Noodle RAT Scenario: Biotech Research Surveillance

Noodle RAT Scenario: Biotech Research Surveillance

GenVista Therapeutics: Biotech company with 400 employees running Phase III clinical trials
APT Espionage • NoodleRAT
STAKES
Clinical data integrity + Regulatory confidence + Research IP protection + Patient-impact timelines
HOOK
Research teams at GenVista Therapeutics report analysis workstations slowing unexpectedly, unauthorized session prompts during trial review, and encrypted outbound traffic from restricted clinical-data environments. Security scans find no malicious files on disk, but memory telemetry indicates covert process manipulation tied to high-value research workflows.
PRESSURE
  • Submission milestone: Thursday 3:30 PM
  • Enterprise valuation exposure: $2 billion
  • Research scope at risk: Phase III oncology and immunotherapy trial data
FRONT • 180 minutes • Expert
GenVista Therapeutics: Biotech company with 400 employees running Phase III clinical trials
APT Espionage • NoodleRAT
NPCs
  • Dr. Sarah Mitchell (CEO): Owns strategic response, program continuity, and external confidence
  • Kevin Park (CTO): Leads technical containment and system-recovery planning
  • Dr. Andrea Chen (Chief Science Officer): Represents trial-integrity and research-delivery impact
  • David Torres (CISO): Coordinates evidence handling and authority engagement
SECRETS
  • Monitoring controls emphasized disk indicators and underweighted volatile-memory telemetry
  • Privileged research roles had broad repository access beyond least-privilege baselines
  • Covert access prioritized high-value trial and modeling workflows before disruption became visible

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Noodle RAT Biotech Research Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Noodle RAT Biotech Research Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Note👥 Large Group Format (12-15+ Players)

Team-specific evidence cards for Multi-Team Coordination format. Three parallel teams (Alpha/Forensics, Bravo/Network, Charlie/Business Impact) receive separate tiered artifacts across five investigation rounds.

Large Group Artifacts – Organizational Context

Includes 21 tiered evidence cards, IM distribution guide, and cross-team coordination notes. For experienced IMs only – see Large Group Prep Worksheet before running this format.

Large Group Facilitator Guide

Round-by-round facilitation notes, central dilemma, information asymmetry map, common failure modes, and debrief focus for this scenario. For general format setup and IC briefing, see the Large Group Facilitation Guide.

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Clinical analysis tools show intermittent lockups and unexplained session prompts”
  • “Security scans report clean disks despite persistent suspicious behavior”
  • “Restricted trial repositories produce abnormal access and credential events”
  • “Encrypted outbound sessions appear from regulated research environments”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction shows covert access behavior predating visible disruption
  • Access traces indicate interest in efficacy data, modeling outputs, and submission artifacts
  • Evidence suggests low-noise persistence optimized for prolonged surveillance

Protector System Analysis:

  • Research endpoints show volatile-memory anomalies inconsistent with normal workflows
  • Segmentation controls reduced but did not eliminate sensitive-data exposure pathways
  • Recovery quality depends on preserving volatile evidence before broad reset actions

Tracker Network Investigation:

  • Forensics identify periodic encrypted beaconing from high-value research systems
  • Transfer patterns indicate staged exfiltration from trial and modeling repositories
  • Infrastructure overlap suggests organized espionage tradecraft rather than commodity malware

Communicator Stakeholder Interviews:

  • Research leadership needs immediate guidance on what work can continue safely
  • Regulatory and partner stakeholders request confidence statements on data integrity
  • Security teams need clear disclosure thresholds tied to evidence quality

Mid-Scenario Pressure Points:

  • Hour 1: Program teams cannot confirm integrity of critical trial-analysis baselines
  • Hour 2: Leadership receives indicators that high-value datasets were accessed
  • Hour 3: Regulatory stakeholders request formal incident posture updates
  • Hour 4: Submission confidence declines as unresolved exposure scope expands

Evolution Triggers:

  • If containment is delayed, covert access persists and collection scope grows
  • If systems are reset too quickly, key volatile evidence may be lost
  • If communication is delayed, regulatory and partner confidence deteriorates

Resolution Pathways:

Technical Success Indicators:

  • Verified removal of covert access paths and restoration of trusted research baselines
  • Evidence package preserved for authority and investigative coordination
  • Monitoring strategy upgraded to detect low-noise persistence behaviors

Business Success Indicators:

  • Submission and disclosure decisions remain defensible with documented rationale
  • Stakeholder communication stays timely, accurate, and confidence-scoped
  • Program risk is managed through coordinated science, security, and governance decisions

Learning Success Indicators:

  • Team recognizes covert surveillance patterns that evade simple disk-based controls
  • Participants practice balancing evidence preservation with milestone urgency
  • Group coordinates technical and scientific decision-making under strategic pressure

Common IM Facilitation Challenges:

If Teams Rush to Reimage:

“Which volatile artifacts are essential before reset actions, and who authorizes that tradeoff?”

If Milestone Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting submission integrity to regulators and partners?”

If Authority Coordination Is Delayed:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Covert-access detection and immediate integrity decisions
Key Actions: Scope exposure, preserve evidence, issue first submission-confidence posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, regulatory posture, and disclosure sequencing
Key Actions: Build timeline confidence, protect high-value datasets, align scientific and security messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end biotech espionage response under high-stakes submission pressure
Key Actions: Coordinate leadership and research teams, decide milestone posture, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Integrity disputes, disclosure conflict, and stakeholder-governance tension
Additional Challenges: Ambiguous scope, contractual exposure, and escalating confidence pressure

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Evidence-Preserved Containment

    • Action: Isolate high-risk systems, preserve volatile evidence, and execute staged recovery with authority coordination.
    • Pros: Improves attribution confidence and long-term defensibility.
    • Cons: Slower short-term recovery and immediate submission pressure.
    • Type Effectiveness: Super effective for durable strategic resilience.

  • Option B: Submission-First Continuity

    • Action: Maintain broad operations while applying targeted controls to minimize disruption.
    • Pros: Supports near-term milestone continuity.
    • Cons: Higher risk of ongoing covert collection and uncertain scope.
    • Type Effectiveness: Partially effective with elevated strategic risk.

  • Option C: Phased Confidence Restoration

    • Action: Prioritize critical datasets, restore in waves, and sequence disclosure as confidence improves.
    • Pros: Balances operational urgency with evidence discipline.
    • Cons: Extended ambiguity can strain regulator and partner trust.
    • Type Effectiveness: Moderately effective when governance remains disciplined.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Covert Access Discovery (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Research systems show persistent covert behavior without file-based indicators.
  • Clue 2 (Minute 10): Forensics indicate sustained unauthorized visibility into high-value trial workflows.
  • Clue 4 (Minute 20): Leadership requests immediate containment recommendation with milestone impact estimate.

Round 2: Reporting and Submission Confidence (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Stakeholders request formal confidence statements on trial-data integrity.
  • Clue 7 (Minute 50): Program teams request a clear go/no-go decision for submission posture.
  • Clue 8 (Minute 55): Legal and security functions require documented rationale for disclosure choices.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What minimum evidence supports a credible submission-confidence statement?”
  • “Which decisions cannot wait for complete forensic certainty?”
  • “How do you communicate residual uncertainty without eroding trust?”

Debrief Focus:

  • Integrating covert-threat forensics with biotech governance decisions
  • Balancing milestone pressure with evidence quality and regulatory obligations
  • Preserving confidence as exposure scope evolves across recovery phases

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and biotech-governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include covert repository access, uncertain scope, and rising submission pressure.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to scientific leadership and authorities by end of day?”

Round 2: Regulatory Coordination and Milestone Decisions (35-40 min)

  • Technical teams complete artifact collection and present containment/recovery options.
  • Leadership requests a clear recommendation for submission posture and disclosure timing.

Facilitation questions:

  • “What controls must be in place before asserting trial-data trustworthiness?”
  • “How will you document rationale for choices likely to face later review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with owner-assigned milestones and measurable outcomes.

Pressure events:

  • Program stakeholders request proof of sustained control improvements
  • Governance bodies request objective metrics tied to reduced surveillance risk
  • Research leadership requests controls that preserve velocity without integrity loss

Victory conditions for full 3-round arc:

  • Verified clean baseline for critical research and collaboration systems
  • Defensible reporting package for regulators and submission stakeholders
  • Durable biotech security controls aligned to operational constraints

Debrief Questions

  1. “Which early indicator most clearly signaled strategic surveillance rather than isolated technical noise?”
  2. “How did submission pressure alter risk tolerance across teams?”
  3. “What evidence was essential for credibility with regulators and partners?”
  4. “How can biotech organizations improve readiness without undermining trial velocity?”

Debrief Focus

  • Biotech espionage incidents combine scientific-integrity risk with regulatory and market pressure
  • Defensible response requires synchronized science, security, and governance decisions
  • Long-term resilience depends on evidence discipline, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A legitimate analytics-tool update overlaps with incident timing and distorts early triage.
  2. A separate vendor service outage appears related but is operationally independent.
  3. Internal rumor of accidental data leakage diverts attention from forensic evidence.

Removed Resources and Constraints

  • No dedicated playbook for covert surveillance in trial-analysis environments
  • Volatile evidence collection procedures are inconsistent across teams
  • Immediate external specialist support is delayed by contractual lead time

Enhanced Pressure

  • Program leadership demands same-day confidence statements on submission viability
  • Partners request detailed updates before full forensic scope is confirmed
  • Executive governance requires written rationale for each high-impact decision

Ethical Dilemmas

  1. Delay submission for stronger evidence confidence, or proceed with higher residual risk.
  2. Disclose broad uncertainty early, or wait for cleaner scope at trust risk.
  3. Preserve full forensic integrity, or accelerate operational restoration with attribution loss.

Advanced Debrief Topics

  • Building biotech doctrine for covert surveillance incidents
  • Structuring governance when scientific urgency and technical certainty diverge
  • Sustaining long-term security investment in high-pressure research organizations