GaboonGrabber Education Scenario Planning
GaboonGrabber - StateU Financial Aid Crisis
1. Quick Reference
| Element | Details |
|---|---|
| Malmon | GaboonGrabber (Trojan/Stealth) ⭐⭐ |
| Difficulty Tier | Tier 1 (Beginner) Malmon, run at intermediate complexity because of the FERPA and student-impact considerations |
| Scenario Variant | Higher Education - Financial Aid Operations |
| Organizational Context | StateU: State university system, 25,000 students, 3,500 faculty/staff, critical financial aid disbursement deadline |
| Primary Stakes | Student financial records + FERPA compliance + Academic operations continuity + Student success |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Rebecca Turner (Financial Aid Director), Marcus Johnson (Student), Dr. Lisa Thompson (IT Director) |
| Optional NPCs | Christopher Bennett (Student Services VP), Additional students, Parent contacts, Media representatives |
Scenario Hook
“It’s Wednesday afternoon at StateU in the final week of spring semester financial aid disbursement. Thousands of students await payments for summer housing and tuition. The attacker monitored academic calendar timing, knowing stressed financial aid staff will click through security warnings to keep disbursements on schedule.”
Victory Condition
Successfully protect student financial data while ensuring critical financial aid disbursements proceed, demonstrating that student-centered security balances data protection with student success requirements.
2. Game Configuration Templates
Quick Demo Configuration (35-40 min)
Pre-Configured Settings:
- Number of Rounds: 1 round
- Actions per Player: 1 action
- Investigation Structure: Guided
- Response Structure: Pre-defined
- Team Size: 2-3 players
- Success Mechanics: Automatic
- Evidence Type: Obvious
- NPC Count: Essential only (Rebecca, Marcus)
Experience Focus: Fast demonstration of academic deadline vulnerability and student-centered decision-making.
Time Breakdown:
- Introduction & Roles: 5 min
- Scenario Briefing: 5 min
- Gameplay: 20 min
- Quick Debrief: 5 min (student impact focus)
- Q&A: 5 min
Facilitation Notes: Present Marcus’s urgent need for financial aid (housing deposit due tomorrow) alongside technical investigation. Show how student pressure creates institutional vulnerability. Debrief centers on balancing security with student success.
Lunch & Learn Configuration (75-90 min)
Pre-Configured Settings:
- Number of Rounds: 2 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Guided with player choice
- Response Structure: Mix of pre-defined and creative
- Team Size: 3-5 players
- Success Mechanics: Dice/Cards (simple)
- Evidence Type: Mixed
- NPC Count: Standard (Rebecca, Marcus, Lisa, Christopher)
Experience Focus: Explore tension between student services and security compliance in realistic educational setting.
Time Breakdown:
- Introduction & Roles: 8 min
- Scenario Briefing: 7 min
- Round 1 (Discovery): 20 min
- Round 2 (Investigation & Response): 25 min
- Standard Debrief: 10 min
- Q&A: 5 min
Facilitation Notes: Use Marcus as emotional anchor (real student with immediate need) while Christopher represents institutional pressure. Let players navigate student advocacy vs security requirements.
Full Game Configuration (120-140 min)
Pre-Configured Settings:
- Number of Rounds: 3 rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Open
- Response Structure: Creative
- Team Size: 4-6 players
- Success Mechanics: Dice/Cards with modifiers
- Evidence Type: Mixed (realistic)
- NPC Count: Full cast (4-6)
- Badge Tracking: On
Experience Focus: Complete exploration of educational institution security culture, student impact, and FERPA compliance.
Time Breakdown:
- Introduction & Roles: 10 min
- Scenario Briefing: 10 min
- Round 1 (Discovery): 25 min
- Round 2 (Investigation): 30 min
- Round 3 (Response): 25 min
- Standard Debrief: 10 min
- Advanced Discussion: 10 min
Facilitation Notes: Connect to real-world educational security challenges. Emphasize student-centered decision-making while maintaining data protection. Include FERPA breach notification requirements.
Advanced Challenge Configuration (180+ min)
Pre-Configured Settings:
- Number of Rounds: 4+ rounds
- Actions per Player: 2 actions per round
- Investigation Structure: Complex multi-threaded
- Response Structure: Innovative solutions required
- Team Size: 6+ players
- Success Mechanics: Complex (Network Security Status)
- Evidence Type: Subtle with red herrings
- Attack Complexity: Multi-stage evolution
- NPC Count: Full cast + media (6+)
- Badge Tracking: On with achievements
Experience Focus: Expert-level challenge including media pressure, multiple stakeholder demands, and sophisticated attack progression.
Time Breakdown:
- Introduction & Roles: 15 min
- Scenario Briefing: 15 min
- Round 1: 30 min
- Round 2: 35 min
- Round 3: 30 min
- Round 4: 30 min
- Extended Debrief: 20 min
- Advanced Discussion: 15 min
Facilitation Notes: Add complications: local media investigates “financial aid problems,” parent calls threaten legal action, additional students report personal data theft. Require innovation balancing student success with compliance.
3. Scenario Overview
Opening Presentation
“It’s Wednesday afternoon at StateU, and the financial aid office is in crisis mode. Spring semester aid disbursements must be completed by Friday—just 48 hours away—to ensure thousands of students can pay summer housing deposits and register for fall classes.
Marcus Johnson, a senior studying computer science, is one of 3,200 students awaiting his financial aid check. His summer housing deposit is due tomorrow morning, and without that aid payment, he’ll lose his apartment and miss summer session enrollment. He’s not alone—hundreds of students face similar deadlines.
Rebecca Turner, the Financial Aid Director, understands the urgency. Yesterday evening, her team was working overtime to process the final wave of disbursements. Multiple staff received what appeared to be urgent FAFSA system updates requiring immediate installation to continue processing. Stressed and focused on student deadlines, everyone clicked through.
Now, it’s Wednesday afternoon. Multiple computers in the financial aid office are running 40% slower during peak processing time. Students are calling about ‘new financial aid software’ requesting personal information updates. The help desk is overwhelmed.
Rebecca just gathered the team: ‘We have 48 hours to complete disbursements for over 3,000 students. Something’s wrong with our systems. We need answers—fast—without delaying payments that students are counting on.’”
Initial Symptoms to Present
- “Financial aid office computers running 40% slower during peak processing time”
- “Students calling help desk about ‘new financial aid software’ requiring personal information updates”
- “Staff report receiving ‘emergency FAFSA processing’ emails Tuesday evening from apparent federal sources”
- “University ID card systems experiencing intermittent connectivity issues”
- “Financial aid database queries taking 2-3x longer than normal”
Organizational Context Details
Organization Profile:
- Name: StateU (State University System)
- Type: Public higher education institution
- Size: 25,000 students, 3,500 faculty/staff, multiple campus locations
- Key Assets: Student financial records, FAFSA data, SSNs, banking information, academic records, enrollment systems
- Regulatory Environment: FERPA, state education regulations, federal financial aid compliance, data protection requirements
Cultural Factors:
- Student-centered mission where “student success” often overrides other considerations
- Financial aid office operates under extreme seasonal pressure during disbursement periods
- IT security seen as barrier to student services rather than protection mechanism
- Culture of “emergency exceptions” during critical academic calendar periods
- Staff trained to prioritize student needs and quick service delivery
Business Pressure:
- 3,200 students awaiting spring semester financial aid (Friday deadline)
- Summer housing deposits due within days of aid disbursement
- Fall registration dependent on summer housing confirmation
- Student retention metrics affected by timely financial aid delivery
- Institutional reputation for student support at stake
Malmon Characteristics in This Scenario
GaboonGrabber exploits academic calendar pressure and student-centered institutional culture. The attack specifically targets financial aid deadline periods when security awareness is lowest and staff are conditioned to process requests immediately for “student success.”
Key Capabilities Demonstrated:
- Perfect Mimicry (+3 social engineering): Fake “emergency FAFSA processing” emails from apparent federal sources, mimicking Department of Education communications, appearing exactly during disbursement deadline stress
- Fileless Deployment (+2 vs traditional AV): Payloads run memory-resident after injection, leaving little on disk for file-based scanning; the slowdown they cause is easy to dismiss during high-volume processing periods
- Multi-Payload Deployment (Hidden): Secondary payloads target student SSNs, banking information, and university administrative credentials after 24+ hours
Vulnerabilities to Exploit:
- Behavioral Analysis Weakness (-3 penalty): Process behavior monitoring can detect credential harvesting and data exfiltration attempts
- User Education Susceptibility: Student services staff training on recognizing federal communication spoofing would prevent initial compromise
4. NPC Reference
Essential NPCs (Must Include)
NPC 1: Rebecca Turner - Financial Aid Director
- Position: Financial Aid Director, responsible for disbursement operations and FERPA compliance
- Personality: Under enormous pressure, deeply committed to student success, defensive about emergency shortcuts, exhausted
- Agenda: Complete Friday disbursements on schedule, protect students from aid delays, maintain institutional reputation for student support
- Knowledge: Approved “emergency FAFSA processing tools” yesterday, knows disbursement deadline is non-negotiable, understands student impact
- Pressure Point: 3,200 students counting on her, career built on student advocacy, fears being responsible for aid delays
- IM Portrayal Notes: Express genuine concern for students like Marcus, initially resist anything delaying disbursements, become collaborative when shown student data protection is also student advocacy
NPC 2: Marcus Johnson - Student, Senior
- Position: Senior student dependent on financial aid, represents student voice and immediate human impact
- Personality: Anxious, focused, personally affected, doesn’t understand IT security concerns
- Agenda: Receive financial aid check by tomorrow to pay housing deposit and secure summer enrollment
- Knowledge: Clicked on “urgent financial aid update” email, provided personal information to “verify eligibility”
- Pressure Point: Loses housing and summer enrollment opportunity if aid delayed, represents thousands of students in similar situation
- IM Portrayal Notes: Make him sympathetic and real—describe his specific situation (computer science senior, summer internship requiring local housing, deadline tomorrow morning), ask direct questions: “Am I going to get my financial aid?”
NPC 3: Dr. Lisa Thompson - IT Director
- Position: IT Director responsible for university technology infrastructure and security
- Personality: Concerned about security, pressured to support “critical student services,” caught between security and service
- Agenda: Maintain system security while supporting student success mission, prove IT isn’t obstacle to student services
- Knowledge: Expedited approval of financial aid software without full security review, knows normal processes were bypassed
- Pressure Point: IT department seen as barrier to student services, needs to demonstrate support for institutional mission
- IM Portrayal Notes: Acknowledge security vs service tension, provide technical cooperation, admit pressure to approve software quickly
Optional NPCs (Add Depth)
NPC 4: Christopher Bennett - Student Services VP
- Position: VP for Student Services, represents institutional leadership and student success mission
- Personality: Results-oriented, impatient with delays, focused on student retention metrics
- Agenda: Ensure all financial aid processed on schedule, protect university reputation for student support
- Knowledge: Board reports on student retention, competitive landscape for student recruitment
- Pressure Point: Quarterly retention reports, university reputation, student and parent expectations
- IM Portrayal Notes: Demand solutions that prioritize student needs, resist security explanations initially, respond to framing about protecting students
NPC 5: Additional Student (Sarah Martinez)
- Position: Single parent student, even more vulnerable than Marcus
- Personality: Desperate, anxious, represents most vulnerable student population
- Agenda: Immediate financial aid for childcare and housing
- Knowledge: Provided extensive personal information to “verify” aid eligibility
- Pressure Point: Single parent with immediate financial crisis
- IM Portrayal Notes: Use sparingly for emotional impact, represents why timeline matters
NPC 6: Parent Contact (Mr. Rodriguez)
- Position: Parent of student awaiting aid, represents external stakeholder pressure
- Personality: Frustrated, demanding, doesn’t understand complexity
- Agenda: Immediate resolution for child’s financial aid
- Knowledge: Child reported “problems with financial aid system”
- Pressure Point: Paying for student’s backup housing option pending aid
- IM Portrayal Notes: Brief phone call adding pressure, represents broader parent community concern
NPC Interaction Guidelines
When to introduce NPCs:
- Rebecca Turner: Opening presentation as primary contact
- Marcus Johnson: Round 1 to establish student impact
- Dr. Lisa Thompson: Round 1 for technical context
- Christopher Bennett: Round 2 when institutional pressure escalates
- Additional students: Round 2-3 for emotional impact
- Parent contact: Round 3 if additional pressure needed
How NPCs advance the plot:
- Rebecca provides insider knowledge about what happened and institutional culture
- Marcus makes abstract “student data” concrete and immediate
- Lisa reveals IT security compromises and technical cooperation
- Christopher escalates institutional pressure and student success mission
- Additional students amplify emotional stakes and decision urgency
- NPCs create tension between security thoroughness and student-centered mission
5. Investigation Timeline
Round 1: Discovery Phase
Automatic Reveals:
- Initial reports started Tuesday evening during overtime financial aid processing
- Help desk logs show multiple “new software” installations after “FAFSA update” emails
- 15 workstations in financial aid office showing performance issues
Detective Investigation Leads:
- Email forensics reveal sophisticated spoofing of federal Department of Education communications
- Sender domains: “FAFSAprocessing.gov”, which appears only as a spoofed header From (outsiders cannot register .gov names, which are restricted to US government bodies, so mail authentication checks on this header fail), and “StudentAid.ed-gov.com”, a recently registered lookalike
- File analysis discovers “FAFSAProcessor.exe” and “AidDisbursement.exe” in user directories: the launchers staff were told to install; the payloads they inject run in memory, consistent with the fileless profile
- Log analysis shows unauthorized access attempts to student information systems
- Timeline: All infections occurred Tuesday 6pm-9pm during overtime processing session
Protector System Analysis:
- Memory analysis reveals process injection into financial aid processing applications
- Network monitoring detects unusual data flows from student records systems toward external IPs
- System integrity scans show modifications to financial aid database access controls
- Security logs reveal failed authentication attempts using harvested credentials
Tracker Network Investigation:
- DNS logs show queries to domains mimicking federal student aid websites
- Traffic analysis reveals attempted exfiltration of student financial records (SSNs, banking info)
- Email pattern analysis shows coordinated phishing targeting both staff and students
- External C2 infrastructure identified with poor reputation scores
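The Detective and Tracker leads above come down to the same check: does a sender or a queried host name borrow a federal brand without being a genuine federal domain, and do the mail headers agree with each other? The script below is an added example for this scenario, not part of the Malmon game material. The two messages, the DNS log format and the three workstation addresses are constructed, and the allowlist of genuine federal domains is an assumption; only the domain names themselves come from the scenario.

```python
"""Triage of spoofed "federal" senders in mail headers and DNS logs.

Added illustration for the Detective and Tracker leads in this scenario;
not part of the Malmon game material. Messages and DNS lines are constructed;
the allowlist of genuine federal domains is an assumption for the example.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

LEGIT_FEDERAL_DOMAINS = {"ed.gov", "studentaid.gov", "fafsa.gov"}  # assumption
BRAND_TOKENS = ("fafsa", "studentaid", "ed-gov")  # brand fragments reused in lookalikes


def registrable(host: str) -> str:
    """Last two labels of a host name; enough for the .gov/.com names here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True if the domain borrows a federal brand token but is not genuine.
    Only US government bodies can register .gov, so 'fafsaprocessing.gov' in a
    From header is a spoofed header.from, which SPF/DMARC results expose."""
    dom = registrable(host)
    return dom not in LEGIT_FEDERAL_DOMAINS and any(t in dom for t in BRAND_TOKENS)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def triage_email(raw: str) -> dict:
    """Compare header From, envelope sender (Return-Path) and Reply-To, and
    read the receiving MTA's Authentication-Results; each finding is a reason."""
    msg = message_from_string(raw)
    hdr = _domain(parseaddr(msg.get("From", ""))[1])
    env = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    rpl = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    auth = msg.get("Authentication-Results", "").lower()
    reasons = []
    if is_lookalike(hdr):
        reasons.append(f"header From domain imitates a federal brand: {hdr}")
    if env and registrable(env) != registrable(hdr):
        reasons.append(f"envelope sender {env} does not match header From {hdr}")
    if rpl and registrable(rpl) != registrable(hdr):
        reasons.append(f"Reply-To {rpl} routes replies away from {hdr}")
    for result in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if result in auth:
            reasons.append(f"{result} in Authentication-Results")
    return {"verdict": "suspicious" if reasons else "ok", "reasons": reasons}


def triage_dns(lines) -> dict:
    """Map each client IP to the lookalike registrable domains it queried.
    Lines are '<timestamp> <client-ip> <qname>' (constructed format)."""
    hits = defaultdict(set)
    for line in lines:
        _ts, client, qname = line.split()
        if is_lookalike(qname):
            hits[client].add(registrable(qname))
    return dict(hits)


# Constructed samples: a message matching the scenario's phish, a genuine
# notice, and DNS log lines from three financial-aid workstations.
SAMPLE_PHISH = """\
Return-Path: <bounce@studentaid.ed-gov.com>
Authentication-Results: mx.stateu.example; spf=fail smtp.mailfrom=studentaid.ed-gov.com; dmarc=fail header.from=fafsaprocessing.gov
From: "Federal Student Aid Processing" <updates@FAFSAprocessing.gov>
Reply-To: support@StudentAid.ed-gov.com
To: finaid-staff@stateu.example
Subject: URGENT: emergency FAFSA processing update required before Friday disbursement

Install the attached FAFSAProcessor.exe to continue processing.
"""
SAMPLE_LEGIT = """\
Return-Path: <noreply@studentaid.gov>
Authentication-Results: mx.stateu.example; spf=pass smtp.mailfrom=studentaid.gov; dkim=pass header.d=studentaid.gov; dmarc=pass header.from=studentaid.gov
From: "Federal Student Aid" <noreply@studentaid.gov>
To: finaid-staff@stateu.example
Subject: Scheduled maintenance notice

No action is required.
"""
SAMPLE_DNS = [
    "2024-05-07T18:12:04 10.20.5.31 studentaid.ed-gov.com",
    "2024-05-07T18:12:05 10.20.5.31 cdn.fafsaprocessing.gov",
    "2024-05-07T18:15:40 10.20.5.44 studentaid.gov",
    "2024-05-07T18:16:02 10.20.5.44 studentaid.ed-gov.com",
    "2024-05-07T18:20:11 10.20.5.52 www.ed.gov",
]

if __name__ == "__main__":
    print(triage_email(SAMPLE_PHISH))
    print(triage_email(SAMPLE_LEGIT))
    print(triage_dns(SAMPLE_DNS))
```

The design point for facilitators: the .gov name in the From header is not evidence of a registered attacker domain, it is evidence of header spoofing, and the receiving mail server's own Authentication-Results line is where that shows up. The lookalike .com is what the attacker actually controls, so it is the name to pivot on in DNS and proxy logs to find which workstations reached it.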
Communicator Stakeholder Interviews:
- Rebecca admits clicking on urgent processing tools to meet student deadlines
- Marcus reports providing SSN, bank account, and birth date to “verify financial aid eligibility”
- Lisa explains expedited software approval due to “critical student service needs”
- Financial aid staff describe culture where student needs override security procedures
Crisis Manager Coordination Discoveries:
- 15 infected workstations in financial aid office (75% of financial aid staff)
- Unknown number of students provided personal information to fake verification system
- 48 hours remaining until disbursement deadline affecting 3,200 students
- Breach notification obligations triggered if student data is confirmed compromised (FERPA itself sets no notification deadline; the clocks come from the institution’s Federal Student Aid participation agreement and from state breach-notification law)
Threat Hunter Proactive Findings:
- Behavioral patterns match GaboonGrabber Trojan
- Threat intelligence shows similar attacks targeting universities during financial aid periods
- Attribution suggests financially motivated threat actor specializing in educational institutions
- Pattern indicates this is Trojan-type optimized for credential harvesting and data theft
Round 2: Investigation Phase
Situation Update:
“It’s Wednesday evening. Your investigation confirms GaboonGrabber infection, and you’re approaching the 24-hour threshold for Multi-Payload Deployment. Christopher Bennett just called an emergency meeting: ‘200 students are waiting in line outside the financial aid office. They need answers. Marcus Johnson’s housing deposit deadline is tomorrow morning. What’s your plan?’
Meanwhile, your forensic analysis reveals something alarming: Student data has been exfiltrated. SSNs, banking information, addresses—all accessed and transmitted to attacker infrastructure. FERPA breach notification is now mandatory.”
Automatic Reveals:
- Student data exfiltration confirmed (triggering FERPA requirements)
- 24-hour threshold approaching for secondary payload deployment
- Marcus and 200+ students physically present demanding answers
Detective Investigation Leads:
- Forensic timeline shows 2,847 student records accessed from compromised systems
- Evidence of credential harvesting—financial aid staff passwords captured
- Data exfiltration logs reveal SSNs, banking info, addresses transmitted to C2 infrastructure
- Secondary payload staging detected (preparing to deploy additional malware)
Protector System Analysis:
- Real-time monitoring detects attempted deployment of RedLine Stealer and Snake Keylogger
- Database access patterns show attacker reconnaissance for additional student data
- System hardening assessment reveals financial aid systems insufficiently isolated
- Security architecture review shows normal controls disabled for “processing efficiency”
Tracker Network Investigation:
- C2 communication analysis reveals attacker preparing identity theft operations using stolen student data
- Dark web intelligence shows similar student data packages being sold
- Network traffic indicates attacker establishing persistence for long-term access
- Pattern suggests coordinated campaign across multiple university financial aid offices
Communicator Stakeholder Interviews:
- Christopher demands explanation for anything delaying disbursements
- Lisa reveals additional pressure: IT agreed to disable security controls temporarily for “student service”
- Parent calls begin arriving: “Why is my daughter’s financial aid delayed?”
- Local news contacts university about “financial aid processing problems”
Crisis Manager Coordination Discoveries:
- Breach notification required (the scenario runs a 48-hour clock as a game mechanic; facilitators should know that FERPA itself imposes no breach-notification deadline, that the institution’s Federal Student Aid participation agreement requires reporting a suspected breach to FSA on the day of detection, and that the timeline for notifying affected students comes from state breach-notification law)
- Containment decision needed: isolate systems vs maintain disbursement processing
- Student communication strategy required: notify 2,847 students of data breach
- Institutional reputation crisis: balance transparency with student confidence
Threat Hunter Proactive Findings:
- Intelligence indicates attacker specifically targets academic financial aid deadline periods
- Proactive hunting discovers 3 additional compromised systems in registrar’s office
- Attribution research reveals organized group specializing in educational institution targeting
- Vulnerability analysis: institutional culture prioritizing student service over security created exploitation opportunity
Round 3: Response Phase
Situation Update:
“It’s Thursday morning. You’ve confirmed GaboonGrabber infection and student data breach. Marcus Johnson just arrived at your office: ‘My housing deposit is due in 3 hours. Am I going to get my financial aid or not? I have nowhere to live for summer session without that money.’
Christopher Bennett sent an urgent email: ‘Board meeting in 2 hours. Need to report on financial aid status and student data security. What do I tell them?’
Rebecca is in tears: ‘I was trying to help students. Now their data is compromised because of decisions I made.’
And your threat intelligence just confirmed: Student data is being sold on dark web markets. Identity theft operations are already beginning.
What’s your response strategy?”
Evidence emerging during response:
- Student data confirmed for sale on dark web (active identity theft threat)
- Secondary payload deployment beginning (RedLine Stealer attempting activation)
- Media investigation intensifying (reporter asking about “student data breach”)
- Additional universities reporting similar attacks (coordinated campaign)
Success and Failure Branches:
If team chooses thorough response with student protection focus:
“You make the difficult call: Immediate containment, FERPA breach notification, transparent student communication, and 24-hour delay to disbursements for complete security verification.
Marcus’s reaction: ‘I’m going to lose my housing because of this?’
But then the team does something important. You don’t just secure the systems—you help Marcus. Emergency procedures, alternative housing assistance, direct communication about what happened and what you’re doing to protect him.
The response includes: Complete student notification about data breach, credit monitoring services offered to all 2,847 affected students, financial aid disbursements resume Friday evening with enhanced security, transparent media communication about incident and student protection measures.
Christopher Bennett’s board report: ‘We discovered and contained a sophisticated attack targeting our students. Our response prioritized student data protection and demonstrated our commitment to student welfare. The incident actually strengthened our security posture.’
Outcome: Student trust maintained through transparency, FERPA compliance achieved, security culture begins changing toward student-centered protection rather than security-vs-service conflict.”
If team balances security with immediate student needs:
“You develop a hybrid approach: Partial system isolation with enhanced monitoring, immediate disbursement for non-compromised records (including Marcus’s), phased processing with security verification for remaining students, proactive FERPA notification with comprehensive student support.
Marcus gets his aid check Thursday afternoon. His reaction: ‘Thank you for figuring this out and still helping me.’
The response includes: Same-day credit monitoring setup for affected students, transparent communication about what happened and what’s being done, financial aid processing continues with increased security, post-disbursement complete system remediation.
Christopher’s board report: ‘Sophisticated attack detected and contained. Student services maintained while implementing enhanced security. Incident demonstrates effective crisis management balancing student needs with data protection.’
Outcome: Student success mission maintained, security improved, institutional culture begins evolving toward integrated student-centered security.”
If team minimizes incident or delays student notification:
“You decide to downplay the breach and continue disbursements normally without full student notification.
Two weeks later: Multiple students report identity theft. Marcus had his bank account drained. Local news runs story: ‘StateU Hid Student Data Breach.’ Department of Education launches investigation into FERPA violations.
Christopher’s statement: ‘We are shocked and disappointed by this failure to protect our students and comply with federal requirements.’
Outcome: Institutional reputation severely damaged, FERPA penalties imposed, student trust destroyed, security culture problem worsens.”
6. Response Options
Type-Effective Approaches
Most Effective (Trojan Strengths - Behavioral Analysis):
- Runtime behavioral monitoring (+3 effectiveness): Detect credential harvesting and data exfiltration attempts. DC 12-15
- Memory forensics (+3 effectiveness): Identify process injection and stolen credential storage. DC 15
- Data access pattern analysis (+2 effectiveness): Detect abnormal student record queries. DC 15
Moderately Effective:
- Network microsegmentation (+1 effectiveness): Isolate financial aid systems while maintaining disbursement processing. DC 18 (Hard to balance)
- Credential reset and MFA implementation (0 modifier): Invalidates harvested passwords and blocks their replay, but doesn’t remove the malware; sequence it after infected hosts are isolated, or the new credentials are captured too. Trade-off: Security vs processing complexity
- Student data monitoring services (+1 long-term): Credit monitoring for affected students addresses identity theft risk
Least Effective:
- Signature-based detection (-2 effectiveness): GaboonGrabber’s fileless deployment evades traditional AV. DC 25+
- Simple password reset without malware removal (-1 effectiveness): Attacker captures new credentials immediately
- Hiding breach from students (-3 effectiveness): FERPA violations, ethical failure, worsens student impact when identity theft occurs
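Data access pattern analysis, listed above as a type-effective approach and used in Round 2 (“Database access patterns show attacker reconnaissance”), needs a baseline to compare against: how many records does each account normally pull per hour, and from which workstation? The script below is an added example, not part of the Malmon game material. The audit-log format, the account and workstation names (rturner, jkim, FA-WS-01 and so on), the dates and the two thresholds are all constructed assumptions for the example.

```python
"""Data access pattern analysis over a student-records audit log.

Added illustration for the data access pattern analysis response option;
not part of the Malmon game material. Audit lines are constructed in the
format '<iso-timestamp> <account> <workstation> <records_returned>'.
Account names, hosts and thresholds are assumptions for the example.
"""
from collections import Counter, defaultdict
from statistics import median

INTERACTIVE_PAGE_SIZE = 25   # assumption: aid screens show at most 25 records per query
SPIKE_FACTOR = 10            # assumption: >10x an account's hourly median is a spike


def parse(line: str):
    ts, account, host, n = line.split()
    return ts, account, host, int(n)


def build_baseline(history_lines):
    """From a clean history window: each account's median records per hour,
    and the (account, workstation) pairings that are normal for it."""
    hourly = defaultdict(Counter)
    pairings = set()
    for ts, acct, host, n in map(parse, history_lines):
        hourly[acct][ts[:13]] += n       # bucket key is 'YYYY-MM-DDTHH'
        pairings.add((acct, host))
    medians = {acct: median(buckets.values()) for acct, buckets in hourly.items()}
    return {"hourly_median": medians, "pairings": pairings}


def detect(lines, baseline):
    """Alert on: an account used from a workstation it never used before
    (harvested credentials replayed from another host); single queries larger
    than any interactive screen returns; and hourly volume far above the
    account's own baseline. Off-hours use alone is not flagged, because the
    scenario's staff were legitimately working overtime."""
    alerts, totals, flagged_pairs = [], Counter(), set()
    for ts, acct, host, n in map(parse, lines):
        totals[(acct, host, ts[:13])] += n
        pair = (acct, host)
        if pair not in baseline["pairings"] and pair not in flagged_pairs:
            flagged_pairs.add(pair)
            alerts.append({"type": "new_pairing", "account": acct, "host": host, "first_seen": ts})
        if n > INTERACTIVE_PAGE_SIZE:
            alerts.append({"type": "oversized_query", "account": acct, "host": host, "time": ts, "records": n})
    for (acct, host, hour), total in sorted(totals.items()):
        base = baseline["hourly_median"].get(acct, INTERACTIVE_PAGE_SIZE)
        if total > SPIKE_FACTOR * base:
            alerts.append({"type": "volume_spike", "account": acct, "host": host,
                           "hour": hour, "records": total, "baseline_per_hour": base})
    return alerts


# Constructed samples: a clean prior week, then the Tuesday overtime session.
# rturner and jkim work normally; then jkim's harvested credentials are used
# from FA-WS-12 to pull records in bulk.
HISTORY = [
    "2024-04-30T09:05:00 rturner FA-WS-01 4",
    "2024-04-30T09:40:00 rturner FA-WS-01 6",
    "2024-04-30T10:15:00 rturner FA-WS-01 3",
    "2024-04-30T14:10:00 jkim FA-WS-07 5",
    "2024-04-30T14:30:00 jkim FA-WS-07 8",
    "2024-04-30T16:00:00 jkim FA-WS-07 2",
    "2024-05-01T18:30:00 jkim FA-WS-07 7",
]
TUESDAY_EVENING = [
    "2024-05-07T18:05:00 rturner FA-WS-01 5",
    "2024-05-07T18:22:00 rturner FA-WS-01 8",
    "2024-05-07T19:10:00 jkim FA-WS-07 6",
    "2024-05-07T20:02:00 jkim FA-WS-07 9",
    "2024-05-07T20:41:00 jkim FA-WS-12 400",
    "2024-05-07T20:43:00 jkim FA-WS-12 450",
    "2024-05-07T20:47:00 jkim FA-WS-12 500",
]

if __name__ == "__main__":
    for alert in detect(TUESDAY_EVENING, build_baseline(HISTORY)):
        print(alert)
```

Two points worth drawing out in the debrief: the legitimate overtime session produces no alerts even though it is after hours, so the detection does not punish the staff for doing their jobs; and the first alert is the account appearing on a workstation it has never used, which is the earliest signal that harvested credentials are in play and the reason the password reset has to wait until the infected hosts are off the network.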
Creative Response Guidance
Encourage innovation in:
- Student-centered security communication: Frame data protection as student advocacy rather than obstacle to service
- Phased disbursement with security verification: Process cleared students immediately while thoroughly checking compromised systems
- Collaborative student support: Combine security response with direct student assistance (emergency housing, credit monitoring)
- Cultural transformation: Turn incident into catalyst for student-centered security culture
Common creative solutions:
- “Student advocate security team”: Some teams create dedicated role ensuring student needs integrated into security response (adjudicate positively as excellent stakeholder management)
- Emergency disbursement fund: Temporary support for students like Marcus while security verification proceeds (adjudicate as innovative student-centered approach)
- Transparent town hall: Public student meeting explaining incident, protection measures, and commitment to student welfare (adjudicate as excellent crisis communication)
7. Round-by-Round Facilitation Guide
Round 1: Discovery
Opening Narration:
“It’s Wednesday afternoon at StateU. In the financial aid office, the atmosphere should be focused but optimistic—spring semester disbursements are on track to meet Friday’s deadline. Three thousand two hundred students are waiting for the financial aid checks that will enable summer housing deposits, fall registration, and continued education.
But something’s wrong.
Rebecca Turner, the Financial Aid Director, has gathered her team. Multiple workstations are running slowly. Students are calling about ‘new financial aid software’ requesting personal information. And yesterday evening, during overtime processing to meet the Friday deadline, everyone received urgent emails about ‘emergency FAFSA processing updates’ that needed immediate installation.
As Rebecca starts to explain the situation, there’s a knock on the door. It’s Marcus Johnson, a senior computer science student. ‘I’m sorry to interrupt,’ he says, ‘but my summer housing deposit is due tomorrow morning. Without my financial aid, I can’t pay it, and I’ll lose my apartment. When will the disbursement be ready?’
Rebecca looks at your team. The stress in her face is clear. ‘We have 48 hours to process aid for over 3,000 students like Marcus. Something’s affecting our systems. We need to figure this out—fast—without delaying payments students are counting on.’
What do you do?”
IM Questions to Ask:
- “Hearing these symptoms—slowdowns after ‘emergency FAFSA’ emails during a critical deadline period—what would concern you most?”
- “Marcus represents 3,200 students with immediate financial needs. How does that human impact affect your investigation approach?”
- “What would make experienced financial aid staff, who process FAFSA data daily, click on suspicious emails? What does that tell you about the attack?”
- “How do you investigate thoroughly while respecting the real urgency of student needs like Marcus’s housing deadline?”
Expected Player Actions:
- Detective examining emails: Reveal sophisticated Department of Education spoofing. Ask: “How would you distinguish legitimate federal communications from these forgeries?”
- Protector analyzing systems: Show memory-resident malware and process injection. Ask: “What does it mean that malware is hiding in financial aid processing software?”
- Tracker investigating network: Display data exfiltration to external infrastructure. Ask: “What student data would attackers target from financial aid systems?”
- Communicator interviewing staff/students: Rebecca admits shortcuts, Marcus describes providing personal information. Ask: “What organizational culture factors enabled this attack?”
- Crisis Manager assessing impact: 15 infected systems, 48-hour deadline, unknown number of students compromised. Ask: “What’s your priority: complete information or timely decisions for students?”
Malmon Identification Moment:
“Your evidence shows sophisticated social engineering targeting academic calendars, process injection into financial aid software, and credential harvesting focused on student data. The behavioral patterns—especially exploiting institutional pressure and student-centered culture—match what type of Malmon?
When identified as Trojan, introduce GaboonGrabber: ‘Your threat intelligence confirms GaboonGrabber. This Trojan has a hidden ability: Multi-Payload Deployment after 24 hours. You’re approaching that threshold. And there’s something else—your forensic analysis shows student data has already been accessed.’”
Round Conclusion:
“As Round 1 ends, you’ve identified GaboonGrabber and confirmed student data exposure. But the situation is escalating.
Marcus is still waiting outside the office. He’s not alone—word has spread, and 50 students have gathered, asking about their financial aid status.
Christopher Bennett, the Student Services VP, just called Rebecca: ‘I’m hearing about problems in financial aid. We have a board meeting tomorrow. I need to know: Will Friday’s disbursements proceed on schedule?’
And your forensic timeline shows you’re 90 minutes from the 24-hour threshold where GaboonGrabber typically deploys secondary payloads.
You understand what happened. Now you need to understand how bad this is—and what it means for students like Marcus.”
Round 2: Investigation
Situation Update:
“It’s Wednesday evening. The financial aid office has officially closed, but the lights are still on. Outside, the number of students has grown to over 200. Someone made a social media post about ‘financial aid system problems,’ and now anxiety is spreading across campus.
Marcus is among them, checking his phone repeatedly. His summer internship starts in two weeks—but only if he has housing.
Your deeper investigation has revealed the full scope: 2,847 student records were accessed and exfiltrated. Names, SSNs, bank account information, addresses—all transmitted to attacker infrastructure. FERPA breach notification is now mandatory.
Christopher Bennett just arrived in person. ‘I have 200 students outside demanding answers,’ he says. ‘I have a board meeting in the morning where I’m supposed to report on our commitment to student success. What am I supposed to tell them?’
How bad is this, and what are you going to do about it?”
IM Questions to Ask:
- “You’ve confirmed student data breach affecting 2,847 students. What are your legal obligations under FERPA, and how do those affect your response timeline?”
- “Marcus’s housing deadline is tomorrow. How do you balance his immediate need against the security thoroughness required for 3,200 disbursements?”
- “What does ‘student-centered security’ mean in this situation—is it protecting student data, ensuring financial aid delivery, or both?”
- “How do you communicate with students about a data breach in a way that maintains trust while being transparent about risks?”
Pressure Points to Introduce:
- Student pressure (Hour 1): 200 students outside, social media amplifying anxiety, Marcus’s deadline approaching
- Institutional pressure (Hour 2): Christopher demands board presentation plan, threatens to override security decisions “for student welfare”
- Regulatory pressure (Hour 3): Lisa reminds team of FERPA 48-hour notification requirement, potential penalties for non-compliance
- Technical escalation (Hour 4): Secondary payload deployment detected, RedLine stealer attempting activation, additional data at risk
Round Conclusion:
“Your investigation has revealed a crisis on multiple levels. Technical: GaboonGrabber with data breach confirmed and secondary payloads deploying. Human: Marcus and 3,200 students whose educational futures depend on Friday’s disbursements. Institutional: Rebecca in tears about compromising student data while trying to help students. Regulatory: FERPA breach notification required within 48 hours.
Christopher Bennett’s voice is sharp: ‘I need a decision. Do we proceed with Friday disbursements or not? What do I tell students outside?’
Rebecca adds quietly: ‘And what do I tell Marcus about his housing?’
Your threat intelligence just sent an alert: Student data from this breach is already appearing on dark web markets. Identity theft operations are beginning.
It’s time to decide. What’s your response strategy?”
Round 3: Response
Critical Decision Point:
“It’s Thursday morning. Marcus’s housing deposit deadline is in 3 hours. Christopher’s board meeting is in 2 hours. Rebecca needs to know what to tell her team. Lisa needs to know what security measures to implement.
And 2,847 students need to know that their personal information—SSNs, bank accounts, addresses—has been compromised.
The technical picture is clear: GaboonGrabber confirmed, data breach confirmed, secondary payloads attempting deployment, and complete remediation will take 36-48 hours.
The student picture is equally clear: 3,200 students depending on Friday disbursements for housing, tuition, and continued education. Real people with immediate needs like Marcus.
The regulatory picture is unambiguous: FERPA requires breach notification within 48 hours. Non-compliance brings federal penalties and institutional reputation damage.
Sarah Chen from IT walks in: ‘We can contain the immediate threat with enhanced monitoring and partial isolation. Not perfect, but we could maintain disbursement processing while implementing full security verification. It’s a calculated risk.’
Christopher Bennett counters: ‘Or we delay everything, secure systems completely, and deal with the student impact. Either way, we need a decision now.’
Rebecca looks at Marcus waiting outside. ‘What do I tell him?’
What do you do?”
IM Questions to Ask:
- “What does student-centered security mean to you in this specific moment—for Marcus, for the 2,847 students whose data was stolen, for the 3,200 waiting for disbursements?”
- “How do you design a response that protects students while serving students—not as conflicting goals but as integrated mission?”
- “What communication strategy addresses student anxiety, institutional reputation, regulatory requirements, and human compassion simultaneously?”
- “How does your team coordinate technical response, student support, regulatory compliance, and crisis communication in parallel?”
Success and Failure Branches:
[Detailed outcomes as specified in earlier section]
Resolution Narration:
“[Based on team’s approach, narrate outcome emphasizing student impact and institutional learning]
Three weeks later, Marcus stops by the IT office. ‘I wanted to thank you,’ he says. ‘Not just for [getting my aid/protecting my data/being honest about what happened]. But for showing that security and student support aren’t opposites. That protecting student data is student advocacy.’
Rebecca sends a follow-up email: ‘This incident changed how we think about security in student services. We’re implementing [specific changes]. But more than that, we’re changing the culture. Security isn’t a barrier to helping students—it’s how we help students.’
Christopher’s final board report: ‘[Adapt based on outcome - either praising student-centered security response or discussing lessons learned from crisis]’
The StateU financial aid disbursement will continue—your decisions determined whether students trust that their university protects them while serving them.”
8. Pacing & Timing Notes
Time Management Strategies
If Running Long:
- Condense student impact moments: Brief mentions of Marcus rather than extended scenes
- Fast-forward FERPA details: “Breach notification is required” without lengthy regulatory explanation
- Summarize forensic analysis: “Your investigation reveals…” rather than detailed technical walkthrough
- Reduce NPC interactions: Focus on Rebecca and Marcus, minimize Christopher and additional students
If Running Short:
- Expand student stories: Introduce Sarah Martinez (single parent) or additional students with compelling situations
- Add parent pressure: Phone calls from concerned parents demanding explanations
- Include media subplot: Local news reporter investigating “financial aid problems”
- Extend board meeting preparation: Christopher demands detailed presentation plan
If Team Stuck:
- Discovery phase: Rebecca volunteers: “I should probably mention we had students calling about providing information to ‘verify’ financial aid eligibility…”
- Investigation phase: Marcus asks directly: “Did someone steal my information? My SSN was on those systems.”
- Response planning: Lisa offers framework: “We need to think about this in terms of technical security, student service continuity, and regulatory compliance. What’s our approach to each?”
- Reframe if overwhelmed: “Let’s focus on Marcus. What does he need, and how do we protect him while serving him?”
Engagement Indicators
Positive Signs:
- Team discussing student impact alongside technical analysis (indicates engagement with student-centered framing)
- Debate about balancing security thoroughness with student needs (indicates wrestling with realistic dilemma)
- Creative solutions that integrate security and student advocacy (indicates deep engagement)
- Questions about FERPA and regulatory requirements (indicates taking institutional context seriously)
Warning Signs:
- Dismissing student impact as “not our problem” or “just business pressure”
- Excessive technical focus without connecting to student welfare
- Frustration with Christopher or Rebecca without exploring organizational culture issues
- Silence when Marcus’s situation is presented
- Treating students as abstract “records” rather than real people
Interventions:
- Refocus on students: “While you’re analyzing logs, Marcus just updated his social media: ‘Might lose my apartment because of financial aid system problems. Where am I going to live?’ How does that affect your approach?”
- Humanize the data: “Those 2,847 student records include real people—computer science majors like Marcus, single parents, first-generation college students. What’s your responsibility to them?”
- Validate frustration while maintaining realism: “You’re right that institutional pressure complicates security response. That’s also the reality in educational institutions. How do cybersecurity professionals navigate this?”
- Energy injection: Christopher arrives in person with 200 students outside, or parent calls threatening legal action
9. Debrief Discussion Points
Critical Learning Objectives
Technical Concepts:
- Targeted social engineering: How attackers research organizational calendars and pressure points to time attacks for maximum vulnerability
- Credential harvesting and data theft: Understanding the Trojan type’s focus on stealing data rather than disrupting systems
- FERPA compliance and breach notification: Legal and ethical requirements when student data is compromised
- Behavioral detection for data theft: Why signature-based detection alone fails against sophisticated credential harvesting, and why behavioral analysis and data access monitoring are the effective counters
Collaboration Skills:
- Student-centered security: Integrating data protection with student advocacy rather than treating them as conflicting goals
- Crisis communication to vulnerable populations: How to inform students about data breaches while maintaining trust
- Regulatory compliance under pressure: Navigating FERPA requirements during crisis with tight timelines
- Balancing immediate needs with thorough response: Marcus’s housing deadline versus comprehensive security verification
Reflection Questions
Scenario-Specific:
- “What made this attack successful beyond the technical vulnerabilities? How did institutional culture create exploitation opportunities?”
- “How did you balance Marcus’s immediate need for financial aid against the 2,847 students whose data was stolen? What framework guided that decision?”
- “What would you tell Rebecca about preventing similar incidents—is it technical controls, cultural change, or both?”
- “How does this scenario change your thinking about ‘student-centered’ institutions? Can security be student-centered too?”
Real-World Connections:
- “Have you seen deadline pressure override security controls in your organizations? How do you navigate that tension?”
- “Educational institutions often face the security-vs-service dilemma. How would you address this systemically at your workplace?”
- “How would you design security awareness training for student services staff that respects their student advocacy mission?”
- “What’s your responsibility when cybersecurity decisions directly affect vulnerable populations like students depending on financial aid?”
MalDex Documentation Prompts
Encourage documentation of:
- Investigation technique: “How did you identify that student data had been exfiltrated? What forensic indicators were most valuable?”
- Response innovation: “How did your team balance student service continuity with security thoroughness? What approach could other institutions use?”
- Cultural insight: “What did this teach you about how institutional missions create security vulnerabilities? How would you address student-centered culture issues?”
- Crisis communication: “How did you communicate with students about the data breach in a way that maintained trust? What language or approaches worked?”
10. Facilitator Quick Reference
Type Effectiveness Chart
GaboonGrabber (Trojan/Stealth):
- Resists: Signature Detection (-2), Static Analysis (-2)
- Weak Against: Behavioral Analysis (+3), Data Access Monitoring (+2), Memory Forensics (+2)
- Special: Credential harvesting particularly effective in student services context
Common Facilitation Challenges
Challenge 1: Team dismisses student impact as “not security’s problem”
IM Response: “Marcus is standing outside Rebecca’s office. His housing deposit deadline is in 2 hours. Your security decision directly determines whether he has a place to live while attending summer session. How is that not cybersecurity’s problem?”
Challenge 2: Team wants to delay everything for perfect security
IM Response: “Perfect security would mean delaying disbursements until complete remediation—36-48 hours minimum. That means 3,200 students miss critical deadlines. Some will lose housing. Some will miss enrollment. Some may leave the university. Is that an acceptable outcome?”
Challenge 3: Team minimizes data breach significance
IM Response: “Those 2,847 student records are already for sale on dark web markets. Marcus’s SSN and bank account information are being sold right now. Identity theft operations are beginning. What’s your responsibility?”
Challenge 4: Players frustrated by Christopher or Rebecca’s pressure
IM Response: “You’re right, the institutional pressure is intense. Christopher’s mission is student success. Rebecca’s career is built on student advocacy. They’re not wrong—they’re advocating for real students with real needs. How do you integrate their perspective with security requirements?”
Dice/Success Mechanics Guidelines
Investigation Actions:
- Basic evidence discovery: DC 10-12
- FERPA requirement research: DC 12
- Data exfiltration confirmation: DC 15
- Attribution analysis: DC 18-20
Containment Actions:
- Behavioral monitoring deployment: DC 12-15
- Partial isolation with disbursement continuity: DC 18 (Hard - balancing act)
- Complete system remediation: Automatic success but 36-48 hour timeline
- Signature detection: DC 25+ (ineffective)
Student Communication:
- Clear breach notification to students: DC 15
- Maintaining trust during crisis: DC 18
- Managing 200 anxious students: DC 20
Modifiers:
- Type-effective approach (behavioral analysis): -3 DC
- Student-centered framing: -2 DC for communication
- Team coordination: -2 DC
- Deadline pressure: +2 DC
- Transparent honesty with stakeholders: -2 DC
11. Scenario Customization Notes
Difficulty Adjustments
Make Easier:
- Remove FERPA complexity—focus on basic incident response
- Reduce student data exposure—minimize regulatory requirements
- Extend deadline—give team more time for response
- Make Christopher more collaborative
- Simplify to 2 rounds
Make Harder:
- Add media investigation—local news story
- Include parent legal threats
- Expand to multiple university departments
- Introduce evidence of student identity theft already occurring
- Add legitimate financial aid software bugs creating confusion
Industry Adaptations
For Corporate Financial Services:
- Adapt to employee payroll crisis during tax season
- Replace FERPA with financial regulations
- Change NPCs to HR director, employees, executives
- Emphasize employee financial hardship
For Healthcare:
- Adapt to patient billing during insurance deadline
- Replace FERPA with HIPAA
- Change NPCs to billing director, patients, administrators
- Emphasize patient care access
For Government:
- Adapt to constituent services during benefit disbursement
- Replace FERPA with government transparency requirements
- Change NPCs to agency administrators, citizens, elected officials
- Emphasize public trust
12. Cross-References
Additional Resources
Real-World Context:
- Educational institutions frequently targeted during financial aid periods
- Student data particularly valuable due to clean credit histories
- Academic calendar creates predictable high-pressure periods
MITRE ATT&CK:
- T1566.001 (Spearphishing Attachment)
- T1204.002 (Malicious File)
- T1555 (Credentials from Password Stores)
- T1005 (Data from Local System)
Notes for IM Customization
[Space for personal notes and insights]
End of Planning Document
This scenario emphasizes student-centered security and balancing protection with service. The goal is demonstrating that cybersecurity serves people, not just systems.