LitterDrifter Scenario: Media Network Source Protection

LitterDrifter Scenario: Media Network Source Protection

Nordisk Mediegruppe: Danish media network, 300 employees, war correspondents in Ukraine

APT • LitterDrifter

STAKES

Press freedom + Source protection + Editorial integrity + Journalist safety

HOOK

Security teams at Nordisk Mediegruppe are seeing newsroom laptops execute unknown processes when USB drives are inserted, source files open without user action, and outbound sessions to unfamiliar infrastructure from editorial systems. Multiple teams covering Ukraine report the same pattern, indicating targeted surveillance of journalist workflows and source-handling operations.

PRESSURE

• Major publication deadline: Thursday
• Surveillance risk threatens source trust and reporting safety
• Program exposure: 85 million DKK newsroom program budget
• Operational scope: Danish media network, 300 employees, war correspondents in Ukraine

FRONT • 150 minutes • Expert

Nordisk Mediegruppe: Danish media network, 300 employees, war correspondents in Ukraine

APT • LitterDrifter

NPCs

• Peter Skjern (Editor-in-Chief): Owns publication decisions and accountability
• Katrine Fonsmark (Foreign Desk Chief): Coordinates high-risk reporting workflows
• Kasper Juul (IT Director): Leads containment and evidence-preserving remediation
• Sarah Lund (Investigative Reporter): Represents source protection and field-reporting risk

SECRETS

• USB-based newsroom workflows created exploitable trust paths in editorial operations
• Source-handling artifacts were accessed outside approved review windows
• Similar telemetry appears across media organizations covering the same conflict

LitterDrifter Scenario: Media Network Source Protection

Commonwealth Broadcasting Network: UK media network, 500 employees, international correspondents in conflict zones

APT • LitterDrifter

STAKES

Press freedom + Source protection + Editorial integrity + Journalist safety

HOOK

Security teams at Commonwealth Broadcasting Network are seeing newsroom laptops execute unknown processes when USB drives are inserted, source files open without user action, and outbound sessions to unfamiliar infrastructure from editorial systems. Multiple teams covering Ukraine report the same pattern, indicating targeted surveillance of journalist workflows and source-handling operations.

PRESSURE

• Major publication deadline: Thursday
• Surveillance risk threatens source trust and reporting safety
• Program exposure: GBP 14 million newsroom program budget
• Operational scope: UK media network, 500 employees, international correspondents in conflict zones

FRONT • 150 minutes • Expert

Commonwealth Broadcasting Network: UK media network, 500 employees, international correspondents in conflict zones

APT • LitterDrifter

NPCs

• James Crawford (Editor-in-Chief): Owns publication decisions and accountability
• Amira Hassan (Foreign Desk Chief): Coordinates high-risk reporting workflows
• Oliver Thompson (IT Director): Leads containment and evidence-preserving remediation
• Charlotte Webb (Investigative Reporter): Represents source protection and field-reporting risk

SECRETS

• USB-based newsroom workflows created exploitable trust paths in editorial operations
• Source-handling artifacts were accessed outside approved review windows
• Similar telemetry appears across media organizations covering the same conflict

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Litter Drifter Media Network Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Litter Drifter Media Network Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It is Monday morning at Nordisk Mediegruppe. Editors preparing a major conflict-zone package report USB devices triggering unexpected executables, source files opening outside normal workflows, and endpoint logs showing recurring outbound sessions to unfamiliar hosts. Similar signals appear in several reporting teams, and leadership must decide how to contain the incident without exposing confidential sources or missing publication commitments.”

“(Regional context: Denmark media-sector response.)”

“It is Monday morning at Commonwealth Broadcasting Network. Editors preparing a major conflict-zone package report USB devices triggering unexpected executables, source files opening outside normal workflows, and endpoint logs showing recurring outbound sessions to unfamiliar hosts. Similar signals appear in several reporting teams, and leadership must decide how to contain the incident without exposing confidential sources or missing publication commitments.”

“(Regional context: United Kingdom media-sector response.)”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “USB drives trigger unknown process launches on newsroom endpoints”
• “Source files and reporting drafts open outside authorized editorial sessions”
• “Editorial systems show recurring outbound traffic to unfamiliar infrastructure”
• “Partner media teams report matching telemetry across conflict-reporting operations”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Forensics tie initial execution to removable-media workflows used in editorial exchanges
• Access timelines show persistent collection behavior around source and draft-management artifacts
• Activity profile indicates surveillance-style collection rather than destructive disruption

Protector System Analysis:

Note🛡️ Protector System Analysis

• Endpoint hardening differs across desks handling high-risk reporting
• Containment plans must balance source safety, evidence quality, and publication continuity
• Recovery constraints differ between newsroom and field-facing systems

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Beaconing intervals and destination rotation suggest low-visibility exfiltration behavior
• Infrastructure overlap appears with prior surveillance targeting media organizations
• Cross-outlet telemetry timing indicates coordinated campaign tasking

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Editorial leadership needs rapid guidance on publication confidence and source risk
• Reporters need practical source-protection actions while systems are under investigation
• External affairs teams need aligned language for authorities, partners, and the public

Mid-Scenario Pressure Points:

• Hour 1: Leadership requests a go/no-go decision for the upcoming publication window
• Hour 2: Partner outlets request assurance that shared materials remain trustworthy
• Hour 3: Security review finds suspicious reads in source-correlation files
• Hour 4: Executive team requires immediate reporting posture for oversight and cyber channels

Evolution Triggers:

• If containment is delayed, additional editorial desks show matching unauthorized-access behavior
• If isolation is partial, systems resume beaconing after restart cycles
• If publication proceeds without confidence checks, source trust and partnership confidence decline quickly

Resolution Pathways:

Technical Success Indicators:

• Removable-media execution pathways are controlled across editorial systems
• Evidence timeline supports legal duties and source-protection decisions
• Clean baselines are restored for source-handling and draft-management repositories

Business Success Indicators:

• Leadership receives defensible recommendations on publication timing and risk boundaries
• External communication is consistent, timely, and evidence-based
• Incident posture aligns with legal obligations and editorial mission priorities

Learning Success Indicators:

• Team differentiates surveillance-style compromise from disruption-centric malware response
• Participants practice high-stakes decisions under deadline and trust pressure
• Group coordinates technical, editorial, and stakeholder streams while preserving evidence integrity

Common IM Facilitation Challenges:

If Publication Pressure Overrides Source Risk:

“You can keep the publication date, but what evidence supports confidence that source-protection controls still hold?”

If Escalation Is Delayed:

“Leadership needs a decision now: deepen containment and absorb delay, or publish with explicit residual risk?”

If Reporting Is Deferred:

“Datatilsynet requests incident status and asks whether source-related personal data was exposed, with formal GDPR notification expected within 72 hours if compromise is confirmed.”

“The ICO requests incident status and asks whether source-related personal data was exposed, with formal UK GDPR notification expected within 72 hours if compromise is confirmed.”

Success Metrics for Session:

• Team identifies removable-media execution paths and high-risk editorial dependencies
• Containment plan balances source protection, evidence quality, and publication continuity
• Executive decision points are explicit, timed, and technically justified
• Authority and partner communication remains coherent and defensible
• Players define long-term controls that preserve reporting velocity without sacrificing source safety

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Detecting surveillance behavior in newsroom source-handling workflows
Key Actions: Identify removable-media access path, isolate high-risk systems, issue first publication-confidence recommendation

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinating containment with source-protection and reporting duties
Key Actions: Build evidence timeline, assess editorial-data integrity, align communications with authorities and partners

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end newsroom incident response under publication pressure
Key Actions: Run containment and reporting in parallel, decide publication posture, define durable control roadmap

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Cross-newsroom signal ambiguity, source-risk communication, constrained evidence windows
Additional Challenges: Conflicting partner indicators, legal pressure, high-urgency editorial deadlines

🌍 Localizing to Other EU Countries

This Danish variation can be adapted to other EU countries during facilitation. All EU countries share GDPR (72-hour breach notification) but media oversight and cyber institutions differ by country.

When running this scenario for another EU country, substitute these elements:

Country	Data Protection Authority	Cyber Agency / CERT	Media Regulator	Operational Note
France	CNIL	ANSSI / CERT-FR	ARCOM	Centralized regulatory posture
Germany	BfDI	BSI / CERT-Bund	State media authorities (Landesmedienanstalten)	Federal-state split in oversight
Ireland	DPC	NCSC-IE	Coimisiun na Mean	High concentration of global media platforms
Italy	Garante Privacy	ACN	AGCOM	Broadcast and digital regulation crossover
Netherlands	Autoriteit Persoonsgegevens	NCSC-NL	CvdM	Strong public-private media ecosystem
Spain	AEPD	INCIBE	CNMC	Regional media operations complexity

Notes:

• Source protection context: Technical findings may trigger legal and ethical obligations beyond standard breach response.
• Regulatory context: Data-protection and media-governance channels often run in parallel.
• Facilitation tip: Keep technical indicators stable while adapting institutional wrappers.

Organization names and NPC names are left to the IM's discretion.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at Nordisk Mediegruppe detects repeated process execution from USB paths on editorial systems.
• Clue 2 (Minute 10): Access review shows source-linked files and drafts opened from unexpected hosts.
• Clue 3 (Minute 15): Foreign Desk Chief Katrine Fonsmark confirms unauthorized reads of source-correlation notes and unpublished reporting drafts tied to current conflict coverage.

• Clue 1 (Minute 5): Security operations at Commonwealth Broadcasting Network detects repeated process execution from USB paths on editorial systems.
• Clue 2 (Minute 10): Access review shows source-linked files and drafts opened from unexpected hosts.
• Clue 3 (Minute 15): Foreign Desk Chief Amira Hassan confirms unauthorized reads of source-correlation notes and unpublished reporting drafts tied to current conflict coverage.

Pre-Defined Response Options

• Option A: Immediate Editorial-Segment Isolation
  • Action: Isolate affected systems and block removable-media execution pending triage.
  • Pros: Fast containment with clear scope boundaries.
  • Cons: Immediate publication disruption and workflow friction.
  • Type Effectiveness: Super effective against low-noise surveillance activity.
• Option B: Evidence-First Containment
  • Action: Preserve volatile artifacts on critical systems while isolating confirmed compromised segments.
  • Pros: Stronger reporting and attribution posture.
  • Cons: Requires disciplined execution and tight cross-team timing.
  • Type Effectiveness: Moderately effective when telemetry quality is strong.
• Option C: Continuity-Weighted Monitoring
  • Action: Keep key editorial lanes active with compensating controls and focused monitoring.
  • Pros: Preserves short-term publication momentum.
  • Cons: Leaves residual exposure risk if compromise scope expands.
  • Type Effectiveness: Partially effective and risk-heavy under uncertainty.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Detection and Scope Framing (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Endpoint telemetry flags USB-triggered execution events in high-sensitivity newsroom workflows.
• Clue 2 (Minute 10): Access logs show irregular reads of source-correlation and draft repositories.

• Clue 3 (Minute 15): Foreign Desk Chief Katrine Fonsmark confirms unauthorized reads of source-correlation notes and unpublished reporting drafts tied to current conflict coverage.

• Clue 3 (Minute 15): Foreign Desk Chief Amira Hassan confirms unauthorized reads of source-correlation notes and unpublished reporting drafts tied to current conflict coverage.

• Clue 4 (Minute 20): Partner outlets report similar indicators in conflict-reporting environments.

Round 2: Reporting and Publication Confidence Decision (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): Integrity review identifies suspicious metadata changes in source-linked materials.

• Clue 6 (Minute 40): Datatilsynet requests incident status and asks whether source-related personal data was exposed, with formal GDPR notification expected within 72 hours if compromise is confirmed.

• Clue 6 (Minute 40): The ICO requests incident status and asks whether source-related personal data was exposed, with formal UK GDPR notification expected within 72 hours if compromise is confirmed.

• Clue 7 (Minute 50): Leadership requests a written confidence position for publication timing.
• Clue 8 (Minute 55): Partners ask whether shared materials should be handled as potentially exposed.

Round Transition Narrative

After Round 1 -> Round 2:

“CFCS shares matching USB-driven indicators from another Danish newsroom covering Ukraine.”

“NCSC and NCA share matching USB-driven indicators from another UK broadcaster covering Ukraine.”

Facilitation questions:

• “What evidence threshold is sufficient for a defensible publication decision?”
• “Which decision must happen now, and which can wait for more data?”
• “How do you communicate uncertainty without breaking source and partner trust?”

Debrief Focus:

• Balancing editorial urgency with source-risk and evidence-quality constraints
• Maintaining source and partner trust while disclosing partial findings
• Running containment and communication streams in parallel under deadline pressure

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 focuses on strategic recovery, source trust, and durable newsroom controls.

Round 1: Executive Briefing and Initial Scope (35-40 min)

Editor-in-Chief Peter Skjern opens an emergency meeting and states that publication decisions now depend on source-integrity confidence. Foreign Desk Chief Katrine Fonsmark reports anomalies in materials tied to active Ukraine coverage. IT Director Kasper Juul confirms removable-media execution behavior on editorial systems. Investigative Reporter Sarah Lund warns that source confidentiality is at risk and requests immediate containment with evidence preservation.

Editor-in-Chief James Crawford opens an emergency meeting and states that publication decisions now depend on source-integrity confidence. Foreign Desk Chief Amira Hassan reports anomalies in materials tied to active Ukraine coverage. IT Director Oliver Thompson confirms removable-media execution behavior on editorial systems. Investigative Reporter Charlotte Webb warns that source confidentiality is at risk and requests immediate containment with evidence preservation.

Players investigate openly using role capabilities. Key findings include removable-media execution, source-file anomalies, and partner telemetry overlap.

If team stalls: “You can preserve schedule or increase confidence, but not both fully. What evidence supports your next decision?”

Round 2: Authority Coordination and Publication Decision (35-40 min)

• Technical teams complete artifact collection and present containment paths with explicit risk boundaries.
• Editorial leadership requests a clear recommendation on publication timing and source-risk posture.

• Coordination now spans GDPR, Datatilsynet, and CFCS channels.
• Mission continuity assessment focuses on conflict-zone reporting and source verification operations.

• Coordination now spans UK GDPR and Ofcom Broadcasting Code, ICO, and NCSC and NCA channels.
• Mission continuity assessment focuses on conflict-zone reporting and source verification operations.

Facilitation questions:

• “What controls are required before publishing with bounded and explicit residual risk?”
• “How do you document rationale so the decision remains defensible after-action?”

Round 3: Strategic Recovery and Source-Protection Redesign (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day source-protection and editorial-security roadmap.

Pressure events:

• Partner outlets request proof of meaningful control improvements before restoring full collaboration
• Internal review asks for accountable owners and measurable delivery milestones
• Reporting teams request practical controls that do not block urgent editorial work

Victory conditions for full 3-round arc:

• Verified clean baseline for source-handling and editorial systems
• Defensible reporting package aligned with legal and operational obligations
• Durable control improvements that protect source trust without breaking newsroom tempo

Debrief Questions

1. “Which early indicator most clearly signaled sustained surveillance rather than routine newsroom noise?”
2. “How did publication pressure shape risk tolerance across teams?”
3. “What evidence was essential for source trust, and what was secondary?”
4. “How can media organizations share indicators quickly without exposing sensitive source workflows?”

Debrief Focus

• Surveillance-centric incidents require different sequencing than disruption-centric attacks
• Source trust is a core operational dependency and must be treated as a technical and ethical control target
• Executive confidence depends on transparent uncertainty framing and evidence-backed tradeoffs

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

1. Legitimate offline source-ingest workflows generate benign signals similar to malicious USB activity.
2. A routine inter-desk exchange overlaps with suspicious timeline artifacts.
3. An unrelated account-hygiene issue appears connected but is technically separate.

Removed Resources and Constraints

• No prebuilt playbook for removable-media espionage in source-sensitive reporting environments
• Limited historical telemetry retention on selected field-reporting devices
• Delayed partner responses during the first executive decision window

Enhanced Pressure

• Leadership requests same-day publication assurance despite incomplete forensic scope
• Partner outlets request immediate indicator sharing before legal review completion
• Editorial teams request containment exceptions to protect publication cadence

Ethical Dilemmas

1. Preserve richer evidence and accept short-term publication risk, or isolate faster and lose attribution depth.
2. Delay publication for stronger confidence, or publish with explicit residual risk to preserve editorial mission.
3. Share broad indicators for rapid sector defense, or limit disclosure to protect source-linked operating patterns.

Advanced Debrief Topics

• Building newsroom doctrine for low-noise intelligence collection campaigns
• Structuring governance when confidence levels differ across technical and editorial teams
• Improving cross-outlet readiness while protecting source confidentiality