Large Group Facilitator Guide: Winnti – Biotech R&D Espionage

Tip

Quick Reference

  • Format: Multi-Team Coordination
  • Session length: 150 min + 25 min debrief
  • Teams: Alpha (Forensics) / Bravo (Network/Infrastructure) / Charlie (Business Impact)
  • Organization: BioGenix Solutions (Danish biosolutions firm, 1,800 employees) – DK variant only
  • Expertise level: Expert (recommended for IMs with 3+ standard sessions)
  • IC structure: Two ICs, mid-session handover after Round 2-3 (approx. T+70)
  • Central dilemma: Preserve forensic evidence for counterintelligence value vs. immediate eradication – and disclose the merger data room compromise now or scope it first?
  • Red herring: None. Expert difficulty comes from multi-thread coordination (forensic preservation + regulatory + merger + counterintelligence), not deception.
  • For format selection, IC briefing, and general facilitation mechanics, see the Large Group Facilitation Guide.
Tip

First time running this scenario?

Three things to do before reading further:

  1. Go to the Envelope Packing Checklist at the bottom of this guide – pack envelopes first.
  2. Go to the Session Timeline Card at the bottom of this guide – print and laminate.
  3. Read the Session Preparation and Execution Guide for room setup and day-of execution.

Then come back and read from the top.

Note

Optional: Dice

  • IC containment rolls: Hard (15+), from Round 3
  • Time pressure modifier: -2 (merger timeline; data room compromise disclosure urgency)
  • Best roll moment: Round 4 – the preserve/eradicate call or the merger disclosure call; both are valid single-decision roll points
  • Dual-IC note: The IC handover at T+70 is a facilitation moment, not a dice moment. The incoming IC makes any Round 4+ rolls. Advantage triggers when all 3 teams and the outgoing IC have aligned on a recommendation before the incoming IC calls it.

21 Artifacts at a Glance

No red herring. Winnti runs clean – the complexity is in the multi-thread decision coordination, not in tracking deception. Six injects, Expert difficulty, four NPC roles, IC handover, and a 3-way regulatory cascade at T+95.

| Tier | Team | Card | Key Content |
|---|---|---|---|
| R1 | Alpha | Initial Indicator 1: CaliSyncPro Update Manifest and Process Tree | calibsvc.exe spawning encoded PowerShell; net.exe user svc-rdbridge-admin /domain; OCSP: NOT CHECKED |
| R1 | Alpha | Initial Indicator 2: Azure AD Sign-In Anomaly | svc-rdbridge-admin from HANSEN-SAP-01; Risk: HIGH; CA: BYPASSED (COLLBRIDGE-EXCL-003) |
| R1 | Bravo | Initial Indicator 1: Collaborative Bridge VPN Connection Log | NTLM auth from HANSEN-SAP-01 to cloud R&D; no MFA; off-hours; active right now |
| R1 | Bravo | Initial Indicator 2: Calibration Workstation Network Baseline Deviation | All 3 workstations to 203.0.113.44:443 within 9 minutes of update chain |
| R1 | Charlie | Initial Indicator 1: GenixLibrary R&D Scope and Merger Data Room Status | 3 years of sequence data; acquisition data room packages prepared; Friday deadline |
| R1 | Charlie | Initial Indicator 2: HANSEN-SAP-01 Decommissioning Record | ITSM-29847 open 18 months; no owner; unpatched; SOC excluded; network connected |
| R2-3 | Alpha | Deep Analysis 1: HANSEN-SAP-01 Memory Forensics Output | Hidden PID 4028 with active C2 to 203.0.113.44:443; DKOM hook; 5 hidden processes |
| R2-3 | Alpha | Deep Analysis 2: Kernel Driver Certificate Revocation Chain | SN 4A9F02B1 revoked 2025-11-14 (110 days before deployment); key compromise reason |
| R2-3 | Alpha | Deep Analysis 3: Pass-the-Hash Authentication Forensics | 11 sessions, 0 interactive logons, 0 Kerberos TGTs; NTLM hash reuse confirmed |
| R2-3 | Bravo | Deep Analysis 1: Collaborative Bridge Lateral Movement Log | 11 NTLM sessions Dec–Mar; all off-hours; all bypassing CA via COLLBRIDGE-EXCL-003 |
| R2-3 | Bravo | Deep Analysis 2: Azure Conditional Access Bypass Detail | Exception created 2024-11-14; never reviewed; no expiry; CTO approved |
| R2-3 | Bravo | Deep Analysis 3: Legacy Auth Exception Policy Record | ITSM-29847 timeline; unassigned owner; patching paused; SOC excluded |
| R2-3 | Charlie | Deep Analysis 1: Merger Counterparty Data Room Exposure Assessment | Both acquisition packages accessed by attacker; v1 already shared with counterparty |
| R2-3 | Charlie | Deep Analysis 2: GDPR Article 33 Notification Obligation Framework | 72-hour window; partial notification accepted; Datatilsynet ref DT-2026-0847 |
| R2-3 | Charlie | Deep Analysis 3: CTO Decision Paper – GenixLibrary Access Suspension | Recommends full suspension; 3 active fermentation programs affected; IC decision |
| R4-5 | Alpha | Development 1: Forensic Evidence Preservation Status | Memory image + driver captured (chain of custody); NetFlow window closes 48 hrs |
| R4-5 | Alpha | Development 2: CFCS Attribution Bulletin CB-2026-0312 | 4 Danish biotech victims; same cert SN; same C2; CFCS requests kernel driver |
| R4-5 | Bravo | Development 1: 90-Day Exfiltration Traffic Analysis | 847 GB to graph-api-sync.bioanalytics.net; 20x legitimate Microsoft volume |
| R4-5 | Bravo | Development 2: DLP Classification Failure Detail | 3 independent DLP gaps; acquisition packages were largest sessions (19-21 GB each) |
| R4-5 | Charlie | Development 1: Regulatory and Intelligence Authority Workstream Map | 3 parallel non-blocking tracks: Datatilsynet, CFCS, PET – each needs a named owner |
| R4-5 | Charlie | Development 2: Merger Advisor Briefing Position Paper | Options A/B/C; C ruled out; advisor needs position before boarding in 2 hours |

Opening Delivery

Winnti is a slow discovery, not a crisis event. BioGenix discovered this at 07:45 on a Monday during routine SOC shift handover – not during a ransom screen moment. The drama builds as layers are peeled back: supply chain compromise, then kernel persistence, then 3 months of data walking out the door disguised as Microsoft telemetry.

Brief both ICs before session open: IC #1 manages Rounds 1–2, IC #2 takes over at the handover point after Round 2-3. Both ICs need to understand the 5-item handover checklist (see below) before the session begins.

Brief IC #1: your job in Round 1 is synthesis, not decision-making. You will hear three separate threads from three teams. Your task is to find the connection – specifically, which thread represents the active attack path right now. Hint: ask Bravo.

Brief IC #2 before the session starts (or during R2-3 while IC #1 is running): you are inheriting a mid-incident command. The 5-item handover checklist is your contract with IC #1. If IC #1 cannot fill it in, that is a debrief finding.

“It is Monday morning at BioGenix Solutions. CISO Bent Sejrø has escalated to you after overnight monitoring flagged a cluster of anomalies. Three bioreactor calibration workstations began generating unexpected process activity after last week’s CaliSyncPro software update. GenixLibrary shows 44 off-hours batch reads with no authenticated sessions. Legacy admin credentials from HANSEN-SAP-01 – a server scheduled for decommissioning 18 months ago – are authenticating into the Azure cloud R&D environment right now. Your merger data room meeting is on Friday. Turn over your cards.”

Critical note for opening: Do not say “the attacker is in.” Say “credentials from a server that should be offline are authenticating into your R&D environment right now.” The framing must stay in symptoms – teams should arrive at “live attacker access” through their analysis, not from the opening script.

IC Handover – T+70 (After Round 2-3 Cross-Team Briefing)

The handover occurs after the Round 2-3 cross-team briefing – when exfiltration has been confirmed but the regulatory cascade has not yet hit. This is the highest-stakes transfer moment: IC #1 has the technical picture (containment done, forensics preserved) but IC #2 is about to receive the merger advisor call, Datatilsynet contact, CFCS bulletin, and PET coordination request simultaneously.

Hand the IC Handover Checklist to IC #1 five minutes before the handover. IM stays silent during the transfer. After the handover, IM asks IC #2: “What do you still not know?”

Important

IC Handover Checklist (print and hand to IC #1 at T+65)

Give this card to IC #1 before the handover. IC #1 must complete all 5 items verbally to IC #2.

After handover: IC #2 tells the room one thing they still don’t know.

If IC #2 cannot answer “what do you still not know?” – the handover failed. Name it as a debrief finding.

Round-by-Round Facilitation Notes

Round 1 – Initial Indicators

Released: All 6 R1 cards at session open

Alpha discovers: calibsvc.exe spawning encoded PowerShell + domain account query on all 3 workstations; OCSP check skipped; Azure AD HIGH risk sign-in from HANSEN-SAP-01 with CA bypassed

Bravo discovers: Active Collaborative Bridge NTLM session from HANSEN-SAP-01 right now; calibration workstations phoning home to unknown external IP 203.0.113.44 within minutes of the update chain

Charlie discovers: GenixLibrary holds 3 years of core IP and the acquisition data room packages; ITSM-29847 is 18 months overdue with no owner, no patches, and no SOC monitoring on HANSEN-SAP-01

IC synthesis: Bravo knows the active access path – HANSEN-SAP-01 is providing live cloud R&D access right now. Alpha knows the entry vector. Charlie knows why HANSEN-SAP-01 was still connected. The IC must connect: “the attacker’s active access is through the Bridge, not the workstations.”

IM navigation prompt (at 8-minute mark): “Ask Bravo: is there an active attacker session happening right now? Ask Alpha: what does the domain account query tell you about what the attacker is reaching for? Ask Charlie: what does ITSM-29847 tell you about how HANSEN-SAP-01 was still connected at all?”

End-of-round check: Has the IC identified HANSEN-SAP-01 as the active access path (not the workstations)? Has anyone raised the need to preserve memory before isolating?

Timing: 20–25 min

Round 2 – Deep Analysis, First Pass

Released: 3 cards per team at start of Round 2

Alpha discovers: 5 hidden processes on HANSEN-SAP-01 via DKOM hook; PID 4028 has active C2 connection; certificate revoked 110 days before deployment; Pass-the-Hash pattern confirmed across all 11 sessions

Bravo discovers: Full 90-day lateral movement log – 11 NTLM sessions all off-hours, all bypassing CA; COLLBRIDGE-EXCL-003 has no expiry, no review, no security sign-off; ITSM-29847 governance failure chain

Charlie discovers: Both acquisition data room packages were accessed by the attacker; GDPR 72-hour clock is running; CTO wants an IC decision on GenixLibrary access suspension

IC synthesis: Three independent parallel decisions now visible: (1) forensic preservation before isolation (Alpha); (2) close credential and exception gap simultaneously (Bravo); (3) GenixLibrary access decision + start GDPR notification owner assignment (Charlie). None of these decisions blocks the others.

IM navigation prompt: “You have three briefings in front of you. Which of these decisions depends on another one being made first – and which ones can run in parallel?”

Red flag to watch: If any team proposes reimaging HANSEN-SAP-01 before Alpha briefs the memory forensics card, play the CISO NPC line immediately: “We will lose the kernel driver artifact if we do that now. CFCS has already asked for it.”

Timing: 25 min

Round 3 – Deep Analysis, Second Pass

No new artifacts – teams continue with R2-3 material.

Alpha: Confirm chain of custody plan for memory image and kernel driver. Has CFCS been notified that the artifact exists?

Bravo: Confirm that both actions are planned: (1) credential revocation AND (2) COLLBRIDGE-EXCL-003 closure. Revoking credentials alone is insufficient if the exception persists.

Charlie: GDPR notification owner must be named. CTO’s GenixLibrary suspension decision must have an IC response – deferral without a timeline is not acceptable.

IC synthesis: The Round 3 IC task is to confirm that the Round 2 decisions have owners and deadlines – not to make new decisions. If decisions from Round 2 remain unowned entering Round 3, that is a debrief finding.

IM navigation prompt: “Before we move to the next release: name one person who owns each of the three decisions from the Round 2 briefing. Who has the forensic preservation decision? Who has the exception closure? Who has the Datatilsynet notification?”

Timing: 20 min

Round 4 – Developments (IC #2 Now in Command)

Released: 2 cards per team at start of Round 4

Alpha: Preservation is complete (memory image, driver, process logs); NetFlow window closes in 48 hours; CFCS has confirmed attribution to coordinated Danish biotech campaign – 4 victims

Bravo: 847 GB confirmed to identified attacker infrastructure – 20x the legitimate Microsoft volume; 3 independent DLP gaps all failed simultaneously; acquisition data room packages were the largest individual sessions

Charlie: Three parallel authority workstreams all non-blocking – Datatilsynet, CFCS, PET each need a named owner; merger advisor has ruled out Option C, needs position before boarding

IC synthesis: IC #2 must now make the merger data room decision and assign the three authority track owners. These are the decisions IC #2 inherited at handover. The 847 GB scope statement + the merger advisor’s 2-hour deadline create real urgency.

IM navigation prompt: “Charlie hasn’t briefed yet. Hold the merger decision until all three teams have reported.”

If IC #2 tries to move to the merger decision before Bravo briefs: “Hold – Bravo hasn’t reported yet. Does their finding change your position?”

Timing: 20–25 min

Round 5 – Closing Decisions (Optional at 155 Min)

IC #2: Confirm merger data room position (A or B – not C). Confirm Datatilsynet notification owner and content scope. Confirm CFCS artifact handoff status. Confirm NetFlow export assigned.

IM reads each gap’s debrief_question aloud in sequence. The room must name an owner before moving to the next gap.

Close: “Name one thing. One owner. One date. Go around the room – one sentence per person.”

The Central Dilemma

Preserve forensic evidence for counterintelligence value vs. immediate eradication – and disclose the merger data room compromise now or scope it first?

Winnti’s dilemma is actually two dilemmas that must be managed simultaneously:

Dilemma 1 (Technical): HANSEN-SAP-01 has an active C2 connection and a kernel rootkit. Isolating immediately cuts the active attacker access but may degrade evidence quality. The CFCS counterintelligence case depends on the kernel driver artifact with chain of custody intact. The correct sequence is: preserve memory image first, then isolate – but operational urgency creates pressure to cut the connection first.

Dilemma 2 (Commercial/Regulatory): 847 GB of genomic R&D has been exfiltrated including the acquisition data room packages. The merger counterparty has already seen v1 under NDA. Friday’s data room meeting is 4 days away. Option C (proceed without disclosure) is legally indefensible. But the merger advisor needs a scope statement with uncertainty qualifiers before Friday – which requires the IC to make a decision under incomplete information.

The central insight: these two dilemmas do not need to resolve at the same time. Technical containment decisions (Round 1-2) can and should proceed independently of the merger disclosure decision (Round 4-5). Teams that try to resolve both simultaneously will fail at both. The IC’s job is to sequence them – but the counterintelligence and regulatory workstreams create pressure to conflate them.

Information Asymmetry Map

| Alpha knows | Bravo knows | Charlie knows | IC must synthesize |
|---|---|---|---|
| HANSEN-SAP-01 has active C2; kernel rootkit is live; memory image must precede isolation | The active attacker path is Collaborative Bridge NTLM from HANSEN-SAP-01 – this is the live access, not the calibration workstations | GenixLibrary holds the acquisition data room packages; the Friday meeting depends on data integrity | Isolate HANSEN-SAP-01 (Bravo), but preserve memory first (Alpha) – these are sequenced actions, not simultaneous |
| Certificate SN 4A9F02B1 was revoked 110 days before deployment; CFCS will need the kernel driver artifact | COLLBRIDGE-EXCL-003 has no expiry – revoking credentials without closing the exception leaves a second exploitation path open | GDPR 72-hour clock is running from awareness; Datatilsynet expects a partial notification | Credential revocation AND exception closure (Bravo) = two distinct actions; the IC must confirm both completed |
| CFCS has confirmed 4 Danish biotech victims with same certificate and C2 infrastructure | 847 GB to identified infrastructure; 3 DLP rules each had an independent gap; per-session volume never triggered threshold | Three parallel authority workstreams (Datatilsynet, CFCS, PET) are non-blocking – each needs a separate named owner | Attribution confirmed (Alpha) + exfiltration scope (Bravo) = defensible merger scope statement with uncertainty qualifiers (Charlie) |
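An added illustration (not part of this guide or any BioGenix tooling) of the DLP gap in Bravo's column: a rule that looks at one session at a time never fires on sessions that each stay under its limit, while a per-destination total over the same 90-day window, checked against an approved-destination list, surfaces the look-alike domain at once. The flow records, the 25 GB and 50 GB thresholds, the allow-list and the window end are all constructed.

```python
"""Per-session DLP threshold vs. per-destination 90-day aggregate.

Added example. Flow records, thresholds and the allow-list are constructed
to mirror the cards; they are not BioGenix data or any vendor's rule syntax.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
APPROVED_DESTINATIONS = {"graph.microsoft.com"}  # constructed allow-list
WINDOW_END = datetime(2026, 3, 1)                # constructed analysis date


def _constructed_flows():
    """90 days of routine telemetry to the approved Graph endpoint, plus
    11 off-hours sessions to a look-alike domain, each below 25 GB."""
    start = datetime(2025, 12, 1)
    flows = []
    for day in range(90):
        flows.append({"ts": start + timedelta(days=day, hours=10),
                      "src": "CALIB-WS-01", "dst": "graph.microsoft.com",
                      "bytes": int(0.1 * GB)})
    sizes_gb = [9, 12, 15, 8, 20, 21, 19, 11, 14, 10, 13]  # total 152 GB
    for i, size in enumerate(sizes_gb):
        flows.append({"ts": start + timedelta(days=i * 8, hours=2),
                      "src": "HANSEN-SAP-01",
                      "dst": "graph-api-sync.bioanalytics.net",
                      "bytes": size * GB})
    return flows


SAMPLE_FLOWS = _constructed_flows()


def per_session_alerts(flows, threshold=25 * GB):
    """A per-session rule: fires only when a single session alone exceeds
    the threshold. Sessions of 19-21 GB sit under a 25 GB limit."""
    return [f for f in flows if f["bytes"] > threshold]


def cumulative_by_destination(flows, window_end=WINDOW_END, window_days=90):
    """Total bytes per destination over the trailing window."""
    window_start = window_end - timedelta(days=window_days)
    totals = defaultdict(int)
    for f in flows:
        if window_start <= f["ts"] <= window_end:
            totals[f["dst"]] += f["bytes"]
    return dict(totals)


def unapproved_volume_alerts(flows, window_end=WINDOW_END,
                             threshold=50 * GB, window_days=90):
    """Alert on any destination outside the allow-list whose trailing-window
    total exceeds the threshold, reporting its size relative to the volume
    sent to approved destinations in the same window."""
    totals = cumulative_by_destination(flows, window_end, window_days)
    approved = sum(v for d, v in totals.items() if d in APPROVED_DESTINATIONS)
    alerts = []
    for dst, total in totals.items():
        if dst in APPROVED_DESTINATIONS or total <= threshold:
            continue
        ratio = total / approved if approved else float("inf")
        alerts.append({"dst": dst, "bytes": total,
                       "ratio_to_approved": round(ratio, 1)})
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    print("per-session alerts:", per_session_alerts(SAMPLE_FLOWS))
    for a in unapproved_volume_alerts(SAMPLE_FLOWS):
        print(f"{a['dst']}: {a['bytes'] / GB:.0f} GB "
              f"({a['ratio_to_approved']}x approved volume)")
```

The look-alike domain is caught by exact-match keying against the allow-list, not by string similarity; a rule that only whitelisted "anything ending in microsoft.com" would also have passed it.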

Common Failure Modes

1. Team reimages HANSEN-SAP-01 before memory image is captured

What it looks like: Bravo or Alpha initiates isolation as the first action, before Alpha’s Deep Analysis 1 (memory forensics) has been briefed.

IM response: Play CISO NPC line immediately – do not wait for the cross-team briefing: “We will lose the kernel driver artifact if we do that now. CFCS has already asked for it.”

2. Credential revocation without closing the exception

What it looks like: IC confirms svc-rdbridge-admin is revoked but does not ask whether COLLBRIDGE-EXCL-003 has been closed. The path remains open for exploitation via another account in the HANSEN-SAP-01 subnet.

IM response: “Bravo – if the credentials are revoked, is the Conditional Access path into Azure AD still open via that exception? What would close it completely?”

3. CFCS coordination delays GDPR notification

What it looks like: Team treats the Datatilsynet notification as blocked until CFCS coordination is complete, or believes they must wait for PET clearance before notifying the regulator.

IM response: “Which of these conversations has a legal deadline – and which one can wait 24 hours? Datatilsynet requires a response within 72 hours of awareness. CFCS coordination has no mandatory deadline.”

4. Merger scope statement overstated

What it looks like: IC tells the merger advisor “847 GB of R&D is confirmed exfiltrated” without the uncertainty qualifier (“to identified infrastructure; other channels not yet ruled out”).

IM response: Play merger advisor NPC immediately: “When you say 847 GB – is that confirmed to all channels, or just the one you’ve identified so far?”

5. IC handover drops the merger data room thread

What it looks like: IC #1 hands over containment status and forensic preservation state but does not communicate the open merger decision or the Friday deadline.

IM response: Ask IC #2 immediately after handover: “What do you still not know? What decisions are still open that IC #1 handed you?” If IC #2 cannot name the merger decision and the Datatilsynet owner – the handover failed.

6. All three authority workstreams merged into one conversation

What it looks like: A single person is assigned to speak to Datatilsynet, CFCS, and PET, treating them as a single regulatory track.

IM response: “Charlie – are these three conversations on the same topic with the same authority? What does Datatilsynet want that CFCS doesn’t – and what does PET want that neither of them needs to know?”

7. GenixLibrary suspension decision deferred indefinitely

What it looks like: IC receives the CTO’s decision paper and defers without a timeline or an alternative (e.g., read-only for critical programs). The CTO’s paper presented a 24–48 hour window for a clean baseline – deferring beyond that without rationale leaves the integrity question open for the merger.

IM response: “The CTO’s paper presented three options. Which one did you choose – and who communicated that to Dr. Fønsmark?”

Discussion Prompts by Tier and Team

Initial Indicators – Round 1

ALPHA – Initial Indicator 1: CaliSyncPro Update Manifest and Process Tree

  • calibsvc.exe spawning encoded PowerShell across all 3 workstations – what does a calibration update binary need PowerShell for?
  • The domain account query net.exe user svc-rdbridge-admin /domain runs 8 seconds after the update chain. What is the attacker trying to understand with that query?
  • The OCSP check shows NOT CHECKED for the update certificate. What does a skipped OCSP check mean for the integrity of the update that was installed?
  • CaliSyncPro is a third-party calibration vendor. What does the timing of this process activity relative to the update chain tell you about where the attacker’s initial access originated?
  • This activity is visible on Monday morning. Why would the attacker’s process tree still be visible on the workstation rather than cleaned up after a weekend of dwell?

ALPHA – Initial Indicator 2: Azure AD Sign-In Anomaly

  • svc-rdbridge-admin is a service account signing in from HANSEN-SAP-01 with a HIGH risk score. What kind of account is this, and why would it be initiating cloud sign-ins?
  • Conditional Access was BYPASSED via exception COLLBRIDGE-EXCL-003. What authentication checks did that exception prevent the system from applying?
  • Azure AD Identity Protection flagged the sign-in as HIGH risk but no one was alerted or blocked. What monitoring gap does that represent?
  • This account is authenticating right now. What is the first action Alpha needs to surface to the IC before any other analysis continues?
  • If this account has been authenticating via this exception path before today, how far back do the Azure AD logs need to be reviewed?

BRAVO – Initial Indicator 1: Collaborative Bridge VPN Connection Log

  • The NTLM authentication from HANSEN-SAP-01 bypasses MFA entirely. What made that bypass technically possible?
  • The connection is off-hours and still active right now. What does “active right now” mean for the IC’s immediate decision – compared to a historical log entry?
  • NTLM is a legacy protocol. In what operational context would NTLM still be permitted in a modern Azure AD environment – and was that context still valid here?
  • Is there evidence of other accounts using this same Collaborative Bridge path, or is svc-rdbridge-admin the exclusive account in this log?
  • This connection provides access to the cloud R&D environment. What data does that environment hold, and how does that change the severity assessment?

BRAVO – Initial Indicator 2: Calibration Workstation Network Baseline Deviation

  • All 3 workstations connect to 203.0.113.44:443 within 9 minutes of each other. What does synchronized timing across 3 independent endpoints suggest about how the connection was initiated?
  • Port 443 is standard HTTPS. How would Bravo distinguish legitimate cloud telemetry from C2 traffic over that port?
  • 203.0.113.44 is not in BioGenix’s approved destination list. What network monitoring would have caught this deviation faster – and why didn’t it?
  • These workstations are on the calibration network segment. What is their legitimate function – and what is unusual about outbound internet connectivity from that segment?
  • If these connections are still active, what network action does Bravo recommend first?

CHARLIE – Initial Indicator 1: GenixLibrary R&D Scope and Merger Data Room Status

  • GenixLibrary holds 3 years of genomic sequence data and the acquisition data room packages. If an attacker had read access to GenixLibrary, what specifically would be at risk?
  • The Friday merger data room meeting is 4 days away. How does the timing of this incident relative to that deadline affect what decisions need to happen first?
  • 44 off-hours batch reads with no authenticated sessions – what are the possible explanations for that pattern, and which explanation is most consistent with the other evidence?
  • The acquisition data room packages are prepared and present in GenixLibrary. Are they accessible right now – and if so, to whom?
  • What is the minimum factual picture Charlie needs before briefing the CEO on merger data room exposure?

CHARLIE – Initial Indicator 2: HANSEN-SAP-01 Decommissioning Record

  • ITSM-29847 has been open 18 months with no owner assigned. What organizational process failure allowed an open decommission ticket to remain unowned for that long?
  • The server was excluded from SOC monitoring. What was the stated justification – and was a compensating control documented when that exclusion was approved?
  • HANSEN-SAP-01 is unpatched and network-connected. What class of vulnerabilities does 18 months without patches represent on a Windows server in this network position?
  • The decommission was paused because teams could not confirm which systems depended on it. What process would have resolved that dependency question?
  • The SOC exclusion and the decommission delay were decisions made by two separate teams. Did anyone have visibility over both decisions simultaneously?

Deep Analysis – Rounds 2-3

ALPHA – Deep Analysis 1: HANSEN-SAP-01 Memory Forensics Output

  • Hidden PID 4028 with 5 concealed processes via DKOM hook. What is a DKOM hook, and why does it make live detection with standard tooling unreliable?
  • PID 4028 has an active outbound connection to 203.0.113.44:443 – the same IP the calibration workstations contacted. What does that shared destination tell you about the infection chain?
  • Before HANSEN-SAP-01 is isolated, what must Alpha capture to preserve evidence – and in what order?
  • The memory forensics output was captured this morning. Is the rootkit still active, or was this memory captured post-isolation?
  • Alpha needs to brief the IC on sequencing: preserve memory first, then isolate. How does Alpha communicate the urgency of that sequence without triggering immediate isolation by Bravo?

ALPHA – Deep Analysis 2: Kernel Driver Certificate Revocation Chain

  • Certificate SN 4A9F02B1 was revoked 110 days before deployment on HANSEN-SAP-01. What does that lead time tell you about how and when the attacker acquired this certificate?
  • The revocation reason was “key compromise.” Who originally issued this certificate – and was the revocation status propagated to systems that subsequently encountered it?
  • A real-time OCSP check at deployment would have caught the revoked certificate. Why was that check skipped – and is that skip a deliberate attacker action or a systemic gap in BioGenix’s deployment verification?
  • CFCS has requested the kernel driver artifact for national threat intelligence. What does CFCS need from it that Alpha’s own investigation does not require?
  • If Alpha provides the kernel driver to CFCS, does that affect Alpha’s ability to use their own copy for internal forensic purposes?

ALPHA – Deep Analysis 3: Pass-the-Hash Authentication Forensics

  • 11 sessions, 0 interactive logons, 0 Kerberos TGTs. What does the complete absence of Kerberos authentication tell you about how these sessions were established?
  • Pass-the-Hash reuses a credential hash without knowing the plaintext password. What would an attacker need to extract a valid NTLM hash from HANSEN-SAP-01?
  • The sessions span December through March. When did the attacker first have usable credentials – and what changed in December that may have provided access?
  • All 11 sessions are off-hours. What monitoring threshold or behavioral rule would have surfaced this pattern during the 90-day window?
  • Revoking svc-rdbridge-admin’s credentials stops future authentication. What happens to sessions already established before the revocation?

BRAVO – Deep Analysis 1: Collaborative Bridge Lateral Movement Log

  • 11 NTLM sessions across December–March, all off-hours, all bypassing CA. What does that operational discipline suggest about the attacker’s awareness of BioGenix’s monitoring posture?
  • The Collaborative Bridge path was the attacker’s consistent access route to cloud R&D over 4 months. At which point in that timeline was detection most feasible?
  • COLLBRIDGE-EXCL-003 allowed every one of these sessions to bypass CA without review. Was there a review scheduled – and if not, why not?
  • Were any of these sessions initiated from a source other than HANSEN-SAP-01 – or was that server the exclusive entry point throughout the campaign?
  • What two distinct actions must Bravo confirm to close this access path completely?
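The authentication pattern behind Alpha's Pass-the-Hash card and Bravo's lateral movement card (NTLM network sessions, no interactive logons, no Kerberos TGTs, all off-hours, all through one Conditional Access exception) can be expressed as a behavioural rule. This is an added example, not guide material or a BioGenix detection; the records are constructed to mirror the cards, and the field names, business-hours window and thresholds are assumptions rather than any product's schema.

```python
"""Detector for repeated NTLM sessions with no Kerberos TGT and no
interactive logon for the same account (Pass-the-Hash signature), weighted
by off-hours timing and Conditional Access bypass.

Added example; records below are constructed and not BioGenix log data.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_START, BUSINESS_END = 7, 19  # assumed local business hours


def _constructed_log():
    log = []
    # 11 NTLM sessions Dec-Mar, all between 01:00 and 04:00, all bypassing
    # Conditional Access via the exception named on the cards.
    stamps = ["2025-12-03T02:14", "2025-12-11T01:47", "2025-12-19T03:05",
              "2025-12-28T02:31", "2026-01-06T01:12", "2026-01-15T02:58",
              "2026-01-27T03:40", "2026-02-04T01:25", "2026-02-16T02:09",
              "2026-02-27T03:17", "2026-03-08T01:54"]
    for ts in stamps:
        log.append({"ts": ts, "account": "svc-rdbridge-admin",
                    "source_host": "HANSEN-SAP-01", "event": "ntlm_session",
                    "ca": "bypassed:COLLBRIDGE-EXCL-003"})
    # A benign service account for contrast: Kerberos TGTs are issued,
    # sessions fall in business hours, Conditional Access is applied.
    for day in ("2026-01-12", "2026-01-13", "2026-01-14",
                "2026-01-15", "2026-01-16"):
        log.append({"ts": f"{day}T08:02", "account": "svc-backup",
                    "source_host": "BACKUP-01", "event": "tgt",
                    "ca": "applied"})
        log.append({"ts": f"{day}T09:30", "account": "svc-backup",
                    "source_host": "BACKUP-01", "event": "ntlm_session",
                    "ca": "applied"})
    return log


SAMPLE_LOG = _constructed_log()


def is_off_hours(ts: str) -> bool:
    """True on weekends or outside BUSINESS_START..BUSINESS_END on weekdays."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END)


def analyse(records, min_sessions=5, off_hours_ratio=0.8):
    """Group by (account, source host); emit a finding for any pair with at
    least min_sessions NTLM sessions that shows NTLM-only authentication,
    a high off-hours ratio, or Conditional Access bypass."""
    stats = defaultdict(lambda: {"ntlm": 0, "off_hours": 0, "tgt": 0,
                                 "interactive": 0, "ca_exceptions": set()})
    for r in records:
        s = stats[(r["account"], r["source_host"])]
        if r["event"] == "ntlm_session":
            s["ntlm"] += 1
            s["off_hours"] += int(is_off_hours(r["ts"]))
            if r["ca"].startswith("bypassed:"):
                s["ca_exceptions"].add(r["ca"].split(":", 1)[1])
        elif r["event"] == "tgt":          # Kerberos TGT request seen
            s["tgt"] += 1
        elif r["event"] == "interactive":  # console/RDP logon seen
            s["interactive"] += 1

    findings = []
    for (account, host), s in stats.items():
        if s["ntlm"] < min_sessions:
            continue
        reasons = []
        if s["tgt"] == 0 and s["interactive"] == 0:
            reasons.append("ntlm_without_kerberos_or_interactive_logon")
        if s["off_hours"] / s["ntlm"] >= off_hours_ratio:
            reasons.append("off_hours_ratio")
        if s["ca_exceptions"]:
            reasons.append("conditional_access_bypassed")
        if reasons:
            findings.append({"account": account, "source_host": host,
                             "ntlm_sessions": s["ntlm"],
                             "off_hours_sessions": s["off_hours"],
                             "kerberos_tgts": s["tgt"],
                             "interactive_logons": s["interactive"],
                             "ca_exceptions": sorted(s["ca_exceptions"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The rule answers Bravo's last prompt in code: the exception name comes out as its own field, so closing COLLBRIDGE-EXCL-003 and revoking the account are tracked as two separate remediation items.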

BRAVO – Deep Analysis 2: Azure Conditional Access Bypass Detail

  • COLLBRIDGE-EXCL-003 was created November 2024, CTO-approved, never reviewed, no expiry. What governance process should have required periodic review of this exception?
  • A CA exception with no expiry date creates an indefinite bypass. What is the risk profile of any exception with no defined review or expiry?
  • The exception was created to enable the Collaborative Bridge integration. Was there a documented alternative that would have achieved the same integration without bypassing CA?
  • This exception allowed NTLM authentication into Azure AD from a network segment that should not have had cloud access. How did that gap survive the integration design review?
  • Closing COLLBRIDGE-EXCL-003 may break the Collaborative Bridge integration. What is the business impact of that – and how does it compare to leaving the exception open?

BRAVO – Deep Analysis 3: Legacy Auth Exception Policy Record

  • ITSM-29847 is 18 months old with no assigned owner. Who should have owned this ticket from creation – and at what point should escalation have been automatic?
  • The patching pause was justified by unresolved system dependencies. What process would have resolved those dependencies – and what is the maximum acceptable pause before that process must deliver an answer?
  • The SOC exclusion was approved without a compensating control. What compensating control should have been required as a condition of that approval?
  • Three governance decisions – decommission delay, patch pause, SOC exclusion – all applied simultaneously to HANSEN-SAP-01. Was any single person or team aware that all three applied to the same system?
  • If ITSM-29847 had been resolved within 30 days of creation, would this incident have been possible?

CHARLIE – Deep Analysis 1: Merger Counterparty Data Room Exposure Assessment

  • Both acquisition data room packages were accessed by the attacker. Version 1 has already been shared with the counterparty under NDA. What is the legal significance of a shared NDA document being in a compromised data room?
  • The counterparty has seen material from the same repository the attacker accessed. What disclosure obligations does BioGenix now have toward the counterparty?
  • Charlie’s task is to scope the exposure, not to make the merger decision. What specific facts does the CEO need from Charlie before they can make that call?
  • The merger meeting is Friday. What is the consequence of going into that meeting without having disclosed the breach – and what is the consequence of disclosing it?
  • Is there any scenario in which the acquisition could proceed without informing the counterparty? What would need to be true for that to be legally defensible?

CHARLIE – Deep Analysis 2: GDPR Article 33 Notification Obligation Framework

  • The 72-hour notification window runs from “awareness.” When did awareness begin – at 07:45 this morning, or earlier?
  • A partial notification is acceptable to Datatilsynet at this stage. What must the partial notification include at minimum – and what can be deferred to a supplement?
  • GDPR notification and CFCS counterintelligence coordination are separate processes. Can BioGenix notify Datatilsynet without briefing CFCS first?
  • The Datatilsynet reference DT-2026-0847 is already assigned in the card. Has a notification already been filed – and if so, by whom and with what content?
  • Who at BioGenix has the authority and the relevant facts to sign and submit a GDPR Article 33 notification?

CHARLIE – Deep Analysis 3: CTO Decision Paper – GenixLibrary Access Suspension

  • The CTO recommends full suspension of GenixLibrary access. Three active fermentation programs are in production phase. What is the operational impact of a full suspension on those programs?
  • The paper’s goal is to establish a clean baseline. Is there an alternative – read-only access, isolated verification – that achieves integrity without full suspension?
  • The IC must make this decision. What information does the IC need from Alpha before they can answer whether GenixLibrary data was written to – or only read?
  • If GenixLibrary is not suspended and the data turns out to be corrupted, what is the downstream risk to the fermentation programs – and to the merger’s data integrity representations?
  • The CTO’s paper frames this as a 24–48 hour decision window. What happens if the IC defers beyond that window without providing an alternative?

Developments – Rounds 4-5

ALPHA – Development 1: Forensic Evidence Preservation Status

  • Memory image, driver, and process logs are captured with chain of custody established. What does chain of custody mean specifically – and who must sign it for a CFCS handoff to be valid?
  • The NetFlow window closes in 48 hours. What does NetFlow hold that the memory image and kernel driver do not?
  • Alpha has completed preservation. What is Alpha’s next technical priority – and does it depend on any decision IC #2 is still making?
  • CFCS has confirmed attribution to a coordinated campaign. Does that allow Alpha to narrow their investigation scope – or does it expand what Alpha needs to preserve?
  • Is HANSEN-SAP-01 still live with the rootkit active, or was isolation completed during the preservation process?

ALPHA – Development 2: CFCS Attribution Bulletin CB-2026-0312

  • CFCS has confirmed 4 Danish biotech firms targeted with the same certificate SN 4A9F02B1 and the same C2 infrastructure. What does coordinated multi-victim targeting tell you about this threat actor’s objectives?
  • CFCS needs the kernel driver artifact. Alpha has it with chain of custody. What does the handoff entail – and does providing it to CFCS affect the integrity of Alpha’s own retained copy?
  • The bulletin names BioGenix as one of 4 victims. Does BioGenix have any obligation or right to know who the other 3 are – and does CFCS have the authority to share that?
  • The bulletin is classified. Who at BioGenix can receive it – and what clearance or handling requirements apply?
  • PET has requested a separate counterintelligence call distinct from the CFCS threat intelligence track. What is PET trying to understand that CFCS’s bulletin does not address?

BRAVO – Development 1: 90-Day Exfiltration Traffic Analysis

  • 847 GB to graph-api-sync.bioanalytics.net disguised as Microsoft Graph API telemetry over 90 days. What made this traffic blend effectively into the baseline?
  • 847 GB is the confirmed volume to the identified infrastructure. What uncertainty qualifier must Bravo attach to that figure when it goes into the merger scope statement?
  • The exfiltration volume was 20x the legitimate Microsoft telemetry threshold. Did that ratio ever appear as an alert or anomaly in Bravo’s monitoring tools during the 90-day window?
  • The acquisition data room packages were the largest individual sessions at 19-21 GB each. What does that per-session volume tell you about when those packages were exfiltrated relative to the data room preparation timeline?
  • Has graph-api-sync.bioanalytics.net been blocked – and if so, when was the block applied?
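Added example, not part of the facilitator guide or the scenario cards: a per-destination egress volume check over constructed flow summaries, showing how the 20x telemetry ratio and the lookalike hostname discussed above would surface in a daily comparison against the legitimate Microsoft Graph baseline. The byte counts, dates and the vendor hostname are constructed sample data.

```python
from collections import defaultdict

# Constructed daily flow summaries: (day, destination host, bytes out).
# Legitimate Graph telemetry sits at a few hundred MB/day; the mimic host
# named on the scenario card carries roughly 30x that volume.
FLOWS = [
    ("2026-03-01", "graph.microsoft.com", 300_000_000),
    ("2026-03-01", "graph-api-sync.bioanalytics.net", 9_400_000_000),
    ("2026-03-02", "graph.microsoft.com", 280_000_000),
    ("2026-03-02", "graph-api-sync.bioanalytics.net", 9_600_000_000),
    ("2026-03-02", "updates.calibration-vendor.example", 50_000_000),  # constructed
]

LEGIT_GRAPH = "graph.microsoft.com"   # real Microsoft Graph endpoint used as the baseline
RATIO_THRESHOLD = 20                  # flag when a destination exceeds 20x the baseline


def daily_volume(flows):
    """Sum bytes per (day, host) so sessions to one host are compared as a whole."""
    totals = defaultdict(int)
    for day, host, nbytes in flows:
        totals[(day, host)] += nbytes
    return totals


def lookalike(host, legit=LEGIT_GRAPH):
    """True when host reuses the legitimate first label but sits outside its domain."""
    first_label, legit_domain = legit.split(".", 1)
    return first_label in host.split(".")[0] and not host.endswith("." + legit_domain)


def flag_egress(flows, ratio=RATIO_THRESHOLD):
    """Return {(day, host): (ratio_to_baseline, is_lookalike)} for hosts over the ratio.

    Only days with a baseline measurement are evaluated; the legitimate host
    itself is never flagged.
    """
    totals = daily_volume(flows)
    flagged = {}
    for (day, host), nbytes in totals.items():
        baseline = totals.get((day, LEGIT_GRAPH), 0)
        if host == LEGIT_GRAPH or baseline == 0:
            continue
        r = nbytes / baseline
        if r >= ratio:
            flagged[(day, host)] = (round(r, 1), lookalike(host))
    return flagged


if __name__ == "__main__":
    for (day, host), (r, mimic) in sorted(flag_egress(FLOWS).items()):
        print(f"{day} {host}: {r}x baseline, lookalike={mimic}")
```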

BRAVO – Development 2: DLP Classification Failure Detail

  • Three independent DLP gaps all failed simultaneously on the same exfiltration events. What does simultaneous independent control failure indicate about the robustness of the overall DLP architecture?
  • Each gap was independently insufficient – but the combination made detection impossible. Which of the three gaps would have been cheapest or fastest to remediate before this incident?
  • The acquisition data room packages were the largest sessions in the 90-day log. Were they classified as sensitive data in the DLP policy – or did a classification gap explain why they were not flagged?
  • These three gaps are now documented. Who owns each one – and what is the remediation timeline before each is closed?
  • If only one of these three DLP rules had been correctly configured, would the 90-day exfiltration campaign have been detected?

CHARLIE – Development 1: Regulatory and Intelligence Authority Workstream Map

  • Three parallel tracks: Datatilsynet (regulatory), CFCS (threat intelligence), PET (counterintelligence). Do these three authorities need the same set of facts – or does each require a different brief?
  • The card says these are non-blocking – they can proceed in parallel. What does IC #2 need to put in place to make that true operationally?
  • Each track needs a named owner who combines legal knowledge with technical facts. For each authority, who at BioGenix is best positioned to own that conversation?
  • PET’s counterintelligence interest is described as distinct from CFCS’s request. What is PET trying to understand that the CFCS attribution bulletin does not answer?
  • The merger advisor also needs a response before boarding. Is the merger advisor a fourth parallel track – or does their brief draw on what is already being prepared for one of the three authorities?

CHARLIE – Development 2: Merger Advisor Briefing Position Paper

  • Option C – proceeding without disclosure – is legally ruled out. Who made that determination, and on what legal basis?
  • The advisor boards in 2 hours. IC #2 must provide a position with uncertainty qualifiers. What does a defensible position look like when the investigation is still ongoing?
  • Options A and B both involve some form of disclosure to the counterparty. What is the material difference between them – and what additional information would IC #2 need to choose between them?
  • The merger advisor is not a security professional. What language does Charlie need to use to communicate breach scope and uncertainty in terms the advisor can relay accurately to a counterparty?
  • If IC #2 provides a position now and material new information emerges after the advisor boards, what update protocol should be established?

NPC Reference

Each entry gives the NPC, when to play them, and their key line.

  • CEO Phillip Christensen – Round 1 (post-briefing), if the merger deadline isn’t surfacing. Key line: “I need a defensible scope statement – not certainty. If we can document what we know and what we do not know, I can have that conversation with the counterparty. What I cannot do is walk in without a position.”
  • CTO Katrine Fønsmark – Round 2-3, if the GenixLibrary access suspension decision is delayed. Key line: “I need approval to close the Collaborative Bridge legacy auth exception immediately – and a decision on whether we halt all GenixLibrary access until we confirm a clean baseline.”
  • CISO Bent Sejrø – INJ-002, if reimaging is proposed without preservation. Key line: “We will lose the kernel driver artifact if we do that now. CFCS has already asked for it.”
  • VP R&D Dr. Ida Woetmann – Round 2-3, if research continuity isn’t raised. Key line: “I cannot confirm active fermentation project data integrity until we establish a clean baseline on GenixLibrary access. I have 3 programs in production phase.”
  • Datatilsynet caller – INJ-005; play on cue, not early. Key line: “We have received your preliminary notification reference DT-2026-0847. We understand the investigation is ongoing. A partial notification is acceptable – we need: the nature of the breach, the data categories affected, and measures taken or proposed.”
  • CFCS caller – INJ-005, simultaneous with Datatilsynet. Key line: “We have identified 3 other Danish biotech firms with identical indicators – the same certificate SN 4A9F02B1, the same C2 infrastructure. We need your kernel driver artifact and anonymized IoCs for national threat intelligence.”
  • PET counterintelligence – INJ-005; can be held if time is short. Key line: “We want to understand the counterintelligence dimensions of this campaign. We need a separate call – this is distinct from the CFCS threat intelligence track.”
  • Merger advisor – INJ-004, if the team delays the scope statement. Key line: “I board the plane in 2 hours. I need a position – even a qualified one. Option C is not available to us legally.”

Red Flag Dashboard

Each entry gives the inject, the red flag to watch for, and the IM response if it is triggered.

  • INJ-001 – No owner assigned for HANSEN-SAP-01 isolation after 10 min. IM response: “Which team owns the isolation action – and who is accountable to the IC?”
  • INJ-002 – Reimaging proposed before the memory image is captured. IM response: play the CISO NPC immediately – do not wait for the cross-team briefing.
  • INJ-003 – svc-rdbridge-admin revoked but COLLBRIDGE-EXCL-003 not closed. IM response: “Bravo – if the credentials are revoked, is the Azure AD path still open via that exception?”
  • INJ-004 – Merger counterparty given the 847 GB figure without a confidence qualifier. IM response: play the merger advisor NPC: “Is that confirmed to all channels, or just the one you’ve identified?”
  • INJ-005 – CFCS coordination blocks the GDPR notification decision. IM response: “Which conversation has a legal deadline – and which can wait 24 hours?”
  • INJ-006 – Debrief opens with “what the attacker did” rather than governance gaps. IM response: “We know what they did. What did your organization’s own decisions make possible?”

Session Timeline Card

For a 09:00 start. Print on card stock and laminate.

09:00  IC briefing + both ICs introduced (5 min)
09:05  Release R1 envelopes → teams begin analysis
09:17  Navigation check (12 min in – prompt if teams still reading)
09:20  Cross-team briefing + IC synthesis (IC #1)
09:28  Release R2-3 envelopes → teams begin
09:40  Navigation check
09:43  Cross-team briefing + IC synthesis (IC #1)
09:50  ⚑ Hand IC handover checklist to IC #1 quietly (5 min before handover)
09:55  IC #1 handover to IC #2 – IM stays silent, observes
09:58  IC #2: "What do you still not know?" (IM asks, then steps back)
10:00  Release R4-5 envelopes → teams begin (IC #2 in command)
10:12  Navigation check
10:15  Cross-team briefing + IC synthesis (IC #2)
10:18  ▶ Play merger advisor NPC if merger position not addressed
10:22  Play Datatilsynet / CFCS / PET NPC cascade (INJ-005)
10:28  IM reads gap debrief questions – room names owner before each next question
10:35  "Name one thing. One owner. One date." – around the room
10:35  Timebox closes → debrief begins
10:35–11:00  Debrief (25 min)

Envelope Packing Checklist

Night before. One set per table.

☐ Alpha R1 envelope:
    CaliSyncPro Update Manifest and Process Tree
    Azure AD Sign-In Anomaly

☐ Bravo R1 envelope:
    Collaborative Bridge VPN Connection Log
    Calibration Workstation Network Baseline Deviation

☐ Charlie R1 envelope:
    GenixLibrary R&D Scope and Merger Data Room Status
    `HANSEN-SAP-01` Decommissioning Record

☐ Alpha R2-3 envelope:
    `HANSEN-SAP-01` Memory Forensics Output
    Kernel Driver Certificate Revocation Chain
    Pass-the-Hash Authentication Forensics

☐ Bravo R2-3 envelope:
    Collaborative Bridge Lateral Movement Log
    Azure Conditional Access Bypass Detail
    Legacy Auth Exception Policy Record

☐ Charlie R2-3 envelope:
    Merger Counterparty Data Room Exposure Assessment
    GDPR Article 33 Notification Obligation Framework
    CTO Decision Paper – GenixLibrary Access Suspension

☐ Alpha R4-5 envelope:
    Forensic Evidence Preservation Status
    CFCS Attribution Bulletin CB-2026-0312

☐ Bravo R4-5 envelope:
    90-Day Exfiltration Traffic Analysis
    DLP Classification Failure Detail

☐ Charlie R4-5 envelope:
    Regulatory and Intelligence Authority Workstream Map
    Merger Advisor Briefing Position Paper

☐ 2 blank spares
☐ IC handover checklist card (×2, one for each IC)
☐ IC decision packet (5 pages, stapled) – print from session-materials/ic-decision-packet
☐ NPC reference card (laminated)
☐ Session timeline card (laminated)
☐ Tent cards: 5× Alpha, 5× Bravo, 5× Charlie, 2× IC
☐ Round transition signal (bell or clapper)
☐ Sticky note pads (1 per team) + thick markers

Debrief Focus

1. “The memory image had to be captured before isolation. But the attacker’s C2 connection was still active during that window. What decision process – or what pre-agreed protocol – would let a team sequence those two actions without a moment of debate under pressure?”

Surfaces: forensic preservation vs. operational urgency; the gap between knowing the right answer and having the authority structure to act on it quickly.

2. “The credential was revoked. Was the attack path closed? What second action was required – and how many teams completed both?”

Surfaces: the two-step close (credential revocation + exception closure); the failure mode of treating one action as sufficient.

3. “Three authority workstreams arrived simultaneously: Datatilsynet, CFCS, PET. How many owners were assigned before the first call was answered – and how many of those conversations had the right person on the line?”

Surfaces: authority track separation; the failure mode of merging regulatory and counterintelligence conversations.

4. “The merger advisor needed a scope statement with uncertainty qualifiers – not certainty. Did your team produce one? If not, what specifically was missing – the number, the qualifier, or the governance process to approve releasing either?”

Surfaces: the distinction between a defensible position and a certain one; the governance gap that makes merger decisions impossible under security pressure.

5. “HANSEN-SAP-01 was 18 months past its decommission date with no patches, no monitoring, and active cloud access. How many systems in your organization are in a similar position right now – and what is the process that would surface them before an attacker does?”

Surfaces: decommissioning backlog as structural attack surface; the governance gap between IT operations and security operations on long-running open tickets.