LitterDrifter Scenario: International Aid Coordination

LitterDrifter Scenario: International Aid Coordination

Nordisk Humanitær Bistand: Danish humanitarian NGO, 500 employees, Ukraine and neighboring-country operations
APT • LitterDrifter
STAKES
Humanitarian continuity + Beneficiary safety + Field logistics + Donor trust
HOOK
Security teams at Nordisk Humanitær Bistand are seeing field laptops launch unknown processes when USB drives are inserted, distribution manifests open without user action, and outbound sessions to unfamiliar infrastructure from coordination hubs. Multiple teams supporting Ukraine relief report the same behavior, indicating targeted surveillance of humanitarian logistics workflows.
PRESSURE
  • Critical convoy planning due Wednesday for 190 million DKK relief portfolio
  • Surveillance risk threatens aid routing and beneficiary privacy
  • Operational scope: Danish humanitarian NGO, 500 employees, Ukraine and neighboring-country operations
FRONT • 150 minutes • Expert
Nordisk Humanitær Bistand: Danish humanitarian NGO, 500 employees, Ukraine and neighboring-country operations
APT • LitterDrifter
NPCs
  • Martin Rohde (Country Director): Owns mission continuity and public accountability
  • Ingeborg Skjern (Operations Head): Leads distribution planning and field coordination
  • Thomas Buch (IT Manager): Runs containment and technical remediation under deadline pressure
  • Mads Skjern (Security Officer): Coordinates evidence handling, notifications, and risk communication
SECRETS
  • USB media used for low-connectivity field workflows bypassed normal control checks
  • High-sensitivity logistics files were accessed outside approved windows
  • Similar telemetry appears across partner organizations in the same aid network

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Litter Drifter International Aid Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Litter Drifter International Aid Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “USB drives trigger unknown process launches on field and coordination laptops”
  • “Distribution manifests and beneficiary records open outside authorized workflows”
  • “Outbound traffic from logistics systems reaches unfamiliar external infrastructure”
  • “Partner organizations report matching telemetry in related relief operations”

Key Discovery Paths:

Detective Investigation Leads:

  • Forensics tie initial execution to removable-media workflows used in low-connectivity environments
  • Access timelines show persistent collection of logistics and beneficiary-support artifacts
  • Activity profile suggests surveillance-oriented collection rather than disruptive encryption behavior

Protector System Analysis:

  • Endpoint controls are inconsistent between headquarters and field-operation systems
  • Containment options require balancing evidence preservation and convoy schedule continuity
  • Recovery plans differ significantly depending on field connectivity and staff travel schedules

Tracker Network Investigation:

  • Beacon intervals and destination rotation indicate deliberate low-visibility exfiltration behavior
  • Infrastructure overlap with prior humanitarian-sector targeting appears in threat-intel feeds
  • Cross-partner timing suggests coordinated campaign tasking across aid networks

Communicator Stakeholder Interviews:

  • Program leadership needs immediate recommendations on convoy confidence and data handling
  • Field teams need practical containment steps that work under limited connectivity constraints
  • External affairs teams need aligned language for partners, donors, and authorities

Mid-Scenario Pressure Points:

  • Hour 1: Leadership requests a go/no-go decision for the upcoming convoy handoff
  • Hour 2: Partner organizations request assurance that shared routing data remains trustworthy
  • Hour 3: Security review finds suspicious access in files tied to field distribution points
  • Hour 4: Executive team requires immediate reporting posture for regulators and cyber authorities

Evolution Triggers:

  • If containment is delayed, additional planning cells show similar unauthorized-access behavior
  • If isolation is partial, telemetry shows renewed beaconing after endpoint restart cycles
  • If convoy planning proceeds without confidence checks, partner trust and field safety posture degrade

Resolution Pathways:

Technical Success Indicators:

  • Removable-media execution paths are controlled across headquarters and field systems
  • Evidence timeline supports legal reporting and partner risk communication
  • Clean baselines are re-established for convoy planning and beneficiary-support datasets

Business Success Indicators:

  • Leadership receives defensible recommendations on convoy timing and integrity confidence
  • External partner communications remain consistent, timely, and technically grounded
  • Incident posture aligns with regulatory obligations and humanitarian mission constraints

Learning Success Indicators:

  • Team recognizes how espionage-style incidents differ from disruption-focused malware events
  • Participants practice making mission-critical decisions under uncertainty and ethical pressure
  • Group coordinates technical, operational, and stakeholder streams without breaking evidence quality

Common IM Facilitation Challenges:

If Convoy Urgency Overrides Evidence Discipline:

“You can keep the schedule, but what concrete evidence supports confidence in routing and beneficiary data integrity?”

If Escalation Is Delayed:

“Leadership needs a recommendation now: isolate deeper and absorb delay, or proceed with documented residual risk?”

If Reporting Is Deferred:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Detecting surveillance behavior in aid logistics workflows
Key Actions: Identify removable-media access path, isolate high-risk systems, issue first mission-confidence recommendation

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinating containment with humanitarian obligations and reporting duties
Key Actions: Build evidence timeline, assess convoy-data integrity, align external communication with agencies and partners

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end humanitarian incident response under operational urgency
Key Actions: Run containment and reporting in parallel, make convoy integrity decision, define long-term control roadmap

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Cross-partner signal ambiguity, beneficiary-risk communication, constrained evidence windows
Additional Challenges: Conflicting partner indicators, donor pressure, field-connectivity constraints

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Immediate Mission-Segment Isolation
    • Action: Isolate affected systems and block removable-media execution pending triage.
    • Pros: Fast containment boundary and clearer technical scope.
    • Cons: Immediate disruption to active convoy planning workflows.
    • Type Effectiveness: Super effective against low-noise surveillance activity.
  • Option B: Evidence-First Containment
    • Action: Preserve volatile artifacts on critical systems while isolating confirmed compromised segments.
    • Pros: Stronger legal and attribution posture for external reporting.
    • Cons: Requires high execution discipline and tight coordination.
    • Type Effectiveness: Moderately effective when telemetry quality and process rigor are strong.
  • Option C: Continuity-Weighted Monitoring
    • Action: Keep critical mission lanes active with compensating controls and focused monitoring.
    • Pros: Maintains short-term humanitarian delivery momentum.
    • Cons: Leaves residual exposure if compromise scope is broader than expected.
    • Type Effectiveness: Partially effective and risk-heavy under uncertainty.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Detection and Scope Framing (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Endpoint telemetry flags USB-triggered execution events in aid-planning workstations.
  • Clue 2 (Minute 10): Access logs show irregular reads of high-priority logistics artifacts.
  • Clue 4 (Minute 20): Partner signal sharing reveals comparable indicators in adjacent aid organizations.

Round 2: Reporting and Convoy Confidence Decision (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Integrity review identifies suspicious metadata changes in routing and inventory datasets.
  • Clue 7 (Minute 50): Leadership requests a written confidence statement for convoy execution.
  • Clue 8 (Minute 55): Partners ask whether shared planning artifacts should be treated as exposed.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What evidence threshold is sufficient to certify convoy integrity under deadline pressure?”
  • “Which decision must be made now, and which can safely wait for one more data point?”
  • “How do you communicate uncertainty without undermining partner confidence?”

Debrief Focus:

  • Balancing humanitarian urgency with evidence quality in incident decisions
  • Preserving cross-partner trust while disclosing partial findings
  • Running containment and communication streams in parallel under mission pressure

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 focuses on strategic recovery, partner trust, and resilient field controls.

Round 1: Executive Briefing and Initial Scope (35-40 min)

Players investigate openly using role capabilities. Key findings include removable-media execution, logistics-file anomalies, and partner telemetry overlap.

If team stalls: “You can protect schedule or increase confidence, but not both fully without tradeoffs. What evidence justifies your next step?”

Round 2: Agency Coordination and Mission Decision (35-40 min)

  • Technical teams complete artifact collection and propose containment paths with explicit risk levels.
  • Leadership requests a clear recommendation on convoy timing and confidence boundaries.

Facilitation questions:

  • “What controls are required before you can proceed with bounded and explicit residual risk?”
  • “How do you document rationale so the decision remains defensible after-action?”

Round 3: Strategic Recovery and Field-Control Redesign (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership asks for a durable 90-day plan covering removable-media policy, partner signal sharing, and low-connectivity field safeguards.

Pressure events:

  • Donor and partner organizations require evidence of meaningful control improvements
  • Internal review asks for accountable owners and measurable deadlines on every mitigation
  • Field teams request practical controls that do not block urgent aid delivery

Victory conditions for full 3-round arc:

  • Verified clean baseline for logistics and beneficiary-support systems
  • Defensible reporting package aligned to legal duties and partner expectations
  • Durable control improvements suitable for both headquarters and field realities

Debrief Questions

  1. “Which early signal most clearly separated surveillance behavior from normal operational noise?”
  2. “How did mission urgency change decision quality across technical and leadership teams?”
  3. “What evidence was essential for partner trust, and what was secondary?”
  4. “How can humanitarian networks share indicators faster without exposing sensitive beneficiary workflows?”

Debrief Focus

  • Surveillance-centric incidents demand different response sequencing than disruption-centric events
  • Humanitarian operations need controls designed for low-connectivity, partner-heavy environments
  • Executive confidence depends on timing discipline, transparent uncertainty, and evidence-backed tradeoffs

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. Legitimate offline data-transfer workflows produce benign signals similar to malicious USB activity.
  2. A routine partner data sync overlaps with suspicious timeline artifacts.
  3. An unrelated account-hygiene issue appears connected but is technically separate.

Removed Resources and Constraints

  • No prebuilt playbook for removable-media espionage in cross-partner humanitarian operations
  • Limited historical telemetry retention on selected field devices
  • Delayed partner responses during the first critical decision window

Enhanced Pressure

  • Leadership requests same-day convoy assurance despite incomplete forensic scope
  • Partner organizations ask for immediate indicator sharing before legal review finalization
  • Program teams request containment exceptions to avoid delivery delays

Ethical Dilemmas

  1. Preserve deeper evidence and accept short-term mission risk, or isolate quickly and lose attribution depth.
  2. Delay convoy for stronger confidence, or proceed with explicit residual risk to meet humanitarian timelines.
  3. Share broad indicators to help partners rapidly, or limit detail to protect sensitive operating patterns.

Advanced Debrief Topics

  • Building doctrine for low-noise intelligence collection against humanitarian networks
  • Structuring governance when technical confidence is uneven across teams
  • Improving cross-organization readiness while protecting beneficiary and operational confidentiality