Poison Ivy Scenario: Corporate Espionage Campaign

InnovateTech Solutions: Software development company, 400 employees, developing proprietary AI technology
APT • PoisonIvy
STAKES
Intellectual property + Trade secrets + Competitive advantage + Customer data
HOOK
InnovateTech is finalizing their breakthrough AI algorithm for market launch when developers notice their workstations occasionally behaving strangely - screens flickering during meetings, files being accessed remotely, and sensitive code repositories showing signs of unauthorized access. Classic remote access tools have been providing competitors complete surveillance of proprietary development work.
PRESSURE
AI product launch Monday - intellectual property theft threatens $50M investment and market leadership
FRONT • 120 minutes • Advanced
NPCs
  • CTO Dr. Amanda Foster: Leading AI development project, unaware that competitors have remote access to proprietary algorithms and development meetings
  • Lead Developer Marcus Chen: Discovering unauthorized access to source code repositories and development systems
  • Security Analyst Jennifer Park: Investigating classic RAT indicators and remote access patterns
  • IP Attorney Robert Martinez: Assessing trade secret exposure and competitive intelligence theft
SECRETS
  • Developers clicked on convincing technical recruitment emails containing malicious attachments
  • Competitors have had remote desktop access to development workstations for weeks
  • Proprietary AI algorithms and customer data have been systematically stolen

Planning Resources

Tip 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Poison Ivy Corporate Espionage Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Poison Ivy Corporate Espionage Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Opening Presentation

“It’s Thursday morning at InnovateTech Solutions, and the company is completing final testing of their breakthrough AI algorithm that represents a $50 million investment and could revolutionize the industry. But during development meetings, engineers notice troubling signs: workstations occasionally flickering, development tools responding without user input, and project files being accessed during private planning sessions. Security investigation reveals classic remote access tools providing competitors complete surveillance of proprietary development work and intellectual property.”

Initial Symptoms to Present:

Warning 🚨 Initial User Reports
  • “Developer workstations showing signs of remote desktop control during proprietary AI development meetings”
  • “Source code repositories being accessed automatically without developer authorization”
  • “Screen surveillance and keystroke logging detected on systems containing proprietary algorithms”
  • “Network traffic indicating exfiltration of intellectual property and customer data to competitor networks”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal classic Poison Ivy remote access trojan with complete system control capabilities
  • Email analysis shows spear-phishing campaign using convincing technical recruitment offers targeting developers
  • Timeline analysis indicates weeks of undetected remote access to proprietary development systems and source code

Protector System Analysis:

  • Developer workstation monitoring reveals real-time screen surveillance and source code theft
  • Repository security assessment shows unauthorized access to proprietary AI algorithms and customer data
  • Network security analysis indicates coordinated multi-target campaign affecting technology companies

Tracker Network Investigation:

  • Command and control traffic analysis reveals corporate espionage infrastructure with centralized management
  • Competitive intelligence patterns suggest organized targeting of proprietary technology development
  • Industry communication analysis indicates systematic targeting of AI development and intellectual property

Communicator Stakeholder Interviews:

  • Developer interviews reveal suspicious computer behavior during confidential AI development meetings
  • Customer communication assessment regarding potential exposure of proprietary data and algorithms
  • Competitive intelligence coordination regarding potential trade secret theft and market disruption

Mid-Scenario Pressure Points:

  • Hour 1: Lead investor discovers potential intellectual property theft threatening $50M funding and market launch
  • Hour 2: Competitive intelligence reveals competitor announced similar AI features suggesting stolen technology
  • Hour 3: Proprietary algorithms found on underground markets affecting competitive advantage and trade secrets
  • Hour 4: Customer data exposure threatens client relationships and competitive market position

Evolution Triggers:

  • If investigation reveals algorithm theft, competitive advantage and market launch are compromised
  • If remote access continues, competitors maintain persistent surveillance of proprietary development
  • If customer data exposure is confirmed, trade secret violations threaten company survival and market position

Resolution Pathways:

Technical Success Indicators:

  • Complete remote access trojan removal from development systems with forensic preservation of evidence
  • AI algorithm and customer data security verified preventing further unauthorized competitor access
  • Corporate espionage infrastructure analysis provides intelligence on coordinated technology targeting

Business Success Indicators:

  • Product launch protected through secure evidence handling and intellectual property coordination
  • Customer relationships maintained through transparent communication and data protection verification
  • Competitive advantage preserved preventing loss of market leadership and technology investment

Learning Success Indicators:

  • Team understands classic RAT capabilities and long-term corporate espionage operations
  • Participants recognize technology company targeting and intellectual property implications of algorithm theft
  • Group demonstrates coordination between cybersecurity response and competitive intelligence protection

Common IM Facilitation Challenges:

If Remote Access Sophistication Is Underestimated:

“Your malware analysis is good, but Marcus discovered that competitors have been watching proprietary development meetings in real-time for weeks. How does complete remote desktop access change your intellectual property protection approach?”

If Competitive Intelligence Implications Are Ignored:

“While you’re removing the RAT, Robert needs to know: have proprietary AI algorithms been stolen by competitors? How do you coordinate cybersecurity response with trade secret protection investigation?”

If Market Impact Is Overlooked:

“Dr. Foster just learned that competitors announced similar AI features days before your launch. How do you assess whether stolen intellectual property has been used for competitive advantage?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish corporate espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing classic RAT capabilities and intellectual property theft implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of technology company espionage challenges. Use the full set of NPCs to create realistic product launch and competitive intelligence pressures. The two rounds allow discovery of algorithm theft and market disruption, raising stakes. Debrief can explore balance between cybersecurity response and trade secret coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing product launch, intellectual property protection, customer relationships, and corporate espionage investigation. The three rounds allow for full narrative arc including remote access discovery, competitive advantage impact assessment, and market response coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate remote development tools causing false positives). Make containment ambiguous, requiring players to justify trade secret decisions with incomplete forensic evidence. Remove access to reference materials to test knowledge recall of RAT behavior and intellectual property principles. Include deep coordination with competitive intelligence and potential legal action consideration.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal classic Poison Ivy remote access trojan providing complete system control over InnovateTech developer workstations. Security analysis shows competitors maintaining real-time screen surveillance, keystroke logging, and source code exfiltration of proprietary AI algorithms. Development staff report workstations performing unauthorized actions during confidential $50M breakthrough AI algorithm development meetings.”

Clue 2 (Minute 10): “Timeline analysis indicates remote desktop access maintained for weeks through spear-phishing campaign using convincing technical recruitment offers targeting software developers. Command and control traffic analysis reveals corporate espionage infrastructure coordinating multi-target technology company intellectual property theft. Repository security assessment shows unauthorized competitor access to proprietary AI algorithms and customer data affecting competitive advantage and trade secrets.”

Clue 3 (Minute 15): “Competitive intelligence investigation discovers proprietary AI algorithms on underground markets confirming intellectual property theft and trade secret violations. Lead investor reports concerns about technology compromise threatening $50M market launch and company valuation. Competitor announcement of similar AI features days before scheduled launch indicates potential use of stolen algorithms requiring coordinated trade secret and market response investigation.”


Pre-Defined Response Options

Option A: Emergency Development Isolation & IP Protection

  • Action: Immediately isolate compromised developer systems, coordinate comprehensive trade secret investigation with IP counsel, conduct intellectual property damage assessment, implement emergency secure protocols for product launch protection.
  • Pros: Completely eliminates remote surveillance preventing further algorithm theft; demonstrates responsible intellectual property incident management; maintains investor confidence through transparent trade secret coordination.
  • Cons: Development system isolation disrupts product launch timeline affecting market opportunity; IP investigation requires extensive competitive intelligence coordination; damage assessment may reveal significant proprietary algorithm compromise.
  • Type Effectiveness: Super effective against APT malmon type; complete remote access removal prevents continued surveillance and intellectual property theft.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve trade secret investigation evidence while remediating confirmed compromised systems, conduct targeted intellectual property damage assessment, coordinate selective legal notification, implement enhanced monitoring while maintaining development operations.
  • Pros: Balances product launch requirements with IP investigation; protects critical technology operations; enables focused trade secret response.
  • Cons: Risks continued remote surveillance in undetected locations; selective remediation may miss coordinated targeting; forensic requirements may delay intellectual property protection.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate remote access presence; delays complete technology security restoration.

Option C: Business Continuity & Phased Security Response

  • Action: Implement emergency secure development operations, phase remote access removal by project priority, establish enhanced competitive intelligence monitoring, coordinate gradual IP notification while maintaining launch operations.
  • Pros: Maintains critical product launch timeline protecting market opportunity; enables continued development operations; supports controlled trade secret coordination.
  • Cons: Phased approach extends remote surveillance timeline; emergency operations may not prevent continued algorithm theft; gradual notification delays may violate intellectual property protection requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes product launch over complete remote surveillance elimination; doesn’t guarantee intellectual property protection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Remote Access Discovery (35-40 min)

Investigation Clues (Time-stamped)

T+0 (Round Start): “It’s Thursday morning at InnovateTech Solutions. Your company is finalizing breakthrough AI algorithm testing worth $50M - Monday launch scheduled. Developer Marcus Chen reports workstations flickering during proprietary development meetings. Security Analyst Jennifer Park detected unusual network patterns during confidential algorithm reviews. Initial investigation suggests potential remote surveillance of development systems.”

T+10 (Detective): “Marcus’s workstation forensics reveal classic Poison Ivy RAT with complete remote control capabilities - screen capture, keystroke logging, file exfiltration. Email analysis shows spear-phishing campaign using convincing technical recruitment offers targeting senior developers. Malware has been active for approximately 3 weeks during critical algorithm development phase.”

T+15 (Protector): “Jennifer’s security analysis confirms multiple developer workstations compromised with real-time surveillance capabilities. Repository logs show unauthorized access to proprietary AI algorithm source code during off-hours. Network monitoring reveals sustained command and control traffic to external infrastructure indicating ongoing remote desktop sessions.”

T+20 (Tracker): “Command and control infrastructure analysis reveals corporate espionage operation with centralized management server. Traffic patterns indicate systematic intellectual property exfiltration matching your proprietary algorithm development schedule. Threat intelligence suggests targeting of multiple technology companies in AI development sector.”

T+25 (Communicator): “Developer interviews confirm suspicious computer behavior - screens updating without input, files opening automatically during private meetings. CTO Dr. Foster extremely concerned about competitive intelligence implications with Monday launch. Lead investor requesting emergency briefing about intellectual property security.”
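The Protector and Tracker clues above (and the “Key Discovery Paths” earlier on this page) turn on two observations a defender would actually have to pull out of logs: repository access to proprietary code during off-hours, and sustained, regular command-and-control traffic from the same workstations. The Python below is an added example for IMs or players who want a concrete picture of that evidence; it is not part of the scenario materials. The log formats, the business-hours window (08:00–17:59 local, weekdays), the beacon thresholds, and all hosts, users and addresses are constructed for the example.

```python
"""Added example: two detections behind the Round 1 Protector and Tracker clues,
run over constructed sample logs. Not part of the scenario materials."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed repository access log: ISO timestamp, user, repo, action, source IP.
# Format and every value below are assumptions for this example.
REPO_LOG = """\
2024-05-02T09:12:44 mchen ai-core clone 10.20.1.15
2024-05-02T14:05:10 mchen ai-core push 10.20.1.15
2024-05-03T02:41:03 mchen ai-core clone 10.20.1.15
2024-05-03T03:17:55 mchen customer-pilot clone 10.20.1.15
2024-05-03T10:30:00 jpark sec-tools clone 10.20.1.40
2024-05-04T01:58:12 mchen ai-core archive 10.20.1.15
"""

# Constructed outbound connection log: ISO timestamp, source IP, destination IP:port, bytes.
# The first host checks in every five minutes; the second host's traffic is irregular.
FLOW_LOG = """\
2024-05-03T02:00:00 10.20.1.15 203.0.113.9:443 1210
2024-05-03T02:05:01 10.20.1.15 203.0.113.9:443 1198
2024-05-03T02:10:00 10.20.1.15 203.0.113.9:443 1225
2024-05-03T02:14:59 10.20.1.15 203.0.113.9:443 1203
2024-05-03T02:20:01 10.20.1.15 203.0.113.9:443 1190
2024-05-03T02:25:00 10.20.1.15 203.0.113.9:443 1215
2024-05-03T02:01:10 10.20.1.40 198.51.100.7:443 8020
2024-05-03T02:47:33 10.20.1.40 198.51.100.7:443 540
2024-05-03T03:12:08 10.20.1.40 198.51.100.7:443 76000
2024-05-03T03:15:40 10.20.1.40 198.51.100.7:443 1200
2024-05-03T04:58:02 10.20.1.40 198.51.100.7:443 300
2024-05-03T05:00:00 10.20.1.40 198.51.100.7:443 2200
"""

# Assumption: 08:00-17:59 on weekdays counts as working hours.
BUSINESS_HOURS = range(8, 18)


def parse_iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def off_hours_access(log: str = REPO_LOG, hours=BUSINESS_HOURS):
    """Return (user, repo, action, timestamp, source_ip) for every access
    outside business hours or on a weekend."""
    hits = []
    for line in log.splitlines():
        ts, user, repo, action, src = line.split()
        when = parse_iso(ts)
        if when.hour not in hours or when.weekday() >= 5:
            hits.append((user, repo, action, ts, src))
    return hits


def detect_beacons(log: str = FLOW_LOG, min_events: int = 5, max_cv: float = 0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.
    Returns {(src, dst): mean_interval_seconds}. The coefficient of variation
    (stdev / mean) of the gaps is the regularity measure; max_cv is a tuning knob."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _size = line.split()
        times[(src, dst)].append(parse_iso(ts))
    suspects = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            suspects[pair] = round(avg)
    return suspects


def correlate(repo_log: str = REPO_LOG, flow_log: str = FLOW_LOG):
    """Workstations that both pulled code off-hours and beacon out regularly:
    the combination the Round 1 clues describe for Marcus's machine."""
    beaconing_hosts = {src for src, _dst in detect_beacons(flow_log)}
    return {src for *_rest, src in off_hours_access(repo_log) if src in beaconing_hosts}


if __name__ == "__main__":
    for hit in off_hours_access():
        print("off-hours repo access:", hit)
    for pair, secs in detect_beacons().items():
        print(f"regular beacon {pair[0]} -> {pair[1]} every ~{secs}s")
    print("hosts to isolate first:", sorted(correlate()))
```

Either signal on its own is noisy (developers do work late; some legitimate agents poll on a schedule, which is exactly the “legitimate remote development tools causing false positives” red herring the Advanced Challenge suggests); the join in `correlate` is what lets the Protector prioritise which workstations to pull first.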

Response Options

Option A: Emergency Development Isolation
  • Action: Immediately disconnect compromised workstations, secure algorithm repositories offline, initiate comprehensive forensic investigation
  • Pros: Stops active surveillance immediately; protects remaining proprietary code
  • Cons: Disrupts launch preparation timeline; may alert attackers to detection
  • NPC Reactions:
    • Dr. Foster: “This delays our launch, but protecting our algorithms is critical.”
    • Marcus: “We can work offline, but coordination will be challenging.”

Option B: Monitored Containment
  • Action: Leave systems online while implementing enhanced monitoring, document ongoing theft, prepare for controlled remediation
  • Pros: Maintains development operations; gathers intelligence on attacker objectives
  • Cons: Continued IP theft during observation period; risky if attackers escalate
  • NPC Reactions:
    • Jennifer: “We can learn about their tactics, but every minute risks more theft.”
    • Robert (IP Attorney): “Each moment of delay compounds our trade secret exposure.”

Option C: Selective Remediation
  • Action: Isolate critical systems only, phase removal by priority, maintain some development operations
  • Pros: Balances security with launch requirements; protects most critical assets
  • Cons: Partial approach may leave surveillance gaps; complex coordination
  • NPC Reactions:
    • Dr. Foster: “Acceptable compromise between security and launch schedule.”
    • Lead Investor: “Make sure core algorithms are protected above all else.”

Pressure Events

T+30: “PRESSURE EVENT - Competitive intelligence report: Your primary competitor just announced ‘breakthrough AI features’ remarkably similar to your proprietary approach. Press release scheduled for their product next week. How does this competitive announcement affect your response strategy and Monday launch plans?”

Round 1 Transition

Based on team response choice, reveal:

If Emergency Isolation: “Your rapid isolation prevented further theft. Forensics confirms approximately 60% of proprietary algorithms were accessed. Competitors had real-time surveillance of your development meetings for 3 weeks. Dr. Foster needs to know: do we launch Monday with potentially compromised algorithms, or delay while rebuilding security?”

If Monitored Containment: “Your monitoring documented extensive theft. Attackers accessed 85% of algorithm code and observed Monday launch strategy discussions. Competitor announcement suggests stolen IP is already in use. Robert warns: launching now means competing against our own stolen technology.”

If Selective Remediation: “Critical systems secured, but surveillance continued on secondary systems. Approximately 70% algorithm exposure. Monday launch feasible, but competitive advantage significantly reduced. Investor concerned about market position with compromised technology.”

Round 2: Competitive Response & Recovery (35-40 min)

Investigation Clues (Time-stamped)

T+35 (Round Start): “Development systems partially secured, but competitive landscape has shifted dramatically. Your competitor’s announcement contains technical details only available from your proprietary research. Monday launch now faces direct competition from potentially stolen technology. Team must decide: launch as planned, delay for security rebuild, or pivot strategy entirely.”

T+45 (Detective): “IP theft forensics complete. Attackers exfiltrated: core algorithm documentation, customer pilot data, pricing strategies, and executive communications about competitive positioning. Timeline shows systematic intelligence gathering aligned with your development milestones. Evidence sufficient for legal action, but litigation could take years.”

T+50 (Protector): “Repository security audit reveals deeper exposure than initially detected. Customer pilot implementations were also compromised - client data may be exposed. Security rebuild estimated at 4-6 weeks for comprehensive remediation. Emergency deployment possible in 10 days with enhanced monitoring.”

T+55 (Tracker): “Competitor’s technical announcement analysis shows exact implementation matches your proprietary approach. Their ‘breakthrough’ uses identical algorithmic patterns developed in your compromised systems. Market analysts predicting competitive launch will significantly impact your Monday release. First-to-market advantage now lost.”

T+60 (Communicator): “Dr. Foster facing intense pressure from investors about launch decision. Customer pilot participants asking questions about data security after competitor announcement. Robert preparing legal options for trade secret litigation. Media beginning to notice competitive timing similarities.”

Response Options

Option A: Launch with Legal Action
  • Action: Proceed with Monday launch, immediately file trade secret litigation, coordinate aggressive PR about IP theft
  • Pros: Maintains market presence; demonstrates determination; may damage competitor reputation
  • Cons: Launch now competes with stolen technology; legal process lengthy; customer concerns about security
  • Victory Conditions:
    • Technical: Clean systems deployed with enhanced security
    • Business: Market launch achieved despite competitive headwinds
    • Learning: Team understands corporate espionage impact on business strategy

Option B: Strategic Delay & Rebuild
  • Action: Delay launch 6 weeks, comprehensive security rebuild, enhanced features to differentiate from stolen technology
  • Pros: Launches from position of security strength; time to add differentiating features
  • Cons: Loses first-to-market position; investor confidence impact; competitor gains market share
  • Victory Conditions:
    • Technical: Comprehensive security remediation completed
    • Business: Enhanced product distinguishes from competitor
    • Learning: Team appreciates trade-offs between security and business timing

Option C: Customer-First Response
  • Action: Priority notification to pilot customers, delay launch 2 weeks for security validation, transparency about incident
  • Pros: Maintains customer trust through transparency; moderate delay; demonstrates responsibility
  • Cons: Public disclosure may damage reputation; competitor advantage continues; investor concerns
  • Victory Conditions:
    • Technical: Customer systems verified secure
    • Business: Trust maintained through transparent handling
    • Learning: Team learns value of stakeholder communication during crisis

Pressure Events

T+70: “PRESSURE EVENT - Major pilot customer discovers your competitor’s announcement and demands explanation: ‘The technology you’re testing with us appears to be publicly announced by your competitor. Has our confidential pilot data been compromised?’ Customer threatening to cancel enterprise contract worth $8M. How do you respond?”

Facilitation Questions

  • “How do you balance competitive pressure with responsible security remediation?”
  • “What obligations do you have to pilot customers whose data may have been exposed?”
  • “How does intellectual property theft change your Monday launch strategy?”
  • “What lessons apply to protecting proprietary development in the future?”

Victory Conditions

Technical Victory:
  • All Poison Ivy infections removed from development systems
  • Proprietary algorithm repositories secured with enhanced access controls
  • Customer pilot data security verified

Business Victory:
  • Launch decision made balancing security, competition, and customer trust
  • Investor relationships maintained through transparent incident management
  • Competitive position protected despite IP theft

Learning Victory:
  • Team understands corporate espionage targeting of technology companies
  • Participants recognize balance between security response and business requirements
  • Group demonstrates coordination between cybersecurity and competitive strategy

Debrief Topics

  1. RAT Capabilities: How complete remote access enables systematic IP theft
  2. Corporate Espionage: Why technology companies are targets for competitive intelligence
  3. Trade Secret Protection: Legal and technical measures to protect proprietary algorithms
  4. Business Continuity: Balancing security response with product launch pressures
  5. Stakeholder Management: Coordinating with investors, customers, and legal counsel during incidents

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Compromise Discovery (35-40 min)

Open Investigation Phase

Opening Scenario: “Thursday morning, InnovateTech Solutions, 400-employee software development company. Your breakthrough AI algorithm represents $50M investment with Monday launch scheduled. Developers report workstations occasionally behaving strangely during confidential development meetings. Investigate and recommend initial response.”

Available Investigation Paths:

Detective Role:
  • Workstation forensic analysis
  • Email security review
  • Timeline reconstruction
  • Malware reverse engineering
  • Code repository access logs

Protector Role:
  • Network traffic analysis
  • Endpoint security assessment
  • Repository access controls
  • Development system hardening
  • Access privilege review

Tracker Role:
  • Command and control infrastructure
  • Threat actor attribution
  • Industry targeting patterns
  • Competitive intelligence analysis
  • External threat intelligence

Communicator Role:
  • Developer interviews
  • Executive stakeholder briefings
  • Customer communication assessment
  • Investor relations coordination
  • Legal counsel consultation

NPCs Available for Consultation

Dr. Amanda Foster (CTO):
  • Priorities: Protect proprietary algorithms, maintain Monday launch schedule
  • Concerns: Competitive advantage, investor confidence, team morale
  • Conflict: Security vs. business timeline pressure

Marcus Chen (Lead Developer):
  • Priorities: Team productivity, code security, development operations
  • Concerns: Workstation reliability, code integrity, colleague safety
  • Information: Technical details about suspicious behavior patterns

Jennifer Park (Security Analyst):
  • Priorities: Thorough investigation, complete remediation, future prevention
  • Concerns: Threat sophistication, potential data loss, incomplete containment
  • Expertise: Security tools, forensics, threat analysis

Robert Martinez (IP Attorney):
  • Priorities: Trade secret protection, legal evidence preservation, regulatory compliance
  • Concerns: Competitive theft, litigation potential, investor relations
  • Expertise: Intellectual property law, corporate espionage cases

Pressure Events (Deploy as appropriate)

T+15: “Marcus reports: ‘I just found unfamiliar processes running on my development workstation. They disappear when I try to investigate. This is happening during our most confidential algorithm testing.’”

T+25: “Dr. Foster: ‘Lead investor just called - they’ve heard rumors about security issues. They’re questioning whether Monday launch is viable. I need answers fast.’”

T+30: “Robert: ‘If proprietary algorithms have been stolen, every day of delay increases trade secret exposure. We need to know: what was taken, when, and by whom?’”

Round 2: Competitive Intelligence Impact (40-45 min)

Open Investigation Phase

Round Transition: “Your initial response has contained active surveillance, but forensics reveals weeks of undetected remote access. Approximately 60-85% of proprietary algorithm code was accessed. Now, your primary competitor has just announced ‘breakthrough AI features’ remarkably similar to your proprietary approach - press release scheduled next week. Investigate the full scope of compromise and develop comprehensive response strategy.”

New Investigation Options:

Detective:
  • Competitor announcement technical analysis
  • Customer pilot data exposure assessment
  • Executive communication review
  • Supply chain security investigation
  • Legal evidence compilation

Protector:
  • Repository damage assessment
  • Customer system security review
  • Secure rebuild planning
  • Enhanced monitoring implementation
  • Incident response documentation

Tracker:
  • Competitor technical comparison
  • Market intelligence coordination
  • Threat actor capability assessment
  • Long-term persistence checking
  • Industry notification consideration

Communicator:
  • Customer pilot communication planning
  • Investor crisis management
  • Media inquiry preparation
  • Legal strategy coordination
  • Employee communication

NPC Evolution

Dr. Amanda Foster:
  • Increased pressure: “Competitor announcement changes everything. Do we launch Monday into direct competition, or delay for security rebuild?”
  • New concerns: Customer trust, employee morale, market positioning
  • Demanding: Clear recommendation on launch decision with security implications

Marcus Chen:
  • Technical discovery: “Customer pilot systems were also compromised. Their confidential data may be exposed.”
  • Team concern: “Development team morale is suffering. They feel violated by the surveillance.”
  • Question: “How do we rebuild trust in our development environment?”

Jennifer Park:
  • Investigation complete: “Attackers had real-time surveillance of development meetings, accessed executive strategy discussions, and monitored your customer pilots.”
  • Remediation estimate: “Comprehensive rebuild: 6 weeks. Emergency deployment: 10 days with enhanced monitoring.”
  • Warning: “We may have missed additional persistence mechanisms.”

Robert Martinez:
  • Legal assessment: “Evidence supports trade secret litigation, but legal process takes years. Competitor is using your stolen technology right now.”
  • Customer concern: “Pilot participants have legal right to know about potential data exposure.”
  • Trade-off: “Public litigation reveals incident publicly. Silent response protects reputation but limits legal options.”

Pressure Events

T+50: “Major customer pilot participant: ‘Your competitor just announced features identical to what we’re testing confidentially with you. Explain immediately or we’re canceling our $8M enterprise contract.’”

T+65: “Media inquiry: ‘Sources suggest your competitor’s technology breakthrough came from corporate espionage. Can you confirm your development systems were compromised?’ Response due in 2 hours.”

T+75: “Lead investor: ‘Board is questioning your leadership. First the security breach, now competitor has our technology. Give me one reason not to replace the executive team.’”

Round 3: Strategic Response & Recovery (40-45 min)

Open Investigation Phase

Round Transition: “Team has full understanding of compromise scope and competitive impact. Final decisions needed: launch strategy (proceed/delay/pivot), customer notification approach, legal action timing, and long-term security rebuild. Develop comprehensive strategy addressing technical remediation, business continuity, and stakeholder management.”

Strategic Decision Points:

  1. Launch Strategy
    • Option A: Proceed Monday with enhanced security messaging
    • Option B: Delay 2 weeks for customer notification and security validation
    • Option C: Delay 6 weeks for comprehensive rebuild and feature enhancement
    • Option D: Pivot to different market segment away from competitor
  2. Customer Notification
    • Option A: Immediate transparent disclosure to all pilot participants
    • Option B: Targeted notification only to confirmed exposed customers
    • Option C: Generic security update without incident disclosure
    • Option D: Delay notification pending legal counsel
  3. Legal Action
    • Option A: Immediate public trade secret litigation against competitor
    • Option B: Private legal action with confidential proceedings
    • Option C: Regulatory complaint to authorities without civil suit
    • Option D: Focus on recovery, defer legal action
  4. Security Rebuild
    • Option A: Complete development environment rebuild (6 weeks)
    • Option B: Phased remediation with enhanced monitoring (ongoing)
    • Option C: Emergency deployment with security validation (10 days)
    • Option D: Maintain operations with continuous security improvement

Final Pressure Events

T+90: “Dr. Foster: ‘I need your final recommendation. The board meets in one hour to decide: do we have a company Monday, or do we fold to the competitor who stole our technology?’”

T+105: “Industry analyst: ‘InnovateTech appears to have lost first-to-market advantage in AI breakthrough. Sources suggest security incident may have compromised competitive position. Market is watching your Monday launch closely.’”

T+115: “Customer pilot participant: ‘We’ve hired forensic investigators. If you’ve exposed our confidential data through poor security, expect litigation. We want answers today, not eventually.’”

Facilitation Questions

  • “What evidence would you need to confidently proceed with Monday launch?”
  • “How do you balance transparent customer notification with reputational concerns?”
  • “What makes trade secret litigation worth pursuing despite years-long timeline?”
  • “How do you rebuild developer trust after systematic surveillance of their work?”
  • “What security measures would prevent similar corporate espionage in the future?”

Victory Conditions

Technical Victory:
  • Comprehensive Poison Ivy removal with verified clean systems
  • Repository security enhanced with audit logging and access controls
  • Customer pilot data security validated
  • Development environment hardened against future compromise

Business Victory:
  • Launch decision made with clear strategic rationale
  • Customer relationships preserved through appropriate notification
  • Investor confidence maintained through transparent crisis management
  • Competitive position protected despite intellectual property theft

Learning Victory:
  • Team articulates how RAT capabilities enable corporate espionage
  • Participants understand trade-offs between security response and business timing
  • Group demonstrates sophisticated stakeholder management during crisis
  • Discussion includes lessons for protecting proprietary development

Debrief Topics

  1. Corporate Espionage Mechanics: How systematic remote access enables IP theft
  2. Technology Company Targeting: Why AI and software development are espionage targets
  3. Business Continuity Challenges: Balancing security response with product launches
  4. Stakeholder Complexity: Managing investors, customers, employees, and competitors simultaneously
  5. Trade Secret Protection: Technical and legal measures for proprietary algorithms
  6. Attribution Challenges: Difficulty proving competitor responsibility for theft
  7. Long-term Recovery: Rebuilding security culture after development surveillance

Advanced Challenge Materials (150-170 min, 3+ rounds)

Additional Complexity Layers

Red Herrings

  1. Legitimate Remote Development Tools:
    • Visual Studio Live Share sessions generate similar network patterns
    • Remote pair programming tools create legitimate remote access
    • Cloud IDE platforms show similar screen sharing behavior
    • IM Challenge: Teams must distinguish malicious RAT from legitimate dev tools
  2. Developer VPN Behavior:
    • Developers working remotely generate off-hours access patterns
    • International contractors access repositories during US night hours
    • Automated build systems create non-interactive repository access
    • IM Challenge: Separate authorized remote work from unauthorized surveillance
  3. Competitive Intelligence Coincidence:
    • AI algorithm approaches may converge on similar solutions independently
    • Industry conferences share technical approaches publicly
    • Former employees may have moved to competitor legitimately
    • IM Challenge: Prove theft vs. independent development without absolute certainty
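The first two red herrings above (legitimate remote development tools and developer VPN or off-hours behaviour) come down to triage: no single signal separates authorised remote work from unauthorised access, so each one alone is a false positive and only the combination is worth an analyst's time. The following Python script is an added illustration of that triage logic and is not part of the scenario materials; the log line format, account names, VPN host naming, working-hour windows and client-agent allowlist are all constructed assumptions for the example.

```python
"""Score repository access events so that expected remote work (contractor
hours, build automation, known developer tooling over VPN) drops out and only
access combining several unusual signals is queued for review.

Added example for this scenario, not part of the exercise materials.  Every
account name, host, time window and log line below is constructed."""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed baseline of what the hypothetical organisation expects to see.
BUILD_ACCOUNTS = {"svc-ci-build", "svc-release-bot"}          # non-interactive automation
CONTRACTOR_WINDOWS_UTC = {"dev-ravi": (3, 13)}                # contractor working hours, UTC
STAFF_WINDOW_UTC = (13, 2)                                    # US business hours in UTC, wraps midnight
KNOWN_DEV_TOOLS = {"git/2.43", "vs-liveshare/1.0"}            # allowlisted client agents

# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) agent=(?P<agent>\S+) "
    r"action=(?P<action>\S+) repo=(?P<repo>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    agent: str
    action: str
    repo: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event (timestamps are UTC)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["user"], m["src"], m["agent"], m["action"], m["repo"])


def in_window(hour: int, window: tuple[int, int]) -> bool:
    """True if the UTC hour falls inside a [start, end) window; the window may wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def score(ev: Event) -> tuple[int, list[str]]:
    """Return (score, reasons).  Each signal on its own is weak and matches
    legitimate remote work; the review threshold is only reached when several
    combine on one event."""
    reasons: list[str] = []
    s = 0
    if ev.user in BUILD_ACCOUNTS:
        # Automation is expected to fetch and tag; anything interactive is the anomaly.
        if ev.action not in {"fetch", "push-tag"}:
            s += 3
            reasons.append("build account performing interactive action")
        return s, reasons
    window = CONTRACTOR_WINDOWS_UTC.get(ev.user, STAFF_WINDOW_UTC)
    if not in_window(ev.ts.hour, window):
        s += 1
        reasons.append("outside expected working window")
    if ev.agent not in KNOWN_DEV_TOOLS:
        s += 2
        reasons.append("unrecognised client agent")
    if not (ev.src.startswith("vpn-") or ev.src.startswith("10.")):
        # Corporate VPN hosts and the internal range are expected for remote work.
        s += 2
        reasons.append("source not on VPN or internal range")
    if ev.action == "clone-all":
        s += 2
        reasons.append("bulk clone of repositories")
    return s, reasons


def triage(lines, threshold: int = 4):
    """Return (user, score, reasons) for every event at or above the threshold."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        s, reasons = score(ev)
        if s >= threshold:
            flagged.append((ev.user, s, reasons))
    return flagged


# Constructed sample: contractor at local working hours, build automation at night,
# a developer in a Live Share session over VPN, and one event combining every signal.
SAMPLE_LOG = [
    "2024-05-10T04:15:00Z user=dev-ravi src=vpn-03 agent=git/2.43 action=fetch repo=ai-core",
    "2024-05-10T02:40:00Z user=svc-ci-build src=10.0.5.12 agent=git/2.43 action=fetch repo=ai-core",
    "2024-05-10T23:10:00Z user=mchen src=vpn-01 agent=vs-liveshare/1.0 action=fetch repo=ai-core",
    "2024-05-10T03:05:00Z user=mchen src=203.0.113.7 agent=curl/8.5 action=clone-all repo=*",
]

if __name__ == "__main__":
    for user, s, reasons in triage(SAMPLE_LOG):
        print(f"REVIEW {user} score={s}: {'; '.join(reasons)}")
```

Run as written, the three red-herring lines score zero and only the last event is queued (score 7: off-hours, unknown agent, non-VPN source, bulk clone). The design point for the exercise is that the baselines (contractor windows, build accounts, tool allowlist) are what make the off-hours signal usable at all; without them every international contractor and nightly build looks like the surveillance the team is hunting for.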

Ambiguous Evidence

  1. Incomplete Forensics:
    • Anti-forensics techniques deleted portions of access logs
    • Some compromised systems were rebuilt before investigation
    • Network captures don’t show full communication history
    • IM Challenge: Make critical decisions with imperfect information
  2. Attribution Uncertainty:
    • C2 infrastructure uses anonymization services
    • Attack patterns don’t conclusively identify threat actor
    • Competitor may have hired third-party for espionage
    • IM Challenge: Decide on legal action without definitive proof
  3. Customer Data Exposure:
    • Pilot data access logged, but unclear what was exfiltrated
    • Some customer systems may have been accessed indirectly
    • Encryption status of stolen data uncertain
    • IM Challenge: Determine notification obligations with incomplete evidence

Knowledge Recall Testing (No Reference Materials)

Teams must recall from training:

  1. RAT Capabilities:
    • What access does a remote administration tool provide?
    • How does keystroke logging capture credentials and IP?
    • What persistence mechanisms allow long-term access?
    • How does screen surveillance enable meeting monitoring?
  2. Intellectual Property Law:
    • What constitutes a trade secret under law?
    • When are breach notifications legally required?
    • What evidence is needed for trade secret litigation?
    • How do regulatory requirements vary by jurisdiction?
  3. Incident Response Principles:
    • What are the phases of the incident response lifecycle?
    • How do you balance containment with forensic preservation?
    • When should law enforcement be involved?
    • What documentation is needed for legal proceedings?
  4. APT Characteristics:
    • What defines an advanced persistent threat?
    • How do APTs differ from opportunistic malware?
    • What are typical APT motivations and objectives?
    • How long do APT operations typically persist before detection?

Enhanced NPC Complexity

Dr. Amanda Foster (CTO) - Conflicting Priorities:
  • Public statements: “Security is our top priority. We take this very seriously.”
  • Private pressure: “I need this incident contained quietly. Public disclosure kills the company.”
  • Team challenge: Managing executive who demands both transparency and secrecy

Marcus Chen - Technical Disagreement:
  • Security position: “We need complete rebuild. Anything less leaves us vulnerable.”
  • Business position: “But Dr. Foster is right - 6 week delay means company failure.”
  • Team challenge: Developer caught between security principles and business survival

Jennifer Park - Investigation Scope:
  • Initial assessment: “I believe we’ve contained the threat.”
  • Later discovery: “I found additional persistence mechanisms. Investigation incomplete.”
  • Team challenge: Handling evolving investigation that changes previous decisions

Robert Martinez - Legal Complexity:
  • Trade secret litigation: “Strong case, but litigation takes 3-5 years and costs millions.”
  • Customer notification: “Some customers are in California - CCPA requires disclosure.”
  • Team challenge: Navigating complex legal landscape with competing requirements

Scenario Variations

Variation 1: Customer Discovers Compromise First
  • Major pilot customer detects suspicious network traffic
  • Customer investigation reveals InnovateTech as source
  • Team must respond to customer-initiated security inquiry
  • Additional pressure: Reactive rather than proactive disclosure

Variation 2: Competitor Public Accusation
  • Competitor publicly accuses InnovateTech of IP theft
  • Claims InnovateTech stole competitor’s breakthrough technology
  • Media coverage creates “dueling accusations” narrative
  • Additional pressure: Public relations crisis during investigation

Variation 3: Insider Threat Component
  • Some evidence suggests potential insider facilitation
  • Disgruntled developer recently left for competitor
  • Unclear if compromise was external only or insider-assisted
  • Additional pressure: HR investigation alongside technical response

Extended Pressure Events

T+30: “Security researcher publicly tweets: ‘Hearing (InnovateTech?) suffered major breach. Proprietary AI algorithms potentially stolen. Company staying quiet. Customers deserve transparency.’ Tweet going viral. Investor relations demanding response.”

T+60: “Former employee (now at competitor) contacts media: ‘InnovateTech security was always terrible. I’m not surprised they got breached. Their algorithms weren’t that innovative anyway.’ How does insider perspective affect your response?”

T+90: “Class action law firm announces investigation: ‘Seeking InnovateTech pilot program participants affected by alleged security breach and data exposure. Free legal consultation.’ Ambulance-chasing lawyers recruiting your customers. Impact on customer relationships?”

T+120: “Board emergency meeting: Lead investor moving to replace Dr. Foster as CTO. ‘The breach happened on her watch. Competitor now has our technology. She has failed.’ Does leadership change affect your technical response and recommendations?”

Advanced Facilitation Challenges

Challenge 1: Ethical Dilemma - Silent Launch
“Your forensics confirms massive IP theft, but also shows no customer data was accessed. You could potentially launch Monday without customer notification, protecting reputation. Is this ethical? What obligations exist beyond legal requirements?”

Challenge 2: Attribution Certainty
“Evidence strongly suggests competitor involvement, but isn’t conclusive. Filing trade secret litigation without certainty risks counter-suit for defamation. How certain must you be before legal action? What threshold of evidence is sufficient?”

Challenge 3: Employee Trust
“Developers feel violated by weeks of surveillance during confidential work. Some are considering leaving the company. How do you rebuild trust in development environment? What responsibility does company have to monitored employees?”

Challenge 4: Security Theater vs. Substance
“Marketing wants to announce ‘enhanced security measures’ immediately for customer confidence. But meaningful security improvements take months. Do you support security theater that may be misleading, or insist on honest timeline that may lose customers?”

Deep Coordination Requirements

Multi-Stakeholder Negotiation:
  • Investors demanding immediate launch
  • Customers demanding immediate notification
  • Legal counsel recommending delayed disclosure
  • Security team requiring remediation time
  • Team must negotiate solution satisfying conflicting demands

Regulatory Complexity:
  • Customer in California triggers CCPA requirements
  • European customer triggers GDPR considerations
  • Public company status may trigger SEC disclosure obligations
  • Team must coordinate across multiple regulatory frameworks

Vendor Ecosystem Impact:
  • Development tools vendor may have been compromise vector
  • Cloud service provider needs security incident notification
  • Third-party security firm hired for forensics
  • Team must manage broader vendor ecosystem involvement

Victory Conditions (Advanced)

Technical Excellence:
  • Complete RAT removal with comprehensive persistence checking
  • Customer systems validated secure through independent assessment
  • Enhanced security architecture implemented
  • Incident documentation suitable for legal proceedings

Business Sophistication:
  • Stakeholder strategy balances competing demands
  • Customer relationships preserved despite difficult disclosure
  • Competitive position protected through strategic response
  • Company survival ensured despite major security incident

Learning Mastery:
  • Team demonstrates deep understanding of RAT capabilities
  • Sophisticated analysis of corporate espionage tactics
  • Expert-level stakeholder management during crisis
  • Nuanced appreciation of security vs. business trade-offs
  • Recognition that perfect security may not align with business survival

Extended Debrief Topics

  1. Attribution Challenges: Why definitive proof of competitor involvement is difficult
  2. Insider Threat Indicators: How to distinguish insider facilitation from pure external compromise
  3. Security Culture: Building development environments resistant to surveillance
  4. Trade Secret Economics: Cost/benefit of intellectual property litigation
  5. Ethical Disclosure: Obligations beyond legal requirements
  6. Crisis Leadership: Managing executive pressure during security incidents
  7. Competitive Intelligence: Legitimate vs. illegal competitive information gathering
  8. Developer Privacy: Employee expectations during security investigations
  9. Supply Chain Security: Development tool and vendor security assessment
  10. Long-term Recovery: Rebuilding company reputation after IP theft

Modernization Discussion

Contemporary Parallels:
  • SolarWinds supply chain compromise (software development environment)
  • Chinese APT targeting of technology companies
  • Nation-state espionage in AI and quantum computing sectors
  • Insider threat challenges at competitive technology firms

Evolution Questions:
  • How do modern cloud development environments change attack surface?
  • What role does AI play in both attack and defense?
  • How has remote work affected development security?
  • What new techniques exist for protecting intellectual property?