Facilitator Session Checklist – Winnti Large Group

Start: ____:____

If running long: Cut Round 4 analysis time. Cut analysis time before briefing time. Guardrail times are ceilings, not targets. Advance on event triggers. Only compress to the guardrail if the event hasn’t occurred in time. Threat clock: Check skip conditions on IC whiteboard before reading each card.

Preparation: see the Preparation Checklist.

Opening (T+0 to T+5)

• Read opening line: “It is Thursday afternoon…”
• Release R1 envelopes (2 per team)
• Start timer

Round 1 (T+5 to T+28)

• Circulate, listen, don’t interject
• Navigation prompt if stuck after 10 min: “What is the minimum you need to make a provisional decision?”
• Call cross-team briefing when ready
• IC #1 synthesizes on whiteboard
• Check: Has IC identified HANSEN-SAP-01 as active threat?
• Guardrail: advance by T+28

Round 2 (T+28 to T+70)

• Release R2 envelopes (3 per team)
• Watch for: reimaging before memory capture – play CISO NPC immediately (isolation is safe – only reimaging destroys artifacts)
• Threat clock T1 at ~T+45: credential not revoked? Read T1 card. Skip if svc-rdbridge-admin CONTAINED
• Cross-team briefing
• Three decisions need owners: credential, exception, memory
• Threat clock T2 at ~T+60: exception not closed? Read T2 card. Skip if COLLBRIDGE-EXCL-003 CONTAINED
• NPC trigger: CTO if GenixLibrary or exception delayed
• NPC trigger: VP R&D if GenixLibrary shutdown discussed without research continuity
• Guardrail: handover by T+70

Handover (T+70 to T+78)

• Hand IC #1 the SBAR card (IC Cards page 2, top half)
• Call IC #2 back into the room, hand incoming commander card (IC Cards page 2, bottom half)
• Stay SILENT during briefing
• Wait for IC #2 to say “I have command”
• Ask IC #2: “What do you still not know?”

Round 3 (T+78 to T+95)

• Release R3 envelopes (1 per team)
• IC #2 orients, verifies whiteboard
• IC #2 calls first briefing
• Respond to Charlie’s C2 rotation alert if raised
• Guardrail: advance by T+95

Round 4 (T+95 to T+125)

• Release R4 envelopes (2 per team)
• Threat clock T3: memory not preserved? Read T3 card. Skip if memory image CONTAINED
• Watch for: scope statement without nuance – play CEO NPC
• Cross-team briefing
• CFCS NPC if artifact handoff not discussed
• Threat clock T4: GenixLibrary not isolated? Read T4 card. Skip if GenixLibrary CONTAINED, or both credential + exception CONTAINED
• VP R&D NPC if competitive exposure not raised
• Guardrail: close by T+125

Closing (T+125)

• Threat clock T5: read success or failure version
• “Name one thing. One owner. One date.” – go around room
• If senior customer contact present (CISO, head of IR): hand this moment to them – brief them beforehand

Debrief (T+125 to T+150)

• “Write down the one decision you most want to revisit.”
• Question 1: Could this happen to your organisation? What would be different – what would be the same?
• Question 2: Credential revoked – attack path closed? What second action was needed?
• Question 3: CFCS tipped you off. What if they hadn’t called? Would your own monitoring have caught this?
• Question 4: CaliSync’s pipeline is still compromised. When did you notify them? Who owned that decision?
• Question 5: HANSEN-SAP-01 – 18 months overdue, no patches, no monitoring, cloud access. How many like this in your org?
• After each question: “Who owns fixing this?”
• Close: “One thing I’ll do differently.” One sentence each.

---

Quick Reference: Threat Clock Skip Conditions

Card	Trigger	Skip If
T1 – Cloud access persists	~T+45 (mid R2), credential not revoked	svc-rdbridge-admin CONTAINED
T2 – Subnet exception exposed	~T+60 (late R2), exception not closed	COLLBRIDGE-EXCL-003 CONTAINED
T3 – Anti-forensics	Start of R4, memory not preserved	Memory image CONTAINED
T4 – Exfil spike	During R4, GenixLibrary not isolated	GenixLibrary CONTAINED, or both credential + exception CONTAINED
T5 – Full exfil	End of session, not fully contained	All paths CONTAINED

Check skip conditions against IC whiteboard before reading each card.

Quick Reference: NPC Lines

NPC	When	Line
CISO	Reimaging before preservation	“We will lose the kernel driver artifact. CFCS has already asked for it.”
CTO	GenixLibrary or exception delayed	“Close the exception immediately. GenixLibrary — can we confirm which projects were accessed, or do we suspend?”
CEO	Containment urgency not addressed	“Exposure shrinking or growing? What is still open and who owns it?”
VP R&D	Research continuity not raised	“I need to know which research projects were accessed. 3 programs in production phase.”
CFCS	CFCS coordination stalls	“We need your kernel driver artifact. What is your timeline?”

Quick Reference: Follow-Up Bank

Four responses, in priority order:

1. Release a card early — if they’re asking for something in a later envelope, give it now. Reward the good question.
2. Read from the follow-up bank below — pre-written answers for the most likely questions per card.
3. Cross-team referral — “That’s a Bravo/Charlie question — have you asked them?”
4. Dead end — “That data wasn’t captured” or “that system wasn’t monitored.” Close the thread cleanly.

Improvise rule: Confirm anything consistent with existing card content. For investigation-advancing claims not in any card, redirect rather than invent. Never contradict existing cards.

Card	If they ask…	Say…
A-R1-1 (system profile)	Is the cert expired or revoked?	“OCSP VALID, CRL NOT REVOKED. The certificate is legitimately valid — that is the puzzle.”
A-R2-2 (supply chain)	What does the software actually do when it runs?	Release behavioral supplement from the A-R2-2 IM notes — verbal, on demand.
A-R2-2 (supply chain)	Could the signing key have been stolen separately?	“Both are consistent with the evidence. Compromised build pipeline, stolen signing key, insider — all are valid. Which does your team think is most likely?”
A-R2-2 (supply chain)	Has CaliSync been notified?	“Not yet. That is your decision to make.”
A-R2-2 (supply chain)	Is the portal itself compromised?	“Portal integrity check shows no third-party modification or redirect. The portal is serving what it believes to be a legitimate update.”
A-R2-1 (memory forensics)	Is the C2 connection still active right now?	“PID 4028 shows an active outbound connection. Yes — the beacon is live.”
A-R2-1 (memory forensics)	Is there capability beyond what the five PIDs show?	“Nothing further at this stage.” (Targeting specificity detail is in Round 4.)
A-R1-1 (system profile)	Why is the update from November but the server is active now?	“The update was installed in November. The C2 beacon activity started in December. It has been active for months.” Let teams work out the persistence implication.
B-R2-2 (CA bypass)	Why wasn’t the exception flagged in an access review?	“COLLBRIDGE-EXCL-003 has no expiry date and no review owner. The review cycle was never triggered.”
B-R2-3 (ITSM ticket)	Who is the current ticket owner?	“The owner departed without handover. The ticket is currently unassigned.”
C-R1-1 (CFCS advisory)	Can we contact CFCS directly?	“Yes — CFCS is the contact who issued the advisory. Your CISO already has the relationship.”
C-R2-3 (C2 enrichment)	Can we get a malware sample?	“The update was auto-delivered via vendor channel. No standalone sample isolated. The kernel driver artifact on HANSEN-SAP-01 is what CFCS has asked for.”

Cross-Team Referral Matrix

Team asking	Question area	Point to
Alpha	Network traffic from HANSEN-SAP-01	Bravo — B-R1-2
Alpha	C2 infrastructure enrichment	Charlie — C-R1-2, C-R2-3
Alpha	Is the lateral movement path confirmed?	Bravo — B-R2-1
Bravo	What is running on HANSEN-SAP-01?	Alpha — A-R2-1
Bravo	What triggered this investigation?	Charlie — C-R1-1
Bravo	Threat actor attribution	Charlie — C-R2-3
Charlie	Confirmed malware behaviour on host	Alpha — A-R1-1, A-R2-1
Charlie	How did the attacker get initial access?	Alpha (A-R2-2) + Bravo (B-R2-1)
Charlie	What data has been exfiltrated?	Bravo — B-R4-1 (Round 4 only; not available yet)

Quick Reference: Dead Ends

Tell teams “that data wasn’t captured” or “that system wasn’t monitored” for:

• Email logs — not in scope
• SIEM alerts for HANSEN-SAP-01 — excluded from monitoring per COLLBRIDGE-EXCL-003
• EDR telemetry from HANSEN-SAP-01 — excluded from Defender scope (same exception)
• Full content of exfiltrated data — volume and destination are known; content is not recoverable from available logs
• CaliSync internal systems — requires vendor cooperation; not in scope for this exercise
• HANSEN-SAP-02 detail — not available until Round 4
• Individual attacker identities — not in scope; actor group attribution only

Quick Reference: Bonus Inject Cards

Round	Team	Card	When to use
R1	Charlie	CFCS indicator validation call	Charlie finishes advisory + TI enrichment early
R4	Alpha	CFCS artifact sharing scope	Alpha finishes rootkit + lateral movement early
R4	Bravo	DLP enhancement assessment (3 tiers)	Bravo finishes traffic + DLP analysis early
R4	Bravo	Secondary DLP alert (employee contrast)	Bravo finishes DLP enhancement or traffic early
R4	Charlie	Media inquiry (journalist)	Charlie finishes integrity + CFCS comparison early

Release only if a team has genuinely finished their core cards. Do not release to fill time — silence and discussion are more valuable than more data.

Quick Reference: Action Resolution

1. “Which team owns this?” – team lead answers
2. “What’s the difficulty?” – Easy 5+ / Medium 10+ / Hard 15+
3. “What happens if it goes wrong?” – team states the risk
4. Roll d20. Success = works. Partial (miss 1-3) = works BUT risk. Failure (miss 4+) = risk happens.
5. IC updates whiteboard.

Modifiers: +2 all teams briefed, +1 written rationale, Advantage if risk pre-identified.

Roll when: meaningful risk + uncertain outcome. Don’t roll: information gathering, no-consequence actions.

Quick Reference: IC Intervention Ladder

1. Do nothing for 30 seconds. Silence often resolves itself.
2. Redirect: “What did Bravo tell you? How does that change what Alpha found?”
3. Navigate: “What is the minimum you need to make a provisional decision?”
4. Direct: “Alpha lead, give the IC your top finding in 30 seconds.”