Bonus Inject Cards: Winnti – Biotech R&D Espionage
Print this deck before the session. One card per page. Hand any card to the appropriate team when they finish a round early or need additional depth. These cards do not advance the scenario timeline – they add detail within the team's existing domain. Facilitator notes are hidden when printed.
BONUS – CHARLIE – Round 1
CFCS Preliminary Indicator Validation Call
Type: Cross-border intelligence coordination – indicator validation request
Source: CFCS liaison officer (via CISO Bent Sejrø), 2026-04-16 08:45 UTC
“CFCS has come back on the secure line. They need BioGenix to validate a subset of indicators from their cross-border intelligence package before they can update the EU CSIRTs Network bulletin. They’re asking specifically about three things they’ve seen at other victims but need confirmation from the Danish side. The liaison officer says they need this within two hours – the bulletin update window closes at 11:00 UTC.”
- Has BioGenix confirmed outbound traffic to any IP in the 203.0.113.0/24 range?
- If yes: which specific IPs, from which internal hosts, over what time period?
- Does the traffic pattern match the off-hours clustering (00:00–03:00 UTC, 08:00–11:00 UTC) seen at other victims?
- Has BioGenix identified kernel-level Direct Kernel Object Manipulation (DKOM) hooks on any systems?
- If yes: which specific hook (NtQuerySystemInformation, NtQueryDirectoryFile, other)?
- Can BioGenix provide the driver load address and certificate serial number for cross-victim comparison?
- Does the delivery vector at BioGenix match vendor-signed calibration software distributed via legitimate update portals?
- If yes: which vendor, which software version, and what is the signing certificate serial number?
- Was the update portal itself compromised, or was the binary modified post-distribution?
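Indicator 1 is the one Charlie cannot answer without Bravo's firewall export, and the questions CFCS asks (which IPs, which hosts, what period, does it cluster in the two off-hours windows) are mechanical once the export is in hand. The script below is an added example for this card, not part of the exercise kit: it walks constructed firewall log lines, selects outbound flows into 203.0.113.0/24, summarises destinations, hosts, byte counts and first/last seen, and reports the fraction of hits falling in the 00:00–03:00 and 08:00–11:00 UTC windows. The log line format and the 75% clustering threshold are assumptions.

```python
"""Validation helper for the three CFCS questions on indicator 1: is there outbound
traffic to 203.0.113.0/24, from which hosts to which IPs over what period, and does
it cluster in the off-hours windows (00:00-03:00 and 08:00-11:00 UTC)?
Added example for this card, not part of the exercise kit. The firewall export
format below is an assumption and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

C2_RANGE = ip_network("203.0.113.0/24")
# UTC windows quoted in the CFCS request
OFF_HOURS = ((time(0, 0), time(3, 0)), (time(8, 0), time(11, 0)))

# Constructed sample export: "<UTC timestamp> <host> <src ip> -> <dst ip>:<port> <bytes out>"
SAMPLE_LOG = """\
2026-04-15T00:12:07Z HANSEN-SAP-01 10.20.5.14 -> 203.0.113.44:443 734003200
2026-04-15T02:41:55Z HANSEN-SAP-01 10.20.5.14 -> 203.0.113.44:443 912261120
2026-04-15T08:33:10Z HANSEN-SAP-01 10.20.5.14 -> 203.0.113.44:443 655360000
2026-04-15T09:05:41Z LAB-WS-07 10.20.7.31 -> 203.0.113.17:443 2048
2026-04-15T14:20:00Z LAB-WS-12 10.20.7.44 -> 40.126.0.5:443 51200
2026-04-15T15:02:13Z HANSEN-SAP-01 10.20.5.14 -> 203.0.113.44:443 4096
2026-04-16T01:17:30Z HANSEN-SAP-01 10.20.5.14 -> 203.0.113.44:443 1073741824
"""


def parse_line(line):
    """Split one export line into a record with typed fields."""
    ts, host, src, _arrow, dst, nbytes = line.split()
    dst_ip, _, _port = dst.rpartition(":")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "src": ip_address(src),
        "dst": ip_address(dst_ip),
        "bytes": int(nbytes),
    }


def in_off_hours(ts):
    """True if the UTC time of day falls inside one of the requested windows."""
    t = ts.time()
    return any(start <= t < end for start, end in OFF_HOURS)


def validate_indicator_1(log_text, cluster_threshold=0.75):
    """Answer the CFCS questions for indicator 1 from a firewall export."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = [r for r in records if r["dst"] in C2_RANGE]
    if not hits:
        return {"confirmed": False}
    by_dst = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for r in hits:
        by_dst[str(r["dst"])]["hosts"].add(r["host"])
        by_dst[str(r["dst"])]["bytes"] += r["bytes"]
    off_hours = sum(in_off_hours(r["ts"]) for r in hits)
    fraction = off_hours / len(hits)
    return {
        "confirmed": True,
        "destinations": {ip: {"hosts": sorted(v["hosts"]), "bytes": v["bytes"]}
                         for ip, v in by_dst.items()},
        "first_seen": min(r["ts"] for r in hits).isoformat(),
        "last_seen": max(r["ts"] for r in hits).isoformat(),
        "off_hours_fraction": fraction,
        # assumed threshold: call it "matches the pattern" when 3 of 4 hits are off-hours
        "matches_off_hours_pattern": fraction >= cluster_threshold,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(validate_indicator_1(SAMPLE_LOG), indent=2))
```

The output is shaped to answer the liaison officer's sub-questions directly (IPs, hosts, period, clustering), which is what Charlie needs to hand back within the two-hour window; the byte totals per destination are what Bravo would cross-check against the exfiltration volume estimate.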
Facilitator Notes (hidden when printed):
- When to use: Charlie finishes reviewing the CFCS sector threat advisory and TI platform enrichment data early. This card gives Charlie active TI work in Round 1.
- Intent: Charlie must cross-reference with Alpha and Bravo’s findings before responding to CFCS. Indicator 1 (network traffic to 203.0.113.0/24) requires input from Bravo’s firewall logs. Indicator 2 (DKOM hooks) requires input from Alpha’s memory forensics. Indicator 3 (delivery vector) requires input from Alpha’s supply chain analysis. This forces Charlie to initiate cross-team coordination rather than working in isolation. The 2-hour deadline creates realistic time pressure without being punitive.
- Resolution: Charlie should be able to confirm all three indicators based on the evidence from Alpha and Bravo’s R1 cards. If Charlie attempts to respond without consulting the other teams, ask them how they know the answers. The learning value is in the coordination process, not the validation itself.
BONUS – ALPHA – Round 4
CFCS Artifact Sharing Request – Scope and Counterintelligence Value
Type: CFCS follow-up request
Source: CFCS liaison (via CISO Bent Sejrø), 2026-04-16 12:15 UTC
“CFCS has come back with a specific ask. They want to know what BioGenix is willing to share for national threat intelligence. They’ve given you three options: anonymized IoCs only, the full kernel driver binary with certificate chain, or the complete raw memory image from HANSEN-SAP-01. Each option has different counterintelligence value – and different exposure for BioGenix. CISO Bent Sejrø wants Alpha’s recommendation before he responds.”
Tier 1 – Anonymized IoCs only:
- C2 IP: 203.0.113.44
- Domain: graph-api-sync.bioanalytics.net
- Certificate SN: 4A9F02B1C3D7E8F6 (valid, vendor-signed)
- DKOM technique indicators (load address pattern)
Tier 2 – Full kernel driver binary with certificate chain:
- Complete kernel driver artifact (147,456 bytes)
- Full certificate chain with OCSP/CRL responses
- Driver load timestamps and hook configuration
Tier 3 – Complete raw memory image from HANSEN-SAP-01:
- Full HANSEN-SAP-01 memory dump (hardware-assisted)
- All 92 process states including 5 hidden PIDs
- Active network connection state (PID 4028 → 203.0.113.44)
- Credential material in memory (NTLM hashes, session tokens)
Exposure for BioGenix (Tier 3):
- Memory image contains svc-rdbridge-admin NTLM hash
- Memory image contains BioGenix internal hostnames, IPs, configs
- Memory image may contain fragments of GenixLibrary data in cache
- Sharing requires legal review (identifiable employee data in memory)
Facilitator Notes (hidden when printed):
- When to use: Alpha finishes reviewing the forensic evidence preservation status and CFCS attribution bulletin ahead of schedule. This card asks Alpha to make a policy recommendation, not a technical finding.
- Intent: Force Alpha to think beyond forensic collection into the policy implications of sharing. Most forensics teams default to maximum cooperation with national authorities. This card challenges that instinct by making the exposure trade-offs explicit. Tier 2 is the most defensible recommendation for most teams – high counterintelligence value without exposing credentials or GenixLibrary fragments. Tier 3 is justifiable but requires legal review that may not be possible during the session. Tier 1 is low-risk but low-value.
- Resolution: There is no single correct answer. If Alpha recommends Tier 2 with conditions (redact any embedded BioGenix configuration from the binary before handoff), that is a strong outcome. If Alpha recommends Tier 3, ask them who approves sharing identifiable employee data and whether they’ve consulted Charlie. The cross-team question is the real learning moment.
BONUS – BRAVO – Round 4
DLP Architecture Enhancement Assessment
Type: Vendor proposal summary – DLP enhancement tiers
Source: DLP vendor (Netskope), account team rapid-response assessment, 2026-04-16 12:00 UTC
“Your DLP vendor got wind of the incident – your account manager called offering help. They’ve sent over a rapid assessment with 3 enhancement tiers. Each one addresses a different layer of the failure that let ~7 GB of R&D data walk out the door disguised as Microsoft telemetry – with active transfers still running when you caught it. The question isn’t what you want – it’s what would have actually caught this, and what BioGenix can operationally sustain.”
Tier 1 – Certificate validation for trusted destinations
| Attribute | Detail |
|---|---|
| What it does | Validates presented TLS certificate against expected CA for “trusted” destinations. graph-api-sync.bioanalytics.net presented a self-signed cert with CN=graph.microsoft.com — this would have been flagged immediately. |
| Implementation | 2–3 weeks, configuration change only |
| Annual cost | Included in existing license |
| Operational impact | LOW — may generate false positives on misconfigured internal services using self-signed certs |
Tier 2 – Per-destination volume baselining
| Attribute | Detail |
|---|---|
| What it does | Tracks per-destination outbound volume over rolling 30-day baseline. Alerts when any single destination exceeds 2x baseline volume in a 24-hour window. |
| Implementation | 4–6 weeks, requires baseline calibration period |
| Annual cost | EUR 45,000 (analytics module add-on) |
| Operational impact | MODERATE — baseline calibration generates initial alert noise; requires SOC tuning for 2–3 weeks |
Tier 3 – Service account TLS inspection and content classification
| Attribute | Detail |
|---|---|
| What it does | Decrypts and inspects all outbound HTTPS from service accounts. Removes service account exemption from off-hours DLP policy. Content-inspects all outbound data against GenixLibrary classification tags. |
| Implementation | 8–12 weeks, requires certificate deployment to all endpoints + service account reconfiguration |
| Annual cost | EUR 180,000 (inspection module + additional capacity) |
| Operational impact | HIGH — certificate deployment to 1,800 endpoints; service account workflows may break during migration; privacy review required; performance impact on high-throughput research workflows |
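Tier 1 and Tier 2 are the two enhancements whose logic can be stated precisely, and seeing them as code makes the trade-off in the facilitator question concrete: Tier 1 catches this attack because the certificate was self-signed, but says nothing once an attacker presents a properly issued certificate, which is exactly the gap Tier 2's volume baseline is meant to cover. The block below is an added example, not Netskope's implementation. The session records, the 30 days of baseline figures and the expected-issuer string are constructed; a real policy would pin the issuer DN or fingerprint of the CA the destination actually uses.

```python
"""Detection logic for two of the vendor's enhancement tiers, written as an added
example (not the vendor's code). Tier 1: for destinations the policy treats as
trusted, the presented certificate must not be self-signed, its subject must match
the SNI and its issuer must be the expected CA. Tier 2: per-destination outbound
bytes in the last 24 h compared against a rolling 30-day baseline, alerting above 2x.
All sessions, baselines and the expected-issuer string are constructed."""
from statistics import mean

MB = 2 ** 20

# Tier 1: expected issuer per trusted SNI. Placeholder value (assumption); pin the real
# issuer DN or fingerprint in production.
EXPECTED_ISSUER = {"graph.microsoft.com": "EXPECTED-MICROSOFT-CA-PLACEHOLDER"}


def tier1_certificate_check(session):
    """session: dict with sni, cert_subject_cn, cert_issuer, self_signed.
    Returns a list of findings (empty list = no Tier 1 finding)."""
    findings = []
    sni = session["sni"]
    if sni not in EXPECTED_ISSUER:
        return findings  # not a 'trusted' destination: Tier 1 validation does not apply
    if session["self_signed"]:
        findings.append("self-signed certificate presented for trusted SNI")
    elif session["cert_issuer"] != EXPECTED_ISSUER[sni]:
        findings.append("issuer does not match expected CA for trusted SNI")
    if session["cert_subject_cn"] != sni:
        findings.append("certificate subject does not match SNI")
    return findings


def tier2_volume_check(destination, baseline_daily_bytes, last_24h_bytes,
                       factor=2.0, min_bytes=100 * MB):
    """baseline_daily_bytes: daily totals for this destination (last 30 used).
    Returns (alert, reason). A destination with no usable baseline is judged against an
    absolute floor (assumed 100 MB) instead of being silently ignored or dividing by zero."""
    history = baseline_daily_bytes[-30:]
    base = mean(history) if history else 0
    if base == 0:
        return (last_24h_bytes >= min_bytes,
                f"{destination}: no usable baseline, absolute floor applied")
    ratio = last_24h_bytes / base
    return (ratio > factor, f"{destination}: {ratio:.1f}x of 30-day baseline")


# Constructed sessions: the scenario's attacker session (self-signed, CN=graph.microsoft.com)
# and a legitimate Graph session chaining to the expected CA.
ATTACKER_SESSION = {"sni": "graph.microsoft.com", "cert_subject_cn": "graph.microsoft.com",
                    "cert_issuer": "graph.microsoft.com", "self_signed": True}
LEGIT_SESSION = {"sni": "graph.microsoft.com", "cert_subject_cn": "graph.microsoft.com",
                 "cert_issuer": "EXPECTED-MICROSOFT-CA-PLACEHOLDER", "self_signed": False}
UNTRUSTED_SESSION = {"sni": "updates.vendor.example", "cert_subject_cn": "updates.vendor.example",
                     "cert_issuer": "SOME-PUBLIC-CA", "self_signed": False}

# Constructed volume history (bytes per day) keyed by destination IP / host.
VOLUME_HISTORY = {
    "203.0.113.44": [],                 # never seen before the incident
    "graph.microsoft.com": [200 * MB] * 30,
    "backup.biogenix.internal": [500 * MB] * 30,
}
LAST_24H = {"203.0.113.44": 2500 * MB, "graph.microsoft.com": 250 * MB,
            "backup.biogenix.internal": 1200 * MB}


def run_assessment():
    """Apply both tiers to the constructed data and return what would have alerted."""
    return {
        "tier1": {name: tier1_certificate_check(s) for name, s in
                  [("attacker", ATTACKER_SESSION), ("legit", LEGIT_SESSION),
                   ("untrusted", UNTRUSTED_SESSION)]},
        "tier2": {dst: tier2_volume_check(dst, VOLUME_HISTORY[dst], LAST_24H[dst])[0]
                  for dst in VOLUME_HISTORY},
    }


if __name__ == "__main__":
    print(run_assessment())
```

Note what each tier does not catch: Tier 1 is silent for the `untrusted` session because validation is scoped to destinations the policy already trusts, and Tier 2 only fires on `backup.biogenix.internal` because 2.4x exceeds the factor, which is the sort of legitimate-but-noisy alert the "MODERATE" operational impact row refers to.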
Facilitator Notes (hidden when printed):
- When to use: Bravo finishes reviewing the exfiltration traffic analysis and DLP classification failure detail ahead of schedule. This card shifts Bravo from analysis to recommendation.
- Intent: Force Bravo to design the detection they wish they’d had, with realistic trade-offs. Most network teams will gravitate toward Tier 3 (maximum visibility), but the operational and privacy costs are substantial. Tier 1 is the quick win that would have caught this specific attack. A strong recommendation is Tier 1 immediately (weeks) plus Tier 2 as a medium-term investment (months), with Tier 3 deferred pending privacy review. Bravo teams that recommend all three simultaneously are not thinking about operational capacity.
- Resolution: Accept any well-reasoned recommendation. The learning value is in the trade-off analysis, not the specific tier. If Bravo recommends Tier 1 only, ask “what happens when the next attacker uses a properly signed certificate?” If Bravo recommends Tier 3 only, ask “what does BioGenix do for the 8–12 weeks before it’s operational?”
BONUS – BRAVO – Round 4
Secondary DLP Alert: Employee Policy Violation
Type: DLP alert log – policy enforcement contrast
Source: DLP console, automated alert, 2026-04-16 12:10 UTC
“While reviewing the DLP configuration gaps, a new alert fires in real time. User k.vestergaard@biogenix just attempted to send 82 MB of files to personal.onedrive.com. The DLP correctly flagged it under rule DLP-002 (Sensitive File Outbound) and blocked the transfer. The alert is routine – an employee trying to move work files to personal cloud storage. But it raises an uncomfortable question: the same DLP system that caught an 82 MB policy violation completely missed ~7 GB of exfiltration to attacker infrastructure. Why?”
| Field | Value |
|---|---|
| Alert ID | DLP-45001 |
| Timestamp | 2026-04-16 12:10:33 UTC |
| Rule triggered | DLP-002 (Sensitive File Outbound) |
| Account | k.vestergaard@biogenix |
| Account type | User account (interactive) |
| Destination | personal.onedrive.com |
| Volume | 82 MB (14 files) |
| Content match | Source code, internal project documentation |
| Verdict | BLOCKED |
| User notification | Policy violation notice sent to user and manager |
| Factor | k.vestergaard (DLP-44921) | svc-rdbridge-admin |
|---|---|---|
| Account type | User account | Service account |
| DLP-002 result | Matched | No match |
| DLP-003 result | Matched | No match |
| Destination | personal.onedrive.com | SNI: graph.microsoft.com |
| DLP-004 result | Triggered | No match |
| Transfer hours | 12:10 UTC | 00:00–03:00 UTC |
| Volume | 82 MB | ~2–3 GB/session |
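The contrast table is easier to argue from when the policy assumptions are written down as rules and both events are replayed through them. The block below is an added example for this card, not the DLP console's own logic: it models the two exemptions the card describes (service accounts exempt from content inspection, off-hours rules scoped to user accounts), replays the k.vestergaard and svc-rdbridge-admin events with and without those exemptions, and returns which rules fire. DLP-002 and the account names come from the card; the rule conditions, the OFF-HOURS-VOLUME rule name, the 500 MB threshold and the event fields are assumptions, and the content tags are constructed.

```python
"""Replay of the two contrast-table events through a small model of the DLP policy,
once with the service-account and off-hours exemptions described on the card and once
with them removed. Added example; rule conditions, the OFF-HOURS-VOLUME rule name and
the event layout are assumptions. DLP-002 and the account names come from the card."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Event:
    account: str
    account_type: str         # "user" or "service"
    destination: str          # hostname, or SNI when TLS was not decrypted (recorded only)
    mb: float
    hour: time                # UTC time of day
    content_tags: frozenset   # classification tags inspection would reveal (constructed)


@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: frozenset                 # account types in scope
    window: Optional[Tuple[time, time]]   # UTC window, None = always
    needs_content: bool                   # can only fire if the payload was inspected
    test: Callable[[Event], bool]


SENSITIVE = frozenset({"source_code", "project_docs", "GenixLibrary"})


def has_sensitive_content(e):
    return bool(e.content_tags & SENSITIVE)


def large_transfer(e):
    return e.mb >= 500  # assumed threshold


def build_rules(policy):
    """Rules as they apply under a given policy; the off-hours rule's scope is the knob."""
    off_hours_scope = {"user", "service"} if policy["off_hours_covers_service_accounts"] else {"user"}
    return [
        Rule("DLP-002 Sensitive File Outbound", frozenset({"user", "service"}), None,
             True, has_sensitive_content),
        Rule("OFF-HOURS-VOLUME (assumed name)", frozenset(off_hours_scope),
             (time(0, 0), time(6, 0)), False, large_transfer),
    ]


def evaluate(event, policy):
    """Return (verdict, matched rule names) for one event under one policy."""
    inspected = event.account_type == "user" or policy["inspect_service_accounts"]
    matched = []
    for rule in build_rules(policy):
        if event.account_type not in rule.applies_to:
            continue
        if rule.window and not (rule.window[0] <= event.hour < rule.window[1]):
            continue
        if rule.needs_content and not inspected:
            continue  # no decryption for this account: nothing for a content rule to match
        if rule.test(event):
            matched.append(rule.name)
    return ("BLOCKED" if matched else "ALLOWED", matched)


# The two policies: as deployed on the card, and with the Tier 3 changes applied.
ORIGINAL_POLICY = {"inspect_service_accounts": False, "off_hours_covers_service_accounts": False}
TIER3_POLICY = {"inspect_service_accounts": True, "off_hours_covers_service_accounts": True}

# The two events from the contrast table (volumes, hours and accounts from the card;
# content tags constructed).
USER_EVENT = Event("k.vestergaard@biogenix", "user", "personal.onedrive.com", 82,
                   time(12, 10), frozenset({"source_code", "project_docs"}))
SERVICE_EVENT = Event("svc-rdbridge-admin", "service", "graph.microsoft.com", 2500,
                      time(1, 30), frozenset({"GenixLibrary"}))


def contrast():
    """Both events under both policies, keyed by (account, policy name)."""
    return {(e.account, name): evaluate(e, p)
            for e in (USER_EVENT, SERVICE_EVENT)
            for name, p in (("original", ORIGINAL_POLICY), ("tier3", TIER3_POLICY))}


if __name__ == "__main__":
    for key, result in contrast().items():
        print(key, result)
```

Under the original policy the service-account event never reaches a content rule at all, so "No match" on DLP-002 is not a tuning failure but a consequence of the exemption; removing the exemption and widening the off-hours scope is what changes the verdict, which is the argument Bravo can carry into the cross-team briefing.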
Facilitator Notes (hidden when printed):
- When to use: Bravo finishes the DLP enhancement assessment (previous bonus card) or the exfiltration traffic analysis ahead of schedule. This card provides a concrete contrast that makes the DLP architecture gaps viscerally clear.
- Intent: The same DLP that caught an employee sending 82 MB to personal OneDrive completely missed ~7 GB of exfiltration to attacker infrastructure. Why? Because the attacker’s traffic looked like Microsoft Graph API, came from a service account exempt from content inspection, and ran during off-hours when the DLP’s user-focused rules don’t apply. This is a design gap, not a broken system. The contrast table forces Bravo to articulate exactly which policy assumptions the attacker exploited. This is a powerful finding for the cross-team briefing and for justifying the DLP enhancement recommendation.
- Resolution: If Bravo asks why service accounts were excluded, the answer is practical: service accounts generate high-volume automated traffic that would flood DLP queues with false positives. The exclusion was a deliberate operational decision that created a security blind spot. The learning value is in recognizing that rational operational decisions can create exploitable gaps.
BONUS – CHARLIE – Round 4
Media Inquiry: Biotech Industry Journalist
Type: External communication – media inquiry
Source: Email to BioGenix communications team, 2026-04-16 12:30 UTC
“Your communications manager just forwarded an email to the IC. A biotech industry journalist from MedWatch Denmark says they’ve ‘heard reports of a cybersecurity incident at a Danish biosolutions firm’ and is asking for comment. The email doesn’t name BioGenix specifically – but the journalist covers the Danish biotech sector regularly. The communications manager wants to know: do we respond, what do we say, and who approves it?”
From: Lars Bundgaard <l.bundgaard@medwatch.dk>
To: press@biogenix.dk
Date: 2026-04-16 12:30 UTC
Subject: Media inquiry -- cybersecurity incident report
Dear BioGenix Communications,
MedWatch Denmark has received information suggesting that a Danish
biosolutions company has experienced a cybersecurity incident affecting
its research data systems. We understand this may involve a supply
chain compromise of laboratory calibration software.
We are preparing a report for publication and would like to offer
BioGenix Solutions the opportunity to comment before we go to print.
Our deadline is 2026-04-17 14:00 CET.
Specifically:
1. Can BioGenix confirm or deny a cybersecurity incident?
2. Has any proprietary research data been compromised?
3. Has BioGenix contacted CFCS or other relevant authorities?
We will note "BioGenix declined to comment" if we do not receive
a response by deadline.
Best regards,
Lars Bundgaard
Senior Correspondent, Life Sciences
MedWatch Denmark
Facilitator Notes (hidden when printed):
- When to use: Charlie finishes the recovery prioritization and containment verification work ahead of schedule. This card introduces media pressure as a fourth concurrent workstream.
- Intent: Force Charlie to draft a holding statement under time pressure while balancing active CFCS coordination and containment operations. The journalist’s specific knowledge (supply chain, calibration software) suggests either a leak from within BioGenix, information from one of the other CFCS-identified European victims, or a CFCS/industry source. “No comment” risks a hostile article; an overshared response risks prejudicing the CFCS coordination or ongoing containment.
- Resolution: Do not provide a template response. The team must draft their own statement. Evaluate whether they coordinate with CFCS before responding. If Charlie drafts something that confirms the breach scope or names CFCS, flag it as a red flag.
- Playing the journalist: The journalist is polite but persistent. They have a deadline and will publish with or without a comment. They know about the supply chain vector but not the specific vendor.