Poison Ivy Scenario: Supply Chain Infiltration

Poison Ivy Scenario: Supply Chain Infiltration

TechBridge IT Solutions: Managed service provider with 300 employees serving 200+ client companies

Supply Chain Surveillance • PoisonIvy

STAKES

Client trust + Release integrity + Downstream security + Contractual resilience

HOOK

Platform operations teams report unauthorized changes in automation scripts, unexplained remote sessions on release engineering hosts, and after-hours access to client integration repositories. Network review shows encrypted outbound traffic from core management nodes while routine endpoint scans show fragmented indicators.

PRESSURE

• Decision deadline: Thursday 5:30 PM
• Client scope: 200+ downstream client companies
• Exposure estimate: $4.8 million projected incident response and contractual exposure

FRONT • 120 minutes • Intermediate

TechBridge IT Solutions: Managed service provider with 300 employees serving 200+ client companies

Supply Chain Surveillance • PoisonIvy

NPCs

• Michael Torres (CEO): Owns strategic risk decisions and contractual posture
• Jessica Wu (CTO): Leads release-pipeline integrity investigation
• Ryan Cooper (CISO): Directs containment and evidential preservation
• Karen Shah (VP Client Services): Coordinates client communications and trust recovery

SECRETS

• Privileged automation channels were trusted broadly across production release workflows
• Access boundaries around client deployment profiles exceeded least-privilege expectations
• Covert activity prioritized orchestration and profile-management repositories before visible disruption

Poison Ivy Scenario: Supply Chain Infiltration

Nihon IT Services: Managed service provider with 400 employees serving 250+ client companies

Supply Chain Surveillance • PoisonIvy

STAKES

Client trust + Release integrity + Downstream security + Contractual resilience

HOOK

Platform operations teams report unauthorized changes in automation scripts, unexplained remote sessions on release engineering hosts, and after-hours access to client integration repositories. Network review shows encrypted outbound traffic from core management nodes while routine endpoint scans show fragmented indicators.

PRESSURE

• Decision deadline: Thursday 17:30
• Client scope: 250+ downstream client companies
• Exposure estimate: JPY 620 million projected incident response and contractual exposure

FRONT • 120 minutes • Intermediate

Nihon IT Services: Managed service provider with 400 employees serving 250+ client companies

Supply Chain Surveillance • PoisonIvy

NPCs

• Shacho Kenji Nakamura (CEO): Owns strategic risk decisions and contractual posture
• Sakura Ito (CTO): Leads release-pipeline integrity investigation
• Ryota Sato (CISO): Directs containment and evidential preservation
• Mei Takahashi (VP Client Services): Coordinates client communications and trust recovery

SECRETS

• Privileged automation channels were trusted broadly across production release workflows
• Access boundaries around client deployment profiles exceeded least-privilege expectations
• Covert activity prioritized orchestration and profile-management repositories before visible disruption

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

PoisonIvy Supply Chain Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

PoisonIvy Supply Chain Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It is Tuesday at 9:05 AM at TechBridge IT Solutions. Release teams preparing scheduled client updates report unauthorized script changes, unexplained control activity on management hosts, and unusual after-hours access to integration repositories. Security staff confirm recurring outbound encrypted sessions from systems used to manage multiple client environments. Leadership must contain the breach before downstream client operations are affected.”

“Initial command alert logged at 9:05 AM. Regional context: US.”

“Operational scale: Managed service provider with 300 employees serving 200+ client companies.”

“It is Tuesday at 09:05 at Nihon IT Services. Release teams preparing scheduled client updates report unauthorized script changes, unexplained control activity on management hosts, and unusual after-hours access to integration repositories. Security staff confirm recurring outbound encrypted sessions from systems used to manage multiple client environments. Leadership must contain the breach before downstream client operations are affected.”

“Initial command alert logged at 09:05. Regional context: Japan.”

“Operational scale: Managed service provider with 400 employees serving 250+ client companies.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Release orchestration jobs show unauthorized modifications in automation scripts”
• “Privileged management hosts register unexplained remote-control behavior”
• “Client deployment profiles show after-hours access outside approved change windows”
• “Encrypted outbound traffic persists from systems that manage multi-client environments”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Timeline review shows covert access preceding visible release anomalies
• Access records indicate targeting of deployment orchestration and profile repositories
• Evidence suggests sustained observation designed for downstream leverage

Protector System Analysis:

Note🛡️ Protector System Analysis

• Host triage confirms covert-control indicators on release-management nodes
• Privilege review identifies overbroad trust relationships in deployment automation
• Containment must preserve evidence while reducing downstream client risk immediately

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Beaconing patterns indicate coordinated command infrastructure and staged transfer behavior
• Lateral activity traces follow pathways connecting release systems to client profile stores
• Traffic profile aligns with supply-chain surveillance and downstream expansion tactics

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Client account teams need defensible language for integrity and remediation posture
• Engineering leadership requires clear release freeze and rollback criteria
• Legal and oversight stakeholders require evidence quality indicators for disclosure timing

Mid-Scenario Pressure Points:

• Hour 1: Client operations teams report unexplained behavior linked to the latest managed updates
• Hour 2: Leadership cannot confirm integrity status for recently staged deployments
• Hour 3: Enterprise clients demand immediate assurance on provider-channel trust
• Hour 4: Contractual escalation risk increases as unresolved scope grows

Evolution Triggers:

• If containment is delayed, downstream risk expands through trusted provider pathways
• If release systems are reset too early, evidential confidence is lost
• If client communication lags, trust and contractual resilience degrade quickly

Resolution Pathways:

Technical Success Indicators:

• Covert access paths are removed and release systems return to trusted baselines
• Evidence timeline is preserved for contractual and regulatory review
• Deployment governance is hardened for profile and orchestration integrity

Business Success Indicators:

• Client communication remains timely, accurate, and confidence-scoped
• Release decisions remain defensible under documented risk analysis
• Incident response preserves strategic relationships across major client accounts

Learning Success Indicators:

• Team recognizes provider-channel surveillance patterns in managed-service environments
• Participants balance containment urgency with evidence-preservation discipline
• Group coordinates engineering, security, and client-facing decisions effectively

Common IM Facilitation Challenges:

If Teams Focus on Internal Recovery Only:

“What immediate controls reduce client-side risk in the next hour while your investigation is still incomplete?”

If Teams Delay Oversight Coordination:

“State Attorney General contacts and key client audit teams request incident status, evidential controls, and assurance of release pipeline integrity.”

“PPC contacts and key client audit teams request incident status, evidential controls, and assurance of release pipeline integrity.”

If Teams Skip Trust-Restoration Planning:

“Which client segments require direct escalation first, and what evidence supports your assurance language?”

Success Metrics for Session:

• Team identifies covert access paths affecting release and profile-management systems
• Containment actions reduce downstream client risk without sacrificing evidence quality
• Oversight and client communication remains timely and defensible
• Release-governance decisions align with verified integrity confidence
• Long-term managed-service supply-chain resilience controls are clearly scoped

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Detect covert release-pipeline surveillance and set immediate downstream protections
Key Actions: Freeze risky workflows, preserve evidence, and issue initial client-integrity posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinate release triage, client communication, and oversight escalation
Key Actions: Build integrity confidence, isolate high-risk automation paths, align account messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end managed-service supply-chain response under enterprise client pressure
Key Actions: Balance release continuity with defensible containment and contractual trust recovery

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous integrity scope, multi-client escalation, and contractual authority conflict
Additional Challenges: Compressed response windows and contested release-decision governance

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at TechBridge IT Solutions confirms covert control on release management infrastructure.
• Clue 2 (Minute 10): Karen Shah confirms that update orchestration logs show unauthorized access to client deployment profiles tied to this week’s release cohort.
• Clue 3 (Minute 15): CEO Michael Torres starts an emergency leadership brief and states that client trust will collapse if update integrity is uncertain. CTO Jessica Wu confirms unexplained process execution in release orchestration systems. CISO Ryan Cooper reports persistent remote-control artifacts across high-privilege service hosts. VP Client Services Karen Shah requests immediate guidance for client-facing risk communications.

• Clue 1 (Minute 5): Security operations at Nihon IT Services confirms covert control on release management infrastructure.
• Clue 2 (Minute 10): Mei Takahashi confirms that update orchestration logs show unauthorized access to client deployment profiles tied to this week’s release cohort.
• Clue 3 (Minute 15): Shacho Kenji Nakamura starts an emergency leadership brief and states that client trust will collapse if update integrity is uncertain. CTO Sakura Ito confirms unexplained process execution in release orchestration systems. CISO Ryota Sato reports persistent remote-control artifacts across high-privilege service hosts. VP Client Services Mei Takahashi requests immediate guidance for client-facing risk communications.

Pre-Defined Response Options

• Option A: Evidence-First Release Containment

  • Action: Isolate affected orchestration hosts, preserve artifacts, and enforce staged release validation before any redeployments.
  • Pros: Maximizes evidential confidence and long-term client trust.
  • Cons: Short-term disruption to release cadence and account expectations.
  • Type Effectiveness: Super effective for durable supply-chain resilience.

• Option B: Continuity-First Operations

  • Action: Maintain broad release operations while applying targeted controls around identified high-risk components.
  • Pros: Preserves near-term service continuity for clients.
  • Cons: Increases likelihood of ongoing covert access and downstream uncertainty.
  • Type Effectiveness: Partially effective with elevated trust risk.

• Option C: Phased Integrity Restoration

  • Action: Prioritize highest-risk client pathways and restore lower-risk workflows in controlled waves.
  • Pros: Balances operational urgency with verification discipline.
  • Cons: Extended uncertainty can strain enterprise-client confidence.
  • Type Effectiveness: Moderately effective with strong governance controls.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Provider-Channel Exposure (30-35 min)

• Opening: CEO Michael Torres starts an emergency leadership brief and states that client trust will collapse if update integrity is uncertain. CTO Jessica Wu confirms unexplained process execution in release orchestration systems. CISO Ryan Cooper reports persistent remote-control artifacts across high-privilege service hosts. VP Client Services Karen Shah requests immediate guidance for client-facing risk communications.
• Clue 1 (Minute 10): Host telemetry indicates repeated after-hours control sessions on release-management systems.
• Clue 2 (Minute 20): Karen Shah confirms that update orchestration logs show unauthorized access to client deployment profiles tied to this week’s release cohort.

• Opening: Shacho Kenji Nakamura starts an emergency leadership brief and states that client trust will collapse if update integrity is uncertain. CTO Sakura Ito confirms unexplained process execution in release orchestration systems. CISO Ryota Sato reports persistent remote-control artifacts across high-privilege service hosts. VP Client Services Mei Takahashi requests immediate guidance for client-facing risk communications.
• Clue 1 (Minute 10): Host telemetry indicates repeated after-hours control sessions on release-management systems.
• Clue 2 (Minute 20): Mei Takahashi confirms that update orchestration logs show unauthorized access to client deployment profiles tied to this week’s release cohort.

Round 2: Oversight and Client-Trust Decisions (30-35 min)

• Clue 3 (Minute 35): State Attorney General contacts and key client audit teams request incident status, evidential controls, and assurance of release pipeline integrity.
• Clue 4 (Minute 45): FBI and CISA cite repeated campaigns where managed-service compromise enabled broad downstream access through trusted provider channels.
• Pressure Event (Minute 55): “Leadership requires a release and communication decision by Thursday 5:30 PM.”
• Coordination Note: “Immediate external coordination: FBI and CISA plus State Attorney General channels under SOC 2 and state privacy obligations.”

• Clue 3 (Minute 35): PPC contacts and key client audit teams request incident status, evidential controls, and assurance of release pipeline integrity.
• Clue 4 (Minute 45): NISC and JPCERT/CC cite repeated campaigns where managed-service compromise enabled broad downstream access through trusted provider channels.
• Pressure Event (Minute 55): “Leadership requires a release and communication decision by Thursday 17:30.”
• Coordination Note: “Immediate external coordination: NISC and JPCERT/CC plus PPC supervisory channels under APPI obligations under PPC oversight.”

Debrief Focus

• How provider-channel surveillance changes downstream risk assumptions
• What evidence quality is required before client-integrity assurances
• Which release controls should be prebuilt for future managed-service incidents
• How Operation Cloud Hopper lessons apply to current MSP trust models