment regarding potential exposure of privileged information and legal strategies
  • Professional ethics coordination regarding attorney-client privilege violations and professional responsibility requirements

Mid-Scenario Pressure Points:

  • Hour 1: Major corporate client discovers potential compromise of privileged communications threatening lawsuit strategy
  • Hour 2: Opposing counsel demonstrates detailed knowledge of confidential legal strategy indicating information leak
  • Hour 3: Privileged client documents found in unauthorized networks affecting attorney-client confidentiality
  • Hour 4: State bar investigation initiated regarding potential attorney-client privilege violations and professional ethics

Evolution Triggers:

  • If investigation reveals legal strategy compromise, case outcome and professional reputation are threatened
  • If surveillance continues, adversaries maintain persistent access to privileged attorney-client communications
  • If client information exposure is confirmed, attorney-client privilege violations threaten professional practice

Resolution Pathways:

Technical Success Indicators:

  • Complete legal surveillance removal from attorney systems with forensic preservation of professional ethics evidence
  • Attorney-client communication security verified preventing further unauthorized access to privileged information
  • Corporate espionage infrastructure analysis provides intelligence on coordinated legal industry targeting

Business Success Indicators:

  • Legal case integrity protected through secure evidence handling and professional ethics coordination
  • Client relationships maintained through transparent communication and privileged information protection verification
  • Professional ethics compliance demonstrated preventing state bar discipline and professional practice penalties

Learning Success Indicators:

  • Team understands sophisticated corporate espionage capabilities and long-term legal surveillance operations
  • Participants recognize legal profession targeting and attorney-client privilege implications of privileged communication theft
  • Group demonstrates coordination between cybersecurity response and professional ethics investigation requirements

Common IM Facilitation Challenges:

If Attorney-Client Privilege Implications Are Ignored:

“While you’re removing malware, Ethics Counsel Santos needs to know: have privileged client communications been compromised? How do you coordinate cybersecurity response with professional responsibility investigation?”

If Case Strategy Impact Is Overlooked:

“Managing Partner Harper just learned that opposing counsel seems to know confidential legal strategy details. How do you assess whether stolen legal intelligence has compromised case outcomes?”

Success Metrics for Session:

Ghost Rat Scenario: Metropolitan Research University Theft

Metropolitan Research University: Leading research institution with $200M in annual research funding, 15,000 students
APT • GhostRAT
STAKES
Research intellectual property + Grant funding + Academic collaboration + Scientific competitive advantage
HOOK
Metropolitan Research University is preparing to publish breakthrough medical research that could revolutionize cancer treatment when faculty notice their research workstations occasionally behaving strangely - data files opening without commands, research presentations being accessed during private meetings, and laboratory systems responding to unauthorized inputs. Sophisticated surveillance malware has been providing foreign competitors complete access to cutting-edge academic research.
PRESSURE
Research publication deadline Friday - any theft of intellectual property threatens scientific competitive advantage and millions in research funding
FRONT • 150 minutes • Expert
Metropolitan Research University: Leading research institution with $200M in annual research funding, 15,000 students
APT • GhostRAT
NPCs
  • Dr. Rachel Foster (Research Vice Provost): Overseeing breakthrough medical research, unaware that foreign competitors have been monitoring confidential research meetings and stealing intellectual property through compromised faculty workstations
  • Professor Alan Martinez (Lead Research Scientist): Discovering that confidential research data and scientific methodologies may have been accessed through sophisticated academic surveillance malware
  • Director Lisa Chen (Technology Transfer Office): Investigating potential intellectual property theft as valuable research discoveries and patent applications appear to have been compromised
  • Agent Kevin Park (FBI Economic Espionage Unit): Leading investigation of suspected foreign targeting of university research and systematic theft of American scientific intellectual property
SECRETS
  • Research faculty clicked on sophisticated academic collaboration emails containing convincing scientific documents during breakthrough research development
  • Foreign competitors have had complete remote surveillance of research workstations for months, monitoring confidential meetings and stealing scientific intellectual property
  • Stolen research data and scientific methodologies may have been transferred to foreign research institutions and commercial competitors

Scenario Details for IMs

Opening Presentation

“It’s Tuesday morning at Metropolitan Research University, and faculty are completing final preparations for publishing breakthrough medical research that could revolutionize cancer treatment and secure millions in follow-up funding. But during confidential research meetings, scientists notice troubling signs: workstations performing unauthorized actions, research data files opening automatically, and laboratory equipment responding to commands no one issued. Investigation reveals sophisticated surveillance tools providing foreign competitors complete access to cutting-edge academic research and intellectual property.”

Initial Symptoms to Present:

  • “Research workstations showing signs of remote control during confidential scientific meetings”
  • “Confidential research data being accessed automatically during private faculty collaboration sessions”
  • “Screen surveillance and data theft detected on systems containing breakthrough scientific discoveries”
  • “Network traffic indicating exfiltration of research intellectual property to foreign academic and commercial networks”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated foreign academic espionage remote access trojan targeting scientific research
  • University network analysis shows targeted spear-phishing campaign using convincing academic collaboration documents
  • Research intellectual property timeline indicates months of undetected foreign surveillance of breakthrough scientific development

Protector System Analysis:

  • Research workstation monitoring reveals real-time surveillance and theft of confidential scientific data and methodologies
  • Laboratory system assessment shows unauthorized foreign access to research discoveries and patent applications
  • Academic network security analysis indicates coordinated campaign targeting multiple research universities and scientific institutions

Tracker Network Investigation:

  • Command and control traffic analysis reveals foreign academic espionage infrastructure targeting American research institutions
  • Scientific intelligence coordination patterns suggest nation-state and commercial competitor targeting of research intellectual property
  • Research collaboration communication analysis indicates systematic foreign targeting of high-value scientific discoveries

Communicator Stakeholder Interviews:

  • Faculty interviews reveal suspicious computer behavior during confidential research meetings and scientific collaboration
  • Research funding coordination regarding potential compromise of intellectual property and grant applications
  • Academic community coordination with other universities experiencing similar research targeting and intellectual property theft

Mid-Scenario Pressure Points:

  • Hour 1: Major research funding agency discovers potential compromise of breakthrough discoveries affecting future grant awards
  • Hour 2: FBI economic espionage investigation reveals evidence of foreign targeting of American scientific competitive advantage
  • Hour 3: Research intellectual property found on foreign academic networks affecting scientific publication and patent applications
  • Hour 4: Technology transfer assessment indicates potential compromise of multiple valuable scientific discoveries and commercialization opportunities

Evolution Triggers:

  • If investigation reveals research theft, scientific competitive advantage and funding relationships are compromised
  • If surveillance continues, foreign competitors maintain persistent access to breakthrough scientific research
  • If intellectual property theft is confirmed, university research mission and academic collaboration are threatened

Resolution Pathways:

Technical Success Indicators:

  • Complete foreign surveillance removal from research systems with preservation of intellectual property protection evidence
  • Scientific research security verified preventing further unauthorized foreign access to confidential discoveries
  • Foreign espionage infrastructure analysis provides intelligence on coordinated academic targeting and intellectual property theft

Business Success Indicators:

  • Research publication and funding protected through secure forensic handling and intellectual property coordination
  • Academic relationships maintained through professional incident response and research security demonstration
  • Scientific competitive advantage preserved preventing loss of research leadership and commercialization opportunities

Learning Success Indicators:

  • Team understands sophisticated foreign academic espionage capabilities and long-term research targeting operations
  • Participants recognize university research targeting and intellectual property implications of scientific discovery theft
  • Group demonstrates coordination between cybersecurity response and academic research protection requirements

Common IM Facilitation Challenges:

If Foreign Academic Espionage Sophistication Is Underestimated:

“Your malware removal is progressing, but Professor Martinez discovered that foreign competitors have been watching confidential research meetings in real-time for months. How does comprehensive academic surveillance change your intellectual property protection approach?”

If Research Competitive Advantage Implications Are Ignored:

“While you’re cleaning infected systems, Agent Park needs to know: have breakthrough scientific discoveries been transferred to foreign research institutions? How do you coordinate cybersecurity response with economic espionage investigation?”

If Scientific Collaboration Impact Is Overlooked:

“Dr. Foster just learned that research methodologies and patent applications may be in foreign hands. How do you assess the impact on scientific competitive advantage and academic collaboration security?”

Success Metrics for Session:

Gh0st RAT Scenario: Advanced Corporate Espionage Campaign

InnovaTech Dynamics: Technology consulting firm, 450 employees, specializing in government and defense contracts
APT • Gh0st RAT
STAKES
Classified project data + Intellectual property theft + National security clearances + Client trust
HOOK
InnovaTech Dynamics provides cybersecurity consulting for defense contractors and government agencies. Advanced attackers have established persistent access to their network using sophisticated remote access tools that evade detection by living off legitimate administrative tools and cloud services. The attackers are systematically stealing intellectual property, client data, and sensitive project information while maintaining long-term access for ongoing espionage.
PRESSURE
Security clearance investigations and potential loss of government contracts - any data theft could compromise national security projects
FRONT • 120 minutes • Advanced
InnovaTech Dynamics: Technology consulting firm, 450 employees, specializing in government and defense contracts
APT • Gh0st RAT
NPCs
  • Security Director Amanda Foster (Former NSA): Managing incident response while coordinating with federal investigators, balancing operational security with government oversight requirements
  • Principal Consultant Michael Chen (Cloud Architecture): Discovering that attackers are using legitimate cloud services and administrative tools to maintain persistent access across client environments
  • Compliance Manager Jennifer Torres (Security Clearances): Coordinating with defense contractors and government agencies about potential compromise of classified project data and security clearance implications
  • Lead Engineer Ryan Park (Threat Hunting): Finding evidence of sophisticated adversary tradecraft using living-off-the-land techniques and legitimate remote administration tools
SECRETS
  • Attackers gained initial access through compromised vendor portal used for government contract bidding
  • Remote access tools disguised as legitimate system administration and cloud management utilities
  • Long-term persistent access established across multiple client networks through trusted consulting relationships

Scenario Details for IMs

Opening Presentation

“You’re at InnovaTech Dynamics, a cybersecurity consulting firm that works with defense contractors and government agencies. Your security operations team has detected unusual network activity that suggests long-term unauthorized access to your systems. Initial analysis reveals sophisticated remote access tools that appear to be legitimate administrative software but are actually advanced espionage tools. The attackers have potentially accessed sensitive client data, intellectual property, and classified project information over several months.”

Initial Symptoms to Present:

  • “Network monitoring reveals suspicious remote access patterns using legitimate cloud services”
  • “Administrative tools and system utilities showing signs of modification or misuse”
  • “Unusual data access patterns suggesting systematic theft of client project information”
  • “Remote access sessions occurring during non-business hours using legitimate credentials”
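The last symptom above, remote sessions under valid credentials at odd hours, is the kind of thing an IM can let the Detective or Tracker surface from a log extract. The script below is an added example for this card, not material from the original scenario, and it assumes a constructed one-line-per-event log format (`timestamp user source_ip event`); the sample lines are invented for the exercise. It flags any account with repeated remote sessions outside a defined business window, including weekends.

```python
"""Flag remote-access sessions that fall outside business hours.

Added example for the Gh0st RAT consulting-firm card; not part of the
original scenario. The log layout and the sample lines below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: timestamp, account, source IP, event name.
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T09:12:05 jdoe 10.20.1.15 remote_session_start
2024-03-04T14:47:30 jdoe 10.20.1.15 remote_session_start
2024-03-05T02:13:44 svc_backup 10.20.5.9 remote_session_start
2024-03-05T02:41:10 svc_backup 10.20.5.9 remote_session_start
2024-03-06T03:05:59 svc_backup 10.20.5.9 remote_session_start
2024-03-09T11:30:00 mchen 10.20.1.40 remote_session_start
2024-03-07T23:58:00 rpark 10.20.2.22 remote_session_start
2024-03-04T10:00:00 rpark 10.20.2.22 file_open
"""

# Assumed business window; adjust to the organisation's working hours.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def is_business_hours(ts: datetime) -> bool:
    """A weekday timestamp between BUSINESS_START and BUSINESS_END."""
    if ts.weekday() >= 5:  # Saturday == 5, Sunday == 6
        return False
    return BUSINESS_START <= ts.time() < BUSINESS_END


def parse_line(line: str):
    """Split one constructed log line into (datetime, user, source_ip, event)."""
    ts_str, user, src, event = line.split()
    return datetime.fromisoformat(ts_str), user, src, event


def find_off_hours_sessions(log_text: str, min_sessions: int = 2) -> dict:
    """Return {user: [(iso_timestamp, source_ip), ...]} for every account with
    at least min_sessions remote session starts outside business hours.
    Non-session events (file opens, etc.) are ignored."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, event = parse_line(line)
        if event != "remote_session_start":
            continue
        if not is_business_hours(ts):
            per_user[user].append((ts.isoformat(), src))
    return {u: s for u, s in per_user.items() if len(s) >= min_sessions}


if __name__ == "__main__":
    for user, sessions in find_off_hours_sessions(SAMPLE_LOG).items():
        print(f"{user}: {len(sessions)} off-hours remote sessions")
        for when, src in sessions:
            print(f"  {when} from {src}")
```

On the constructed sample only `svc_backup` crosses the default threshold; a service account with a cluster of 02:00 interactive sessions is exactly the "legitimate credentials, wrong time" pattern the card describes, and the single Saturday session for `mchen` shows why the threshold matters before anyone is accused.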

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated remote access tools disguised as legitimate system administration utilities
  • Network analysis discovers persistent adversary presence using living-off-the-land techniques
  • Data access analysis shows systematic targeting of high-value intellectual property and client information

Protector System Analysis:

  • Endpoint security assessment reveals advanced evasion techniques using legitimate administrative tools
  • Network segmentation analysis shows lateral movement through trusted consulting relationships
  • Client environment security assessment reveals potential compromise of customer networks

Tracker Threat Intelligence:

  • Adversary behavior analysis reveals advanced persistent threat techniques and professional tradecraft
  • Command and control analysis discovers use of legitimate cloud services for covert communication
  • Attribution analysis suggests nation-state or corporate espionage capabilities

Communicator Stakeholder Management:

  • Client notification and damage assessment for potential compromise of sensitive project data
  • Federal agency coordination for security clearance implications and national security concerns
  • Legal analysis for breach notification requirements and potential litigation exposure

Crisis Manager Strategic Response:

  • Government contract security implications and potential loss of security clearances
  • Client relationship management during active espionage investigation
  • Business continuity planning for potential loss of defense and government contracts

Evolution Triggers:

  • Intermediate → Advanced: Discovery of client network compromise through trusted relationships
  • Advanced → Critical: Evidence of classified information theft requiring federal investigation

Success Metrics:

  • Successful threat hunting and persistent access elimination
  • Effective client communication and relationship preservation
  • Coordinated federal investigation support
  • Business continuity maintenance during active espionage response

Learning Objectives:

  • Advanced persistent threat techniques and remote access tools
  • Corporate espionage and intellectual property theft
  • Government contract security implications
  • Threat hunting and living-off-the-land detection

Historical Context for IMs:

This scenario modernizes the 2008 Gh0st RAT, which was a basic remote access trojan commonly used in early APT campaigns. The contemporary version adapts this to modern advanced persistent threat techniques, where attackers use legitimate cloud services and administrative tools to maintain long-term access for corporate espionage, reflecting the evolution of remote access threats from basic tools to sophisticated nation-state tradecraft.

Gh0st RAT Scenario: Corporate Espionage Network Discovery (2008)

International Trading Corporation: Mid-size import/export company, 180 employees, operating across US, Europe, and Asia
APT • Gh0st RAT
STAKES
Trade secrets + Customer databases + Financial records + International business relationships
HOOK
It's March 2008. Your company facilitates trade relationships between manufacturers in China and retailers in the US and Europe. Employees have been receiving professionally crafted emails with attachments that appear to be shipping manifests and trade documents. Unknown to your team, these emails contain a sophisticated remote access trojan called Gh0st RAT, giving attackers complete control over infected computers and access to sensitive business communications and customer data.
PRESSURE
Potential loss of competitive advantage and customer trust - trade relationships depend on confidentiality and reliability
FRONT • 120 minutes • Intermediate
International Trading Corporation: Mid-size import/export company, 180 employees, operating across US, Europe, and Asia
APT • Gh0st RAT
NPCs
  • Director Sarah Chen (Operations): Managing international trade relationships while discovering that business communications may have been monitored for months
  • IT Manager Robert Kim (Systems Administration): Learning that email attachments can install hidden software that provides complete remote computer control
  • Trade Coordinator Maria Rodriguez (Customer Relations): Realizing that customer shipping information and business negotiations may have been compromised
  • Finance Manager David Liu (Accounting): Discovering that financial records and banking information could be accessible to unknown attackers
SECRETS
  • Sophisticated social engineering uses legitimate business document formats to deliver malware
  • Remote access software provides complete control over infected computers including file access, keylogging, and screen capture
  • Attackers appear to have specific knowledge of international trade practices and document workflows

Historical Context & Modernization Prompts

Understanding 2008 Technology Context

This scenario represents actual Gh0st RAT attacks from 2008. Key historical elements to understand:

  • Email Security: Basic antivirus scanning with limited attachment sandboxing or behavioral analysis
  • Remote Access Tools: RATs were a relatively new concept for non-technical organizations
  • Social Engineering: Business email compromise techniques were emerging but not widely understood
  • Network Monitoring: Limited visibility into endpoint behavior and network communications
  • Incident Response: Most organizations lacked dedicated cybersecurity teams or formal response procedures

Collaborative Modernization Questions for Players

Present these questions after initial investigation to guide modernization:

  1. “How would similar social engineering attacks work with today’s communication tools?”
    • Guide toward: Cloud collaboration platforms, instant messaging, mobile applications
  2. “What modern remote access techniques provide similar capabilities to 2008 RATs?”
    • Guide toward: Living-off-the-land tools, cloud-based C2, legitimate remote access software abuse
  3. “How has business email compromise evolved since 2008?”
    • Guide toward: CEO fraud, vendor impersonation, cloud email security challenges
  4. “What would international trade data look like in today’s digital environment?”
    • Guide toward: Cloud platforms, API integrations, mobile access, digital supply chain systems
  5. “How would modern detection identify this type of persistent access?”
    • Guide toward: Behavioral analysis, endpoint detection, threat hunting, user behavior analytics

Modernization Discovery Process

After historical investigation, facilitate modernization discussion:

  1. Communication Evolution: Explore how business communication has moved to cloud platforms
  2. Attack Technique Advancement: Discuss how RAT capabilities are now built into legitimate tools
  3. Detection Improvement: Compare 2008 signature-based detection to modern behavioral analysis
  4. Business Impact Amplification: Consider how modern interconnected systems change compromise scope
  5. Response Coordination: Examine how organizations can better coordinate international incident response

Learning Objectives

  • Advanced Persistent Threats: Understanding long-term, targeted attack campaigns
  • Social Engineering Evolution: Recognizing how targeted attacks exploit business processes
  • Remote Access Security: Appreciating challenges of legitimate vs. malicious remote access
  • International Business Risk: Learning how global operations create complex security challenges

IM Facilitation Notes

  • Business Context Focus: Emphasize how attacks target business processes rather than just technology
  • Persistence Explanation: Help players understand how attackers maintain long-term access
  • Detection Challenges: Discuss why persistent access can remain hidden for months
  • Modernization Guidance: Support player exploration of how contemporary threats are more sophisticated
  • Cultural Sensitivity: Address international aspects respectfully and professionally

This historical foundation helps teams understand how targeted attacks evolved from basic remote access tools to sophisticated APT campaigns, while exploring how modern business environments create new opportunities and challenges for attackers.

Raspberry Robin (USB Loader)

Raspberry Robin Scenario: Precision Manufacturing Corp Outbreak

Precision Manufacturing Corp: Industrial equipment manufacturer, 850 employees across production floors
Worm • RaspberryRobin
STAKES
Production line security + Industrial control systems + Manufacturing deadlines + Worker safety systems
HOOK
Precision Manufacturing is running at maximum capacity to fulfill a critical aerospace contract when maintenance technicians begin reporting strange behavior from production control systems. Multiple USB drives used for equipment updates and data transfer between air-gapped systems are spreading malicious LNK files that appear as normal folders, and the infection is jumping between isolated manufacturing networks through routine USB maintenance procedures.
PRESSURE
Aerospace contract delivery Friday - production delays cost $500K per day + Worker safety systems potentially compromised
FRONT • 120 minutes • Advanced
Precision Manufacturing Corp: Industrial equipment manufacturer, 850 employees across production floors
Worm • RaspberryRobin
NPCs
  • Operations Manager Janet Williams: Managing critical aerospace production deadline, watching USB-based malware spread between air-gapped manufacturing systems through routine maintenance procedures
  • Senior Technician Carlos Rodriguez: Discovering that USB drives used for equipment updates are automatically creating malicious files that spread to every system they touch
  • Safety Coordinator Diana Park: Investigating potential compromise of worker safety systems as USB malware spreads through industrial control networks
  • Quality Engineer Mark Thompson: Analyzing production data integrity as infected USB drives contaminate manufacturing control systems and quality monitoring equipment
SECRETS
  • Manufacturing technicians routinely use USB drives to transfer updates and data between air-gapped production systems
  • USB-based malware is spreading through legitimate maintenance procedures, bypassing network security controls
  • Infected systems include both production control and worker safety monitoring equipment

Scenario Details for IMs

Opening Presentation

“It’s Tuesday morning at Precision Manufacturing Corp, and the factory is operating at maximum capacity to fulfill a critical aerospace contract due Friday. Maintenance technicians are performing routine equipment updates using USB drives to transfer data between air-gapped production systems when they notice something disturbing: the USB drives are automatically creating files that look like normal folders, but clicking on them causes strange system behavior. The malware is spreading through legitimate maintenance procedures, jumping between isolated manufacturing networks.”

Initial Symptoms to Present:

  • “USB drives used for equipment maintenance automatically creating suspicious LNK files”
  • “Production control systems showing signs of infection after routine USB data transfers”
  • “Air-gapped manufacturing networks experiencing unauthorized file creation and system modifications”
  • “Worker safety monitoring systems displaying anomalous behavior after USB maintenance procedures”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal USB-based worm creating malicious LNK files disguised as legitimate folders
  • Manufacturing system analysis shows infection spreading through routine maintenance USB procedures
  • Timeline analysis indicates initial compromise through external contractor USB device

Protector System Analysis:

  • Production control system monitoring reveals USB-based malware bypassing air-gapped network security
  • Industrial safety system assessment shows potential compromise of worker protection monitoring
  • Manufacturing network security analysis indicates systematic USB-based propagation across isolated systems

Tracker Network Investigation:

  • USB device analysis reveals sophisticated worm designed specifically for air-gapped environment spreading
  • Manufacturing system communication patterns show malware adapting to industrial control protocols
  • Production data integrity analysis indicates potential compromise of quality control and safety systems

Communicator Stakeholder Interviews:

  • Maintenance technician interviews reveal routine USB usage patterns and infection spread mechanisms
  • Production management coordination regarding manufacturing deadline impact and system safety
  • Aerospace customer communication about potential production delays and quality assurance

Mid-Scenario Pressure Points:

  • Hour 1: Critical production line shuts down due to infected USB drives affecting manufacturing control systems
  • Hour 2: Worker safety monitoring systems show signs of compromise affecting factory floor operations
  • Hour 3: Aerospace customer demands assurance that production quality hasn’t been compromised by malware
  • Hour 4: Manufacturing deadline approaches with production systems still showing signs of USB-based infection

Evolution Triggers:

  • If USB disinfection fails, malware continues spreading through all manufacturing maintenance procedures
  • If production systems remain infected, aerospace contract delivery is threatened
  • If safety systems are compromised, worker protection and regulatory compliance are at risk

Resolution Pathways:

Technical Success Indicators:

  • Complete USB-based malware removal from manufacturing systems with verified clean maintenance procedures
  • Air-gapped network security restored preventing further USB-based propagation
  • Production control and safety system integrity verified ensuring worker protection and manufacturing quality

Business Success Indicators:

  • Manufacturing operations restored maintaining aerospace contract delivery schedule
  • Production quality assurance verified preventing customer concerns and contract penalties
  • Worker safety systems secured maintaining regulatory compliance and factory floor protection

Learning Success Indicators:

  • Team understands USB-based propagation in air-gapped manufacturing environments
  • Participants recognize removable media security challenges in industrial control systems
  • Group demonstrates coordination between cybersecurity response and manufacturing operations continuity

Common IM Facilitation Challenges:

If Air-Gapped Environment Is Misunderstood:

“Your network security approach is solid, but Carlos explains that manufacturing systems are air-gapped - the malware is spreading through USB drives during routine maintenance. How does this change your containment strategy?”

If Production Impact Is Ignored:

“While you’re analyzing the USB malware, Janet reports that production line 3 is down and the aerospace contract delivery is at risk. How do you balance thorough investigation with critical manufacturing deadlines?”

If Safety System Compromise Is Overlooked:

“Diana just discovered that worker safety monitoring systems may be infected through the same USB maintenance procedures. How do you assess and protect worker safety while managing production continuity?”

Success Metrics for Session:

Raspberry Robin Scenario: State Department of Revenue Breach

State Department of Revenue: Government agency processing tax returns and citizen services, 600 employees
Worm • RaspberryRobin
STAKES
Taxpayer data security + Government service continuity + Regulatory compliance + Public trust
HOOK
The State Department of Revenue is processing peak tax season returns when field auditors and citizen service representatives begin reporting USB drives that automatically create suspicious folder-like files. The USB-based malware is spreading through routine data collection procedures, jumping between secure government networks and citizen service systems through legitimate USB workflows used for tax audits and document transfers.
PRESSURE
Tax season peak operations - any data breach affects millions of taxpayers + Government security breach threatens public trust
FRONT • 120 minutes • Advanced
State Department of Revenue: Government agency processing tax returns and citizen services, 600 employees
Worm • RaspberryRobin
NPCs
  • Director Patricia Chen: Managing peak tax season operations, discovering that USB-based malware is spreading through government networks via routine tax audit and citizen service procedures
  • Chief Information Officer Robert Martinez: Investigating how USB malware is bypassing government security controls and spreading between classified and citizen service networks
  • Field Audit Supervisor Linda Johnson: Reporting that USB drives used for taxpayer data collection are automatically creating malicious files affecting audit systems and citizen information
  • Cybersecurity Analyst Kevin Foster: Analyzing USB-based worm propagation through government workflows and assessing potential taxpayer data exposure
SECRETS
  • Government auditors routinely use USB drives to collect taxpayer documents and transfer data between field locations and secure office systems
  • USB-based malware is spreading through legitimate government workflows, bypassing network security and air-gapped protections
  • Infected systems include both taxpayer data processing and government service delivery networks

Scenario Details for IMs

Opening Presentation

“It’s Wednesday morning at the State Department of Revenue during peak tax season, and government employees are processing thousands of tax returns while field auditors collect taxpayer documents using USB drives for secure transfer. But auditors begin reporting disturbing behavior: USB drives are automatically creating files that appear to be normal folders, but accessing them causes system anomalies. The USB-based malware is spreading through legitimate government workflows, affecting both taxpayer data systems and citizen service networks.”

Initial Symptoms to Present:

  • “USB drives used by field auditors automatically creating suspicious LNK files disguised as folders”
  • “Government tax processing systems showing signs of infection after routine USB data transfers”
  • “Citizen service networks experiencing unauthorized file creation and system modifications”
  • “Taxpayer data security systems displaying anomalous behavior after USB-based document transfers”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal USB-based worm creating malicious LNK files designed to spread through government workflows
  • Government system analysis shows infection propagating through routine taxpayer data collection procedures
  • Security timeline indicates potential initial compromise through citizen interaction or contractor device

Protector System Analysis:

  • Government network monitoring reveals USB-based malware bypassing security controls and air-gapped protections
  • Taxpayer data system assessment shows potential compromise of sensitive citizen information processing
  • Government security analysis indicates systematic USB-based propagation across classified and citizen service networks

Tracker Network Investigation:

  • USB device forensics reveal sophisticated worm adapted for government workflow exploitation
  • Government system communication patterns show malware leveraging legitimate administrative processes
  • Taxpayer data integrity analysis indicates potential exposure of sensitive citizen information

Communicator Stakeholder Interviews:

  • Government employee interviews reveal routine USB usage patterns in taxpayer data collection and processing
  • Citizen service coordination regarding potential exposure of personal tax and financial information
  • Regulatory compliance assessment with state and federal government cybersecurity requirements

Mid-Scenario Pressure Points:

  • Hour 1: Taxpayer data processing systems shut down due to USB malware affecting peak tax season operations
  • Hour 2: Field audit operations suspended as infected USB drives threaten taxpayer information security
  • Hour 3: Government security assessment reveals potential exposure of sensitive citizen data to USB-based malware
  • Hour 4: State cybersecurity authorities demand immediate containment and taxpayer notification assessment

Evolution Triggers:

  • If USB disinfection fails, malware continues spreading through all government data collection procedures
  • If taxpayer data exposure is confirmed, regulatory notification and public trust crisis ensue
  • If government service disruption continues, citizen services and tax season operations are compromised

Resolution Pathways:

Technical Success Indicators:

  • Complete USB-based malware removal from government systems with verified clean data collection procedures
  • Government network security restored preventing further USB-based propagation across citizen service systems
  • Taxpayer data integrity verified ensuring citizen information protection and regulatory compliance

Business Success Indicators:

  • Government operations restored maintaining tax season processing and citizen service delivery
  • Public trust protected through transparent communication and professional incident management
  • Regulatory compliance maintained preventing government cybersecurity penalties and citizen notification requirements

Learning Success Indicators:

  • Team understands USB-based propagation in government environments with citizen data protection requirements
  • Participants recognize removable media security challenges in government workflows and regulatory compliance
  • Group demonstrates coordination between cybersecurity response and government service continuity obligations

Common IM Facilitation Challenges:

If Government Workflow Complexity Is Ignored:

“Your network security strategy is sound, but Linda explains that field auditors must use USB drives to collect taxpayer documents from citizen locations. How does this legitimate government workflow requirement change your USB security approach?”

If Taxpayer Data Impact Is Minimized:

“While you’re removing USB malware, Kevin discovered that infected systems process millions of taxpayer returns and personal financial records. How do you assess potential citizen data exposure and notification requirements?”

If Public Trust Implications Are Overlooked:

“Director Chen just learned that the news media are asking about a government cybersecurity breach during tax season. How do you balance technical response with public trust and transparent government communication obligations?”

Success Metrics for Session:

Raspberry Robin Scenario: Healthcare Network USB Outbreak

Regional Health System: Multi-hospital network serving 400,000 patients, 3,500 healthcare workers
Worm • RaspberryRobin
STAKES
Patient care continuity + Medical device security + HIPAA compliance + Healthcare data protection
HOOK
Regional Health System is managing flu season patient surge when medical technicians notice USB drives used for medical device updates and patient data transfers are automatically creating suspicious folder-like files. The USB malware is spreading through routine healthcare workflows, affecting medical equipment, patient monitoring systems, and electronic health records through legitimate USB procedures used across hospital networks.
PRESSURE
Flu season patient surge - medical device failures threaten patient safety + HIPAA data breach threatens regulatory compliance
FRONT • 120 minutes • Advanced
Regional Health System: Multi-hospital network serving 400,000 patients, 3,500 healthcare workers
Worm • RaspberryRobin
NPCs
  • Chief Medical Officer Dr. Sarah Williams: Managing patient surge operations while USB malware spreads through medical device networks affecting patient care systems
  • IT Director Michael Chen: Discovering USB-based worm propagation through healthcare workflows is bypassing medical network security and affecting patient monitoring
  • Biomedical Engineer Lisa Rodriguez: Investigating how infected USB drives are compromising medical equipment and patient safety monitoring systems
  • HIPAA Compliance Officer David Park: Assessing potential patient data exposure as USB malware spreads through electronic health record systems
SECRETS
  • Healthcare workers routinely use USB drives to update medical devices, transfer patient data, and maintain equipment across hospital networks
  • USB malware is exploiting legitimate healthcare workflows to spread between patient care systems and medical device networks
  • Infected systems include medical equipment, patient monitoring, and electronic health record systems containing protected patient information

Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at Regional Health System during peak flu season, with hospitals operating at surge capacity and medical staff using USB drives for routine medical device updates and patient data transfers. Medical technicians report that USB drives are automatically creating files that appear to be normal folders, but accessing them causes medical equipment anomalies. The USB malware is spreading through legitimate healthcare workflows, affecting patient monitoring systems and electronic health records.”

Initial Symptoms to Present:

  • “USB drives used for medical device updates creating suspicious LNK files disguised as medical folders”
  • “Patient monitoring systems showing anomalies after routine USB maintenance procedures”
  • “Electronic health record systems experiencing unauthorized file creation after USB data transfers”
  • “Medical equipment networks displaying signs of infection through USB-based maintenance workflows”
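The first symptom above, shortcuts that pose as folders on a USB drive, is the one a responder can check for directly. The following is an added example, not part of the scenario card or of any tool the game references: a small Python triage check, with hypothetical helper names, that scans the root of a mounted removable drive for `.lnk` files whose name mimics a folder and that sit beside a same-named directory. The drive layout it scans is constructed inside the script so it runs offline.

```python
"""Flag Windows shortcut (.lnk) files on removable media that pose as folders.

Added example (not part of the scenario card): a triage check a responder
could run against a mounted USB drive. Helper names are hypothetical and the
sample drive layout is constructed below so the check runs offline.
"""
import tempfile
from pathlib import Path

# First four bytes of every Windows Shell Link (.lnk) file: HeaderSize = 0x4C.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def build_sample_usb(root: Path) -> Path:
    """Constructed sample USB drive: one real folder, one shortcut posing as a folder."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "DeviceFirmware").mkdir()
    (root / "DeviceFirmware" / "update.bin").write_bytes(b"\x00" * 16)
    (root / "notes.txt").write_text("constructed sample, not real data\n")
    # Suspicious: a shortcut named like a folder next to a same-named directory
    # (on a real drive that directory would typically carry the hidden attribute).
    (root / "Patient_Transfers.lnk").write_bytes(LNK_MAGIC + b"\x00" * 72)
    (root / "Patient_Transfers").mkdir()
    (root / "Patient_Transfers" / "loader.bat").write_text("@echo constructed\n")
    # Benign: a shortcut whose name advertises a document and has no sibling directory.
    (root / "manual.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 72)
    return root


def find_disguised_lnk(root) -> list:
    """Return shortcuts at the drive root whose name mimics a folder.

    A hit needs: a .lnk extension, a real Shell Link header, and a stem with
    no inner extension (so a file browser shows it as a bare name). A sibling
    directory with the same name raises the severity, because the shortcut
    is then standing in for something the user expects to open.
    """
    root = Path(root)
    findings = []
    for p in sorted(root.iterdir()):
        if not p.is_file() or p.suffix.lower() != ".lnk":
            continue
        with p.open("rb") as fh:
            is_shell_link = fh.read(4) == LNK_MAGIC
        stem = p.stem
        looks_like_folder = "." not in stem
        sibling_dir = (root / stem).is_dir()
        if is_shell_link and looks_like_folder:
            findings.append({
                "name": p.name,
                "sibling_dir": sibling_dir,
                "severity": "high" if sibling_dir else "medium",
            })
    return findings


def demo() -> list:
    """Build the constructed sample in a temp directory and scan it."""
    drive = build_sample_usb(Path(tempfile.mkdtemp()) / "USB_DRIVE")
    return find_disguised_lnk(drive)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On the constructed drive the check reports only `Patient_Transfers.lnk` (severity high, since the same-named directory exists) and ignores `manual.pdf.lnk`. Pointing `find_disguised_lnk` at a real mount point gives an IM a concrete artifact to hand players when they ask what the technicians actually saw.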

Common IM Facilitation Challenges:

If Patient Safety Is Overlooked:

“Your USB security response is thorough, but Dr. Williams reports that infected medical devices are affecting patient monitoring during flu surge. How do you balance malware removal with immediate patient safety requirements?”

If Healthcare Workflow Complexity Is Ignored:

“While analyzing USB propagation, Lisa explains that medical technicians must use USB drives to update life-critical equipment that can’t be networked for safety reasons. How does this change your containment approach?”

If HIPAA Implications Are Minimized:

“David discovered that infected USB drives have accessed electronic health record systems containing patient data. How do you assess potential HIPAA breach notification requirements while managing patient care continuity?”

Success Metrics for Session:

Raspberry Robin Scenario: Community First Bank Network

Community First Bank: Regional bank with 45 branch locations, 1,200 employees
Worm • RaspberryRobin
STAKES
Customer financial data + Banking operations + Regulatory compliance + Financial transaction security
HOOK
Community First Bank is processing peak month-end transactions when branch managers report USB drives used for daily transaction reconciliation and audit procedures are creating suspicious folder-like files. The USB malware is spreading through routine banking workflows, affecting customer account systems, transaction processing, and financial audit networks through legitimate USB procedures used across branch locations.
PRESSURE
Month-end transaction processing - banking system failures affect customer accounts + Financial regulatory compliance at risk
FRONT • 120 minutes • Advanced
Community First Bank: Regional bank with 45 branch locations, 1,200 employees
Worm • RaspberryRobin
NPCs
  • Regional Director Janet Foster: Managing month-end operations across 45 branches while USB malware spreads through banking networks affecting customer transaction processing
  • IT Security Manager Carlos Martinez: Investigating USB-based worm propagation through banking workflows bypassing financial network security
  • Branch Operations Manager Diana Chen: Reporting infected USB drives affecting daily transaction reconciliation and customer account systems
  • Compliance Officer Robert Kim: Assessing potential customer data exposure and regulatory notification requirements as USB malware spreads through financial systems
SECRETS
  • Bank employees routinely use USB drives for transaction reconciliation, audit procedures, and data transfer between branch locations
  • USB malware exploits legitimate banking workflows to spread between customer account systems and financial transaction networks
  • Infected systems include customer account databases, transaction processing, and financial audit systems

Scenario Details for IMs

Success Metrics for Session:

Poison Ivy (Persistent Backdoor)

Poison Ivy Scenario: Corporate Espionage Campaign

InnovateTech Solutions: Software development company, 400 employees, developing proprietary AI technology
APT • PoisonIvy
STAKES
Intellectual property + Trade secrets + Competitive advantage + Customer data
HOOK
InnovateTech is finalizing their breakthrough AI algorithm for market launch when developers notice their workstations occasionally behaving strangely - screens flickering during meetings, files being accessed remotely, and sensitive code repositories showing signs of unauthorized access. Classic remote access tools have been providing competitors complete surveillance of proprietary development work.
PRESSURE
AI product launch Monday - intellectual property theft threatens $50M investment and market leadership
FRONT • 120 minutes • Advanced
InnovateTech Solutions: Software development company, 400 employees, developing proprietary AI technology
APT • PoisonIvy
NPCs
  • CTO Dr. Amanda Foster: Leading AI development project, unaware that competitors have remote access to proprietary algorithms and development meetings
  • Lead Developer Marcus Chen: Discovering unauthorized access to source code repositories and development systems
  • Security Analyst Jennifer Park: Investigating classic RAT indicators and remote access patterns
  • IP Attorney Robert Martinez: Assessing trade secret exposure and competitive intelligence theft
SECRETS
  • Developers clicked on convincing technical recruitment emails containing malicious attachments
  • Competitors have had remote desktop access to development workstations for weeks
  • Proprietary AI algorithms and customer data have been systematically stolen

Poison Ivy Scenario: Law Enforcement Surveillance

Metro Police Department: Urban police force, 2,500 officers, investigating organized crime
APT • PoisonIvy
STAKES
Criminal investigation integrity + Officer safety + Evidence security + Public safety
HOOK
Metro Police is conducting a major organized crime investigation when detectives notice their case management systems showing signs of remote access - investigation files being viewed during off-hours, surveillance footage being accessed remotely, and confidential informant data showing unauthorized activity. Criminal organizations have been using remote access tools to monitor police investigations.
PRESSURE
Organized crime arrests scheduled Thursday - any intelligence leak threatens officer safety and case integrity
FRONT • 150 minutes • Expert
Metro Police Department: Urban police force, 2,500 officers, investigating organized crime
APT • PoisonIvy
NPCs
  • Detective Captain Sarah Williams: Leading organized crime investigation with compromised case management systems
  • IT Security Officer Michael Rodriguez: Investigating remote access patterns affecting law enforcement networks
  • Detective Lisa Chen: Reporting suspicious computer behavior during confidential investigation meetings
  • FBI Liaison Agent David Park: Coordinating federal support for compromised law enforcement investigation
SECRETS
  • Police personnel clicked on fake legal document attachments during case preparation
  • Criminal organizations have remote surveillance of police investigation systems
  • Confidential informant identities and investigation strategies have been exposed

Poison Ivy Scenario: Medical Practice Patient Data

Riverside Medical Group: Multi-specialty practice, 85 providers, 15,000 patients
APT • PoisonIvy
STAKES
Patient privacy + HIPAA compliance + Medical practice operations + Healthcare data
HOOK
Riverside Medical is implementing new electronic health records when staff notice computers occasionally performing actions without user input - patient files opening automatically, medical records being accessed during closed hours, and billing systems showing unauthorized activity. Remote access tools have been providing unauthorized surveillance of patient medical information.
PRESSURE
HIPAA audit next week - patient data breach threatens practice survival and regulatory compliance
FRONT • 120 minutes • Advanced
Riverside Medical Group: Multi-specialty practice, 85 providers, 15,000 patients
APT • PoisonIvy
NPCs
  • Practice Administrator Dr. Patricia Martinez: Managing EHR implementation while patient data systems show signs of remote surveillance
  • HIPAA Compliance Officer Jennifer Wong: Investigating potential patient data exposure and regulatory notification requirements
  • IT Manager Carlos Foster: Analyzing remote access patterns affecting medical record systems
  • Patient Privacy Advocate Lisa Chen: Assessing patient notification requirements and healthcare data protection
SECRETS
  • Medical staff clicked on fake healthcare compliance emails during EHR implementation
  • Unauthorized parties have remote access to patient medical records and billing information
  • Protected health information has been systematically accessed and potentially stolen

Poison Ivy Scenario: Wealth Management Partners Surveillance

Wealth Management Partners: Investment advisory firm, 120 advisors, managing $2.5B in assets
APT • PoisonIvy
STAKES
Client investment data + Financial privacy + Regulatory compliance + Investment strategies
HOOK
Wealth Management Partners is preparing quarterly client reviews when advisors notice their portfolio management systems showing signs of remote activity - client accounts being accessed after hours, investment strategies being viewed during private meetings, and trading algorithms showing unauthorized modifications. Remote surveillance tools have been monitoring confidential client financial information.
PRESSURE
Quarterly client meetings this week - investment data breach threatens client trust and SEC compliance
FRONT • 120 minutes • Advanced
Wealth Management Partners: Investment advisory firm, 120 advisors, managing $2.5B in assets
APT • PoisonIvy
NPCs
  • Managing Director Robert Kim: Overseeing client portfolio management with compromised investment systems showing remote surveillance
  • Compliance Director Amanda Foster: Investigating potential client data exposure and SEC notification requirements
  • Senior Advisor Michael Chen: Reporting remote access patterns affecting client account and investment strategy systems
  • Cybersecurity Consultant Sarah Martinez: Analyzing RAT indicators and financial data protection requirements
SECRETS
  • Investment advisors clicked on fake SEC compliance emails during quarterly preparation
  • Unauthorized parties have remote surveillance of client investment accounts and trading strategies
  • Confidential client financial information and proprietary investment algorithms have been accessed

Poison Ivy Scenario: Supply Chain Software Infiltration

SecureFlow Systems: Software development company, 320 employees, providing supply chain management software to Fortune 500 companies
APT • PoisonIvy
STAKES
Customer trust + Supply chain integrity + Intellectual property + Software integrity
HOOK
SecureFlow develops critical supply chain management software used by major manufacturers, retailers, and logistics companies. Sophisticated attackers have compromised their development environment through advanced remote access techniques, injecting malicious code into software updates that will be deployed to hundreds of customer organizations. The attack uses modern cloud-based command and control and fileless execution to maintain persistent access while poisoning the software supply chain.
PRESSURE
Customer panic about supply chain security - any compromise could affect global commerce and manufacturing
FRONT • 90 minutes • Intermediate
SecureFlow Systems: Software development company, 320 employees, providing supply chain management software to Fortune 500 companies
APT • PoisonIvy
NPCs
  • Development Manager Sarah Kim (DevSecOps): Discovering that software build pipeline has been compromised with malicious code injection affecting customer deployments
  • Chief Technology Officer Marcus Rodriguez (Cloud Architecture): Investigating sophisticated command and control infrastructure using legitimate cloud services and CDN networks
  • Customer Success Director Jennifer Chen (Fortune 500 Relations): Managing customer communications as major clients discover potential compromise in their supply chain management systems
  • Security Architect Alex Thompson (Threat Response): Finding evidence of advanced persistent access using PowerShell, WMI, and legitimate system administration tools
SECRETS
  • Development environment compromise through vendor email account takeover and social engineering
  • Malicious code injection into software updates using legitimate development tools and processes
  • Command and control infrastructure disguised as legitimate cloud storage and content delivery networks

Scenario Details for IMs

Opening Presentation

“You’re at SecureFlow Systems, a software company that provides supply chain management solutions to hundreds of Fortune 500 companies. Your development team has discovered unusual activity in the software build environment - code repositories show unauthorized changes, and your automated deployment systems have been modified. Security analysis reveals sophisticated remote access tools that have compromised your development pipeline. Worse, malicious code may have already been deployed to customer organizations through recent software updates.”

Initial Symptoms to Present:

  • “Software build systems showing unauthorized modifications and suspicious automated processes”
  • “Remote access tools using legitimate cloud services and system administration utilities”
  • “Code repositories containing unauthorized changes that bypass normal development approval processes”
  • “Customer reports of unusual behavior in recently deployed software updates”

Key Discovery Paths:

Detective Investigation Leads:

  • Software forensics reveal malicious code injection into legitimate development processes
  • Build pipeline analysis shows compromise of automated deployment and code signing systems
  • Attack vector analysis discovers initial compromise through targeted social engineering of development staff

Protector System Analysis:

  • Development environment security assessment reveals persistent adversary access using legitimate tools
  • Code integrity analysis shows sophisticated supply chain poisoning techniques
  • Customer deployment security assessment reveals scope of potentially compromised software updates

Tracker Command and Control Analysis:

  • Network monitoring reveals use of legitimate cloud services for covert command and control
  • Software supply chain analysis discovers coordinated attack targeting multiple software vendors
  • Threat intelligence reveals broader campaign against software development companies

Communicator Customer Relations:

  • Fortune 500 customer notification about potential supply chain compromise in their production systems
  • Software integrity verification and emergency patch deployment coordination
  • Legal analysis for liability and regulatory compliance during supply chain security incident

Crisis Manager Business Continuity:

  • Software development process security review and emergency response procedures
  • Customer relationship management during active supply chain security investigation
  • Business impact assessment for potential loss of customer trust and market position

Evolution Triggers:

  • Intermediate → Advanced: Customer organizations report active malware infections from compromised software updates
  • Advanced → Critical: Multiple software vendors report similar supply chain compromises indicating coordinated campaign

Success Metrics:

  • Rapid identification and containment of development environment compromise
  • Effective customer communication and software integrity verification
  • Successful supply chain security incident response
  • Business continuity maintenance during supply chain investigation

Learning Objectives:

  • Software supply chain security and development environment protection
  • Advanced remote access techniques using legitimate cloud services
  • Supply chain incident response and customer communication
  • DevSecOps security integration and threat detection

Historical Context for IMs:

This scenario modernizes the 2005 Poison Ivy RAT, which was a basic remote access trojan used in targeted attacks. The contemporary version adapts this to modern software supply chain attacks, where sophisticated adversaries compromise development environments to inject malicious code into software updates, reflecting the evolution from simple remote access to complex supply chain infiltration techniques.

Poison Ivy Scenario: Remote Access Discovery Timeline (2005)

Regional Marketing Agency: Creative services firm, 75 employees, serving clients in healthcare, finance, and government sectors
APT • PoisonIvy
STAKES
Client confidential data + Creative intellectual property + Competitive proposals + Professional reputation
HOOK
It's September 2005. Your marketing agency creates campaigns for sensitive clients including healthcare organizations, financial institutions, and government contractors. Employees have been receiving emails with creative briefs and campaign proposals that contain sophisticated remote access trojans. The Poison Ivy RAT provides attackers with complete system control, allowing them to steal client data, monitor business communications, and access confidential marketing strategies and competitive proposals.
PRESSURE
Client trust and competitive advantage - marketing agencies handle extremely sensitive business information and campaign strategies
FRONT • 90 minutes • Intermediate
Regional Marketing Agency: Creative services firm, 75 employees, serving clients in healthcare, finance, and government sectors
APT • PoisonIvy
NPCs
  • Creative Director Jennifer Walsh (Client Relations): Managing high-profile client relationships while discovering that confidential campaign strategies may have been accessed by competitors
  • IT Coordinator Michael Chen (Systems Support): Learning that remote access software can be hidden inside legitimate business documents and provide complete computer control
  • Account Manager Lisa Rodriguez (Healthcare Clients): Realizing that protected health information and medical campaign data could be compromised, triggering regulatory compliance concerns
  • Business Development Director Tom Johnson (Competitive Intelligence): Discovering that proposal strategies and client negotiations may have been monitored by unknown parties
SECRETS
  • Remote access trojan hidden in legitimate marketing documents provides complete system access including file downloads, keylogging, and screen capture
  • Attackers specifically target creative agencies to access multiple high-value clients through a single compromise
  • Marketing industry information sharing creates a network of potential targets for lateral movement

Historical Context & Modernization Prompts

Understanding 2005 Technology Context

This scenario represents actual Poison Ivy RAT attacks from 2005. Key historical elements to understand:

  • Email Attachments: Primary malware delivery vector with limited scanning and sandboxing capabilities
  • RAT Technology: Remote administration tools were sophisticated but detection was signature-based
  • Regulatory Environment: HIPAA and financial regulations existed but cybersecurity requirements were minimal
  • Business Networks: Simple network architectures with limited segmentation or access controls
  • Incident Response: Most small businesses had no formal cybersecurity or incident response capabilities

Collaborative Modernization Questions for Players

Present these questions after initial investigation to guide modernization:

  1. “How would attackers target marketing agencies in today’s digital landscape?”
    • Guide toward: Cloud collaboration platforms, social media intelligence, supply chain attacks
  2. “What modern techniques provide similar remote access capabilities to 2005 RATs?”
    • Guide toward: Cloud-based remote tools, legitimate software abuse, fileless attacks
  3. “How has regulatory compliance changed since 2005 for businesses handling sensitive data?”
    • Guide toward: GDPR, state privacy laws, breach notification requirements, cybersecurity frameworks
  4. “What would client data storage and sharing look like in modern marketing agencies?”
    • Guide toward: Cloud storage, collaboration platforms, mobile access, API integrations
  5. “How would modern threat detection identify persistent remote access?”
    • Guide toward: Endpoint detection, behavioral analysis, cloud security monitoring, threat hunting

Modernization Discovery Process

After historical investigation, facilitate modernization discussion:

  1. Industry Evolution: Explore how marketing has moved to digital platforms and cloud services
  2. Regulatory Changes: Discuss how privacy laws have created new compliance requirements
  3. Attack Sophistication: Compare basic RAT techniques to modern supply chain and cloud attacks
  4. Client Risk Amplification: Consider how interconnected business relationships create cascading risk
  5. Detection Advancement: Examine how behavioral analysis improves on signature-based detection

Learning Objectives

  • Third-Party Risk: Understanding how service providers create attack vectors to multiple targets
  • Regulatory Implications: Learning how data breaches trigger complex compliance requirements
  • Persistent Access: Recognizing techniques for maintaining long-term system access
  • Business Process Targeting: Appreciating how attackers exploit industry-specific workflows

IM Facilitation Notes

  • Multi-Client Impact: Emphasize how single compromise affects multiple organizations
  • Regulatory Complexity: Help players understand compliance implications without legal expertise
  • Business Relationship Focus: Highlight how attacks target trust relationships between organizations
  • Evolution Discussion: Guide conversation toward modern supply chain and third-party risks
  • Detection Challenges: Discuss why legitimate-looking remote access can evade detection

This historical foundation demonstrates how targeted attacks on service providers can amplify impact across multiple client organizations, while helping teams understand the evolution from basic remote access to complex supply chain threats.

Wire Lurker (Cross-Platform Mobile)

WireLurker Scenario: Design Agency Cross-Platform Outbreak

Creative Studios Inc: Design agency, 180 employees, Mac-heavy creative environment
Trojan • WireLurker
STAKES
Client creative work + Cross-platform security + Project deadlines + Intellectual property
HOOK
Creative Studios is finalizing major brand campaigns when designers notice their Mac workstations and connected iPhones showing unusual behavior - apps installing automatically, data syncing unexpectedly between devices, and creative files being modified across multiple platforms. Cross-platform malware is spreading through the studio's integrated Mac-iOS workflow.
PRESSURE
Client campaign launch Friday - creative work theft threatens agency reputation and $5M contracts
FRONT • 120 minutes • Advanced
Creative Studios Inc: Design agency, 180 employees, Mac-heavy creative environment
Trojan • WireLurker
NPCs
  • Creative Director Amanda Chen: Managing campaign production with infected Mac-iOS devices affecting creative workflows
  • IT Manager Michael Foster: Investigating cross-platform infection spreading through agency's integrated Apple ecosystem
  • Senior Designer Lisa Rodriguez: Reporting unauthorized app installations and data syncing between Mac and iOS devices
  • Account Manager Robert Kim: Coordinating client communications about potential creative work exposure and project delays
SECRETS
  • Designers downloaded infected creative software from compromised third-party app stores
  • Malware spreads between Mac workstations and connected iPhones through USB and wireless connections
  • Creative projects and client brand materials have been accessed across multiple device platforms

WireLurker Scenario: Tech Startup Development Environment

AppDev Innovations: Mobile app development startup, 95 employees, iOS development focus
Trojan • WireLurker
STAKES
App source code + Developer credentials + Apple Store presence + Startup survival
HOOK
AppDev Innovations is preparing their breakthrough mobile app for App Store launch when developers notice their development Macs and test iPhones exhibiting strange cross-device behavior - development certificates being modified, test apps installing on multiple devices simultaneously, and source code repositories showing unauthorized access across platforms.
PRESSURE
App Store launch Tuesday - source code theft threatens startup survival and investor funding
FRONT • 120 minutes • Advanced
AppDev Innovations: Mobile app development startup, 95 employees, iOS development focus
Trojan • WireLurker
NPCs
  • CEO Jennifer Wong: Leading app launch preparations with infected development environment threatening startup survival
  • Lead iOS Developer Carlos Martinez: Discovering cross-platform infection affecting development Macs and test devices
  • DevOps Engineer Diana Foster: Investigating unauthorized certificate modifications and code repository access
  • CTO Sarah Chen: Coordinating incident response while protecting proprietary app algorithms and development processes
SECRETS
  • Developers downloaded infected Xcode tools from unofficial sources during rapid development cycles
  • Cross-platform malware has access to development certificates, source code, and App Store credentials
  • Proprietary app algorithms and user data collection methods have been compromised across development platforms

WireLurker Scenario: Media Company Cross-Device Infection

Digital Media Corp: Content production company, 220 employees, multimedia workflows
Trojan • WireLurker
STAKES
Media content + Celebrity privacy + Production schedules + Content distribution
HOOK
Digital Media Corp is producing exclusive celebrity interviews when editors notice their Mac editing workstations and production iPhones showing coordinated unusual behavior - media files syncing unexpectedly, editing projects being accessed remotely, and exclusive content appearing to be copied across multiple device platforms through their integrated production workflow.
PRESSURE
Exclusive content premiere Monday - celebrity privacy breach threatens media relationships and distribution deals
FRONT • 120 minutes • Advanced
Digital Media Corp: Content production company, 220 employees, multimedia workflows
Trojan • WireLurker
NPCs
  • Production Director Robert Martinez: Managing exclusive content production with cross-platform infection affecting multimedia workflows
  • IT Security Manager Lisa Chen: Investigating Mac-iOS infection spreading through integrated media production systems
  • Senior Editor Amanda Foster: Reporting unauthorized media file access and cross-device content synchronization
  • Legal Counsel Michael Kim: Assessing celebrity privacy exposure and content distribution security requirements
SECRETS
  • Media editors downloaded infected video editing plugins from compromised creative software sites
  • Cross-platform malware accesses exclusive celebrity content and production schedules across Mac-iOS ecosystem
  • Confidential media content and celebrity personal information have been compromised across production devices

WireLurker Scenario: Educational Technology Cross-Platform Breach

EduTech Solutions: Educational technology company, 150 employees, developing learning apps
Trojan • WireLurker
STAKES
Student data privacy + Educational content + FERPA compliance + Learning platform security
HOOK
EduTech Solutions is deploying their learning platform to school districts when developers notice their Mac development systems and connected iPads showing synchronized suspicious behavior - educational apps installing across multiple devices, student data being accessed on various platforms, and learning content being modified through their integrated development and testing workflow.
PRESSURE
School district deployment Thursday - student data breach threatens educational contracts and FERPA compliance
FRONT • 120 minutes • Advanced
EduTech Solutions: Educational technology company, 150 employees, developing learning apps
Trojan • WireLurker
NPCs
  • Chief Product Officer Sarah Martinez: Managing educational platform deployment with cross-platform infection affecting student data systems
  • Privacy Officer Jennifer Foster: Investigating potential student data exposure across Mac-iOS educational development environment
  • Lead Education Developer Carlos Chen: Reporting unauthorized educational app installations and cross-device data access
  • Compliance Director Lisa Kim: Assessing FERPA violation risks and educational data protection requirements
SECRETS
  • Educational developers downloaded infected learning app templates from compromised educational software repositories
  • Cross-platform malware has access to student learning data and educational content across development platforms
  • Confidential student information and proprietary educational algorithms have been compromised across Mac-iOS systems

Noodle Rat (Corporate Intelligence)

Noodle Rat Scenario: Biotech Research Surveillance

BioGenesis Labs: Pharmaceutical research company, 320 scientists, developing breakthrough treatments
APT • NoodleRAT
STAKES
Research data + Clinical trial results + Patent applications + Regulatory compliance
HOOK
BioGenesis is finalizing clinical trial data for FDA submission when researchers notice their workstations occasionally showing signs of remote activity despite no suspicious files being found. Advanced fileless malware is operating entirely in memory, providing competitors invisible surveillance of breakthrough pharmaceutical research and clinical trial results.
PRESSURE
FDA submission deadline Tuesday - research theft threatens $200M drug development investment and regulatory approval
FRONT • 150 minutes • Expert
BioGenesis Labs: Pharmaceutical research company, 320 scientists, developing breakthrough treatments
APT • NoodleRAT
NPCs
  • Research Director Dr. Patricia Wong: Leading FDA submission with infected research systems showing invisible surveillance
  • IT Security Analyst Michael Foster: Investigating memory-resident malware with no file-based detection signatures
  • Clinical Data Manager Jennifer Martinez: Reporting unauthorized access to clinical trial results and patient data
  • Regulatory Affairs Director Robert Chen: Assessing FDA compliance risks and pharmaceutical research protection requirements
SECRETS
  • Research scientists opened convincing pharmaceutical industry emails containing fileless malware payloads
  • Competitors have invisible memory-resident surveillance of clinical trial data and research processes
  • Breakthrough pharmaceutical formulations and clinical trial results have been systematically stolen through fileless techniques

Noodle Rat Scenario: Aerospace Engineering Espionage

SkyTech Aerospace: Defense aerospace contractor, 450 engineers, classified aircraft development
APT • NoodleRAT
STAKES
Classified aircraft designs + National security + Defense contracts + Engineering secrets
HOOK
SkyTech is completing classified aircraft designs for military delivery when engineers notice subtle signs of system compromise despite comprehensive security scans finding no malicious files. Advanced fileless surveillance malware is operating entirely in memory, providing foreign adversaries invisible access to classified aerospace engineering and defense technology development.
PRESSURE
Military aircraft delivery Friday - classified design theft threatens national security and defense capabilities
FRONT • 150 minutes • Expert
SkyTech Aerospace: Defense aerospace contractor, 450 engineers, classified aircraft development
APT • NoodleRAT
NPCs
  • Chief Engineer Dr. Amanda Chen: Leading classified aircraft development with invisible memory-resident surveillance
  • Security Officer Colonel Michael Rodriguez: Investigating fileless espionage targeting classified aerospace systems
  • Senior Aerospace Engineer Lisa Foster: Reporting unauthorized access to classified aircraft designs and engineering specifications
  • Defense Security Service Agent Robert Kim: Coordinating counterintelligence investigation of memory-resident foreign espionage
SECRETS
  • Aerospace engineers received sophisticated defense industry emails containing advanced fileless espionage payloads
  • Foreign adversaries have invisible memory-resident surveillance of classified aircraft development and defense technology
  • Classified aerospace designs and defense engineering secrets have been systematically stolen through fileless techniques that leave no on-disk artifacts for file-based scanning to detect

Noodle Rat Scenario: Investment Bank Trading Floor

Capital Markets International: Investment bank, 800 traders, managing $50B in assets
APT • NoodleRAT
STAKES
Trading algorithms + Market intelligence + Client portfolios + Financial regulations
HOOK
Capital Markets is executing high-frequency trading strategies when traders notice their workstations showing subtle performance anomalies despite security systems detecting no malicious files. Advanced fileless malware is operating entirely in memory, providing competitors invisible surveillance of proprietary trading algorithms and market intelligence.
PRESSURE
Market volatility peaks Thursday - trading algorithm theft threatens competitive advantage and $50B in managed assets
FRONT • 150 minutes • Expert
Capital Markets International: Investment bank, 800 traders, managing $50B in assets
APT • NoodleRAT
NPCs
  • Trading Floor Director Jennifer Wong: Managing high-frequency trading with invisible memory-resident surveillance affecting proprietary algorithms
  • Cybersecurity Manager Carlos Martinez: Investigating fileless financial espionage with no detectable file signatures
  • Senior Quantitative Analyst Diana Foster: Reporting unauthorized access to trading models and market intelligence systems
  • SEC Compliance Officer Michael Chen: Assessing regulatory notification requirements and financial market manipulation risks
SECRETS
  • Quantitative analysts received sophisticated financial industry emails containing advanced fileless trading espionage payloads
  • Competitors have invisible memory-resident surveillance of proprietary trading algorithms and market strategies
  • High-frequency trading models and client portfolio strategies have been systematically stolen through fileless techniques that evade file-based detection

Noodle Rat Scenario: Tech Unicorn Algorithm Theft

DataFlow Technologies: AI unicorn startup, 280 engineers, pre-IPO valuation $5B
APT • NoodleRAT
STAKES
Proprietary AI algorithms + Pre-IPO valuation + Competitive advantage + Investor confidence
HOOK
DataFlow is preparing for its IPO when engineers notice subtle performance anomalies on their development workstations despite comprehensive security scans finding no threats. Advanced fileless malware is operating entirely in memory, giving competitors invisible surveillance of breakthrough AI algorithms and pre-IPO intellectual property.
PRESSURE
IPO roadshow begins Monday - algorithm theft threatens $5B valuation and investor confidence
FRONT • 150 minutes • Expert
DataFlow Technologies: AI unicorn startup, 280 engineers, pre-IPO valuation $5B
APT • NoodleRAT
NPCs
  • CTO Dr. Sarah Kim: Leading IPO preparation with invisible memory-resident surveillance affecting proprietary AI development
  • Security Engineer Michael Foster: Investigating advanced fileless espionage with no file-based detection capabilities
  • Principal AI Scientist Jennifer Martinez: Reporting unauthorized access to breakthrough algorithms and machine learning models
  • IPO Coordinator Robert Chen: Assessing investor disclosure requirements and competitive intelligence protection
SECRETS
  • AI engineers received sophisticated tech industry recruitment emails containing advanced fileless surveillance payloads
  • Competitors have invisible memory-resident surveillance of breakthrough AI algorithms and pre-IPO strategic planning
  • Proprietary machine learning models and IPO valuation secrets have been systematically stolen through fileless techniques that evade file-based detection

Litter Drifter (Government Targeting)

Litter Drifter Scenario: Ministry of Digital Infrastructure

Ministry of Digital Infrastructure: Government agency, 180 employees, managing national cybersecurity policy
APT • LitterDrifter
STAKES
National security + Critical infrastructure + Government communications + International relations
HOOK
The Ministry is coordinating cybersecurity policy during regional tensions when IT staff notice USB-borne malware specifically targeting Ukrainian-language systems and government networks. An advanced nation-state worm is propagating through removable media, collecting intelligence on government operations and strategic planning during an active geopolitical conflict.
PRESSURE
NATO summit begins Friday - intelligence collection threatens national security and diplomatic operations
FRONT • 150 minutes • Expert
Ministry of Digital Infrastructure: Government agency, 180 employees, managing national cybersecurity policy
APT • LitterDrifter
NPCs
  • Minister Dr. Olena Petrov: Leading national cybersecurity policy with targeted nation-state espionage affecting government operations
  • Cybersecurity Director Major Alexei Kozlov: Investigating geopolitical malware targeting Ukrainian government systems
  • Senior Policy Analyst Maria Doroshenko: Reporting intelligence collection affecting diplomatic and strategic planning
  • Intelligence Liaison Colonel Viktor Shevchenko: Coordinating counterintelligence response and international cooperation
SECRETS
  • Government staff received USB devices containing sophisticated nation-state worm targeting Ukrainian organizations
  • Foreign adversaries have geopolitical intelligence collection targeting government operations and diplomatic planning
  • Strategic communications and policy documents have been systematically collected through targeted espionage malware

Litter Drifter Scenario: Aegis Defense Systems Espionage

Aegis Defense Systems: Military contractor, 320 engineers, developing reconnaissance systems
APT • LitterDrifter
STAKES
Defense contracts + Military technology + National security + Strategic intelligence
HOOK
Aegis is finalizing advanced reconnaissance systems for military deployment when security teams discover USB-propagating malware designed to target defense contractors supporting Ukrainian operations. The nation-state espionage worm is collecting intelligence on military technology development and strategic defense capabilities.
PRESSURE
Military contract delivery Tuesday - intelligence theft threatens $80M defense project and operational security
FRONT • 150 minutes • Expert
Aegis Defense Systems: Military contractor, 320 engineers, developing reconnaissance systems
APT • LitterDrifter
NPCs
  • Defense Program Manager Colonel Sarah Mitchell (Ret.): Managing military reconnaissance systems with targeted nation-state espionage
  • Security Clearance Officer Dr. James Peterson: Investigating foreign intelligence collection affecting classified defense projects
  • Senior Systems Engineer Rachel Kowalski: Reporting unauthorized access to military technology specifications
  • Counterintelligence Specialist Agent Lisa Rodriguez: Coordinating security response and threat assessment
SECRETS
  • Defense engineers received targeted USB devices containing advanced nation-state espionage malware
  • Foreign intelligence services have systematic collection targeting Ukrainian defense support and military technology
  • Classified reconnaissance system designs and defense capabilities have been systematically stolen through geopolitical targeting

Litter Drifter Scenario: International Aid Organization

Global Relief Alliance: International NGO, 240 staff, coordinating humanitarian operations
APT • LitterDrifter
STAKES
Humanitarian operations + Refugee data + International coordination + Field safety
HOOK
Global Relief is coordinating emergency humanitarian assistance in conflict zones when aid workers discover USB malware targeting organizations supporting Ukrainian refugee operations. The nation-state surveillance worm is collecting intelligence on humanitarian logistics and international relief coordination during an active conflict.
PRESSURE
Emergency aid convoy departs Wednesday - intelligence collection threatens humanitarian operations and refugee safety
FRONT • 150 minutes • Expert
Global Relief Alliance: International NGO, 240 staff, coordinating humanitarian operations
APT • LitterDrifter
NPCs
  • Operations Director Dr. Anna Volkov: Coordinating humanitarian aid with nation-state surveillance affecting refugee operations
  • Field Security Manager Captain David Shaw: Investigating targeting of humanitarian organizations and field worker safety
  • Refugee Services Coordinator Elena Marchenko: Reporting intelligence collection affecting vulnerable populations and aid delivery
  • International Relations Officer Ambassador Patricia Chen: Assessing diplomatic implications and international cooperation
SECRETS
  • Humanitarian workers received USB devices containing nation-state worm targeting Ukrainian refugee assistance
  • Foreign intelligence has systematic surveillance of humanitarian operations and international relief coordination
  • Refugee data and humanitarian logistics have been systematically collected through targeted espionage operations

Litter Drifter Scenario: News Media Network

Independent Media Network: News organization, 150 journalists, covering international conflicts
APT • LitterDrifter
STAKES
Press freedom + Source protection + Information integrity + Journalist safety
HOOK
Independent Media is reporting from conflict zones when newsroom systems are infected by USB malware specifically targeting journalists covering the Ukrainian conflict. The nation-state espionage worm is collecting intelligence on news sources, journalist communications, and editorial operations to support information warfare.
PRESSURE
Major investigative report publishes Thursday - intelligence collection threatens source protection and press freedom
FRONT • 150 minutes • Expert
Independent Media Network: News organization, 150 journalists, covering international conflicts
APT • LitterDrifter
NPCs
  • Editor-in-Chief Alexandra Kuznetsova: Leading conflict reporting with nation-state surveillance affecting journalist operations
  • Cybersecurity Consultant Mark Thompson: Investigating targeting of media organizations and source protection systems
  • Investigative Journalist Sofia Petrov: Reporting intelligence collection affecting confidential sources and news operations
  • Digital Security Trainer Dr. Michael Rodriguez: Assessing journalist safety and digital security in hostile environments
SECRETS
  • Journalists received USB devices containing nation-state espionage malware targeting media coverage of Ukrainian conflicts
  • Foreign intelligence has systematic surveillance of news operations and confidential source communications
  • Investigative reports and journalist sources have been systematically compromised through targeted media espionage

FakeBat (Payload Delivery)

FakeBat Scenario: Small Business Software Trap

Creative Solutions Studio: Digital marketing agency, 45 employees, serving local businesses
Social Engineering • FakeBat
STAKES
Client data + Business operations + Website security + Company reputation
HOOK
Creative Solutions is managing client campaigns when employees notice their browsers redirecting to unexpected websites and displaying persistent advertisements. Staff report having installed 'critical software updates' for their design tools; those 'updates' were software masquerading attacks, fake installers delivering multi-stage trojan payloads.
PRESSURE
Major client presentation Friday - browser compromise threatens business operations and client confidence
FRONT • 120 minutes • Intermediate
Creative Solutions Studio: Digital marketing agency, 45 employees, serving local businesses
Social Engineering • FakeBat
NPCs
  • Business Owner Lisa Martinez: Managing agency operations with compromised design workstations affecting client services
  • IT Coordinator Jake Thompson: Investigating unauthorized software installations and browser modifications
  • Creative Director Sarah Chen: Reporting design software 'updates' and persistent browser advertising issues
  • Client Relations Manager Mark Rodriguez: Assessing impact on client data security and service delivery
SECRETS
  • Design staff received convincing fake software update notifications for Adobe Creative Suite and design tools
  • Malicious software is masquerading as legitimate business applications while deploying secondary payloads
  • Browser hijacking is creating persistent infection vectors and redirecting client research to malicious sites

FakeBat Scenario: Gaming Cafe Network Infection

Level Up Gaming Cafe: Entertainment venue, 25 staff, 80 gaming stations
Social Engineering • FakeBat
STAKES
Customer data + Gaming systems + Payment processing + Business reputation
HOOK
Level Up is hosting weekend tournaments when gaming stations begin showing unexpected browser behavior and unwanted advertisements. Customers report having downloaded 'essential gaming software' and 'graphics driver updates' that appeared necessary for optimal performance; these were software masquerading attacks tailored to gaming environments.
PRESSURE
Major esports tournament Saturday - system compromise threatens customer experience and payment security
FRONT • 120 minutes • Intermediate
Level Up Gaming Cafe: Entertainment venue, 25 staff, 80 gaming stations
Social Engineering • FakeBat
NPCs
  • Cafe Manager Tony Kim: Operating gaming venue with compromised customer stations affecting tournament operations
  • Systems Administrator Emma Foster: Investigating fake gaming software installations and browser hijacking
  • Tournament Coordinator Alex Rodriguez: Reporting customer complaints about browser redirects and performance issues
  • Customer Support Lead Jessica Wong: Handling customer concerns about unexpected software installations and system behavior
SECRETS
  • Gaming customers installed convincing fake game launchers, graphics drivers, and performance optimization tools
  • Malicious software is masquerading as essential gaming utilities while deploying trojan payloads across stations
  • Browser modifications are affecting customer gaming experiences and creating security risks for payment systems

FakeBat Scenario: Nonprofit Organization Deception

Community Outreach Foundation: Charitable organization, 35 volunteers, serving underserved populations
Social Engineering • FakeBat
STAKES
Donor information + Volunteer safety + Program funding + Community trust
HOOK
Community Outreach is coordinating assistance programs when volunteer computers begin experiencing browser redirects and persistent advertisements. Staff report having installed 'security updates' and 'productivity software' that appeared critical for data protection; these were software masquerading attacks tailored to nonprofit environments.
PRESSURE
Annual fundraising gala Thursday - system compromise threatens donor confidence and program funding
FRONT • 120 minutes • Intermediate
Community Outreach Foundation: Charitable organization, 35 volunteers, serving underserved populations
Social Engineering • FakeBat
NPCs
  • Executive Director Maria Santos: Leading nonprofit operations with compromised volunteer systems affecting donor relations
  • Volunteer Coordinator David Park: Investigating fake software installations affecting volunteer productivity and safety
  • Development Manager Rebecca Foster: Reporting concerns about donor data security and fundraising system integrity
  • IT Volunteer Coordinator Mike Johnson: Addressing browser modifications and unauthorized software across volunteer computers
SECRETS
  • Volunteers installed convincing fake antivirus software, productivity tools, and data protection utilities
  • Malicious software is masquerading as nonprofit-focused applications while deploying data collection payloads
  • Browser hijacking is affecting donor communications and creating security risks for fundraising operations

FakeBat Scenario: Freelancer Coworking Space

Innovation Hub Coworking: Shared workspace, 120 freelancers, collaborative professional environment
Social Engineering • FakeBat
STAKES
Client projects + Freelancer livelihoods + Shared network security + Professional reputation
HOOK
Innovation Hub is supporting independent professionals when the shared network experiences widespread browser issues and unexpected software installations. Freelancers report having downloaded 'essential productivity tools' and 'collaboration software' that appeared necessary for client work; these were software masquerading attacks tailored to remote workers.
PRESSURE
Multiple client deadlines Monday - network compromise threatens freelancer businesses and workspace reputation
FRONT • 120 minutes • Intermediate
Innovation Hub Coworking: Shared workspace, 120 freelancers, collaborative professional environment
Social Engineering • FakeBat
NPCs
  • Workspace Manager Jennifer Wilson: Operating coworking space with compromised shared systems affecting freelancer productivity
  • Network Administrator Carlos Martinez: Investigating fake productivity software affecting multiple independent workers
  • Community Manager Diana Foster: Reporting freelancer concerns about browser issues and unexpected software behavior
  • Member Services Coordinator Robert Chen: Addressing impact on client work and professional services across diverse freelancers
SECRETS
  • Freelancers installed convincing fake collaboration tools, project management software, and business productivity applications
  • Malicious software is masquerading as essential freelancer tools while deploying trojans across shared workspace
  • Browser modifications are affecting client communications and creating security risks for independent professional work

Selection Guidelines

By Experience Level:

  • Beginner Groups: Gaboon Grabber, Raspberry Robin, FakeBat scenarios
  • Intermediate Groups: WannaCry, Poison Ivy, Wire Lurker scenarios
  • Advanced Groups: Stuxnet, Ghost Rat, Noodle Rat, Litter Drifter scenarios

Each card also carries its own difficulty rating (for example, the FakeBat cards above are rated Intermediate, and the Noodle Rat and Litter Drifter cards are rated Expert); when the card rating and this grouping disagree, use the card rating.

By Session Length:

  • 2-hour sessions: Single-organization scenarios with clear timelines
  • 4-hour sessions: Multi-stakeholder scenarios with complex interdependencies
  • Campaign play: Mix scenarios to show malmon evolution and organizational learning

By Learning Objectives:

  • Technical Skills: Stuxnet, Code Red scenarios emphasize technical analysis
  • Social Engineering: Gaboon Grabber, FakeBat scenarios focus on human factors
  • Incident Coordination: WannaCry, Ghost Rat scenarios teach team leadership
  • Long-term Investigations: Poison Ivy, Noodle Rat scenarios develop patience and methodology