GaboonGrabber Healthcare Scenario Planning

GaboonGrabber - Healthcare Implementation Crisis

1. Quick Reference

Essential at-a-glance information for session setup

  • Malmon: GaboonGrabber (Trojan/Stealth) ⭐⭐
  • Difficulty Tier: Tier 1 (Beginner) - Perfect for new teams
  • Scenario Variant: Healthcare - Medical Technology Implementation
  • Organizational Context: MedTech Solutions: Healthcare technology, 200 employees, implementing EMR for Riverside General Hospital
  • Primary Stakes: Patient safety data + HIPAA compliance + Life-critical medical device networks + $2M client relationship
  • Recommended Formats: Lunch & Learn, Full Game (90-140 min)
  • Essential NPCs: Sarah Chen (IT Director), Mike Rodriguez (Head Nurse), David Kim (Riverside General CIO)
  • Optional NPCs: Jennifer Park (COO), Security team members, Hospital administrators

Scenario Hook

“It’s Friday afternoon at MedTech Solutions, and your biggest implementation ever goes live Monday morning at Riverside General Hospital. Instead of celebration, there’s growing concern—multiple staff report computer slowdowns after clicking ‘critical security updates’ during the final implementation push.”

Victory Condition

Successfully identify and contain GaboonGrabber infection while maintaining Monday go-live schedule and client relationship, demonstrating that security vigilance during high-pressure projects protects both technical systems and business partnerships.


2. Game Configuration Templates

Quick Demo Configuration (35-40 min)

Pre-Configured Settings:

  • Number of Rounds: 1 round
  • Actions per Player: 1 action
  • Investigation Structure: Guided (IM presents clues on timeline)
  • Response Structure: Pre-defined (IM presents 2-3 clear options)
  • Team Size: 2-3 players (hybrid roles)
  • Success Mechanics: Automatic (good idea = success)
  • Evidence Type: Obvious
  • NPC Count: Essential only (Sarah Chen, David Kim)

Experience Focus: Fast-paced demonstration showing how project pressure creates security vulnerabilities. Focus on immediate recognition and basic containment.

Time Breakdown:

  • Introduction & Roles: 5 min
  • Scenario Briefing: 5 min
  • Gameplay: 20 min (rapid investigation and containment decision)
  • Quick Debrief: 5 min (focus on deadline pressure vulnerabilities)
  • Q&A: 5 min

Facilitation Notes: Present the “Hook” and “Initial Symptoms” to establish urgency. Guide players through the “Detective Investigation Leads” at 5-minute intervals. Offer Pre-Defined Response Options focusing on network isolation vs. complete re-imaging. Debrief centers on why security controls matter even during critical project deadlines.


Lunch & Learn Configuration (75-90 min)

Pre-Configured Settings:

  • Number of Rounds: 2 rounds
  • Actions per Player: 2 actions per round
  • Investigation Structure: Guided with player choice
  • Response Structure: Mix of pre-defined and creative approaches
  • Team Size: 3-5 players (standard roles)
  • Success Mechanics: Dice/Cards (simple)
  • Evidence Type: Mixed (obvious and subtle)
  • NPC Count: Standard (Sarah, Mike, David, Jennifer)

Experience Focus: Balanced experience exploring social engineering + technical analysis + stakeholder pressure. Allows for Malmon evolution showing multi-payload deployment capability.

Time Breakdown:

  • Introduction & Roles: 8 min
  • Scenario Briefing: 7 min
  • Round 1 (Discovery): 20 min
  • Round 2 (Investigation & Response): 25 min
  • Standard Debrief: 10 min
  • Q&A: 5 min

Facilitation Notes: Use full NPC cast to create complex decision-making. Round 1 focuses on discovery and identification. Round 2 introduces Malmon evolution (secondary payload deployment) raising stakes. Debrief explores balance between security and business operations.


Full Game Configuration (120-140 min)

Pre-Configured Settings:

  • Number of Rounds: 3 rounds
  • Actions per Player: 2 actions per round
  • Investigation Structure: Open (players choose investigation paths)
  • Response Structure: Creative (players develop their own approaches)
  • Team Size: 4-6 players (full role complement)
  • Success Mechanics: Dice/Cards with modifiers
  • Evidence Type: Mixed (realistic blend)
  • NPC Count: Full cast (4-6 characters)
  • Badge Tracking: On

Experience Focus: Complete immersive M&M experience with player-driven investigation, creative problem-solving, and full narrative arc showing villain’s complete plan.

Time Breakdown:

  • Introduction & Roles: 10 min
  • Scenario Briefing: 10 min
  • Round 1 (Discovery): 25 min
  • Round 2 (Investigation): 30 min
  • Round 3 (Response): 25 min
  • Standard Debrief: 10 min
  • Advanced Discussion: 10 min

Facilitation Notes: Players explore independently using “Key Discovery Paths” as guidance. Facilitate dynamically based on player choices. All three rounds allow full narrative arc including complete villain plan execution. Connect to real-world principles: social engineering awareness, behavioral analysis importance, incident response coordination.


Advanced Challenge Configuration (180+ min)

Pre-Configured Settings:

  • Number of Rounds: 4+ rounds
  • Actions per Player: 2 actions per round
  • Investigation Structure: Complex multi-threaded
  • Response Structure: Innovative solutions required
  • Team Size: 6+ players (expanded roles or multiple teams)
  • Success Mechanics: Complex (Network Security Status tracking)
  • Evidence Type: Subtle with red herrings
  • Attack Complexity: Multi-stage with evolution
  • NPC Count: Full cast with hidden agendas (6+)
  • Badge Tracking: On with achievements

Experience Focus: Sophisticated challenge for expert teams. Add red herrings (unrelated EMR bugs), make containment ambiguous, require innovation under pressure. Remove reference materials to test knowledge recall.

Time Breakdown:

  • Introduction & Roles: 15 min
  • Scenario Briefing: 15 min
  • Round 1 (Initial Discovery): 30 min
  • Round 2 (Deep Investigation): 35 min
  • Round 3 (Response Planning): 30 min
  • Round 4 (Execution & Evolution): 30 min
  • Extended Debrief: 20 min
  • Advanced Discussion: 15 min

Facilitation Notes: Minimal guidance, maximum complexity. Introduce complications: EMR system has legitimate bugs creating confusion, hospital calls hourly with increasing pressure, management demands solutions that compromise security. Challenge assumptions. Facilitate innovation. Require justification of choices with limited information.


3. Scenario Overview

Opening Presentation

“It’s Friday afternoon at MedTech Solutions, and the mood should be celebratory—your biggest implementation ever goes live Monday morning at Riverside General Hospital. This $2M annual contract represents years of business development and will showcase your electronic medical records platform to the entire regional healthcare market.

But instead of champagne, there’s growing concern. Multiple staff members are reporting computer slowdowns, and the help desk has received several calls about unexpected pop-ups. Yesterday evening, during the final push to meet Monday’s deadline, several IT staff received what appeared to be critical security updates from trusted software vendors. With everything riding on Monday’s go-live, you need to investigate what’s happening—without derailing the most important implementation in company history.”

Initial Symptoms to Present

  • “Computers running 30% slower since yesterday afternoon during final implementation push”
  • “Help desk reports 5 calls about unexpected pop-ups appearing on workstations”
  • “IT staff mention receiving ‘urgent security update’ emails Thursday evening from apparent software vendors”
  • “Some applications taking longer to start than usual, affecting implementation timeline”
  • “One workstation exhibiting intermittent connection issues to hospital’s test environment”

Organizational Context Details

Organization Profile:

  • Name: MedTech Solutions
  • Type: Healthcare technology consulting and implementation
  • Size: 200 employees across 4 offices, primary implementation team of 25
  • Key Assets: Proprietary EMR platform, implementation methodologies, client healthcare data, hospital network access
  • Regulatory Environment: HIPAA, SOC 2, healthcare vendor security requirements

Cultural Factors:

  • High-pressure project culture where deadlines frequently override normal processes
  • “Client first” mentality that prioritizes customer satisfaction over internal procedures
  • Recent management emphasis on “user experience” over security to improve client satisfaction scores
  • IT department culture of working through security warnings during crunch periods

Business Pressure:

  • $2M annual recurring revenue from Riverside General contract
  • Reference case for regional healthcare market expansion
  • CEO personally involved in relationship with hospital leadership
  • Reputation at stake in tight-knit healthcare technology community

Malmon Characteristics in This Scenario

GaboonGrabber exploits the perfect storm of deadline pressure, security fatigue, and cultural prioritization of client success over internal controls. The Trojan’s “Perfect Mimicry” ability is particularly effective against stressed IT staff who are conditioned to click through warnings during implementation crunch periods.

Key Capabilities Demonstrated:

  • Perfect Mimicry (+3 social engineering): Appears as legitimate “critical security update” from trusted software vendors, using convincing file names, spoofed digital certificates, and familiar installer appearance exactly when IT staff expect such updates during implementation preparation
  • Fileless Deployment (+2 vs traditional AV): Operates primarily in memory to avoid disk-based detection, uses process injection to hide within legitimate processes, leaves minimal file system artifacts that could trigger standard antivirus
  • Multi-Payload Deployment (Hidden): After 24+ hours of successful infection, automatically deploys Snake Keylogger, AgentTesla, or Redline depending on discovered environment, creating complex multi-faceted incident response challenge

Vulnerabilities to Exploit:

  • Behavioral Analysis Weakness (-3 penalty): Runtime monitoring can detect abnormal process behavior, memory analysis reveals injected code patterns, network monitoring shows unusual communication patterns
  • User Education Susceptibility: Security awareness training would reduce success rate, email security training helps users identify suspicious attachments, organizational culture change improves resistance

4. NPC Reference

Essential NPCs (Must Include)

NPC 1: Sarah Chen - IT Director

  • Position: IT Director, responsible for MedTech’s infrastructure and implementation project technical success
  • Personality: Extremely competent but currently stressed, detail-oriented under normal circumstances but cutting corners under deadline pressure, defensive about security decisions made during crunch time
  • Agenda: Wants to solve security incident without delaying Monday go-live or jeopardizing client relationship, needs to protect team from blame while acknowledging mistakes were made
  • Knowledge: Knows IT department bypassed normal software approval process for “critical updates,” understands technical infrastructure, aware of recent security warnings that were ignored, has access to all systems
  • Pressure Point: Her career advancement depends on successful go-live, personally approved expedited software installation process, fears being held responsible for security incident
  • IM Portrayal Notes: Speak quickly when anxious, ask probing technical questions to understand scope, initially defensive about decisions but becomes collaborative when treated as partner rather than blamed. Will admit mistakes if team creates safe space.

NPC 2: Mike Rodriguez - Head Nurse, Riverside General

  • Position: Head Nurse at Riverside General Hospital, represents clinical staff perspective and operational readiness
  • Personality: Patient-focused, practical, frustrated with technical delays, doesn’t understand IT security concerns, direct communicator
  • Agenda: Needs Monday go-live to proceed on schedule for patient care continuity, concerned about staff training timing, wants assurance systems will work reliably
  • Knowledge: Clinical workflow requirements, nursing staff concerns about new EMR system, patient care implications of delays, hospital leadership expectations
  • Pressure Point: Staff training is complete and nurses are prepared for Monday transition, any delay requires rescheduling training and affects patient care continuity
  • IM Portrayal Notes: Focus relentlessly on patient impact, ask “how does this affect patient care?” frequently, express frustration with technical jargon, respond positively to explanations that prioritize patient safety

NPC 3: David Kim - Riverside General CIO

  • Position: Chief Information Officer at Riverside General Hospital, client decision-maker with contract authority
  • Personality: Business-focused, impatient, expects professionalism, threatens contract penalties, represents $2M relationship at risk
  • Agenda: Demands go-live proceeds on schedule or wants to know about contract penalty compensation, concerned about hospital reputation and operational continuity
  • Knowledge: Contract terms including penalty clauses, hospital board expectations, competitive vendor landscape, previous implementation project history
  • Pressure Point: Hospital board expects Monday go-live announcement, has alternative vendors ready if MedTech fails, represents make-or-break contract decision
  • IM Portrayal Notes: Call hourly for updates using formal business language, reference contract terms and penalty clauses, soften if team demonstrates competence and transparency, emphasize reputation and board pressure

Optional NPCs (Add Depth)

NPC 4: Jennifer Park - Chief Operating Officer, MedTech

  • Position: COO responsible for operational excellence and client satisfaction
  • Personality: Results-oriented, impatient with excuses, focused on metrics and outcomes
  • Agenda: Protect company reputation, ensure client retention, minimize revenue impact
  • Knowledge: Company financial dependence on this contract, competitive landscape, operational capabilities
  • Pressure Point: Quarterly earnings call next week, needs positive announcement
  • IM Portrayal Notes: Demand action plans with timelines, focus on business impact metrics, initially resistant to anything delaying go-live

NPC 5: Alex Martinez - Security Team Member

  • Position: Information Security Analyst who raised concerns about security shortcuts
  • Personality: Technically competent, “told you so” attitude, wants vindication
  • Agenda: Prove security warnings should have been heeded, implement stronger controls
  • Knowledge: Previous security warnings issued, normal approval process that was bypassed
  • Pressure Point: Feels security concerns are regularly dismissed during crunch time
  • IM Portrayal Notes: Provide technical insights but initially unhelpful emotionally, becomes collaborative if expertise is valued

NPC 6: Hospital Board Member (Background Pressure)

  • Position: Riverside General Board Member expecting Monday announcement
  • Personality: Influential, impatient, expects professionalism
  • Knowledge: High-level strategic importance of EMR implementation
  • Pressure Point: Public announcement scheduled for Monday board meeting
  • IM Portrayal Notes: Mentioned by David Kim as source of pressure, never directly appears but creates urgency

NPC Interaction Guidelines

When to introduce NPCs:

  • Sarah Chen: Opening presentation as key contact and information source
  • Mike Rodriguez: Round 1 when clinical/operational impact becomes relevant
  • David Kim: Round 1 or 2 via phone call demanding updates
  • Jennifer Park: Round 2 when business implications escalate
  • Alex Martinez: Round 2 if team needs technical security expertise
  • Hospital Board: Referenced by David Kim as pressure source, never appears

How NPCs advance the plot:

  • Sarah provides technical access and insider knowledge about what happened
  • Mike creates operational pressure and patient care urgency
  • David escalates business pressure and threatens contract penalties
  • Jennifer adds internal company pressure and deadline enforcement
  • Alex offers technical security expertise if team values security perspective
  • NPCs conflict over priorities (security vs speed, thoroughness vs deadline, client satisfaction vs internal controls)

5. Investigation Timeline

Round 1: Discovery Phase

Automatic Reveals (present to all teams):

  • Initial user reports of slowdowns and pop-ups started Thursday afternoon during final implementation push
  • Help desk logs show 5 separate reports of “new software” appearing after users clicked on security update emails
  • System monitoring dashboards show performance degradation on 12 workstations beginning Thursday evening

Detective Investigation Leads:

  • Email logs reveal suspicious “SecurityUpdate.exe” attachments from fake IT security vendors (domains registered 2 days ago)
  • Email headers show sophisticated spoofing: “Micr0soft-Security.com” (zero instead of ‘o’)
  • File system analysis discovers “SecurityUpdate.exe”, “WindowsDefender_Update.exe”, “AdobeFlash_Critical.exe” in %TEMP% directories
  • Registry analysis reveals new startup entries under HKCU
  • Timeline analysis: All infections occurred Thursday 6pm-8pm during evening implementation work session

Protector System Analysis:

  • Process monitoring shows unfamiliar executables running from temp directories with legitimate-sounding names
  • Memory scans reveal process injection into svchost.exe and explorer.exe (legitimate Windows processes being used as hosts)
  • Network monitoring detects unusual outbound connections on port 443 to IP addresses in suspicious geolocations
  • System performance metrics show hidden processes consuming 15-20% CPU and gradual memory increase
  • Security tool logs show multiple failed attempts to quarantine files that immediately respawn

Tracker Network Investigation:

  • DNS logs show queries to recently registered domains mimicking security vendor sites (registered 48 hours before attack)
  • Network traffic analysis reveals encrypted communication to command and control servers (TLS-wrapped C2 traffic)
  • Email flow analysis shows phishing campaign specifically targeted during implementation stress period (Thursday evening when overtime work expected)
  • External IP reputation checks flag C2 infrastructure with poor reputation scores
  • Traffic patterns show initial infection beaconing every 15 minutes to establish persistence
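The Detective and Tracker leads above rest on two observable patterns: sender and query names that imitate a trusted vendor by swapping a digit for a letter, and DNS lookups to a recently registered domain recurring on a fixed timer (the 15-minute beacon). The script below is an added example written for this guide, not part of the scenario or of any real tooling; it runs over a constructed DNS log (the log format, IP addresses, timestamps and the `TRUSTED_BRANDS` list are all assumptions) and shows how a Tracker would surface both patterns from raw lines rather than from a signature.

```python
# Added example: flag look-alike vendor domains and fixed-interval beaconing
# in a constructed DNS log.  Nothing here is taken from a real incident.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Vendors whose name a fake "security update" would borrow, mapped to their
# genuine registrable domain (assumption: the defender keeps this list for
# the software the organisation actually runs).
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "adobe": "adobe.com"}

# Digit-for-letter swaps used in look-alike names ("micr0soft" for "microsoft").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed log, one query per line: "<ISO timestamp> <client IP> query <name>".
SAMPLE_DNS_LOG = """\
2024-06-13T18:00:00 10.20.1.15 query microsoft.com
2024-06-13T18:02:00 10.20.1.15 query micr0soft-security.com
2024-06-13T18:05:00 10.20.1.15 query microsoft.com
2024-06-13T18:17:00 10.20.1.15 query micr0soft-security.com
2024-06-13T18:32:00 10.20.1.15 query micr0soft-security.com
2024-06-13T18:33:00 10.20.1.15 query update.microsoft.com
2024-06-13T18:47:00 10.20.1.15 query micr0soft-security.com
2024-06-13T19:02:00 10.20.1.15 query micr0soft-security.com
2024-06-13T18:01:00 10.20.1.22 query adobe.com
2024-06-13T18:03:00 10.20.1.22 query adobe.com
2024-06-13T18:10:00 10.20.1.22 query ad0be-updates.net
2024-06-13T18:20:00 10.20.1.22 query adobe.com
2024-06-13T18:25:00 10.20.1.22 query ad0be-updates.net
2024-06-13T18:40:00 10.20.1.22 query ad0be-updates.net
2024-06-13T18:55:00 10.20.1.22 query ad0be-updates.net
2024-06-13T18:58:00 10.20.1.22 query adobe.com
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def parse_dns_line(line):
    """Split one log line into (timestamp, client IP, queried name)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, client, qname = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def lookalike_brand(domain):
    """Return the trusted brand a domain imitates, or None if the domain is
    the brand's genuine domain (or a subdomain of it) or is unrelated."""
    host = domain.lower().rstrip(".")
    for real in TRUSTED_BRANDS.values():
        if host == real or host.endswith("." + real):
            return None  # genuine vendor traffic
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    # Undo digit swaps and drop hyphens: "micr0soft-security" -> "microsoftsecurity".
    normalized = registrable.translate(HOMOGLYPHS).replace("-", "")
    for brand in TRUSTED_BRANDS:
        if brand in normalized:
            return brand
    return None


def lookalike_queries(dns_lines):
    """Set of (client, domain, imitated brand) for look-alike names in the log."""
    hits = set()
    for line in dns_lines:
        _, client, qname = parse_dns_line(line)
        brand = lookalike_brand(qname)
        if brand:
            hits.add((client, qname, brand))
    return hits


def beacon_candidates(dns_lines, min_queries=4, max_jitter_ratio=0.10):
    """Flag (client, domain) pairs queried at near-constant intervals.

    Human browsing produces irregular gaps between lookups; an implant
    checking in on a timer produces gaps whose standard deviation is a
    small fraction of the mean.
    """
    by_pair = defaultdict(list)
    for line in dns_lines:
        ts, client, qname = parse_dns_line(line)
        by_pair[(client, qname)].append(ts)
    findings = []
    for (client, qname), times in sorted(by_pair.items()):
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        spread = statistics.pstdev(gaps)
        if mean > 0 and spread / mean <= max_jitter_ratio:
            findings.append({"client": client, "domain": qname,
                             "interval_s": round(mean), "queries": len(times)})
    return findings


if __name__ == "__main__":
    for hit in sorted(lookalike_queries(SAMPLE_DNS_LOG)):
        print("look-alike:", hit)
    for finding in beacon_candidates(SAMPLE_DNS_LOG):
        print("beacon:", finding)
```

On the constructed log both fake domains are flagged twice over: once as look-alikes of a trusted vendor and once as 900-second beacons, while the genuine `microsoft.com` and `adobe.com` lookups pass both checks. The jitter threshold is the knob a Tracker tunes in play: real implants add randomness to their timer, so a tighter ratio misses them and a looser one starts flagging scheduled software like update checkers, which is exactly the kind of red herring the Advanced configuration asks the IM to introduce.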

Communicator Stakeholder Interviews:

  • Sarah admits entire IT team was working late Thursday preparing for go-live, clicking through security prompts to maintain speed
  • IT staff report receiving urgent security updates that seemed legitimate given implementation timing
  • Sarah reveals management pressure to prioritize “user experience” over security for client satisfaction
  • Hospital preliminary communication shows they’re expecting Monday launch confirmation by end of day Friday
  • Staff describe bypassing normal software approval process for “critical implementation updates” to meet deadline

Crisis Manager Coordination Discoveries:

  • 12 workstations confirmed infected across implementation team (50% of active project team)
  • Hospital test environment connectivity from 3 infected machines raises data exposure concern
  • Implementation timeline shows 48 hours remaining before go-live (critical decisions needed immediately)
  • Resource assessment: Weekend skeleton crew availability, limited incident response capacity
  • Business impact: $2M contract at risk, company reputation with healthcare market at stake

Threat Hunter Proactive Findings:

  • Behavioral analysis suggests this is GaboonGrabber based on process injection techniques and C2 communication patterns
  • Threat intelligence matching shows similar campaigns targeting healthcare technology vendors during implementation cycles
  • OSINT research reveals attacker infrastructure used in previous healthcare sector compromises
  • Pattern recognition identifies this as Trojan-type threat optimized for social engineering and stealth
  • Attribution indicators suggest financially motivated threat actor familiar with healthcare industry pressure points

Round 2: Investigation Phase

Situation Update:

“It’s now Friday evening, several hours into your investigation. David Kim just called for the third time demanding a go-live confirmation. Sarah Chen admits that three of the infected workstations had active VPN connections to Riverside General’s test environment when the malware was installed. Your behavioral analysis confirms this is GaboonGrabber, and based on the infection timeline, you’re approaching the 24-hour threshold where the hidden Multi-Payload Deployment ability typically activates. The question is no longer just ‘what happened’ but ‘how bad can this get?’”

Automatic Reveals:

  • Timeline confirms infections are approaching 24-hour threshold for secondary payload deployment
  • Analysis confirms hospital test environment exposure from 3 infected workstations
  • David Kim’s call emphasizes Monday go-live is non-negotiable from hospital board perspective

Detective Investigation Leads:

  • Forensic timeline analysis shows VPN access logs from infected machines connecting to hospital test environment
  • Memory dump analysis reveals GaboonGrabber’s secondary payload staging area (preparing to deploy additional malware)
  • Log correlation shows attacker reconnaissance of hospital network topology through compromised VPN connections
  • Evidence of attacker testing credential access to hospital systems (failed login attempts with harvested credentials)

Protector System Analysis:

  • Real-time monitoring detects GaboonGrabber attempting to download secondary payloads (Snake Keylogger, AgentTesla, Redline)
  • Network segmentation analysis reveals insufficient isolation between implementation team and hospital test environment
  • System hardening assessment shows weak application whitelisting allowed malware installation
  • Security architecture review reveals normal security controls were temporarily disabled for “implementation efficiency”

Tracker Network Investigation:

  • C2 infrastructure analysis reveals command for secondary payload deployment scheduled for 24-hour mark
  • Network traffic shows attempted data exfiltration toward hospital patient data repositories
  • Communication analysis reveals attacker specifically researching hospital EMR database schema
  • Pattern analysis shows attacker targeting healthcare implementation projects across multiple organizations (not isolated incident)

Communicator Stakeholder Interviews:

  • Mike Rodriguez calls expressing nursing staff concerns about readiness for Monday transition
  • Jennifer Park (COO) demands explanation for why “IT problems” might delay major implementation
  • Sarah reveals additional pressure: IT department agreed to disable certain security controls temporarily to “streamline” implementation
  • Hospital administrators inquire about data security given implementation team’s network access

Crisis Manager Coordination Discoveries:

  • Containment decision needed immediately: isolate systems vs maintain hospital connectivity
  • Resource constraint: weekend availability limits comprehensive forensic analysis
  • Business decision point: delay go-live for thorough cleanup vs proceed with risk mitigation
  • Stakeholder management: simultaneous demands from David Kim, Jennifer Park, Mike Rodriguez require coordinated response

Threat Hunter Proactive Findings:

  • Intelligence analysis reveals GaboonGrabber’s Multi-Payload Deployment typically occurs 24-30 hours post-infection
  • Proactive threat hunting identifies 2 additional workstations with early-stage infection indicators
  • Attribution research shows threat actor has previously compromised healthcare implementations for data theft and ransomware deployment
  • Vulnerability analysis reveals social engineering exploitation of project deadline pressure and cultural security deprioritization

Round 3: Response Phase

Situation Update:

“It’s late Friday night. You’ve identified GaboonGrabber and understand the threat, but now you face critical decisions. David Kim just sent an email with the hospital’s legal team CC’d, referencing contract penalty clauses for delayed go-live. Sarah Chen has offered complete cooperation but warns that taking systems offline will make Monday’s deadline impossible. Jennifer Park wants a business decision within the hour. And your threat intelligence confirms you’re 2 hours away from the 24-hour threshold where GaboonGrabber will deploy secondary payloads—potentially including ransomware. What’s your response strategy?”

Automatic Reveals:

  • 2 hours remaining before likely secondary payload deployment
  • Legal team involvement escalates business pressure
  • Complete technical picture now available for response decision

Evidence emerging during response attempts:

  • Network isolation testing confirms complete cleanup requires 36-48 hours (exceeds Monday deadline)
  • Risk assessment shows proceeding without full cleanup creates HIPAA exposure for hospital
  • Alternative approaches: Partial isolation, enhanced monitoring, contractual risk acknowledgment with hospital
  • Behavioral analysis confirms type-effective approaches (runtime monitoring, network segmentation) can contain threat even if complete eradication delayed

Success and Failure Branches:

If team chooses thorough cleanup (delay go-live):

  • David Kim initially threatens contract cancellation
  • Transparent communication about threat severity and patient data protection convinces hospital leadership
  • Monday go-live delayed but security incident demonstrates MedTech’s commitment to healthcare data protection
  • Relationship actually strengthens due to honest handling of security incident

If team chooses partial response (maintain go-live):

  • Enhanced monitoring and network segmentation contain immediate threat
  • Go-live proceeds with increased security vigilance and transparent risk communication
  • Hospital appreciates business continuity balanced with security consciousness
  • Post-go-live cleanup scheduled as phase 2 with hospital security team collaboration

If team chooses inadequate response:

  • Secondary payload deploys causing wider compromise
  • Hospital systems potentially affected leading to patient data exposure
  • Contract relationship severely damaged by security incident affecting client
  • Learning moment: Security shortcuts during high-pressure projects create serious consequences


6. Response Options

Type-Effective Approaches

Most Effective (Trojan Strengths - Behavioral Analysis):

  • Runtime behavioral monitoring (+3 effectiveness): Deploy advanced EDR tools that detect abnormal process behavior patterns even without malware signatures. Expected DC: 12 (Easy) for detection, 15 (Moderate) for containment
  • Memory forensics and process analysis (+3 effectiveness): Use memory dump analysis to identify injected code and reconstruct attack chain. Expected success: High for teams with forensics capability
  • Network traffic behavioral analysis (+2 effectiveness): Monitor for unusual communication patterns and C2 traffic rather than relying on signature matching. Expected DC: 15 (Moderate)

Moderately Effective:

  • Network segmentation and isolation (+1 effectiveness): Isolate infected systems while maintaining critical hospital connectivity through carefully designed network boundaries. Expected DC: 18 (Hard) to balance isolation with business continuity
  • System restoration from clean images (0 modifier): Complete re-image of infected workstations guarantees removal but time-consuming. Trade-off: Security certainty vs timeline impact
  • Enhanced user education and cultural change (+1 long-term): Address root cause of social engineering vulnerability through security awareness training. Won’t resolve immediate incident but prevents recurrence

Least Effective (Trojan Resistances):

  • Signature-based antivirus scanning (-2 effectiveness): GaboonGrabber’s fileless deployment and memory-resident operation evades traditional signature detection. Expected DC: 25 (Very Hard) with high failure probability
  • Firewall rules blocking known C2 domains (-1 effectiveness): Attacker can change C2 infrastructure faster than blocklists update. Partially effective but insufficient alone
  • Relying solely on user reporting (0 effectiveness): Social engineering success means users unlikely to recognize and report sophisticated attacks

Creative Response Guidance

Encourage player innovation in these areas:

  • Hybrid isolation approaches: Create microsegments that isolate infected systems while maintaining specific hospital connectivity through monitored channels
  • Transparent risk communication: Develop stakeholder messaging that honestly assesses threat while demonstrating security competence
  • Phased remediation strategies: Design multi-stage response that addresses immediate threat (contain secondary payloads) while scheduling thorough cleanup post-go-live
  • Collaborative hospital security integration: Engage Riverside General’s security team as partners in response, turning incident into relationship-strengthening collaboration

Common creative solutions players develop:

  • “Honeypot” monitoring: Some teams create isolated network segments with enhanced monitoring where hospital connectivity appears normal but all traffic is logged and analyzed (adjudicate as clever approach with DC reduction)
  • Contract amendment approach: Negotiate temporary security addendum to contract that acknowledges incident, outlines response plan, and demonstrates transparency (adjudicate as excellent stakeholder management)
  • Split-team response: Divide team into containment group and go-live support group enabling parallel work streams (adjudicate positively if coordination planned)
  • Third-party incident response assistance: Engage external IR firm for weekend surge capacity (adjudicate as resource-smart if team acknowledges knowledge limits)

7. Round-by-Round Facilitation Guide

Round 1: Discovery

Opening Narration:

“It’s Friday afternoon at MedTech Solutions. The implementation team has been working nonstop for weeks, and the Riverside General Hospital EMR go-live is just 72 hours away. The energy should be celebratory—this $2M contract represents the biggest success in company history. But instead, there’s tension in the air.

Sarah Chen, the IT Director, has just called an emergency meeting. Multiple team members are reporting computer issues: slowdowns, unexpected pop-ups, applications taking longer to start. Yesterday evening, during the final implementation push, several IT staff received what appeared to be critical security updates from trusted software vendors. Everyone was working late, clicking through warnings to maintain momentum toward Monday’s deadline.

Now Sarah needs answers. And as she explains the situation, her phone rings—it’s David Kim, the CIO of Riverside General Hospital, calling for his daily status update. She lets it go to voicemail. You can see the stress in her face as she says, ‘We need to figure out what’s going on without derailing Monday’s go-live. This contract is everything.’

What do you do?”

IM Questions to Ask:

  • “What would be your first concern hearing these symptoms—computers slowing down after staff clicked security updates during a critical project deadline?”
  • “How might you investigate what happened yesterday evening without alarming the client or disrupting the implementation timeline?”
  • “What would make experienced IT staff click on security update emails during a high-pressure project? What does that tell you about the attack?”
  • “Which of your roles would approach this investigation differently, and how do those perspectives complement each other?”

Expected Player Actions:

  • Detective examining email logs: Reveal sophisticated spoofing, fake security vendor domains, attachment analysis showing executables masquerading as updates. Ask: “What patterns do you notice in the timing and targeting of these emails?”
  • Protector analyzing running processes: Show process injection into legitimate Windows processes, memory-resident operation, network connections to suspicious IPs. Ask: “What does it mean when malware hides inside trusted system processes?”
  • Tracker investigating network traffic: Display C2 communication patterns, recently registered domains, encrypted command channels. Ask: “How do these connection patterns help you understand attacker infrastructure?”
  • Communicator interviewing staff: Sarah admits bypassing approval processes, reveals management pressure to prioritize speed over security. Ask: “What organizational factors made this attack successful beyond the technical vulnerabilities?”
  • Crisis Manager assessing scope: 12 infected workstations, 48 hours to go-live, hospital test environment exposure. Ask: “What’s your priority: understanding everything perfectly or making decisions with incomplete information?”
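The following Python script is an added illustration of what the Detective's email-log review above could look like as concrete triage logic; it is not part of this planning document or the game's own materials. It runs three defensive checks over constructed gateway log lines: sender domains that borrow a trusted vendor's name without being on the allowlist, update-themed attachments that are actually executables, and after-hours delivery, then summarises the flagged messages as a burst so the timing and targeting pattern the IM asks about becomes visible. Every domain, filename, timestamp and the allowlist are constructed for the example.

```python
"""Triage of constructed email-gateway log lines for the 'fake security update' lure.

Added example for the Detective's email-log review: flags (1) sender domains that
imitate a trusted vendor but are not on the allowlist, (2) attachments named like
updates that are actually executables, (3) after-hours delivery, and summarises
the burst so the targeting pattern is visible. All records are constructed.
"""
import re
from datetime import datetime

# Constructed allowlist: vendor domains the organisation really receives updates from.
TRUSTED_VENDOR_DOMAINS = {"examplevendor.com", "securityvendor.example"}
# Vendor names an attacker would borrow for a lookalike domain (constructed).
VENDOR_KEYWORDS = ("examplevendor", "securityvendor")

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".msi", ".com"}
UPDATE_WORDS = ("update", "patch", "hotfix", "security")

# Constructed sample gateway log: timestamp|sender|subject|attachment
SAMPLE_LOG = """\
2024-05-16T19:42:11|alerts@examplevendor-support.com|Critical Security Update|SecurityUpdate_KB5031.pdf.exe
2024-05-16T19:44:03|updates@securityvendor-portal.net|URGENT: Patch before go-live|Patch_Installer.scr
2024-05-16T19:47:55|noreply@examplevendor.com|Release notes 4.2|release_notes.pdf
2024-05-16T09:15:20|hr@medtech-internal.example|Friday lunch|menu.pdf
2024-05-16T19:51:30|alerts@examplevendor-support.com|Critical Security Update|SecurityUpdate_KB5031.pdf.exe
"""


def parse_log(text):
    """Split pipe-delimited lines into records with a parsed timestamp and sender domain."""
    records = []
    for line in text.strip().splitlines():
        ts, sender, subject, attachment = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "domain": sender.split("@", 1)[1].lower(),
            "subject": subject,
            "attachment": attachment,
        })
    return records


def is_lookalike_domain(domain):
    """True when the domain borrows a trusted vendor's name but is not on the allowlist."""
    if domain in TRUSTED_VENDOR_DOMAINS:
        return False
    return any(keyword in domain for keyword in VENDOR_KEYWORDS)


def attachment_masquerades_as_update(filename):
    """True when an update-themed or double-extension filename ends in an executable extension."""
    lower = filename.lower()
    match = re.search(r"\.[a-z0-9]+$", lower)
    if not match or match.group(0) not in EXECUTABLE_EXTENSIONS:
        return False
    return any(word in lower for word in UPDATE_WORDS) or lower.count(".") > 1


def after_hours(ts, start_hour=8, end_hour=18):
    """Delivery outside the working day, when staff are tired and rushing (scenario detail)."""
    return not (start_hour <= ts.hour < end_hour)


def triage(text):
    """Return one finding per suspicious message with the reasons it was flagged."""
    findings = []
    for record in parse_log(text):
        reasons = []
        if is_lookalike_domain(record["domain"]):
            reasons.append("lookalike vendor domain")
        if attachment_masquerades_as_update(record["attachment"]):
            reasons.append("executable disguised as update")
        if reasons and after_hours(record["ts"]):
            reasons.append("delivered after hours")
        if reasons:
            findings.append({"sender": record["sender"],
                             "attachment": record["attachment"],
                             "reasons": reasons})
    return findings


def campaign_summary(text):
    """Summarise the suspicious messages as a burst: count, sending domains, time span."""
    suspicious = [r for r in parse_log(text)
                  if is_lookalike_domain(r["domain"])
                  or attachment_masquerades_as_update(r["attachment"])]
    if not suspicious:
        return {"count": 0, "domains": [], "span_minutes": 0.0}
    times = sorted(r["ts"] for r in suspicious)
    span_minutes = (times[-1] - times[0]).total_seconds() / 60
    return {"count": len(suspicious),
            "domains": sorted({r["domain"] for r in suspicious}),
            "span_minutes": round(span_minutes, 1)}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(campaign_summary(SAMPLE_LOG))
```

On the constructed log the legitimate vendor notice and the internal lunch email pass untouched, while the three lure messages are flagged on every check and the summary shows them arriving from two lookalike domains within about nine minutes of each other, which is the kind of clustering the IM can hand the Detective as evidence of targeting.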

Malmon Identification Moment:

Guide the team through evidence synthesis: “You’ve found process injection, memory-resident operation, sophisticated social engineering, and C2 infrastructure. The behavioral patterns—especially hiding within legitimate processes and using convincing fake software updates—point to a specific type of threat. What kind of Malmon combines stealth, social engineering mastery, and fileless techniques?”

When team identifies Trojan characteristics, introduce GaboonGrabber specifically: “Your threat intelligence matches this to GaboonGrabber, a Trojan-type Malmon known for Perfect Mimicry and Fileless Deployment. But there’s something in your research that’s concerning—GaboonGrabber has a hidden ability called Multi-Payload Deployment that activates after 24 hours. You’re approaching that threshold.”

Round Conclusion:

“As Round 1 ends, you’ve identified GaboonGrabber and understand the basic attack. But Sarah’s phone is ringing again—it’s David Kim calling for the third time today. In the background, you hear Jennifer Park, the COO, talking loudly about quarterly earnings and client retention. And your timeline analysis shows you’re 2 hours away from the 24-hour mark where GaboonGrabber typically deploys secondary payloads.

You understand what happened. Now you need to understand how bad this could get—and fast.”

Round 2: Investigation

Situation Update:

“It’s Friday evening, several hours into your investigation. The office is mostly empty except for your incident response team, Sarah Chen nervously checking her phone, and the sound of Jennifer Park on a conference call in the next room discussing ‘the IT situation.’

Your deeper investigation has revealed troubling details: Three of the infected workstations had active VPN connections to Riverside General’s test environment when the malware was installed. Your behavioral analysis confirms this is GaboonGrabber, and you’re now 90 minutes away from the 24-hour threshold.

Sarah just got off the phone with David Kim. His exact words: ‘I have the hospital board expecting a Monday go-live announcement. I have alternative vendors ready if MedTech can’t deliver. I need a yes or no by morning: Is Monday’s go-live happening or not?’

The question now is: How bad is this, and what are we going to do about it?”

IM Questions to Ask:

  • “Now that you’ve confirmed hospital test environment exposure from infected machines, what are the realistic worst-case scenarios?”
  • “GaboonGrabber’s Multi-Payload Deployment ability is about to activate. What kinds of secondary payloads would worry you most in this scenario?”
  • “How do you balance the need for thorough investigation against the business pressure of a Monday deadline and a $2M contract at risk?”
  • “What information do you need to make an informed recommendation about whether Monday’s go-live can safely proceed?”

Pressure Points to Introduce:

  • Time pressure (Hour 1): Sarah reveals that the IT department temporarily disabled certain security controls to “streamline” implementation. How does this change your assessment?
  • Stakeholder pressure (Hour 2): Mike Rodriguez calls from the hospital: “Our nursing staff completed EMR training last week. They’re prepared for Monday. If we delay, we have to reschedule training for 200 nurses. How does that affect patient care continuity?”
  • Business pressure (Hour 3): Jennifer Park demands explanation: “I have a quarterly earnings call next week. I need to announce this major contract success. Why are IT problems preventing us from meeting client commitments?”
  • Technical complication (Hour 4): Your monitoring detects GaboonGrabber attempting to download secondary payloads—you’re seeing the beginning of Multi-Payload Deployment. The threat is evolving in real-time.

Round Conclusion:

“Your investigation has painted a clear picture—and it’s worse than you initially thought. GaboonGrabber has hospital network exposure, is preparing to deploy secondary payloads (your analysis shows signs of Snake Keylogger, AgentTesla, and possibly Redline staging), and you’ve discovered the infection is more widespread than initial reports suggested.

But you’ve also discovered something important: This happened because of organizational culture and deadline pressure, not just technical vulnerabilities. The IT team bypassed security controls, management prioritized speed over safety, and everyone was conditioned to click through warnings during implementation crunch time.

David Kim’s email just arrived. The hospital’s legal team is CC’d. The subject line: ‘Re: Contract Penalty Clauses for Delayed Implementation.’

It’s time to make decisions. What’s your response strategy?”

Round 3: Response

Critical Decision Point:

“It’s late Friday night. You’ve got all the information you’re going to get before decisions must be made. The technical picture is clear: GaboonGrabber is confirmed, secondary payload deployment is imminent, hospital network exposure is real, and thorough cleanup will take 36-48 hours minimum—well past Monday’s deadline.

The business picture is equally clear: $2M contract with penalty clauses, client relationship at breaking point, company reputation in healthcare market at stake, quarterly earnings announcement depending on this success.

Sarah Chen looks exhausted but determined: ‘Tell me what you need. I’ll support whatever decision protects our client and makes this right, even if it costs me my job.’

David Kim’s assistant just called to schedule a 7am Saturday morning call with hospital executives.

Jennifer Park sent a one-line email: ‘Decision needed within 1 hour: Are we go for Monday launch?’

What do you do?”

IM Questions to Ask:

  • “Given this is a Trojan-type threat, what approaches give you the best chance of successful containment even if complete eradication takes time?”
  • “How do you explain the security risks to David Kim and hospital executives in a way that demonstrates competence rather than failure?”
  • “What’s your strategy for balancing speed with thoroughness? Can you design a response that addresses immediate threat while scheduling complete cleanup?”
  • “How does your team coordinate between technical response, stakeholder communication, and business continuity? What needs to happen simultaneously?”

Success and Failure Branches:

If team chooses comprehensive cleanup (delay go-live):

“You make the difficult call: Thorough cleanup is necessary, Monday go-live must be delayed. Sarah supports your decision and personally calls David Kim to explain.

The conversation is tense. David’s initial reaction: ‘This is exactly what I was afraid of. I have vendors who could have this system live by Monday. Why should I wait for MedTech?’

But then Sarah does something important. She doesn’t make excuses. She explains exactly what happened, what the team discovered, why patient data protection requires thorough response, and how quickly MedTech identified and is containing a sophisticated threat that many organizations wouldn’t even detect.

David is silent for a long moment. Then: ‘Let me call you back.’

Thirty minutes later, he does. ‘I talked to our CISO. He said most vendors would have tried to hide this or rush through cleanup. He convinced the board that your transparency and security competence is exactly what we want in a healthcare technology partner. We’re delaying go-live to Wednesday. Get this done right.’”

If team chooses balanced approach (enhanced monitoring + phased remediation):

“You propose a hybrid strategy: Immediate containment of infected systems, enhanced behavioral monitoring to prevent secondary payload deployment, network microsegmentation to isolate hospital connectivity through monitored channels, and Monday go-live proceeds with increased security vigilance and post-implementation complete cleanup scheduled.

Sarah presents this to David Kim with transparent risk communication: ‘Here’s what we know, here’s the immediate threat we’re containing, here’s the long-term cleanup plan, here’s how we’re protecting patient data throughout.’

David asks hard questions. Mike Rodriguez asks about patient safety. Your team answers honestly, demonstrating both technical competence and business understanding.

The decision: Go-live proceeds Monday with security team on-site throughout, enhanced monitoring active, and contractual agreement for phase 2 cleanup the following week. The incident actually strengthens the relationship—Riverside General’s security team becomes partners in the response.”

If team chooses inadequate response (minimize incident, proceed normally):

“You decide to downplay the incident and proceed with Monday go-live without significant remediation. ‘We’ve removed the malware, everything’s fine,’ Sarah tells David Kim.

Monday morning, during go-live, your enhanced monitoring (which you did implement, at least) detects a catastrophic event: GaboonGrabber’s secondary payload deploys ransomware across the hospital’s test environment, which isn’t as isolated from production as anyone thought.

Patient care isn’t directly affected, but the incident makes regional news. HIPAA breach notifications are required. David Kim’s email is brief: ‘Contract terminated effective immediately. Legal team will be in touch regarding penalties and damages.’

The lesson is painful but clear: Security shortcuts during high-pressure projects don’t just create technical debt—they destroy business relationships and reputations.”

Resolution Narration (Adapt based on team approach):

“[Based on their response strategy, narrate the outcome, emphasizing how their decisions played out and what they learned about balancing security, business needs, and stakeholder management.]

As the incident winds down and you prepare for Monday—whether that’s go-live day or cleanup continuation—Sarah Chen pulls the team aside. ‘I learned something important,’ she says. ‘We created a culture where deadline pressure made clicking through security warnings normal. That culture made us vulnerable. This incident happened because of how we work, not just because of technical factors. We’re changing that.’

And David Kim sends one final email: ‘[Adapt message based on outcome - either praising transparency and competence, or expressing disappointment in the handling.]’

The Riverside General implementation will proceed—your decisions determined whether it happens as a partnership strengthened by security cooperation, or as a lesson learned through painful consequences.”

Round 4+ (Advanced Challenge Only)

For Advanced Challenge Format:

Add complications after initial response:

  • Complication 1: Legitimate EMR system bugs create confusion—is it malware or software issues?
  • Complication 2: Hospital board member calls directly, bypassing normal channels, demanding personal assurance
  • Complication 3: Evidence of potential insider threat—one employee’s actions seem too convenient for the attacker
  • Complication 4: Media picks up hints of “security problems at healthcare implementation company”
  • Complication 5: GaboonGrabber’s Multi-Payload Deployment reveals attribution clues linking to larger healthcare sector campaign

Facilitate Round 4 as adaptation to complications while executing chosen response strategy. Require innovative solutions under pressure with incomplete information.


8. Pacing & Timing Notes

Time Management Strategies

If Running Long:

  • Skip detailed technical walkthroughs of forensic analysis—summarize findings instead: “Your forensic analysis reveals…” rather than role-playing each investigation step
  • Condense NPC interactions: Brief summaries of stakeholder positions rather than extended conversations
  • Fast-forward through routine containment steps: “Over the next two hours, your team successfully isolates the affected systems…”
  • Reduce rounds: For time-constrained sessions, combine Investigation and Response into a single extended round

If Running Short:

  • Expand NPC interactions: Have David Kim call multiple times with escalating pressure, add hospital board member appearance
  • Introduce subplot: Alex Martinez (Security Analyst) creates internal conflict about security warnings that were ignored
  • Add forensic depth: Detail the behavioral analysis process for identifying GaboonGrabber’s process injection techniques
  • Extend debrief: Deeper exploration of organizational culture and social engineering vulnerabilities beyond quick reflection

If Team is Stuck:

  • Discovery phase stuck: Have Sarah volunteer information: “I should probably mention that we had VPN connections to the hospital test environment running on some of these machines…”
  • Investigation phase stuck: NPC intervention from Mike Rodriguez: “I’m hearing from hospital IT that they detected unusual network traffic from your team’s VPN connections. What’s that about?”
  • Response planning stuck: Offer framework: “Let’s think about this in three parts: immediate containment, business continuity, and long-term remediation. What’s your approach to each?”
  • Reframe if overwhelmed: “I know there’s a lot of complexity here. In real incidents, you make decisions with incomplete information. What’s your gut instinct about the priority?”

Engagement Indicators

Positive Signs:

  • Team debating trade-offs between security thoroughness and business timeline (indicates engagement with core dilemma)
  • Players roleplay conversations with NPCs, developing stakeholder communication strategies
  • Discussion about organizational culture and social engineering beyond purely technical analysis
  • Team members supporting and building on each other’s ideas
  • Questions like “What would really happen if…” showing connection to real-world application

Warning Signs:

  • Excessive focus on technical minutiae without connecting to decisions or strategy
  • One player dominating while others disengage
  • Frustration with business pressure (“Why won’t they just let us do our jobs?”) without exploring realistic constraints
  • Silence or minimal responses to IM questions
  • Requests to skip stakeholder interactions in favor of “just solving the technical problem”

Interventions for Warning Signs:

  • Refocus on decisions: “This analysis is great—what decision does it help you make?”
  • Redistribute engagement: “Detective, you’ve done excellent work identifying the malware. Communicator, how would you explain these findings to the hospital CIO?”
  • Validate frustration while maintaining realism: “You’re right, the business pressure is frustrating. That’s also how real incidents feel. How do cybersecurity professionals navigate these conflicting demands?”
  • Energy injection: Introduce urgent development like David Kim calling with legal team or Mike Rodriguez raising patient safety concerns

9. Debrief Discussion Points

Critical Learning Objectives

Technical Concepts:

  • Behavioral analysis vs signature detection: GaboonGrabber’s fileless deployment and process injection demonstrate why runtime behavioral monitoring is critical for modern threats. Signature-based antivirus would miss this attack.
  • Process injection techniques: Understanding how malware hides within legitimate Windows processes (svchost.exe, explorer.exe) and why this requires memory forensics for detection
  • Multi-stage attack progression: Recognition that initial compromise is often just the beginning—GaboonGrabber’s Multi-Payload Deployment shows how threats evolve and escalate over time
  • Social engineering sophistication: Analysis of how Perfect Mimicry combined with organizational culture exploitation (deadline pressure, security control bypass) creates successful attacks
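To make the first two technical concepts above concrete, the following Python script is an added example (not from this planning document or the game's materials) that runs a hash-based signature scan and a small set of behavioural rules over the same constructed endpoint telemetry. The signature scan finds nothing, because the lure file is not on the blocklist and the injected code never exists as a file; the behavioural rules flag the svchost.exe host process on a remote thread from an unsigned process, a private RWX memory region, and an outbound connection to a domain registered days earlier. Every hash, path, pid, domain and registration date is constructed, and the event schema is an assumption of the example rather than any particular EDR product's format.

```python
"""Signature versus behavioural detection over constructed endpoint telemetry.

Added example: a hash-based 'signature scan' sees nothing wrong, because the
injected code never exists as a known file, while simple behavioural rules over
the same events (remote thread into a system process, private RWX memory,
system process talking to a days-old domain) flag the host process. Every
hash, path, pid and domain below is constructed for the example.
"""
import ntpath
from datetime import date

# Constructed blocklist of file hashes; the lure file is new, so it is not listed.
KNOWN_BAD_HASHES = {"0" * 64}

# Processes an injector typically hides inside (named in the debrief above).
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe"}

# Constructed telemetry stream; the schema is an assumption of this example.
TELEMETRY = [
    {"event": "process_start", "pid": 1200, "parent_pid": 600,
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "a1" * 32, "signed": True},
    {"event": "process_start", "pid": 4410, "parent_pid": 3300,
     "image": r"C:\Users\staff\Downloads\SecurityUpdate_KB5031.pdf.exe",
     "sha256": "b2" * 32, "signed": False},
    # The lure injects into svchost.exe, then exits and removes its own file.
    {"event": "remote_thread", "source_pid": 4410, "target_pid": 1200},
    {"event": "memory_alloc", "pid": 1200, "protection": "RWX", "private": True},
    {"event": "process_exit", "pid": 4410},
    {"event": "net_connect", "pid": 1200, "dest_host": "cdn-update-check.example",
     "domain_registered": "2024-05-10"},
    {"event": "net_connect", "pid": 1200, "dest_host": "updates.examplevendor.com",
     "domain_registered": "2005-02-14"},
]


def image_name(events, pid):
    """Executable file name for a pid, taken from its process_start event."""
    for e in events:
        if e["event"] == "process_start" and e["pid"] == pid:
            return ntpath.basename(e["image"]).lower()
    return ""


def signature_scan(events):
    """Hash every started image against the blocklist (what disk-based AV does)."""
    return [e["pid"] for e in events
            if e["event"] == "process_start" and e["sha256"] in KNOWN_BAD_HASHES]


def behavioral_scan(events, today=date(2024, 5, 17), young_domain_days=30):
    """Map pid -> reasons for each process whose runtime behaviour looks like injection."""
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    signed = {e["pid"]: e["signed"] for e in events if e["event"] == "process_start"}

    for e in events:
        if e["event"] == "remote_thread":
            # Thread creation into a system process from an unsigned source process.
            if image_name(events, e["target_pid"]) in SYSTEM_HOSTS and not signed.get(e["source_pid"]):
                flag(e["target_pid"], f"remote thread from unsigned pid {e['source_pid']}")
        elif e["event"] == "memory_alloc":
            # Private, writable and executable memory is how injected code is staged.
            if e["protection"] == "RWX" and e.get("private") and image_name(events, e["pid"]) in SYSTEM_HOSTS:
                flag(e["pid"], "private RWX region in system process")
        elif e["event"] == "net_connect":
            # A system process reaching a very recently registered domain suggests C2.
            age_days = (today - date.fromisoformat(e["domain_registered"])).days
            if age_days < young_domain_days and image_name(events, e["pid"]) in SYSTEM_HOSTS:
                flag(e["pid"], f"system process connecting to domain registered {age_days} days ago")
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_scan(TELEMETRY))
    for pid, reasons in behavioral_scan(TELEMETRY).items():
        print(f"pid {pid} ({image_name(TELEMETRY, pid)}):")
        for reason in reasons:
            print("  -", reason)
```

Run as written, the signature scan returns an empty list and the behavioural scan returns three reasons against pid 1200, the svchost.exe that now hosts the injected code. The lure process itself (pid 4410) is never flagged because it has already exited and its file is gone, which is exactly why the debrief points teams toward memory forensics and runtime monitoring rather than disk scanning.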

Collaboration Skills:

  • Stakeholder management under pressure: How to communicate technical security issues to non-technical decision-makers (David Kim, Mike Rodriguez) in ways that enable informed business decisions
  • Balancing competing priorities: Experience navigating security thoroughness vs business continuity vs timeline constraints vs client relationship management
  • Role-based investigation coordination: How different cybersecurity roles (Detective, Protector, Tracker, Communicator, Crisis Manager, Threat Hunter) contribute unique perspectives that create comprehensive understanding
  • Team decision-making under uncertainty: Practice making critical decisions with incomplete information and time pressure—realistic incident response simulation

Reflection Questions

Scenario-Specific:

  • “What surprised you most about how this attack succeeded? Was it the technical sophistication or the organizational vulnerability?”
  • “If you could change one thing about MedTech’s culture or processes to prevent similar incidents, what would it be?”
  • “How did the business pressure (client relationship, contract penalties, revenue at stake) affect your decision-making? Is that realistic in your experience?”
  • “Which NPC interaction was most challenging for you, and what did it teach you about stakeholder management in cybersecurity?”

Real-World Connections:

  • “Have you experienced deadline pressure overriding security controls in your own organizations? How do you navigate that tension?”
  • “GaboonGrabber specifically targets organizations during high-stress project periods. What does that tell you about threat actor intelligence and targeting strategies?”
  • “In real-world incident response, how do you balance the need for thorough investigation with business demands for quick resolution?”
  • “How would you apply the lessons from this scenario—both technical and organizational—to improve security at your workplace?”

MalDex Documentation Prompts

Encourage teams to document:

  • Investigation technique: “How did behavioral analysis help you identify GaboonGrabber when signature detection would have failed? What specific indicators were most valuable?”
  • Response innovation: “What creative solution did your team develop for balancing immediate containment with business continuity? Could other teams use this approach?”
  • Organizational insight: “What did this scenario teach you about how deadline pressure and organizational culture create security vulnerabilities? How would you address this systemically?”
  • Stakeholder communication: “How did you explain technical security decisions to business stakeholders in ways that built trust rather than creating conflict? What phrases or approaches worked well?”

Sample MalDex Entry Format:

Malmon: GaboonGrabber

Context: Healthcare technology implementation during critical client go-live deadline

Key Discovery: Behavioral analysis of process injection patterns enabled identification despite fileless deployment evading traditional AV

Effective Response: Hybrid approach using network microsegmentation + enhanced monitoring allowed Monday go-live while containing threat and scheduling thorough cleanup

Team Innovation: Transparent risk communication with hospital CIO turned potential contract failure into partnership—security competence demonstration actually strengthened client relationship

Lesson Learned: Organizational culture that prioritizes deadline pressure over security controls creates exploitable vulnerabilities. Technical solutions must address cultural root causes, not just immediate threats.


10. Facilitator Quick Reference

Type Effectiveness Chart

GaboonGrabber (Trojan/Stealth) Type Strengths:

  • Resists: Signature Detection (-2), Static Analysis (-2), Firewall Rules (-1)
  • Weak Against: Behavioral Analysis (+3), Runtime Monitoring (+3), Memory Forensics (+2), User Education (+2)
  • Special Considerations: Fileless Deployment ability provides +2 bonus against disk-based detection methods

Quick Reference for Adjudication:

  • Player proposes behavioral monitoring/EDR deployment → DC 12-15 (Easy to Moderate), high success probability
  • Player proposes signature-based scanning → DC 25+ (Very Hard), emphasize why this struggles
  • Player proposes network segmentation → DC 15-18 (Moderate to Hard), effective for containment if not eradication
  • Player proposes complete re-image → Automatic success but time trade-off (discuss timeline impact)
  • Player proposes user education/culture change → Long-term prevention; won’t solve the immediate incident but addresses the root cause

Common Facilitation Challenges

Challenge 1: Team focuses excessively on technical details, ignoring business context

IM Response: “That’s excellent malware analysis. While you’re conducting this forensic investigation, David Kim just called again—he has the hospital board on speakerphone asking if Monday’s go-live is happening. How do you explain your findings to them in a way that helps them make an informed business decision?”

Challenge 2: Team wants to ignore deadline pressure and “just do security right”

IM Response: “I understand the frustration with business pressure overriding security concerns. That’s also a realistic dilemma in many organizations. In this scenario, the $2M contract and 200-person hospital nursing staff are real stakes. How do cybersecurity professionals navigate situations where ‘ideal security’ conflicts with legitimate business needs?”

Challenge 3: One role (usually Detective or Threat Hunter) dominates investigation

IM Response: “Detective, your forensic analysis has been excellent and you’ve identified critical evidence. Communicator, how would you present these technical findings to Sarah Chen and the hospital stakeholders? What questions would Mike Rodriguez ask from a patient care perspective? Protector, what containment concerns do these findings raise?”

Challenge 4: Team gets stuck debating perfect response strategy

IM Response: “You’re right that there’s no perfect solution here—there are trade-offs with every approach. Real incident response often means choosing the best available option under time pressure with incomplete information. Based on what you know now, what’s your decision? You can always adapt if new information emerges.”

Challenge 5: Players minimize social engineering, focus only on technical vulnerability

IM Response: “The technical vulnerability is real, but think about what made this attack succeed. Experienced IT professionals clicked on these emails. What organizational factors—the deadline pressure, the culture of bypassing security for speed, the management messaging about client satisfaction over controls—made them vulnerable? How do you address that?”

Challenge 6: Team proposes response that ignores Malmon type characteristics

IM Response: “Interesting approach. Remember that GaboonGrabber is a Trojan-type Malmon particularly effective at social engineering and evasion. How does your signature-based detection strategy account for its Fileless Deployment ability? What type-effective approaches might work better against Trojan characteristics?”

Dice/Success Mechanics Guidelines

For this scenario, use these DC ranges:

Investigation Actions:

  • Basic log analysis or symptom recognition: DC 10-12 (Easy)
  • Behavioral analysis or memory forensics: DC 15 (Moderate)
  • Attribution or advanced threat intelligence: DC 18-20 (Hard)

Containment Actions:

  • Network isolation/segmentation: DC 15-18 (Moderate to Hard)
  • Behavioral monitoring deployment: DC 12-15 (Easy to Moderate)
  • Complete system re-imaging: Automatic success (but discuss time cost)
  • Signature-based detection: DC 25+ (Very Hard, likely to fail)

Stakeholder Communication:

  • Clear technical explanation to David Kim: DC 15 (Moderate)
  • Persuasive risk communication under pressure: DC 18 (Hard)
  • Managing conflicting stakeholder demands simultaneously: DC 20 (Hard)

Modifiers:

  • Type-effective approach (behavioral analysis): -3 to DC (easier)
  • Type-ineffective approach (signature detection): +5 to DC (much harder)
  • Team coordination bonus: -2 to DC if multiple roles collaborate effectively
  • Time pressure penalty: +2 to DC if attempting under extreme deadline pressure
  • Stakeholder trust bonus: -2 to DC for communication if team has been transparent and competent

Automatic Success Conditions:

  • Good teamwork with logical, type-appropriate approach
  • Creative solution that respects Malmon characteristics and addresses business needs
  • Transparent stakeholder communication that demonstrates security competence

Automatic Failure Conditions:

  • Ignoring Malmon type characteristics (trying signature detection against Trojan with Fileless Deployment)
  • Dishonest communication with stakeholders (hiding incident severity, making promises team can’t keep)
  • Solving technical problem while ignoring business reality (perfect security that destroys client relationship)

11. Scenario Customization Notes

Difficulty Adjustments

Make Easier (For Novice Teams):

  • Remove hospital test environment exposure complexity—simplify to internal-only incident
  • Provide more explicit guidance about type effectiveness: “Remember, Trojan-type Malmons are weak against behavioral analysis…”
  • Reduce stakeholder pressure: Fewer NPC calls, more collaborative tone from David Kim
  • Extend timeline: Push go-live deadline to Wednesday giving more response time
  • Simplify technical details: Present evidence more directly without requiring deep forensic interpretation
  • Use Quick Demo or Lunch & Learn format with pre-defined response options

Make Harder (For Expert Teams):

  • Add red herrings: Legitimate EMR software bugs creating confusion about malware vs normal issues
  • Introduce potential insider threat angle: Evidence suggesting someone facilitated the attack
  • Expand Multi-Payload Deployment: Actually deploy secondary payloads if team too slow
  • Add media pressure: Local news picks up story about “security problems at healthcare company”
  • Require innovation: Remove reference materials, test knowledge recall and creative problem-solving
  • Use Advanced Challenge format with subtle evidence and ambiguous containment success

Industry Adaptations

For Healthcare Context (Primary):

  • Emphasize HIPAA compliance requirements and patient data protection
  • Include patient safety implications (EMR system downtime affects clinical operations)
  • Highlight healthcare vendor security expectations and regulatory environment
  • Reference federal breach notification requirements and timeline
  • Incorporate clinical stakeholder perspectives (nursing staff, physicians)

For Financial Context:

  • Adapt to banking implementation (core system upgrade, transaction processing)
  • Replace HIPAA with Gramm-Leach-Bliley Act and banking regulations
  • Change NPCs to bank executives, federal banking examiner, branch managers
  • Emphasize 24/7 transaction processing requirements and customer impact
  • Include PCI-DSS compliance and financial regulatory reporting

For Education Context:

  • Adapt to university financial aid system (maintaining the healthcare hook)
  • Replace HIPAA with FERPA (student data protection)
  • Change NPCs to university administrators, financial aid director, students
  • Emphasize academic calendar pressure (financial aid disbursement deadlines)
  • Include student success and enrollment impact considerations

For Government Context:

  • Adapt to government agency system implementation (constituent services platform)
  • Replace HIPAA with relevant agency compliance requirements
  • Change NPCs to agency executives, elected officials, IT leadership
  • Emphasize public trust, transparency requirements, and bureaucratic constraints
  • Include constituent impact and political pressure

Experience Level Adaptations

For Novice Teams:

  • Provide explicit type effectiveness coaching: “Trojan-type Malmons like GaboonGrabber are particularly vulnerable to behavioral analysis because…”
  • Guide investigation with structured questions: “What would you check in the email headers? What processes would you examine?”
  • Simplify stakeholder dynamics: Reduce conflicting demands, make NPCs more collaborative
  • Focus on core concepts: Social engineering awareness, behavioral vs signature detection, incident response basics
  • Use automatic successes for good ideas to maintain momentum and confidence

For Mixed Experience Groups:

  • Leverage experienced players as mentors: “Experienced team members, how would you approach this?”
  • Create moments for peer teaching: “Can someone explain what process injection means and why it matters?”
  • Balance complexity: Core scenario accessible to novices, optional depth for experts
  • Encourage collaboration: “How might the experienced Detective work with the newer Protector to analyze this evidence together?”

For Expert Teams:

  • Minimize guidance, maximize complexity: Multi-threaded investigation, subtle evidence, red herrings
  • Require innovation: “The standard playbook won’t work here—what creative approach would you try?”
  • Add sophistication: Attribution complexity, advanced evasion techniques, supply chain implications
  • Challenge assumptions: “What if your initial assessment is wrong? How would you validate?”
  • Focus on strategic thinking: Organizational culture change, long-term security posture, industry-wide implications

12. Cross-References

Additional Resources

Real-World Incident References:

  • Real GaboonGrabber campaigns have targeted healthcare and technology sectors during high-pressure project periods
  • Pattern of exploiting organizational stress (implementations, compliance deadlines, crisis periods) is well-documented across malware families
  • Healthcare sector particularly vulnerable due to patient care pressure overriding security controls

MITRE ATT&CK Techniques Demonstrated:

  • T1566.001 (Spearphishing Attachment) - Social engineering delivery
  • T1204.002 (Malicious File) - User execution
  • T1547.001 (Registry Run Keys) - Persistence
  • T1027 (Obfuscated Files) - Defense evasion
  • T1055 (Process Injection) - Defense evasion and privilege escalation
  • T1041 (Exfiltration Over C2 Channel) - Data theft

Professional Development Connection:

  • SOC analyst skills: Behavioral analysis, alert investigation, pattern recognition
  • Incident response coordination: Multi-stakeholder management, timeline pressure, resource allocation
  • Security awareness training: Understanding and addressing social engineering vulnerabilities
  • Organizational security culture: Balancing security with business needs, culture change initiatives

Community Contributions

  • Share variations of this scenario adapted for different industries or experience levels
  • Document innovative response strategies discovered during sessions
  • Contribute facilitator insights about what worked well or challenges encountered
  • Add to MalDex: Effective investigation techniques, stakeholder communication approaches, organizational vulnerability insights

Notes for IM Customization

Space for IMs to add their own notes, modifications, or insights from running this scenario

What worked well:

[Your facilitation successes and effective moments]

What to modify next time:

[Adjustments needed based on experience]

Creative player solutions to remember:

[Innovations to share with community]

Timing adjustments needed:

[Pacing observations and refinements]

Industry-specific customizations tried:

[Adaptations for different organizational contexts]

Stakeholder communication insights:

[Effective NPC portrayal techniques and dialogue]


End of Planning Document

This comprehensive planning document provides complete guidance for facilitating the GaboonGrabber Healthcare Implementation Crisis scenario. Adapt sections based on your session format, team experience level, and available time. The goal is confident facilitation that creates engaging collaborative learning experiences.