Noodle RAT Scenario: Biotech Research Surveillance

Noodle RAT Scenario: Biotech Research Surveillance

GenVista Therapeutics: Biotech company with 400 employees running Phase III clinical trials

APT Espionage • NoodleRAT

STAKES

Clinical data integrity + Regulatory confidence + Research IP protection + Patient-impact timelines

HOOK

Research teams at GenVista Therapeutics report analysis workstations slowing unexpectedly, unauthorized session prompts during trial review, and encrypted outbound traffic from restricted clinical-data environments. Security scans find no malicious files on disk, but memory telemetry indicates covert process manipulation tied to high-value research workflows.

PRESSURE

• Submission milestone: Thursday 3:30 PM
• Enterprise valuation exposure: $2 billion
• Research scope at risk: Phase III oncology and immunotherapy trial data

FRONT • 180 minutes • Expert

GenVista Therapeutics: Biotech company with 400 employees running Phase III clinical trials

APT Espionage • NoodleRAT

NPCs

• Dr. Sarah Mitchell (CEO): Owns strategic response, program continuity, and external confidence
• Kevin Park (CTO): Leads technical containment and system-recovery planning
• Dr. Andrea Chen (Chief Science Officer): Represents trial-integrity and research-delivery impact
• David Torres (CISO): Coordinates evidence handling and authority engagement

SECRETS

• Monitoring controls emphasized disk indicators and underweighted volatile-memory telemetry
• Privileged research roles had broad repository access beyond least-privilege baselines
• Covert access prioritized high-value trial and modeling workflows before disruption became visible

Noodle RAT Scenario: Biotech Research Surveillance

Helvetia BioSciences AG: Swiss biotech company with 350 employees in the Basel clinical research cluster

APT Espionage • NoodleRAT

STAKES

Clinical data integrity + Regulatory confidence + Research IP protection + Patient-impact timelines

HOOK

Research teams at Helvetia BioSciences AG report analysis workstations slowing unexpectedly, unauthorized session prompts during trial review, and encrypted outbound traffic from restricted clinical-data environments. Security scans find no malicious files on disk, but memory telemetry indicates covert process manipulation tied to high-value research workflows.

PRESSURE

• Submission milestone: Thursday 15:30
• Enterprise valuation exposure: CHF 1.8 billion
• Research scope at risk: late-stage clinical and translational research datasets

FRONT • 180 minutes • Expert

Helvetia BioSciences AG: Swiss biotech company with 350 employees in the Basel clinical research cluster

APT Espionage • NoodleRAT

NPCs

• Dr. Stefan Brunner (CEO): Owns strategic response, program continuity, and external confidence
• Thomas Wyss (CTO): Leads technical containment and system-recovery planning
• Dr. Ursula Meier (Chief Science Officer): Represents trial-integrity and research-delivery impact
• Martin Keller (CISO): Coordinates evidence handling and authority engagement

SECRETS

• Monitoring controls emphasized disk indicators and underweighted volatile-memory telemetry
• Privileged research roles had broad repository access beyond least-privilege baselines
• Covert access prioritized high-value trial and modeling workflows before disruption became visible

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Noodle RAT Biotech Research Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Noodle RAT Biotech Research Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Note👥 Large Group Format (12-15+ Players)

Team-specific evidence cards for Multi-Team Coordination format. Three parallel teams (Alpha/Forensics, Bravo/Network, Charlie/Business Impact) receive separate tiered artifacts across five investigation rounds.

Large Group Artifacts – Organizational Context

Includes 21 tiered evidence cards, IM distribution guide, and cross-team coordination notes. For experienced IMs only – see Large Group Prep Worksheet before running this format.

Noodle RAT Scenario Facilitator Guide (this scenario)

Round-by-round facilitation notes, central dilemma, information asymmetry map, common failure modes, and debrief focus specific to Noodle RAT. Reference this during the session.

Large Group Format Guide (all scenarios)

IC management tactics, room setup, distribution system, and the facilitator’s cheat sheet concept. Applies to any Multi-Team Coordination session regardless of scenario.

Scenario Details for IMs

Hook

“It is Monday at 9:05 AM at GenVista Therapeutics. Scientists preparing final trial-quality reviews report intermittent tool lockups, unusual credential prompts, and unexplained remote-session indicators in regulated research systems. Security teams confirm suspicious outbound traffic while endpoint disk scans remain clean. Leadership must contain likely covert surveillance without compromising imminent regulatory milestones.”

“Initial anomalies were logged at 9:05 AM, with submission commitments due by Thursday 3:30 PM.”

“Operational scope: Biotech company with 400 employees running Phase III clinical trials focused on Phase III oncology and immunotherapy trial data.”

“(Regional context: US clinical-research response.)”

“It is Monday at 09:05 at Helvetia BioSciences AG. Scientists preparing final trial-quality reviews report intermittent tool lockups, unusual credential prompts, and unexplained remote-session indicators in regulated research systems. Security teams confirm suspicious outbound traffic while endpoint disk scans remain clean. Leadership must contain likely covert surveillance without compromising imminent Swissmedic milestones.”

“Initial anomalies were logged at 09:05, with submission commitments due by Thursday 15:30.”

“Operational scope: Swiss biotech company with 350 employees in the Basel clinical research cluster focused on late-stage clinical and translational research datasets.”

“(Regional context: Switzerland clinical-research response.)”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Clinical analysis tools show intermittent lockups and unexplained session prompts”
• “Security scans report clean disks despite persistent suspicious behavior”
• “Restricted trial repositories produce abnormal access and credential events”
• “Encrypted outbound sessions appear from regulated research environments”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Timeline reconstruction shows covert access behavior predating visible disruption
• Access traces indicate interest in efficacy data, modeling outputs, and submission artifacts
• Evidence suggests low-noise persistence optimized for prolonged surveillance

Protector System Analysis:

Note🛡️ Protector System Analysis

• Research endpoints show volatile-memory anomalies inconsistent with normal workflows
• Segmentation controls reduced but did not eliminate sensitive-data exposure pathways
• Recovery quality depends on preserving volatile evidence before broad reset actions

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Forensics identify periodic encrypted beaconing from high-value research systems
• Transfer patterns indicate staged exfiltration from trial and modeling repositories
• Infrastructure overlap suggests organized espionage tradecraft rather than commodity malware

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Research leadership needs immediate guidance on what work can continue safely
• Regulatory and partner stakeholders request confidence statements on data integrity
• Security teams need clear disclosure thresholds tied to evidence quality

Mid-Scenario Pressure Points:

• Hour 1: Program teams cannot confirm integrity of critical trial-analysis baselines
• Hour 2: Leadership receives indicators that high-value datasets were accessed
• Hour 3: Regulatory stakeholders request formal incident posture updates
• Hour 4: Submission confidence declines as unresolved exposure scope expands

Evolution Triggers:

• If containment is delayed, covert access persists and collection scope grows
• If systems are reset too quickly, key volatile evidence may be lost
• If communication is delayed, regulatory and partner confidence deteriorates

Resolution Pathways:

Technical Success Indicators:

• Verified removal of covert access paths and restoration of trusted research baselines
• Evidence package preserved for authority and investigative coordination
• Monitoring strategy upgraded to detect low-noise persistence behaviors

Business Success Indicators:

• Submission and disclosure decisions remain defensible with documented rationale
• Stakeholder communication stays timely, accurate, and confidence-scoped
• Program risk is managed through coordinated science, security, and governance decisions

Learning Success Indicators:

• Team recognizes covert surveillance patterns that evade simple disk-based controls
• Participants practice balancing evidence preservation with milestone urgency
• Group coordinates technical and scientific decision-making under strategic pressure

Common IM Facilitation Challenges:

If Teams Rush to Reimage:

“Which volatile artifacts are essential before reset actions, and who authorizes that tradeoff?”

If Milestone Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting submission integrity to regulators and partners?”

If Authority Coordination Is Delayed:

“Regulatory liaison teams request incident status and ask when investigators, partners, and oversight entities will be notified of possible trial-data exposure affecting submission confidence.”

“FDPIC and Swissmedic liaison teams request incident status and ask when investigators and partners will be notified of potential personal-data and research-data exposure under FADP obligations.”

Success Metrics for Session:

• Team identifies covert-access pathways affecting high-value trial workflows
• Containment and evidence handling remain defensible under submission pressure
• Stakeholder and authority communication is timely and evidence-based
• Scientific decision-making remains aligned to technical confidence levels
• Long-term biotech security improvements are clearly defined

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Covert-access detection and immediate integrity decisions
Key Actions: Scope exposure, preserve evidence, issue first submission-confidence posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, regulatory posture, and disclosure sequencing
Key Actions: Build timeline confidence, protect high-value datasets, align scientific and security messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end biotech espionage response under high-stakes submission pressure
Key Actions: Coordinate leadership and research teams, decide milestone posture, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Integrity disputes, disclosure conflict, and stakeholder-governance tension
Additional Challenges: Ambiguous scope, contractual exposure, and escalating confidence pressure

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at GenVista Therapeutics confirms covert behavior in research environments without disk-based malware indicators.
• Clue 2 (Minute 10): Investigators identify unauthorized reads from repositories supporting Phase III oncology and immunotherapy trial data.
• Clue 3 (Minute 15): Chief Science Officer Dr. Andrea Chen confirms unauthorized reads of interim efficacy summaries and dose-response modeling files tied to active submissions.

• Clue 1 (Minute 5): Security operations at Helvetia BioSciences AG confirms covert behavior in research environments without disk-based malware indicators.
• Clue 2 (Minute 10): Investigators identify unauthorized reads from repositories supporting late-stage clinical and translational research datasets.
• Clue 3 (Minute 15): Chief Science Officer Dr. Ursula Meier confirms unauthorized reads of interim efficacy summaries and dose-response modeling files tied to active submissions.

Pre-Defined Response Options

• Option A: Evidence-Preserved Containment

  • Action: Isolate high-risk systems, preserve volatile evidence, and execute staged recovery with authority coordination.
  • Pros: Improves attribution confidence and long-term defensibility.
  • Cons: Slower short-term recovery and immediate submission pressure.
  • Type Effectiveness: Super effective for durable strategic resilience.

• Option B: Submission-First Continuity

  • Action: Maintain broad operations while applying targeted controls to minimize disruption.
  • Pros: Supports near-term milestone continuity.
  • Cons: Higher risk of ongoing covert collection and uncertain scope.
  • Type Effectiveness: Partially effective with elevated strategic risk.

• Option C: Phased Confidence Restoration

  • Action: Prioritize critical datasets, restore in waves, and sequence disclosure as confidence improves.
  • Pros: Balances operational urgency with evidence discipline.
  • Cons: Extended ambiguity can strain regulator and partner trust.
  • Type Effectiveness: Moderately effective when governance remains disciplined.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Covert Access Discovery (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Research systems show persistent covert behavior without file-based indicators.
• Clue 2 (Minute 10): Forensics indicate sustained unauthorized visibility into high-value trial workflows.

• Clue 3 (Minute 15): Chief Science Officer Dr. Andrea Chen confirms unauthorized reads of interim efficacy summaries and dose-response modeling files tied to active submissions.

• Clue 3 (Minute 15): Chief Science Officer Dr. Ursula Meier confirms unauthorized reads of interim efficacy summaries and dose-response modeling files tied to active submissions.

• Clue 4 (Minute 20): Leadership requests immediate containment recommendation with milestone impact estimate.

Round 2: Reporting and Submission Confidence (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): Stakeholders request formal confidence statements on trial-data integrity.

• Clue 6 (Minute 40): Regulatory liaison teams request incident status and ask when investigators, partners, and oversight entities will be notified of possible trial-data exposure affecting submission confidence.

• Clue 6 (Minute 40): FDPIC and Swissmedic liaison teams request incident status and ask when investigators and partners will be notified of potential personal-data and research-data exposure under FADP obligations.

• Clue 7 (Minute 50): Program teams request a clear go/no-go decision for submission posture.
• Clue 8 (Minute 55): Legal and security functions require documented rationale for disclosure choices.

Round Transition Narrative

After Round 1 -> Round 2:

“FBI reports similar biotech espionage patterns where covert access persisted for months before detection and eroded regulatory confidence late in trial cycles.”

“BACS/GovCERT.ch notes repeated espionage pressure on high-value Swiss life-science research, especially near late-stage submission deadlines.”

Facilitation questions:

• “What minimum evidence supports a credible submission-confidence statement?”
• “Which decisions cannot wait for complete forensic certainty?”
• “How do you communicate residual uncertainty without eroding trust?”

Debrief Focus:

• Integrating covert-threat forensics with biotech governance decisions
• Balancing milestone pressure with evidence quality and regulatory obligations
• Preserving confidence as exposure scope evolves across recovery phases

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and biotech-governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

CEO Dr. Sarah Mitchell convenes an emergency response briefing and states that submission timelines are critical to patient-impact and investor commitments. CTO Kevin Park confirms anomalous memory behavior across trial-analysis systems. Chief Science Officer Dr. Andrea Chen reports access irregularities in core efficacy datasets. CISO David Torres requests immediate containment and evidence preservation for FBI coordination.

CEO Dr. Stefan Brunner convenes an emergency response briefing and states that submission timelines are critical to patient-impact and financing commitments. CTO Thomas Wyss confirms anomalous memory behavior across trial-analysis systems. Chief Science Officer Dr. Ursula Meier reports access irregularities in core efficacy datasets. CISO Martin Keller requests immediate containment and evidence preservation for BACS/GovCERT.ch and fedpol coordination under FDPIC expectations.

Players investigate openly using role capabilities. Early findings include covert repository access, uncertain scope, and rising submission pressure.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to scientific leadership and authorities by end of day?”

Round 2: Regulatory Coordination and Milestone Decisions (35-40 min)

• Technical teams complete artifact collection and present containment/recovery options.
• Leadership requests a clear recommendation for submission posture and disclosure timing.

• Coordination now spans FDA trial integrity requirements and HIPAA-aligned data controls, Federal health and market authorities, FBI, and FDA stakeholders.

• Coordination now spans FADP, Swissmedic requirements, and FDPIC oversight (not GDPR), FDPIC and Swissmedic supervision, BACS/GovCERT.ch and fedpol, and Swissmedic stakeholders.

Facilitation questions:

• “What controls must be in place before asserting trial-data trustworthiness?”
• “How will you document rationale for choices likely to face later review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with owner-assigned milestones and measurable outcomes.

Pressure events:

• Program stakeholders request proof of sustained control improvements
• Governance bodies request objective metrics tied to reduced surveillance risk
• Research leadership requests controls that preserve velocity without integrity loss

Victory conditions for full 3-round arc:

• Verified clean baseline for critical research and collaboration systems
• Defensible reporting package for regulators and submission stakeholders
• Durable biotech security controls aligned to operational constraints

Debrief Questions

1. “Which early indicator most clearly signaled strategic surveillance rather than isolated technical noise?”
2. “How did submission pressure alter risk tolerance across teams?”
3. “What evidence was essential for credibility with regulators and partners?”
4. “How can biotech organizations improve readiness without undermining trial velocity?”

Debrief Focus

• Biotech espionage incidents combine scientific-integrity risk with regulatory and market pressure
• Defensible response requires synchronized science, security, and governance decisions
• Long-term resilience depends on evidence discipline, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

1. A legitimate analytics-tool update overlaps with incident timing and distorts early triage.
2. A separate vendor service outage appears related but is operationally independent.
3. Internal rumor of accidental data leakage diverts attention from forensic evidence.

Removed Resources and Constraints

• No dedicated playbook for covert surveillance in trial-analysis environments
• Volatile evidence collection procedures are inconsistent across teams
• Immediate external specialist support is delayed by contractual lead time

Enhanced Pressure

• Program leadership demands same-day confidence statements on submission viability
• Partners request detailed updates before full forensic scope is confirmed
• Executive governance requires written rationale for each high-impact decision

Ethical Dilemmas

1. Delay submission for stronger evidence confidence, or proceed with higher residual risk.
2. Disclose broad uncertainty early, or wait for cleaner scope at trust risk.
3. Preserve full forensic integrity, or accelerate operational restoration with attribution loss.

Advanced Debrief Topics

• Building biotech doctrine for covert surveillance incidents
• Structuring governance when scientific urgency and technical certainty diverge
• Sustaining long-term security investment in high-pressure research organizations