Poison Ivy Scenario: Supply Chain Software Infiltration

SecureFlow Systems: Software development company, 320 employees, providing supply chain management software to Fortune 500 companies
APT • Poison Ivy
STAKES
Customer trust + Supply chain integrity + Intellectual property + Software integrity
HOOK
SecureFlow develops critical supply chain management software used by major manufacturers, retailers, and logistics companies. Sophisticated attackers have compromised their development environment through advanced remote access techniques, injecting malicious code into software updates that will be deployed to hundreds of customer organizations. The attack uses modern cloud-based command and control and fileless execution to maintain persistent access while poisoning the software supply chain.
PRESSURE
Customer panic about supply chain security - any compromise could affect global commerce and manufacturing
FRONT • 90 minutes • Intermediate
NPCs
  • Development Manager Sarah Kim (DevSecOps): Discovering that software build pipeline has been compromised with malicious code injection affecting customer deployments
  • Chief Technology Officer Marcus Rodriguez (Cloud Architecture): Investigating sophisticated command and control infrastructure using legitimate cloud services and CDN networks
  • Customer Success Director Jennifer Chen (Fortune 500 Relations): Managing customer communications as major clients discover potential compromise in their supply chain management systems
  • Security Architect Alex Thompson (Threat Response): Finding evidence of advanced persistent access using PowerShell, WMI, and legitimate system administration tools
SECRETS
  • Development environment compromise through vendor email account takeover and social engineering
  • Malicious code injection into software updates using legitimate development tools and processes
  • Command and control infrastructure disguised as legitimate cloud storage and content delivery networks

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

PoisonIvy Supply Chain Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

PoisonIvy Supply Chain Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

SecureFlow Systems

Software development company, 320 employees, providing supply chain management software to Fortune 500 companies

Key Assets At Risk:

  • Customer trust
  • Supply chain integrity
  • Intellectual property
  • Software integrity

Business Pressure

Customer panic about supply chain security - any compromise could affect global commerce and manufacturing

Cultural Factors

  • Development environment compromise through vendor email account takeover and social engineering
  • Malicious code injection into software updates using legitimate development tools and processes
  • Command and control infrastructure disguised as legitimate cloud storage and content delivery networks

Opening Presentation

“It’s Tuesday morning at SecureFlow Systems, and your software company provides critical supply chain management solutions to hundreds of Fortune 500 manufacturers, retailers, and logistics companies worldwide. Your development team is preparing this quarter’s software update release when they discover unauthorized modifications in the build environment. Code repositories show suspicious commits bypassing normal approval processes, and automated deployment systems contain unfamiliar configurations. Security analysis reveals sophisticated remote access techniques using legitimate cloud services and system administration tools. Unknown to your team, attackers have already injected malicious code into recent software updates, and poisoned software may already be running in customer production environments across global supply chains.”

Initial Symptoms to Present:

Warning: Initial User Reports
  • “Software build systems showing unauthorized modifications and suspicious automated processes”
  • “Remote access tools using legitimate cloud services and system administration utilities”
  • “Code repositories containing unauthorized changes that bypass normal development approval processes”
  • “Customer reports of unusual behavior in recently deployed software updates”

Key Discovery Paths:

Detective Investigation Leads:

  • Software forensics reveal malicious code injection into legitimate development processes
  • Build pipeline analysis shows compromise of automated deployment and code signing systems
  • Attack vector analysis discovers initial compromise through targeted social engineering of development staff

Protector System Analysis:

  • Development environment security assessment reveals persistent adversary access using legitimate tools
  • Code integrity analysis shows sophisticated supply chain poisoning techniques
  • Customer deployment security assessment reveals scope of potentially compromised software updates

Tracker Command and Control Analysis:

  • Network monitoring reveals use of legitimate cloud services for covert command and control
  • Software supply chain analysis discovers coordinated attack targeting multiple software vendors
  • Threat intelligence reveals broader campaign against software development companies

Communicator Stakeholder Interviews:

  • Fortune 500 customer communications regarding potential supply chain compromise in production systems
  • Software integrity verification coordination and emergency patch deployment planning
  • Legal assessment of liability and regulatory compliance during supply chain security incident

Mid-Scenario Pressure Points:

  • Hour 1: Major retailer reports unusual network activity traced to recently deployed SecureFlow software update
  • Hour 2: Security team discovers malicious code in production builds dating back three months affecting hundreds of customers
  • Hour 3: Fortune 500 manufacturer shuts down production lines citing potential supply chain compromise
  • Hour 4: News outlet contacts company about reports of widespread supply chain security incident

Evolution Triggers:

  • If response is delayed, customer organizations may suffer production outages from compromised software
  • If containment fails, malicious code may propagate further through customer supply chain networks
  • If customer notification is inadequate, trust relationships face irreparable damage affecting company survival

Resolution Pathways:

Technical Success Indicators:

  • Complete removal of malicious code from development environment and build systems
  • Verified clean software builds deployed to all affected customer organizations
  • Enhanced DevSecOps security controls preventing future build pipeline compromise

Business Success Indicators:

  • Customer relationships maintained through transparent communication and rapid remediation
  • Software supply chain integrity restored with verified code signing and deployment processes
  • Industry leadership demonstrated through proactive supply chain security response

Learning Success Indicators:

  • Team understands software supply chain attack vectors and development environment security
  • Participants recognize modern remote access techniques using legitimate cloud services
  • Group demonstrates incident response balancing software integrity with customer trust

Common IM Facilitation Challenges:

If Supply Chain Impact Is Underestimated:

“Your code cleanup is progressing, but forensics shows malicious updates were deployed to 347 customer organizations over three months. How does massive supply chain scope change your notification strategy and remediation timeline?”

If Customer Trust Is Ignored:

“While investigating technical details, Jennifer reports that your largest customer is publicly questioning whether to continue using SecureFlow software. How do you balance investigation with customer relationship management?”

If Development Security Is Missed:

“Your malware removal is complete, but Sarah discovered attackers gained access through basic developer credential phishing. How do you prevent future development environment compromise while maintaining development velocity?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish software supply chain crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing supply chain attacks and development environment security.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of supply chain security challenges. Use the full set of NPCs to create realistic customer panic and development security pressures. The two rounds allow discovery of supply chain scope affecting hundreds of customers, raising stakes. Debrief can explore balance between software integrity and customer trust.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing development environment security, customer software integrity verification, Fortune 500 relationship management, and supply chain incident coordination. The three rounds allow for full narrative arc including supply chain compromise scope and customer trust recovery.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate DevOps automation causing false positives). Make containment ambiguous, requiring players to justify customer-facing decisions with incomplete forensic data. Remove access to reference materials to test knowledge recall of APT behavior and supply chain security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Software forensics reveal sophisticated remote access techniques using PowerShell, WMI, and legitimate cloud storage services to maintain persistent access to SecureFlow’s development environment. Build pipeline analysis shows malicious code injected into automated deployment systems, bypassing code review and signing processes. Customer reports indicate unusual network behavior from recently deployed software updates affecting Fortune 500 manufacturers and retailers.”

Clue 2 (Minute 10): “Timeline analysis shows attackers compromised developer credentials through targeted social engineering three months ago, systematically injecting malicious code into production software builds affecting 347 customer organizations across global supply chains. Command and control infrastructure uses legitimate cloud services and content delivery networks making detection extremely difficult. Security assessment reveals attackers specifically targeted SecureFlow to access multiple Fortune 500 customers through single software vendor compromise.”

Clue 3 (Minute 15): “Major Fortune 500 retailer reports production system shutdown traced to compromised SecureFlow software update. News outlets investigating reports of widespread supply chain security incident affecting manufacturing and logistics sectors. Legal counsel warns that software liability and customer trust implications could threaten company survival without immediate transparent communication and verified clean software deployment.”


Pre-Defined Response Options

Option A: Complete Development Environment Remediation & Customer Notification

  • Action: Completely rebuild development environment from verified clean systems, implement enhanced DevSecOps security controls, immediately notify all affected customers about software supply chain compromise, deploy verified clean software updates with emergency patch coordination.
  • Pros: Completely eliminates persistent access and prevents further supply chain poisoning; demonstrates transparent software vendor security practices; maintains customer trust through proactive communication.
  • Cons: Development environment rebuild requires significant time affecting software release schedules; customer notifications may damage reputation and competitive position; some customers may abandon SecureFlow software.
  • Type Effectiveness: Super effective against APT malmon type; complete environment remediation prevents continued development pipeline compromise and supply chain poisoning.

Option B: Selective Remediation & Targeted Customer Response

  • Action: Remediate confirmed compromised systems, implement enhanced monitoring of development environment, selectively notify only customers with confirmed malicious code deployment, conduct thorough forensic investigation before broader communication.
  • Pros: Allows continued software development during remediation; minimizes immediate customer relationship damage; enables targeted security response focused on verified compromises.
  • Cons: Risks continued supply chain poisoning during investigation period; delayed notifications may violate software vendor ethical obligations; partial remediation may leave backdoors for re-compromise.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate development environment access; delays complete supply chain security restoration.

Option C: Phased Software Integrity Verification & Customer Support

  • Action: Implement emergency software integrity verification tools for customer deployment, phase development environment remediation by priority systems, establish secure customer communication channels, deploy verified clean updates while investigating full compromise scope.
  • Pros: Enables customers to verify software integrity in their environments; maintains critical development operations during investigation; demonstrates customer-focused security response.
  • Cons: Phased approach extends remediation timeline; integrity tools may not detect all supply chain compromises; customers performing their own verification may lose confidence in SecureFlow software.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes customer protection over complete vendor environment remediation; doesn’t guarantee supply chain security restoration.
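
One way the customer-side integrity verification in Option C could work, as an added example that is not part of the scenario materials: each customer compares an installed copy against a manifest of SHA-256 digests. It assumes the manifest comes from the rebuilt clean environment and is authenticated separately, because a manifest produced by the compromised pipeline would match the poisoned builds. File names, the version string and the `config/*` customer-owned pattern are constructed for illustration.

```python
"""Triage a deployed install against a manifest from a clean rebuild (added example)."""
import hashlib
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_install(install_dir, manifest, customer_owned=()):
    """Compare every file under install_dir with the clean-rebuild manifest.

    manifest: {"version": str, "files": {posix_relative_path: sha256_hex}}
    customer_owned: glob patterns for paths the customer is expected to
    create or edit (site configuration). They are reported separately so
    legitimate customization is not mistaken for tampering.
    """
    install_dir = Path(install_dir)
    expected = manifest["files"]
    report = {"version": manifest["version"], "verified": [], "modified": [],
              "missing": [], "unexpected": [], "customer_owned": []}

    # Pass 1: every file the vendor shipped must exist and match its digest.
    for rel, want in sorted(expected.items()):
        target = install_dir / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) == want.lower():
            report["verified"].append(rel)
        else:
            report["modified"].append(rel)

    # Pass 2: files the vendor never shipped matter as much as changed ones.
    for path in sorted(install_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(install_dir).as_posix()
        if rel in expected:
            continue
        if any(fnmatchcase(rel, pattern) for pattern in customer_owned):
            report["customer_owned"].append(rel)
        else:
            report["unexpected"].append(rel)

    report["needs_investigation"] = bool(
        report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Build a constructed install tree with known deviations and triage it."""
    clean = {
        "bin/flowcore.dll": b"clean core build",
        "bin/updater.exe": b"clean updater build",
        "lib/routing.dll": b"clean routing build",
    }
    manifest = {
        "version": "0.0.0-example",  # placeholder, not a real release
        "files": {rel: hashlib.sha256(data).hexdigest()
                  for rel, data in clean.items()},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        deployed = dict(clean)
        deployed["bin/updater.exe"] = b"clean updater build + injected code"
        del deployed["lib/routing.dll"]                   # shipped file removed
        deployed["bin/helper.ps1"] = b"not shipped by vendor"
        deployed["config/site.yaml"] = b"customer settings"
        for rel, data in deployed.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage_install(root, manifest, customer_owned=("config/*",))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The separate `customer_owned` bucket reflects the scenario's "Customer Environment Variation" red herring: site configuration differs between deployments and should be reviewed, not treated as evidence of poisoning.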

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Software Supply Chain Compromise Discovery (35-40 min)

Investigation Clues (Time-stamped)

T+0 (Round Start): “It’s Tuesday morning at SecureFlow Systems. Your software company provides critical supply chain management solutions to 347 Fortune 500 manufacturers, retailers, and logistics companies. Development team preparing quarterly software update when unauthorized modifications discovered in build environment. Security analysis suggests sophisticated attackers may have injected malicious code into customer deployments.”

T+10 (Detective): “Development Manager Sarah Kim’s build pipeline forensics reveal sophisticated remote access using PowerShell, WMI, and legitimate cloud services for persistent access. Code repositories show suspicious commits bypassing normal approval processes. Timeline analysis indicates compromise three months ago through developer credential phishing - systematic malicious code injection into production builds affecting hundreds of customer organizations.”

T+15 (Protector): “Security Architect Alex Thompson’s analysis confirms development environment compromise with fileless execution and legitimate system administration tools. Build systems show code injection circumventing code signing processes. Endpoint analysis reveals attackers used cloud CDN networks for command and control - extremely difficult to detect. Customer deployment assessment suggests poisoned software may be running in production environments across global supply chains.”

T+20 (Tracker): “Command and control infrastructure analysis reveals APT-level sophistication targeting software vendors to compromise multiple downstream customers. Traffic patterns indicate supply chain poisoning campaign affecting software development companies. Threat intelligence shows similar attacks on other enterprise software vendors - coordinated operation targeting B2B software distribution chains to maximize impact across Fortune 500 customer base.”

T+25 (Communicator): “Customer Success Director Jennifer Chen receiving urgent inquiries from major clients about unusual software behavior. CTO Marcus Rodriguez analyzing customer reports showing unexpected network activity from deployed SecureFlow updates. Legal counsel warning about software vendor liability for supply chain security. Fortune 500 manufacturer reports production line shutdown traced to suspicious SecureFlow software activity.”

Response Options

Option A: Emergency Development Environment Isolation

  • Action: Immediately halt all software releases, isolate development environment, initiate comprehensive supply chain forensics, prepare emergency customer notification
  • Pros: Stops supply chain poisoning immediately; demonstrates responsible vendor security practices
  • Cons: Disrupts customer software update schedules; may trigger customer panic
  • NPC Reactions:
    • Marcus: “This stops all releases, but customer trust requires immediate action.”
    • Jennifer: “Major customers will demand explanations about production shutdowns.”

Option B: Monitored Investigation

  • Action: Continue development operations while implementing enhanced monitoring, document full compromise scope, prepare comprehensive customer communication after complete investigation
  • Pros: Maintains business operations; gathers complete forensic evidence before customer notification
  • Cons: Risks continued supply chain poisoning during investigation; delayed notification may violate vendor obligations
  • NPC Reactions:
    • Alex: “We can learn full scope, but every release risks more customer compromise.”
    • Legal: “Delayed notification after knowing about compromise creates significant liability.”

Option C: Selective Build Verification

  • Action: Implement emergency build integrity verification, selective customer notification for confirmed compromised versions, phased development environment remediation
  • Pros: Balances customer protection with business continuity; targeted response to verified compromises
  • Cons: Partial approach may miss some poisoned builds; complex customer communication
  • NPC Reactions:
    • Marcus: “Reasonable compromise - verify builds while remediating environment.”
    • Fortune 500 Customer: “How do we know which versions are safe?”

Pressure Events

T+30: “PRESSURE EVENT - Major Fortune 500 retailer CIO: ‘Our security team detected suspicious network activity from SecureFlow software. We’ve shut down affected systems impacting 500 retail locations. Explain immediately what’s happening with your software or we’re terminating our multi-million dollar contract and pursuing damages.’ Response required within hours.”

Round 1 Transition

Based on team response choice, reveal:

If Emergency Isolation: “Your rapid isolation prevented further supply chain poisoning. Forensics confirms approximately 40% of quarterly builds compromised - affecting 139 customer organizations. Attackers maintained persistent development environment access for 3 months. Customer notification will trigger immediate scrutiny of your entire software supply chain security.”

If Monitored Investigation: “Your monitoring documented extensive supply chain poisoning. Attackers compromised 65% of builds affecting 225 customer organizations. Evidence shows malicious code designed for data exfiltration and backdoor access. Legal warns: continued operations knowing about compromise constitutes gross negligence with severe liability implications.”

If Selective Verification: “Critical builds verified and some customers notified, but investigation reveals deeper compromise. Approximately 55% build poisoning affecting 191 customers. Emergency verification process identifies most compromised versions, but some variants may have evaded detection. Customer trust implications significant regardless of phased approach.”

Round 2: Customer Trust & Supply Chain Recovery (35-40 min)

Investigation Clues (Time-stamped)

T+35 (Round Start): “Development environment partially secured, but supply chain compromise scope now clear. Hundreds of Fortune 500 customers potentially running poisoned software. Team must decide: immediate transparent disclosure to all customers, targeted notification to confirmed-compromised deployments, or phased communication while deploying verified clean updates.”

T+45 (Detective): “Supply chain forensics complete. Malicious code capabilities: data exfiltration, remote access backdoors, credential harvesting. Attackers specifically targeted SecureFlow to access multiple Fortune 500 supply chains through trusted vendor software. Timeline shows systematic poisoning aligned with quarterly release cycles. Evidence sufficient for law enforcement notification but attribution remains uncertain.”

T+50 (Protector): “Customer deployment security assessment reveals extensive impact. Poisoned software deployed across manufacturing, retail, and logistics Fortune 500 organizations. Some customers already detecting suspicious activity and initiating their own investigations. Security rebuild estimated at 4-6 weeks for comprehensive development environment remediation. Emergency verified clean builds possible in 7-10 days with intensive validation protocols.”

T+55 (Tracker): “Supply chain attack analysis indicates highly sophisticated APT operation. Similar targeting patterns detected against other B2B software vendors suggest coordinated campaign. Attribution points toward state-sponsored actors or well-resourced criminal organization. Industry intelligence sharing reveals SecureFlow is one of multiple vendors compromised in broader supply chain operation affecting Fortune 500 ecosystem.”

T+60 (Communicator): “Jennifer managing customer crisis communications - multiple Fortune 500 clients threatening contract termination and pursuing damages for production disruptions. Marcus coordinating emergency patch development while managing developer morale after credential compromise. Industry media investigating rumors of widespread software supply chain attack. Competitor vendors leveraging incident for competitive advantage.”

Response Options

Option A: Transparent Supply Chain Disclosure

  • Action: Immediate notification to all 347 customers about supply chain compromise, deploy verified clean updates, offer comprehensive security assessment support, coordinate industry-wide supply chain security response
  • Pros: Demonstrates vendor accountability; protects customer environments; maintains long-term trust through transparency
  • Cons: May trigger immediate contract terminations; competitive disadvantage; potential financial damages
  • Victory Conditions:
    • Technical: Clean development environment with verified secure builds
    • Business: Customer relationships preserved through transparent crisis management
    • Learning: Team understands supply chain security vendor obligations

Option B: Targeted Customer Response

  • Action: Notify only confirmed-compromised customers, enhanced monitoring for all deployments, comprehensive investigation before broader disclosure, deploy targeted patches
  • Pros: Minimizes immediate business impact; focused response to verified compromises; maintains some customer confidence
  • Cons: May violate vendor ethical obligations; risks customer discovery before notification; incomplete protection
  • Victory Conditions:
    • Technical: Confirmed compromises remediated with validation
    • Business: Critical customer relationships maintained through managed disclosure
    • Learning: Team appreciates complexity of supply chain disclosure decisions

Option C: Phased Industry Coordination

  • Action: Coordinate with industry vendors and security organizations, implement customer verification tools, phase disclosure while deploying verified updates, establish supply chain security consortium
  • Pros: Industry-wide approach reduces competitive disadvantage; customer-empowering verification tools; demonstrates leadership
  • Cons: Complex coordination delays full disclosure; customers may distrust vendor-provided verification; regulatory scrutiny
  • Victory Conditions:
    • Technical: Customer verification enables independent security validation
    • Business: Industry coordination mitigates competitive impact
    • Learning: Team learns collaborative supply chain security response

Pressure Events

T+70: “PRESSURE EVENT - Security researcher publicly discloses: ‘Major supply chain attack affecting Fortune 500 companies traced to SecureFlow Systems software. Hundreds of organizations potentially compromised. Vendor awareness unclear. Customers deserve immediate transparency.’ Tweet viral with 50K+ retweets. Media demanding immediate response.”

Facilitation Questions

  • “What obligations exist to protect customers when your software becomes an attack vector?”
  • “How do you balance business survival with transparent supply chain disclosure?”
  • “What industry coordination is needed when supply chain attacks affect entire ecosystems?”
  • “How do you rebuild software vendor trust after systematic supply chain poisoning?”

Victory Conditions

Technical Victory:

  • Complete development environment remediation with verified security
  • Customer deployments cleaned with validated patches
  • Build pipeline security enhanced preventing future compromise
  • Industry threat intelligence shared for collective security

Business Victory:

  • Customer relationships maintained through appropriate crisis response
  • Competitive position protected despite supply chain incident
  • Legal liability minimized through responsible disclosure
  • Industry leadership demonstrated through transparent security practices

Learning Victory:

  • Team understands software supply chain attack mechanics
  • Participants recognize vendor obligations transcend business interests
  • Group demonstrates sophisticated crisis management balancing multiple stakeholder demands
  • Discussion includes lessons for DevSecOps and supply chain security

Debrief Topics

  1. Supply Chain Attack Mechanics: How vendor compromise enables downstream customer impact
  2. Software Vendor Obligations: Ethical and legal responsibilities during supply chain incidents
  3. DevSecOps Security: Build pipeline protection and code signing integrity
  4. Customer Trust Economics: Impact of supply chain breaches on vendor relationships
  5. Industry Coordination: Collaborative security response to systemic threats

Full Game Materials (120-140 min, 3 rounds)

[Comprehensive materials adapted for supply chain context with focus on:]

  • Round 1: Initial build pipeline compromise discovery with developer environment forensics
  • Round 2: Customer impact assessment with Fortune 500 relationship management
  • Round 3: Supply chain recovery strategy balancing transparency, business survival, and industry coordination
  • NPCs: Sarah Kim (Development Manager), Marcus Rodriguez (CTO), Jennifer Chen (Customer Success Director), Alex Thompson (Security Architect)
  • Pressure Events: Customer production shutdowns, public disclosure, competitive exploitation, media investigation
  • Strategic Decisions: Customer notification approach, development rebuild timing, industry coordination, legal liability management

Advanced Challenge Materials (150-170 min, 3+ rounds)

Additional Complexity Layers

Red Herrings

  1. Legitimate DevOps Automation:
    • CI/CD pipeline automated processes creating build modifications
    • Cloud-based development tools generating unusual network patterns
    • Developer productivity tools with remote access features
    • IM Challenge: Distinguish malicious code injection from authorized DevOps automation
  2. Developer Workflow Complexity:
    • Remote developers accessing build systems from various locations
    • Offshore development teams creating off-hours activity patterns
    • Open-source component integration triggering security alerts
    • IM Challenge: Separate authorized development activity from attacker persistence
  3. Customer Environment Variation:
    • Different customer deployment configurations creating varied behavior
    • Customer customizations affecting software functionality
    • Network monitoring false positives from legitimate software features
    • IM Challenge: Differentiate malicious behavior from customer configuration issues

Knowledge Recall Testing

Teams must recall from training:

  1. Supply Chain Security:
    • What defines a software supply chain attack?
    • How do vendor compromises amplify to downstream customers?
    • What code signing and verification processes prevent tampering?
    • When are software vendors liable for customer security impacts?
  2. DevSecOps Principles:
    • What security controls protect build pipelines?
    • How do you verify software integrity throughout development?
    • What role does code signing play in supply chain trust?
    • How do you implement a secure software development lifecycle?
  3. Vendor Crisis Management:
    • When must software vendors disclose security incidents?
    • What customer notification obligations exist during supply chain attacks?
    • How do you balance business survival with transparent disclosure?
    • What industry coordination mechanisms exist for supply chain security?

Advanced Facilitation Challenges

Challenge 1: Vendor Liability Dilemma

“Forensics shows supply chain poisoning but legal argues immediate disclosure triggers customer lawsuits for damages exceeding company assets - bankruptcy certain. Delayed disclosure violates ethical obligations but preserves some business capacity. Do you prioritize vendor survival or customer protection knowing disclosure means company failure?”

Challenge 2: Industry Coordination vs. Competitive Advantage

“Coordinating with other vendors shares threat intelligence but also reveals your security failures to competitors who may exploit incident for market share. Solo response protects competitive position but leaves industry vulnerable. What obligation exists to industry-wide security vs. business interests?”

Challenge 3: Customer Verification Trust

“You offer tools for customers to verify software integrity, but some customers don’t trust vendor-provided verification. They demand third-party assessment costing millions. Do you fund independent verification acknowledging distrust, or maintain vendor-provided tools risking customer departure?”

Challenge 4: Attribution Uncertainty

“Evidence suggests state-sponsored actors but attribution not conclusive. Public attribution risks geopolitical implications and potential counterattacks. Attributing to criminals simplifies response but may be incorrect. How do you handle attribution uncertainty in customer communications and law enforcement coordination?”

Scenario Variations

Variation 1: Customer Discovers Compromise First

  • Fortune 500 customer security team detects supply chain attack
  • Customer publicly announces SecureFlow compromise before vendor notification
  • Team must respond to customer-initiated public disclosure
  • Additional pressure: Reactive vendor response after customer lost trust

Variation 2: Competitor Exploitation

  • Competing vendor leverages incident aggressively for market share
  • Customer migration accelerating during investigation
  • Competitor claims superior security but may face similar risks
  • Additional pressure: Competitive crisis during security remediation

Variation 3: Regulatory Investigation

  • FTC investigates supply chain security practices
  • Congressional hearing on software supply chain security
  • Industry-wide regulatory scrutiny and potential legislation
  • Additional pressure: Regulatory compliance during crisis management

Modernization Discussion

Contemporary Parallels:

  • SolarWinds Orion supply chain attack affecting 18,000+ organizations
  • Kaseya VSA supply chain ransomware affecting 1,500+ downstream victims
  • Codecov supply chain compromise affecting thousands of software companies
  • Log4Shell vulnerability demonstrating supply chain dependency risks

Evolution Questions:

  • How do modern cloud-based development environments change supply chain security?
  • What role does software bill of materials (SBOM) play in supply chain transparency?
  • How has zero trust architecture affected software vendor security?
  • What new regulatory frameworks address software supply chain risks (Executive Order 14028)?