LitterDrifter Scenario: Defense Contractor Espionage
APT • LitterDrifter
STAKES
Defense contracts + Military technology + National security + Strategic intelligence
HOOK
Security teams at Nordisk Forsvarsteknologi A/S are seeing engineering workstations execute unknown processes when USB drives are inserted, classified design repositories opening without user action, and outbound connections to unfamiliar infrastructure. Multiple NATO and Ukraine support programs are reporting the same activity, indicating coordinated surveillance of defense development systems.
PRESSURE
- Delivery commitment due Tuesday for 600 million DKK NATO package
- Suspected espionage threatens operational security and allied planning
- Enterprise scope: Danish defense company, 800 employees, NATO programs and Ukraine military aid
FRONT • 150 minutes • Expert
APT • LitterDrifter
NPCs
- Birgitte Nyborg (CEO): Responsible for delivery decisions and national-security escalation
- Troels Hartmann (CTO): Leads engineering continuity and removable-media controls
- Sarah Lund (CISO): Directs incident containment, forensics, and regulator coordination
- Carl Morck (VP Defense Programs): Owns delivery risk across NATO and Ukraine support programs
SECRETS
- Engineering teams received USB media from trusted project channels without full chain-of-custody checks
- Sensitive subsystem documentation was accessed outside normal program windows
- Multiple suppliers in the same defense ecosystem are reporting similar activity
LitterDrifter Scenario: Defense Contractor Espionage
APT • LitterDrifter
STAKES
Defense contracts + Military technology + National security + Strategic intelligence
HOOK
Security teams at Albion Defense Engineering are seeing engineering workstations execute unknown processes when USB drives are inserted, classified design repositories opening without user action, and outbound connections to unfamiliar infrastructure. Multiple NATO and Ukraine support programs are reporting the same activity, indicating coordinated surveillance of defense development systems.
PRESSURE
- Delivery commitment due Tuesday for GBP 72 million NATO package
- Suspected espionage threatens operational security and allied planning
- Enterprise scope: UK defense contractor, 2,000 employees, NATO programs and Ukraine support
FRONT • 150 minutes • Expert
APT • LitterDrifter
NPCs
- Richard Blackwood (CEO): Responsible for delivery decisions and national-security escalation
- Deepa Kaur (CTO): Leads engineering continuity and removable-media controls
- Michael Thornton (CISO): Directs incident containment, forensics, and regulator coordination
- Sarah Crawford (VP Defense Programs): Owns delivery risk across NATO and Ukraine support programs
SECRETS
- Engineering teams received USB media from trusted project channels without full chain-of-custody checks
- Sensitive subsystem documentation was accessed outside normal program windows
- Multiple suppliers in the same defense ecosystem are reporting similar activity
Planning Resources
For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:
Litter Drifter Defense Contractor Planning Document
Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.
Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:
Litter Drifter Defense Contractor Scenario Slides
Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support
Scenario Details for IMs
Hook
“It is Monday morning at Nordisk Forsvarsteknologi A/S. Engineers preparing a major NATO delivery notice USB media launching unknown executables, confidential design files opening without user requests, and workstation logs showing repeated outbound sessions to infrastructure no one recognizes. Senior leadership now has reports from multiple program teams that the same behavior is appearing across restricted engineering segments, and each hour increases the risk that defense program data is being copied out of the environment.”
“(Regional context: Denmark defense-industrial response.)”
“It is Monday morning at Albion Defense Engineering. Engineers preparing a major NATO delivery notice USB media launching unknown executables, confidential design files opening without user requests, and workstation logs showing repeated outbound sessions to infrastructure no one recognizes. Senior leadership now has reports from multiple program teams that the same behavior is appearing across restricted engineering segments, and each hour increases the risk that defense program data is being copied out of the environment.”
“(Regional context: United Kingdom defense-industrial response.)”
Initial Symptoms to Present:
- “USB devices trigger unexpected process launches on restricted engineering workstations”
- “Defense design repositories show unauthorized access outside scheduled build windows”
- “Endpoint logs show repeat outbound sessions to unfamiliar infrastructure from isolated segments”
- “Multiple suppliers report similar telemetry within the same NATO support ecosystem”
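The first symptom above (processes launching when USB media is inserted) and the Detective lead that ties initial execution to removable media both come down to one correlation: a device-arrival event followed, on the same host and within a short window, by a process whose image or script argument lives on that volume. The script below is an added example, not material from the scenario pack or from any LitterDrifter sample. Its pipe-delimited log is a constructed schema standing in for device-arrival and process-creation telemetry (the shape you would map Sysmon event ID 1 or Windows 4688 into); the hostnames, paths, ten-minute window and the script-host list are assumptions, and the script-host heuristic is a general removable-media rule rather than an indicator taken from the page. It deliberately leaves the engineer opening a drawing file from the stick unflagged, which is the legitimate-USB-workflow noise the Advanced Challenge red herrings describe.

```python
"""Correlate removable-media insertion with what ran from that volume shortly after.

Added example, not from the scenario pack or any malware sample. The pipe-delimited
log below is a constructed schema standing in for device-arrival and process-creation
telemetry (e.g. Sysmon event ID 1 / Windows 4688); hostnames, paths and the
ten-minute window are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry: ISO-8601 UTC | host | event | key=value;...
SAMPLE_LOG = """\
2024-03-04T08:01:10Z|ENG-WS-17|device_insert|drive=E:;vendor=Generic;serial=A1B2C3
2024-03-04T08:01:14Z|ENG-WS-17|process_create|image=C:\\Windows\\System32\\wscript.exe;parent=explorer.exe;cmd=wscript.exe E:\\docs\\index.vbs
2024-03-04T08:01:21Z|ENG-WS-17|process_create|image=C:\\Program Files\\CAD\\cad.exe;parent=explorer.exe;cmd=cad.exe E:\\drawings\\frame.dwg
2024-03-04T08:30:02Z|ENG-WS-21|device_insert|drive=F:;vendor=Kingston;serial=9Z8Y7X
2024-03-04T08:33:40Z|ENG-WS-21|process_create|image=F:\\setup\\tool.exe;parent=explorer.exe;cmd=tool.exe
2024-03-04T09:10:00Z|ENG-WS-03|process_create|image=C:\\Windows\\System32\\wscript.exe;parent=svchost.exe;cmd=wscript.exe C:\\Users\\eng\\update.vbs
"""

# Interpreters that turn a data file on the stick into code execution. Generic
# removable-media hardening list (assumption), not an indicator from the scenario.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
INSERT_WINDOW = timedelta(minutes=10)  # assumption: how long after insertion a launch counts as "triggered"


@dataclass(frozen=True)
class Alert:
    host: str
    when: datetime
    drive: str
    image: str
    cmd: str
    reason: str


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _parse_details(raw: str) -> dict[str, str]:
    """Turn 'k=v;k=v' into a dict; only the first '=' in each pair is a separator."""
    out: dict[str, str] = {}
    for pair in raw.split(";"):
        key, _, value = pair.partition("=")
        out[key.strip()] = value.strip()
    return out


def _drive_of(path: str) -> str | None:
    m = re.match(r"^([A-Za-z]):\\", path)
    return m.group(1).upper() + ":" if m else None


def _drives_in(cmd: str) -> set[str]:
    return {d.upper() + ":" for d in re.findall(r"\b([A-Za-z]):\\", cmd)}


def correlate_usb_execution(log_text: str, window: timedelta = INSERT_WINDOW) -> list[Alert]:
    """Flag process launches that run code from a volume inserted on that host within `window`."""
    recent: dict[tuple[str, str], datetime] = {}  # (host, drive) -> last insertion time
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, host, event, raw = line.split("|", 3)
        ts, details = _parse_ts(ts_text), _parse_details(raw)
        if event == "device_insert":
            recent[(host, details["drive"].upper())] = ts
            continue
        if event != "process_create":
            continue
        image, cmd = details.get("image", ""), details.get("cmd", "")
        base = image.rsplit("\\", 1)[-1].lower()
        image_drive = _drive_of(image)
        # Case 1: the executable image itself lives on a just-inserted volume.
        # Case 2: a script host / LOLBin is handed a file that lives there.
        candidates = ({image_drive} if image_drive else set()) | (_drives_in(cmd) if base in SCRIPT_HOSTS else set())
        for drive in candidates:
            inserted = recent.get((host, drive))
            if inserted is None or not (timedelta(0) <= ts - inserted <= window):
                continue
            reason = ("binary executed directly from removable volume" if drive == image_drive
                      else f"{base} launched with a script from removable volume")
            alerts.append(Alert(host, ts, drive, image, cmd, reason))
            break
    return alerts


if __name__ == "__main__":
    for a in correlate_usb_execution(SAMPLE_LOG):
        print(f"{a.when:%H:%M:%S} {a.host} {a.drive} {a.reason}: {a.cmd}")
```

Run against the constructed log, the rule fires twice: the script host fed a file from E: seconds after insertion, and an executable run straight from F:. The CAD application opening a drawing from the same stick is not flagged (the image is on C: and cad.exe is not an interpreter), and the wscript.exe launch on ENG-WS-03 is not flagged either because nothing was inserted there; that second case is exactly the kind of persistence-after-restart signal a separate rule would need to cover.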
Key Discovery Paths:
Detective Investigation Leads:
- Forensics tie initial execution to removable media used in legitimate engineering workflows
- Access timelines show collection focused on subsystem architecture and interface control documents
- Historical logs indicate sustained low-noise collection behavior rather than destructive impact
Protector System Analysis:
- Endpoint hardening gaps allow signed but unapproved binaries to execute from USB paths
- Segmentation boundaries reduce blast radius but still permit credential-driven data access
- Recovery options differ sharply between immediate isolation and evidence-preserving containment
Tracker Network Investigation:
- Beacon traffic is encrypted and paced at jittered intervals chosen to blend into normal support traffic
- External destinations rotate through infrastructure with links to prior defense-sector campaigns
- Correlated timing across suppliers suggests coordinated tasking rather than opportunistic crime
Communicator Stakeholder Interviews:
- Program leadership is balancing delivery commitments against confidence in design integrity
- Legal and security teams need a defensible timeline before regulator and government notifications
- Supplier relations teams need coordinated language that preserves trust while sharing risk indicators
Mid-Scenario Pressure Points:
- Hour 1: Delivery management requests a go/no-go recommendation for tomorrow’s handoff
- Hour 2: Security operations receives cross-supplier intelligence indicating matching USB-driven behavior
- Hour 3: External stakeholders ask whether current design baselines should be considered exposed
- Hour 4: Leadership requires a decision on containment depth versus delivery continuity
Evolution Triggers:
- If containment is delayed, additional engineering segments begin showing unauthorized access patterns
- If only partial isolation is used, operators observe renewed beaconing after workstation restarts
- If delivery proceeds without integrity assurance, downstream recipients question program trustworthiness
Resolution Pathways:
Technical Success Indicators:
- Removable-media execution paths are controlled and monitored across all engineering tiers
- Artifact timeline supports both remediation and evidentiary requirements
- A validated clean baseline is established for affected design repositories
Business Success Indicators:
- Leadership receives a defensible recommendation on delivery timing and design confidence
- Supplier and partner communication remains consistent and evidence-based
- Incident decisions align with legal, regulatory, and defense reporting obligations
Learning Success Indicators:
- Team recognizes how non-destructive espionage campaigns differ from disruptive malware events
- Participants practice balancing forensic rigor against urgent operational commitments
- Group demonstrates coordinated technical and executive decision-making under uncertainty
Common IM Facilitation Challenges:
If Technical Scope Becomes Too Narrow:
“You can clean endpoints quickly, but what evidence proves the design baseline is still trustworthy for military delivery?”
If Escalation Is Delayed:
“Leadership needs a recommendation now: delay delivery for deeper assurance, or proceed with documented residual risk?”
If Compliance Planning Is Deferred:
“Datatilsynet requests an immediate incident status and asks whether controlled technical export data or employee information was exposed, with formal GDPR notification expected within 72 hours if confirmed.”
“The ICO requests an immediate incident status and asks whether controlled technical export data or employee information was exposed, with formal UK GDPR notification expected within 72 hours if confirmed.”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: USB-driven intrusion discovery and immediate containment choices
Key Actions: Identify removable-media execution path, isolate affected engineering segments, issue initial stakeholder update
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Evidence-led response with delivery risk analysis
Key Actions: Build forensic timeline, assess design-baseline trust, coordinate regulator and defense-agency notifications
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end espionage response under defense delivery pressure
Key Actions: Run parallel containment and intelligence analysis, make delivery recommendation, define long-term architecture controls
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Cross-supplier intelligence correlation, contested attribution, policy-level disclosure decisions
Additional Challenges: Conflicting partner telemetry, rapid leadership deadlines, partial evidence with high consequence
This Danish variation can be adapted to other EU countries during facilitation. All EU countries share GDPR (72-hour breach notification) but have different defense and cybersecurity institutions.
When running this scenario for another EU country, replace the Danish institutions used throughout this scenario (first row) with the corresponding row below:
| Country | Data protection authority | Defence ministry | National cyber authority / CERT | Law enforcement / intelligence |
|---|---|---|---|---|
| Denmark (baseline) | Datatilsynet | Forsvarsministeriet | CFCS | PET |
| Estonia | AKI | Ministry of Defence (Kaitseministeerium) | RIA / CERT-EE | KAPO |
| France | CNIL | Ministère des Armées / DGA | ANSSI | DGSI / DGSE |
| Germany | BfDI | BMVg | BSI | BKA / BfV |
| Netherlands | Autoriteit Persoonsgegevens | Ministerie van Defensie | NCSC-NL | Team High Tech Crime / AIVD |
| Poland | UODO | MON | NASK / CSIRT GOV | ABW |
| Sweden | IMY | Försvarsdepartementet | CERT-SE / MSB | Säpo |
Notes:
- Sector context: Defense suppliers carry civilian GDPR obligations alongside national-security reporting obligations. The GDPR 72-hour clock applies to personal-data breaches (employee and contact records), so the data protection authority's question is really about that data; exposure of export-controlled technical data is reported through defence, export-control and CERT channels on their own timelines and to different recipients.
- Coordination model: Many countries split cyber response between civilian CERTs and military/intelligence channels, so teams should expect parallel notifications rather than a single point of contact.
- Facilitation tip: Keep technical findings consistent while swapping institutional stakeholders and legal reporting paths.
Organization names and NPC names are left to the IM's discretion.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
- Clue 1 (Minute 5): Security operations at Nordisk Forsvarsteknologi A/S detects repeated unknown process execution from removable media across restricted engineering endpoints.
- Clue 2 (Minute 10): Endpoint telemetry shows sensitive design repositories accessed from accounts and hosts that do not match normal delivery workflows.
- Clue 3 (Minute 15): VP Defense Programs Carl Morck reports that two subsystem teams found unauthorized reads of targeting interface documentation from segmented engineering shares.
- Clue 1 (Minute 5): Security operations at Albion Defense Engineering detects repeated unknown process execution from removable media across restricted engineering endpoints.
- Clue 2 (Minute 10): Endpoint telemetry shows sensitive design repositories accessed from accounts and hosts that do not match normal delivery workflows.
- Clue 3 (Minute 15): VP Defense Programs Sarah Crawford reports that two subsystem teams found unauthorized reads of targeting interface documentation from segmented engineering shares.
Pre-Defined Response Options
- Option A: Immediate Engineering Isolation
- Action: Remove affected workstations from production segments and block all removable-media execution pending triage.
- Pros: Fast containment of active collection behavior; simplifies scoping.
- Cons: Immediate delivery disruption and reduced engineering throughput.
- Type Effectiveness: Super effective against APT collection activity using removable-media pathways.
- Option B: Evidence-First Containment
- Action: Preserve volatile artifacts on high-value hosts while containing only confirmed compromised segments.
- Pros: Stronger evidentiary basis for attribution and legal reporting.
- Cons: Higher short-term risk of continued access if scope is underestimated.
- Type Effectiveness: Moderately effective when team discipline and telemetry quality are high.
- Option C: Delivery-Continuity Prioritization
- Action: Keep key program lanes active with compensating monitoring while isolating non-critical segments.
- Pros: Maintains near-term operational commitments.
- Cons: Residual exposure risk and weaker assurance for delivery integrity.
- Type Effectiveness: Partially effective and high risk if adversary footholds are broader than expected.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Initial Discovery and Containment (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Endpoint detections show repeated execution from removable media in engineering workspaces.
- Clue 2 (Minute 10): Access logs reveal non-routine reads of subsystem architecture documents from restricted shares.
- Clue 3 (Minute 15): VP Defense Programs Carl Morck reports that two subsystem teams found unauthorized reads of targeting interface documentation from segmented engineering shares.
- Clue 3 (Minute 15): VP Defense Programs Sarah Crawford reports that two subsystem teams found unauthorized reads of targeting interface documentation from segmented engineering shares.
- Clue 4 (Minute 20): Cross-supplier reporting indicates similar telemetry patterns in organizations supporting Ukraine-related programs.
Response Options:
- Option A: Full Segment Isolation
- Pros: Minimizes immediate collection risk.
- Cons: Maximum disruption to delivery planning.
- Option B: Tiered Isolation with Forensic Priority
- Pros: Preserves key evidence and maintains partial operations.
- Cons: Requires precise, disciplined execution.
- Option C: Monitoring-Heavy Continuity
- Pros: Keeps delivery activities moving in the short term.
- Cons: Creates residual exposure and decision debt for Round 2.
Round 2: Reporting and Delivery Integrity (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): Integrity checks show suspicious access to documents tied to upcoming delivery milestones.
- Clue 6 (Minute 40): Datatilsynet requests an immediate incident status and asks whether controlled technical export data or employee information was exposed, with formal GDPR notification expected within 72 hours if confirmed.
- Clue 6 (Minute 40): The ICO requests an immediate incident status and asks whether controlled technical export data or employee information was exposed, with formal UK GDPR notification expected within 72 hours if confirmed.
- Clue 7 (Minute 50): Program leadership requests a written recommendation on delivery confidence level.
- Clue 8 (Minute 55): Supplier liaison receives external queries about whether affected technical baselines remain valid.
Round Transition Narrative
After Round 1 -> Round 2:
“CFCS coordination reports similar USB-driven activity at another Danish defense supplier, increasing concern about a broader campaign targeting Ukraine support programs.”
“NCSC coordination reports similar USB-driven activity at another UK defense supplier, increasing concern about a broader campaign targeting Ukraine support programs.”
Facilitation questions:
- “What evidence threshold is sufficient to certify delivery integrity under active stakeholder pressure?”
- “How do you sequence containment, reporting, and leadership communication so decisions remain defensible?”
- “Which unresolved unknown would most change your recommendation if discovered in the next hour?”
Debrief Focus:
- Balancing speed and certainty in espionage-oriented incidents
- Preserving chain-of-evidence while reducing ongoing collection risk
- Communicating uncertainty to leadership without losing operational control
Full Game Materials (120-140 min, 3 rounds)
The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 shifts from immediate response to strategic hardening and partner assurance.
Round 1: Crisis Briefing and Scope Discovery (35-40 min)
CEO Birgitte Nyborg calls an emergency briefing in Copenhagen and states that the company is one day from a critical delivery for Ukraine support and needs immediate clarity on engineering-network trust. CTO Troels Hartmann confirms the pattern is tied to removable media and not normal software deployment. CISO Sarah Lund adds that logs indicate persistent outbound traffic from restricted workstations. VP Defense Programs Carl Morck warns that delivery decisions cannot wait and asks for an immediate containment recommendation.
CEO Richard Blackwood opens an emergency call in London and states that the company is one day from a critical delivery for Ukraine support and needs immediate clarity on engineering-network trust. CTO Deepa Kaur confirms the pattern is tied to removable media and not normal software deployment. CISO Michael Thornton adds that logs indicate persistent outbound traffic from restricted workstations. VP Defense Programs Sarah Crawford warns that delivery decisions cannot wait and asks for an immediate containment recommendation.
Players investigate openly using role capabilities. Key findings include removable-media execution patterns, suspicious repository access, and cross-supplier telemetry alignment.
If team stalls: “You can isolate hosts now, but leadership still needs a confidence statement on whether tomorrow’s delivery baseline is trustworthy.”
Round 2: Integrity Decision and External Coordination (35-40 min)
- Technical teams complete high-priority artifact collection and propose containment expansion paths.
- Program leadership requires a recommendation on delivery timing and confidence statement language.
- Regulatory and government coordination is now active across GDPR, Datatilsynet, CFCS, and Forsvarsministeriet channels.
- Law-enforcement/intelligence liaison begins via PET.
- Regulatory and government coordination is now active across UK GDPR and Official Secrets Act, ICO, NCSC, and Ministry of Defence channels.
- Law-enforcement/intelligence liaison begins via NCA.
Facilitation questions:
- “What must be true before you recommend shipment, delay, or limited release?”
- “How do you communicate residual risk to partners who need a binary answer?”
Round 3: Strategic Recovery and Hardening (40-45 min)
Opening: Two weeks later, immediate containment is complete and leadership asks for a long-term assurance strategy covering removable-media controls, supplier telemetry sharing, and evidence-retention standards.
Pressure events:
- Procurement partners require proof of control improvements before restoring full trust
- Internal audit requests a formal lessons-learned package tied to engineering workflows
- Executive leadership requests a board-ready readiness roadmap for the next 90 days
Victory conditions for full 3-round arc:
- Verified clean baseline for affected engineering environments
- Defensible external reporting package aligned to legal and defense obligations
- Durable control improvements addressing removable-media and supplier-correlation risk
Debrief Questions
- “Which early signal most clearly distinguished espionage collection from commodity malware noise?”
- “Where did delivery pressure improve decision quality, and where did it degrade it?”
- “What evidence was essential for external credibility, and what was merely useful?”
- “How should supplier ecosystems coordinate faster on similar telemetry without oversharing sensitive details?”
Debrief Focus
- Defense-sector incidents often prioritize intelligence collection over immediate disruption
- Removable-media pathways remain a high-risk blind spot in mixed-trust engineering workflows
- High-confidence communication depends on technical depth, timing discipline, and clear uncertainty framing
Advanced Challenge Materials (150-170 min)
Red Herrings and Misdirection
- Legitimate USB-based testing workflows generate noise similar to malicious execution patterns.
- A routine supplier maintenance window overlaps with suspicious beacon intervals.
- A non-malicious credential-hygiene issue appears related but is operationally separate.
Removed Resources and Constraints
- No prebuilt incident playbook for removable-media espionage scenarios
- Limited historical telemetry retention on a subset of engineering endpoints
- Delayed external partner responses during the first critical decision window
Enhanced Pressure
- Leadership requests a same-day shipment recommendation despite incomplete evidence
- Partners request immediate indicator sharing before legal review is complete
- Program teams request exceptions to containment controls to meet milestone commitments
Ethical Dilemmas
- Preserve more evidence and accept short-term operational risk, or prioritize rapid isolation and lose attribution depth.
- Delay delivery for higher assurance, or proceed with documented residual risk to meet alliance commitments.
- Share broad indicators quickly to help partners, or limit disclosure to avoid exposing sensitive internal architecture.
Advanced Debrief Topics
- Building incident doctrine for quiet, long-dwell espionage campaigns
- Structuring executive decisions when technical certainty is asymmetrical across teams
- Improving cross-supplier readiness without weakening internal confidentiality boundaries