Poison Ivy Scenario: Remote Access Discovery Timeline (2005)

Regional Marketing Agency: Creative services firm, 75 employees, serving clients in healthcare, finance, and government sectors
APT • Poison Ivy
STAKES
Client confidential data + Creative intellectual property + Competitive proposals + Professional reputation
HOOK
It's September 2005. Your marketing agency creates campaigns for sensitive clients including healthcare organizations, financial institutions, and government contractors. Employees have been receiving emails with creative briefs and campaign proposals that contain sophisticated remote access trojans. The Poison Ivy RAT provides attackers with complete system control, allowing them to steal client data, monitor business communications, and access confidential marketing strategies and competitive proposals.
PRESSURE
Client trust and competitive advantage - marketing agencies handle extremely sensitive business information and campaign strategies
FRONT • 90 minutes • Intermediate
NPCs
  • Creative Director Jennifer Walsh (Client Relations): Managing high-profile client relationships while discovering that confidential campaign strategies may have been accessed by competitors
  • IT Coordinator Michael Chen (Systems Support): Learning that remote access software can be hidden inside legitimate business documents and provide complete computer control
  • Account Manager Lisa Rodriguez (Healthcare Clients): Realizing that protected health information and medical campaign data could be compromised, triggering regulatory compliance concerns
  • Business Development Director Tom Johnson (Competitive Intelligence): Discovering that proposal strategies and client negotiations may have been monitored by unknown parties
SECRETS
  • Remote access trojan hidden in legitimate marketing documents provides complete system access including file downloads, keylogging, and screen capture
  • Attackers specifically target creative agencies to access multiple high-value clients through a single compromise
  • Marketing industry information sharing creates a network of potential targets for lateral movement

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

PoisonIvy Remote Access Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

PoisonIvy Historical Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Regional Marketing Agency

Creative services firm, 75 employees, serving clients in healthcare, finance, and government sectors

Key Assets At Risk:

  • Client confidential data
  • Creative intellectual property
  • Competitive proposals
  • Professional reputation

Business Pressure

Client trust and competitive advantage - marketing agencies handle extremely sensitive business information and campaign strategies

Cultural Factors

  • Remote access trojan hidden in legitimate marketing documents provides complete system access including file downloads, keylogging, and screen capture
  • Attackers specifically target creative agencies to access multiple high-value clients through a single compromise
  • Marketing industry information sharing creates a network of potential targets for lateral movement

Opening Presentation

“It’s September 2005 at Regional Marketing Agency, and your firm creates campaigns for sensitive clients including healthcare organizations, financial institutions, and government contractors. Employees have been receiving emails with creative briefs and campaign proposals that contain sophisticated remote access trojans. Unknown to your team, the Poison Ivy RAT is giving attackers complete system control, allowing them to steal client data, monitor business communications, and access confidential marketing strategies worth millions in competitive proposals.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Employees report receiving detailed creative brief documents with unexpected attachment behavior”
  • “IT notices unusual outbound network connections during off-hours”
  • “Competitor seemingly knows details of confidential campaign proposal before client presentation”
  • “Account manager discovers unauthorized access attempts to healthcare client data”

Key Discovery Paths:

Detective Investigation Leads:

  • Email forensics reveal sophisticated marketing document trojans with Poison Ivy RAT payloads
  • File analysis shows complete remote access capabilities hidden in legitimate creative brief formats
  • Timeline analysis indicates long-term persistent access across multiple employee systems

Protector System Analysis:

  • Network monitoring reveals persistent command and control connections to unknown servers
  • Endpoint analysis shows remote access including file exfiltration, keylogging, and screen capture
  • Security assessment reveals attackers targeted agency specifically to access multiple client sectors

Tracker Network Investigation:

  • Traffic analysis shows systematic theft of client campaign data and competitive proposals
  • Command and control patterns indicate professional operation with marketing industry knowledge
  • Connection analysis reveals targeting of healthcare, financial, and government client data
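An added illustration of the network evidence the Protector and Tracker paths describe (the persistent command and control connections and the off-hours outbound traffic from the initial reports); this is example code written for this page, not part of the scenario materials. It flags evenly spaced repeat connections (beaconing) in a constructed connection log; hostnames, addresses and the 08:00-18:59 workday are assumptions.

```python
# Added example (not from the scenario materials): flag persistent, evenly
# spaced outbound connections, the "beaconing" pattern behind off-hours C2
# traffic. All hosts, addresses and log lines below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "<timestamp> <src_host> <dst_ip:port> <bytes_out>"
SAMPLE_LOG = """\
2005-09-12T02:00:04 WS-DESIGN-07 198.51.100.23:443 512
2005-09-12T02:05:03 WS-DESIGN-07 198.51.100.23:443 488
2005-09-12T02:10:05 WS-DESIGN-07 198.51.100.23:443 521
2005-09-12T02:15:04 WS-DESIGN-07 198.51.100.23:443 4096
2005-09-12T02:20:04 WS-DESIGN-07 198.51.100.23:443 497
2005-09-12T09:02:11 WS-ACCT-03 203.0.113.10:80 1203
2005-09-12T09:31:47 WS-ACCT-03 203.0.113.10:80 870
2005-09-12T11:40:01 WS-ACCT-03 203.0.113.10:80 2210
2005-09-12T13:05:30 WS-ACCT-03 203.0.113.10:80 640
2005-09-12T23:55:10 WS-ACCT-03 198.51.100.23:443 503
2005-09-13T00:00:11 WS-ACCT-03 198.51.100.23:443 499
2005-09-13T00:05:09 WS-ACCT-03 198.51.100.23:443 510
2005-09-13T00:10:10 WS-ACCT-03 198.51.100.23:443 495
"""

BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 local workday

def parse_log(text):
    """Return (timestamp, src_host, dst) tuples; dst keeps 'ip:port'."""
    events = []
    for line in text.splitlines():
        ts, src, dst, _bytes_out = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events

def find_beacons(events, min_conns=4, max_jitter=0.2):
    """Group connections by (src, dst) and report pairs whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter).
    Port and destination are deliberately not used as a signature: the C2 here
    sits on 443 and still stands out by timing; the daytime web traffic does not."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        off_hours = sum(t.hour not in BUSINESS_HOURS for t in stamps) / len(stamps)
        if jitter <= max_jitter:
            findings[pair] = {"count": len(stamps), "interval_s": round(avg),
                              "jitter": round(jitter, 3),
                              "off_hours_ratio": round(off_hours, 2)}
    return findings
```

On the sample, both workstations are reported talking to 198.51.100.23:443 every 300 seconds entirely outside business hours, while the irregular daytime browsing to 203.0.113.10:80 is not flagged; a facilitator can use the output as a concrete "IT notices unusual outbound connections" artifact.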

Communicator Stakeholder Interviews:

  • Client communications regarding potential exposure of confidential campaign strategies
  • Regulatory assessment of HIPAA and financial data protection requirements
  • Legal counsel evaluation of professional liability and client notification obligations

Mid-Scenario Pressure Points:

  • Hour 1: Healthcare client questions how competitor learned details of confidential medical campaign
  • Hour 2: IT discovers evidence of persistent RAT access across creative and account management teams
  • Hour 3: Legal warns that healthcare client data exposure may trigger HIPAA breach notifications
  • Hour 4: Competitor submits proposal with suspiciously similar strategy to agency’s confidential approach

Evolution Triggers:

  • If response is delayed, attackers may exfiltrate complete client database affecting multiple sectors
  • If containment fails, confidential proposals may appear in competitor presentations
  • If client notification is inadequate, professional relationships face irreparable damage across sectors

Resolution Pathways:

Technical Success Indicators:

  • Complete Poison Ivy RAT removal from all infected employee and server systems
  • Network security enhanced to detect sophisticated marketing document trojans
  • Client data access monitoring implemented preventing unauthorized exfiltration

Business Success Indicators:

  • Multi-client relationships maintained through transparent security incident communication
  • Competitive proposals protected through enhanced confidentiality and secure collaboration
  • Professional reputation preserved preventing client defection to competitors

Learning Success Indicators:

  • Team understands third-party risk amplification through service provider compromise
  • Participants recognize regulatory complexity affecting multi-sector client data
  • Group demonstrates incident response balancing multiple client interests simultaneously

Common IM Facilitation Challenges:

If Multi-Client Impact Is Underestimated:

“Your RAT removal is progressing, but forensics shows attackers accessed healthcare, financial, and government client data through your agency. How does multi-sector compromise change your notification strategy and regulatory obligations?”

If Regulatory Complexity Is Ignored:

“While investigating, Lisa reports that healthcare client data was accessed, potentially triggering HIPAA breach notification requirements. How do you balance technical response with complex regulatory compliance across multiple sectors?”

If Competitive Intelligence Theft Is Missed:

“Your technical cleanup is solid, but Tom discovered a competitor submitted a proposal with your exact strategy. How do you address intellectual property theft while managing client trust?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish the 2005 marketing agency crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. The quick debrief should focus on recognizing third-party risk and multi-client impact.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of service provider security challenges. Use the full set of NPCs to create realistic multi-client pressure and regulatory complexity. The two rounds allow discovery of cross-client data exposure, raising the stakes. The debrief can explore the balance between competing client interests, plus a modernization discussion.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing healthcare, financial, and government client data protection, competitive intelligence theft, and professional reputation. The three rounds allow for full narrative arc including multi-sector impact assessment. Include modernization discussion exploring contemporary supply chain risks.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate marketing collaboration causing false positives). Make containment ambiguous, requiring players to justify conflicting client notification decisions. Remove access to reference materials to test knowledge recall of RAT behavior and third-party risk principles. Include deep modernization discussion comparing 2005 service provider risks to contemporary supply chain threats.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Email forensics reveal Poison Ivy RAT hidden in marketing creative brief attachments sent to Regional Marketing Agency employees. The sophisticated trojan uses authentic campaign proposal formats that perfectly match legitimate business documents. Network analysis shows complete remote access capabilities including file exfiltration, keylogging, and screen capture affecting employee systems handling healthcare, financial, and government client data.”

Clue 2 (Minute 10): “Endpoint analysis reveals persistent command and control connections indicating long-term access across creative and account management teams. Timeline shows attackers have monitored client campaigns, competitive proposals, and business strategies for months. Security assessment reveals agency was specifically targeted to access multiple sensitive client sectors through single service provider compromise.”

Clue 3 (Minute 15): “Traffic analysis shows systematic exfiltration of healthcare campaign data (HIPAA implications), financial client proposals, and government contractor strategies. Competitor submitted proposal with suspiciously similar approach to agency’s confidential strategy. Legal counsel warns healthcare client data exposure may trigger regulatory breach notifications and professional liability across multiple sectors.”

Pre-Defined Response Options

Option A: Complete RAT Removal & Multi-Client Notification

  • Action: Remove all Poison Ivy infections, implement enhanced email security and client data protection, immediately notify all affected clients across healthcare, financial, and government sectors, coordinate with regulatory authorities about compliance requirements.
  • Pros: Completely eliminates persistent access; demonstrates transparent professional practices; maintains multi-client trust through early notification.
  • Cons: Multi-sector notifications may damage professional reputation and competitive position; regulatory compliance requires significant legal resources.
  • Type Effectiveness: Super effective against APT malmon type; complete removal prevents further multi-client data exfiltration.

Option B: Selective Remediation & Sector-Specific Response

  • Action: Remediate confirmed infected systems, implement sector-specific security controls, notify only clients with confirmed data exposure, conduct forensic investigation before broader multi-client communication.
  • Pros: Allows targeted response matching each sector’s regulatory requirements; minimizes immediate professional relationship damage; enables focused client protection.
  • Cons: Risks continued data exfiltration during investigation; delayed notifications may violate sector-specific regulations (HIPAA, etc.).
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate persistent access across client sectors.

Option C: Phased Client Communication & Business Continuity

  • Action: Implement emergency secure client collaboration channels, phase remediation by client sensitivity, notify clients after establishing alternative secure procedures minimizing operational disruption.
  • Pros: Maintains critical client relationships through continued service; protects professional reputation through controlled communication timing; enables sector-specific response approaches.
  • Cons: Phased approach extends remediation timeline; attackers may maintain partial access during transition; delayed notification may violate regulatory requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes business continuity over complete security remediation.

Historical Context & Modernization Prompts

Understanding 2005 Technology Context

This scenario represents actual Poison Ivy RAT attacks from 2005. Key historical elements to understand:

  • Email Attachments: Primary malware delivery vector with limited scanning and sandboxing capabilities
  • RAT Technology: Remote administration tools were sophisticated but detection was signature-based
  • Regulatory Environment: HIPAA and financial regulations existed but cybersecurity requirements were minimal
  • Business Networks: Simple network architectures with limited segmentation or access controls
  • Incident Response: Most small businesses had no formal cybersecurity or incident response capabilities

Collaborative Modernization Questions for Players

Present these questions after initial investigation to guide modernization:

  1. “How would attackers target marketing agencies in today’s digital landscape?”
    • Guide toward: Cloud collaboration platforms, social media intelligence, supply chain attacks
  2. “What modern techniques provide similar remote access capabilities to 2005 RATs?”
    • Guide toward: Cloud-based remote tools, legitimate software abuse, fileless attacks
  3. “How has regulatory compliance changed since 2005 for businesses handling sensitive data?”
    • Guide toward: GDPR, state privacy laws, breach notification requirements, cybersecurity frameworks
  4. “What would client data storage and sharing look like in modern marketing agencies?”
    • Guide toward: Cloud storage, collaboration platforms, mobile access, API integrations
  5. “How would modern threat detection identify persistent remote access?”
    • Guide toward: Endpoint detection, behavioral analysis, cloud security monitoring, threat hunting

Modernization Discovery Process

After historical investigation, facilitate modernization discussion:

  1. Industry Evolution: Explore how marketing has moved to digital platforms and cloud services
  2. Regulatory Changes: Discuss how privacy laws have created new compliance requirements
  3. Attack Sophistication: Compare basic RAT techniques to modern supply chain and cloud attacks
  4. Client Risk Amplification: Consider how interconnected business relationships create cascading risk
  5. Detection Advancement: Examine how behavioral analysis improves on signature-based detection

Learning Objectives

  • Third-Party Risk: Understanding how service providers create attack vectors to multiple targets
  • Regulatory Implications: Learning how data breaches trigger complex compliance requirements
  • Persistent Access: Recognizing techniques for maintaining long-term system access
  • Business Process Targeting: Appreciating how attackers exploit industry-specific workflows

IM Facilitation Notes

  • Multi-Client Impact: Emphasize how single compromise affects multiple organizations
  • Regulatory Complexity: Help players understand compliance implications without legal expertise
  • Business Relationship Focus: Highlight how attacks target trust relationships between organizations
  • Evolution Discussion: Guide conversation toward modern supply chain and third-party risks
  • Detection Challenges: Discuss why legitimate-looking remote access can evade detection

This historical foundation demonstrates how targeted attacks on service providers can amplify impact across multiple client organizations, while helping teams understand the evolution from basic remote access to complex supply chain threats.