Poison Ivy Scenario: Financial Advisory Surveillance

Poison Ivy Scenario: Financial Advisory Surveillance

Westfield Financial Advisors: Advisory firm with 150 employees and $2 billion AUM
Financial Surveillance • PoisonIvy
STAKES
Client financial privacy + Strategy integrity + Regulatory compliance + Advisory trust
HOOK
Advisory teams at Westfield Financial Advisors report unauthorized after-hours account views, portfolio workstations showing remote cursor activity, and unexplained session prompts during private client reviews. Network telemetry shows encrypted outbound sessions from advisory systems while endpoint scans reveal no destructive malware indicators.
PRESSURE
  • Decision window: Thursday 4:00 PM
  • Asset scope: $2 billion AUM
  • Strategic exposure: $310 million high-net-worth strategy exposure
FRONT • 120 minutes • Intermediate
Westfield Financial Advisors: Advisory firm with 150 employees and $2 billion AUM
Financial Surveillance • PoisonIvy
NPCs
  • Richard Hartwell (Managing Director): Owns continuity, disclosure, and trust posture
  • Maria Santos (CTO): Leads technical containment and environment hardening
  • David Kim (Compliance Director): Directs regulatory response and client-notification posture
  • Rachel Green (CISO): Coordinates evidence handling and authority engagement
SECRETS
  • Monitoring prioritized broad endpoint alerts over operator-behavior analytics
  • Privileged advisory roles had broader access than least-privilege policy intended
  • Covert remote access focused on high-value client strategy artifacts before visible disruption

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Poison Ivy Financial Advisory Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Poison Ivy Financial Advisory Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Advisor systems show intermittent remote cursor activity and session prompts”
  • “Client account tools show unauthorized after-hours access patterns”
  • “Endpoint scans appear mostly clean despite persistent suspicious behavior”
  • “Encrypted outbound sessions originate from portfolio and strategy workstations”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction shows covert access before visible operational impact
  • Access traces indicate focused interest in high-value client strategy artifacts
  • Evidence suggests long-duration surveillance optimized for intelligence collection

Protector System Analysis:

  • Advisor endpoints show remote-control artifacts and command-execution anomalies
  • Segmentation controls reduced but did not eliminate sensitive exposure pathways
  • Recovery confidence depends on evidence preservation before broad reset actions

Tracker Network Investigation:

  • Forensics identify periodic encrypted beaconing from advisory systems
  • Transfer patterns indicate staged exfiltration from client and strategy repositories
  • Infrastructure overlap suggests organized surveillance tradecraft rather than opportunistic activity

Communicator Stakeholder Interviews:

  • Advisory leadership needs clear guidance on safe continuation thresholds
  • Clients request confidence statements on account and strategy integrity
  • Compliance and legal teams need disclosure thresholds tied to evidence quality

Mid-Scenario Pressure Points:

  • Hour 1: Leadership cannot confirm integrity of active advisory strategy baselines
  • Hour 2: Indicators suggest unauthorized reads of high-value client strategy materials
  • Hour 3: Clients request formal incident posture updates and account-risk guidance
  • Hour 4: Regulatory and fiduciary confidence declines as unresolved scope expands

Evolution Triggers:

  • If containment is delayed, covert access persists and collection scope increases
  • If systems are reset too quickly, key investigative evidence may be lost
  • If communication is delayed, client trust and compliance defensibility decline rapidly

Resolution Pathways:

Technical Success Indicators:

  • Verified removal of covert access paths and restoration of trusted advisory baselines
  • Evidence package preserved for authority and legal coordination
  • Monitoring strategy upgraded to detect persistent remote-control behavior

Business Success Indicators:

  • Continuity and disclosure decisions remain defensible with documented rationale
  • Client communication stays timely, accurate, and confidence-scoped
  • Fiduciary and regulatory risk is managed through coordinated governance

Learning Success Indicators:

  • Team recognizes long-duration remote-access surveillance patterns in financial contexts
  • Participants practice balancing evidence preservation with client-service urgency
  • Group coordinates technical, compliance, and executive decisions under pressure

Common IM Facilitation Challenges:

If Teams Rush to Reimage Systems:

“Which evidence artifacts are essential before reset actions, and who signs off on that tradeoff?”

If Advisory Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting client-account and strategy integrity?”

If Authority Coordination Is Delayed:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Remote-access detection and immediate client-protection posture decisions
Key Actions: Scope exposure, preserve evidence, issue first confidence statement

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, compliance posture, and notification sequencing
Key Actions: Build timeline confidence, protect high-value advisory assets, align advisory and compliance messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end financial-surveillance response under high-stakes client pressure
Key Actions: Coordinate leadership and advisory teams, decide continuity posture, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Fiduciary-liability tension, disclosure conflict, and governance pressure
Additional Challenges: Ambiguous scope, client escalation, and compressed decision windows

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Evidence-Preserved Containment

    • Action: Isolate high-risk systems, preserve evidence, and execute staged recovery with compliance and authority coordination.
    • Pros: Improves attribution confidence and long-term defensibility.
    • Cons: Slower short-term recovery and immediate advisory pressure.
    • Type Effectiveness: Super effective for durable strategic resilience.

  • Option B: Continuity-First Operations

    • Action: Maintain broad operations while applying targeted controls to minimize disruption.
    • Pros: Supports near-term advisory continuity and client-service stability.
    • Cons: Higher risk of ongoing covert collection and uncertain exposure scope.
    • Type Effectiveness: Partially effective with elevated strategic risk.

  • Option C: Phased Confidence Restoration

    • Action: Prioritize critical accounts, restore in waves, and sequence disclosure as confidence improves.
    • Pros: Balances operational urgency with evidence discipline.
    • Cons: Extended ambiguity can strain client and regulator trust.
    • Type Effectiveness: Moderately effective when governance remains disciplined.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Covert Access Discovery (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Advisory systems show persistent covert behavior and control anomalies.
  • Clue 2 (Minute 10): Forensics indicate sustained unauthorized visibility into strategy workflows.
  • Clue 4 (Minute 20): Leadership requests immediate containment recommendation with client-impact estimate.

Round 2: Reporting and Confidence Posture (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Clients request formal confidence statements on account and strategy integrity.
  • Clue 7 (Minute 50): Advisory leadership requests a clear continuity posture decision.
  • Clue 8 (Minute 55): Compliance teams require documented rationale for disclosure choices.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What minimum evidence supports a credible confidence statement to clients?”
  • “Which decisions cannot wait for full forensic certainty?”
  • “How do you communicate uncertainty without eroding trust?”

Debrief Focus:

  • Integrating remote-access forensics with fiduciary-governance decisions
  • Balancing client pressure with evidence quality and compliance obligations
  • Preserving confidence as exposure scope evolves through recovery phases

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and advisory-governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include covert repository access, uncertain scope, and rising client pressure.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to advisory leadership and clients by end of day?”

Round 2: Regulatory Coordination and Continuity Decisions (35-40 min)

  • Technical teams complete artifact collection and present containment/recovery options.
  • Leadership requests a clear recommendation for continuity posture and disclosure timing.

Facilitation questions:

  • “What controls must be in place before asserting advisory integrity confidence?”
  • “How will you document rationale for decisions likely to face later review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with owner-assigned milestones and measurable outcomes.

Pressure events:

  • Clients request proof of sustained control improvements and governance maturity
  • Compliance leadership requests objective metrics tied to reduced surveillance risk
  • Advisory teams request controls that preserve service quality

Victory conditions for full 3-round arc:

  • Verified clean baseline for critical advisory and client-service systems
  • Defensible reporting package for clients, regulators, and legal counsel
  • Durable financial-surveillance controls aligned to operational constraints

Debrief Questions

  1. “Which early indicator most clearly signaled strategic surveillance rather than routine technical noise?”
  2. “How did client pressure alter risk tolerance across teams?”
  3. “What evidence was essential for credibility with clients and regulators?”
  4. “How can advisory firms improve readiness without undermining client-service quality?”

Debrief Focus

  • Financial advisory surveillance incidents combine fiduciary risk with client-confidence pressure
  • Defensible response requires synchronized technical, compliance, and governance decisions
  • Long-term resilience depends on evidence discipline, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A legitimate advisor remote-support session overlaps with incident timing and distorts triage.
  2. A separate portfolio-platform outage appears related but is operationally independent.
  3. Internal rumor of accidental client-data mishandling diverts focus from forensic evidence.

Removed Resources and Constraints

  • No dedicated playbook for covert remote-access campaigns in advisory environments
  • Evidence collection procedures are inconsistent across support teams
  • Immediate external specialist support is delayed by contractual lead time

Enhanced Pressure

  • Leadership demands same-day confidence statements on client-service continuity
  • Clients request detailed updates before full forensic scope is confirmed
  • Executive governance requires written rationale for each high-impact decision

Ethical Dilemmas

  1. Pause advisory operations for stronger evidence confidence, or continue with higher residual risk.
  2. Disclose broad uncertainty early, or wait for cleaner scope at trust risk.
  3. Preserve full forensic integrity, or accelerate restoration with attribution loss.

Advanced Debrief Topics

  • Building advisory doctrine for covert surveillance incidents
  • Structuring governance when client urgency and technical certainty diverge
  • Sustaining long-term security investment in high-pressure fiduciary environments