Noodle RAT Scenario: Aerospace Engineering Espionage

Vanguard Aerospace: Aerospace engineering company with 3,000 employees supporting defense and commercial aviation
APT Espionage • NoodleRAT
STAKES
Defense technology protection + Program delivery integrity + Export-control compliance + Strategic advantage
HOOK
Engineering teams at Vanguard Aerospace report design workstations slowing unpredictably, credential prompts appearing during routine CAD sessions, and encrypted outbound sessions from classified design environments. Security scans show no malicious files on disk, but memory telemetry indicates unauthorized process injection tied to sensitive aerospace projects.
PRESSURE
  • Program delivery target: Friday 4:00 PM
  • Contract exposure: $420 million
  • Engineering scope at risk: next-generation avionics and mission-control software
FRONT • 150 minutes • Expert
NPCs
  • Colonel (ret.) James Archer (CEO): Owns executive decisions on program continuity and stakeholder confidence
  • Dr. Helen Park (CTO): Leads technical containment and recovery planning
  • Dr. Amanda Rodriguez (VP Engineering): Represents design-team delivery risk and engineering impact
  • Marcus Chen (CISO): Coordinates evidence preservation and authority engagement
SECRETS
  • Security monitoring focused on disk-based indicators and underweighted memory telemetry
  • Privileged engineering accounts had broader access than current program segmentation required
  • Attackers prioritized design-repository visibility before broad operational disruption

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Noodle RAT Aerospace Engineering Planning Document

Planning documents provide a 30-minute structured preparation path for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Noodle RAT Aerospace Engineering Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “Engineering systems show unexplained slowdown and intermittent access conflicts”
  • “Security scans find no malicious files despite continued suspicious activity”
  • “Restricted design repositories generate abnormal authentication and access events”
  • “Outbound encrypted sessions appear from engineering enclaves at unusual intervals”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction shows covert access behavior preceding visible disruption
  • Access traces indicate focused interest in avionics and integration design artifacts
  • Evidence suggests attacker persistence optimized for low-noise surveillance

Protector System Analysis:

  • Engineering endpoints show memory anomalies inconsistent with normal toolchains
  • Segmentation controls slowed but did not prevent cross-workspace reconnaissance
  • Recovery confidence depends on preserving volatile evidence before reset actions

Tracker Network Investigation:

  • Network forensics show periodic encrypted beacons from engineering systems
  • Traffic patterns indicate staged exfiltration from high-value design repositories
  • Infrastructure overlap suggests organized espionage tradecraft rather than opportunistic crime

Communicator Stakeholder Interviews:

  • Program teams need clear guidance on what work can continue safely
  • Contract stakeholders request immediate confidence statements on deliverable integrity
  • Security leadership needs alignment on disclosure thresholds and authority coordination

Mid-Scenario Pressure Points:

  • Hour 1: Program management cannot confirm integrity of current design baselines
  • Hour 2: Leadership receives indications that sensitive engineering artifacts were accessed
  • Hour 3: Government and customer stakeholders request formal incident posture updates
  • Hour 4: Delivery confidence declines as unresolved access scope expands

Evolution Triggers:

  • If containment is delayed, covert access persists and collection scope grows
  • If systems are reset too quickly, critical volatile evidence may be lost
  • If communication is delayed, confidence in program governance deteriorates

Resolution Pathways:

Technical Success Indicators:

  • Verified removal of covert access paths and restoration of trusted engineering baselines
  • Evidence package preserved for authority and investigative coordination
  • Monitoring strategy upgraded to detect low-noise persistence behaviors

Business Success Indicators:

  • Program leadership issues defensible delivery decisions with documented rationale
  • Stakeholder communication remains timely, accurate, and scoped to evidence confidence
  • Contract risk is managed through clear governance and milestone reprioritization

Learning Success Indicators:

  • Team recognizes covert-surveillance patterns that evade simple disk-based detection
  • Participants practice balancing evidence preservation with operational urgency
  • Group coordinates engineering, security, and leadership decisions under strategic pressure

Common IM Facilitation Challenges:

If Teams Rush to Reimage Systems:

“Which volatile artifacts are critical before reset actions, and who owns that decision?”

If Program Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting delivery confidence to defense stakeholders?”

If Regulatory Coordination Is Delayed:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Core covert-access detection and immediate containment decisions
Key Actions: Scope exposure, preserve evidence, issue first delivery-confidence posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, program governance, and disclosure sequencing
Key Actions: Build timeline confidence, protect high-value repositories, align stakeholder messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end aerospace espionage response under strategic delivery pressure
Key Actions: Coordinate leadership and engineering, decide milestone posture, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Counterintelligence tension, delivery-governance conflict, and evidence-quality disputes
Additional Challenges: Ambiguous scope, contractual penalties, and escalating stakeholder scrutiny

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Evidence-Preserved Containment

    • Action: Isolate high-risk systems, preserve volatile evidence, and execute staged recovery with authority coordination.
    • Pros: Improves attribution confidence and long-term defensibility.
    • Cons: Slower short-term recovery and immediate delivery pressure.
    • Type Effectiveness: Super effective for sustained strategic resilience.
  • Option B: Delivery-First Continuity

    • Action: Maintain broad operations while applying targeted controls to reduce disruption.
    • Pros: Supports near-term milestone continuity.
    • Cons: Higher risk of ongoing covert collection and uncertain exposure scope.
    • Type Effectiveness: Partially effective with elevated strategic risk.
  • Option C: Phased Confidence Restoration

    • Action: Prioritize critical design domains, restore in waves, and sequence disclosure as confidence improves.
    • Pros: Balances operational urgency with evidence discipline.
    • Cons: Extended ambiguity can strain stakeholder trust.
    • Type Effectiveness: Moderately effective when governance remains disciplined.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Covert Access Discovery (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Engineering systems show persistent covert behavior without file-based indicators.
  • Clue 2 (Minute 10): Forensics indicate sustained unauthorized visibility into protected design workflows.
  • Clue 4 (Minute 20): Leadership requests immediate containment recommendation with delivery impact estimate.

Round 2: Reporting and Delivery Confidence (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Stakeholders request formal confidence statements on program integrity.
  • Clue 7 (Minute 50): Program teams request a clear go/no-go decision for near-term milestones.
  • Clue 8 (Minute 55): Legal and security functions require documented rationale for disclosure choices.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What minimum evidence supports a credible delivery-confidence statement?”
  • “Which decisions cannot wait for perfect forensic certainty?”
  • “How do you communicate residual uncertainty without eroding trust?”

Debrief Focus:

  • Integrating covert-threat forensics with aerospace governance decisions
  • Balancing milestone pressure with evidence quality and regulatory obligations
  • Preserving confidence when exposure scope evolves over time

Full Game Materials (120-140 min, 3 rounds)

Note: How Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and aerospace governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include covert repository access, uncertain scope, and rising delivery pressure.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to engineering leaders and authorities by end of day?”

Round 2: Regulatory Coordination and Milestone Decisions (35-40 min)

  • Technical teams complete artifact collection and present containment/recovery options.
  • Leadership requests a clear recommendation for milestone posture and disclosure timing.

Facilitation questions:

  • “What controls must be in place before asserting engineering-baseline trust?”
  • “How will you document rationale for decisions likely to face later review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with owner-assigned milestones and measurable outcomes.

Pressure events:

  • Program stakeholders request evidence of lasting control improvements
  • Governance bodies request objective metrics tied to reduced surveillance risk
  • Engineering leadership requests controls that preserve delivery capability

Victory conditions for full 3-round arc:

  • Verified clean baseline for critical engineering and collaboration systems
  • Defensible reporting package for regulators and program stakeholders
  • Durable aerospace security controls aligned to operational constraints

Debrief Questions

  1. “Which early indicator most clearly signaled strategic surveillance rather than isolated technical noise?”
  2. “How did milestone pressure alter risk tolerance across teams?”
  3. “What evidence was essential for credibility with authorities and customers?”
  4. “How can aerospace organizations raise readiness without undermining delivery performance?”

Debrief Focus

  • Aerospace espionage incidents combine strategic exposure with high-stakes program pressure
  • Defensible response requires synchronized engineering, security, and governance decisions
  • Long-term resilience depends on evidence discipline, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A legitimate simulation-tool update overlaps with incident timing and distorts initial triage.
  2. A separate vendor outage appears related but is operationally independent.
  3. Internal rumor about intentional data leakage diverts attention from forensic evidence.

Removed Resources and Constraints

  • No dedicated playbook for covert engineering-environment surveillance response
  • Volatile evidence collection procedures are incomplete across teams
  • Immediate external specialist support is delayed by contractual lead time

Enhanced Pressure

  • Program leadership demands same-day confidence statements on milestone viability
  • Customers request detailed updates before full forensic scope is confirmed
  • Executive governance requires written rationale for every high-impact decision

Ethical Dilemmas

  1. Pause delivery for stronger evidence confidence, or continue with higher residual risk.
  2. Disclose broad uncertainty early, or wait for cleaner scope at trust risk.
  3. Preserve full forensic integrity, or accelerate operational restoration with attribution loss.

Advanced Debrief Topics

  • Building aerospace doctrine for covert surveillance incidents
  • Structuring governance when delivery urgency and technical certainty diverge
  • Sustaining long-term security investment in high-pressure engineering environments