Session Types and Scenarios

Understanding Different Session Approaches

Malware & Monsters sessions come in several different formats, each designed for specific learning goals and group needs. Understanding what to expect from each type helps you prepare mentally and contributes more effectively to your team’s success.

Session Format Overview

Standard Contemporary Sessions

What to Expect: Modern cybersecurity incidents using current technology and contemporary threats

  • Duration: 90-120 minutes
  • Focus: Current incident response techniques and modern threats
  • Technology Context: Cloud platforms, modern networks, current security tools
  • Learning Goals: Practical skills for today’s cybersecurity challenges
  • Preparation: Review current cybersecurity practices and tools

Typical Experience: You’ll respond to incidents involving malmons like GaboonGrabber or WannaCry in modern organizational contexts with current technology and business requirements.

Legacy Malmon Sessions

What They Are: Sessions featuring historically significant threats (Code Red, Stuxnet, Gh0st RAT, Poison Ivy) with two possible approaches:

Historical Foundation Approach: - Duration: 2+ hours for full exploration - Focus: Understanding cybersecurity history and threat evolution - Technology Context: Authentic period technology (2001-2010) - Learning Goals: How threats and defenses have evolved over time - Preparation: Open mind about historical technology limitations

Contemporary Approach:

  • Duration: 90-120 minutes
  • Focus: Modern versions of historical threats
  • Technology Context: Current technology with evolved attack techniques
  • Learning Goals: How classic attack patterns manifest in modern environments
  • Preparation: Understanding both historical significance and current applications

Session Structure Variations

Standard Session Flow

Opening Phase (15 minutes)

  • Team introductions and expertise discovery
  • Role assignments based on backgrounds and preferences
  • Initial incident briefing and context setting
  • Questions about organizational environment

Your Focus: Listen to teammates’ backgrounds, think about your preferred role, ask clarifying questions about the incident context.

Investigation Phase (30-45 minutes)

  • Initial symptoms analysis and hypothesis development
  • Evidence gathering through role-specific actions
  • Collaborative discovery of threat characteristics
  • Progressive revelation of attack complexity

Your Focus: Use your role’s perspective to investigate specific aspects, share findings with teammates, build on others’ discoveries.

Response Phase (30-45 minutes)

  • Coordinated containment and mitigation actions
  • Adaptation to evolving threat circumstances
  • Business continuity and communication management
  • Success measurement and impact assessment

Your Focus: Execute role-specific response actions, coordinate with teammates, adapt plans based on changing conditions.

Debrief Phase (15 minutes)

  • Team reflection on what worked well
  • Lessons learned and improvement opportunities
  • Real-world application discussion
  • Connection to broader cybersecurity principles

Your Focus: Share honest reflections, learn from teammates’ perspectives, think about workplace applications.

Historical Foundation Session Flow

Historical Context Setting (15 minutes)

  • Period technology and security landscape introduction
  • Historical organizational environment explanation
  • Era-appropriate assumptions and limitations
  • Setting expectations for collaborative learning

Your Focus: Absorb historical context, ask questions about unfamiliar technology, prepare to think within period constraints.

Authentic Historical Investigation (45 minutes)

  • Respond using only period-available tools and knowledge
  • Work within historical technology limitations
  • Experience security assumptions that proved incorrect
  • Understand response challenges of the era

Your Focus: Think like someone from that time period, work with teammates to understand historical challenges, avoid using modern knowledge.

Collaborative Modernization (30 minutes)

  • Discuss how the attack would work with current technology
  • Explore evolution of attack techniques and defensive capabilities
  • Connect historical lessons to modern cybersecurity challenges
  • Identify persistent patterns across time periods

Your Focus: Contribute perspectives on how threats have evolved, learn from teammates’ insights about historical progression.

Learning Synthesis (15 minutes)

  • Reflect on patterns in threat evolution
  • Discuss lessons applicable to current work
  • Consider future threat development trends
  • Connect individual expertise to historical learning

Your Focus: Share insights about threat evolution, connect learning to your current work, think about future implications.

Scenario Card Variations

What Are Scenario Cards?

Each malmon can be encountered in multiple scenario cards - different organizational contexts that change the business environment, stakeholder priorities, and response constraints while keeping the core threat behavior consistent.

Example Scenario Card: Healthcare Crisis

MedTech Solutions - Regional Healthcare Network
Contemporary Healthcare • GaboonGrabber
STAKES
Patient safety, HIPAA compliance, medical device security
HOOK
Critical hospital system launch scheduled for Monday morning with patient lives depending on successful deployment
PRESSURE
72-hour deadline for $2M implementation, regulatory scrutiny, medical staff resistance to delays
FRONT • 90-120 minutes • Intermediate
MedTech Solutions - Regional Healthcare Network
Contemporary Healthcare • GaboonGrabber
NPCs
  • Dr. Sarah Chen (stressed Medical Director), Marcus Rivera (overwhelmed IT Director), Jennifer Walsh (demanding Hospital CIO), Lisa Thompson (concerned Compliance Officer)
SECRETS
  • Security shortcuts taken under project pressure, medical devices on same network as business systems, staff using personal devices for patient data

Organizational Context Examples

Healthcare Scenarios:

  • Regulatory compliance pressures (HIPAA, patient safety)
  • Critical patient care system dependencies
  • Medical device security considerations
  • Public health and safety implications

Financial Services Scenarios:

  • Regulatory oversight (SOX, PCI DSS, banking regulations)
  • Real-time transaction processing requirements
  • Customer financial data protection
  • Market confidence and reputation managementOrganizational

Government/Critical Infrastructure Scenarios:

  • National security implications
  • Public service continuity requirements
  • Interagency coordination needsOrganizational
  • Public safety and crisis communication

Small Business Scenarios:

  • Limited technical resources and expertise
  • Budget constraints for response actions
  • Personal relationships with customers
  • Survival-level business impact decisions

Why Different Scenarios Matter

Real-World Relevance

The same technical threat affects organizations very differently based on: - Industry regulations and compliance requirements - Business model and revenue dependencies
- Stakeholder expectations and communication needs - Available resources and technical capabilities

Role Perspective Development

Different scenarios help you understand how your incident response role adapts to: - Varying organizational priorities and constraints - Different stakeholder communication requirements - Industry-specific regulatory and legal considerations - Diverse technical environments and resource levels

What to Expect as a Player

Collaborative Learning Environment

Your Expertise Matters

  • Sessions build on what you already know
  • Questions are more valuable than immediate answers
  • Different perspectives enhance team understanding
  • Learning happens through shared discovery

No “Gotcha” Moments

  • IMs guide discovery rather than test knowledge
  • Mistakes become learning opportunities for everyone
  • Teams succeed through collaboration, not individual brilliance
  • Real-world complexity is acknowledged and supported

Realistic Complexity

  • Incidents evolve based on team actions and discoveries
  • Information emerges gradually through investigation
  • Multiple valid approaches exist for most challenges
  • Business and technical considerations both matter

Session Preparation Tips

For Any Session Type

  • Review your professional experience for relevant insights
  • Think about your preferred incident response role
  • Prepare to listen to and build on teammates’ ideas
  • Bring curiosity about cybersecurity challenges

For Historical Foundation Sessions

  • Prepare for technology contexts different from current experience
  • Approach with curiosity about cybersecurity evolution
  • Be ready for collaborative discovery and learning
  • Expect to gain new perspectives on current threats

For Contemporary Sessions

  • Consider current cybersecurity challenges in your industry
  • Think about modern tool capabilities and limitations
  • Prepare to apply contemporary best practices
  • Connect session learning to current work context

Common Player Questions

“What if I don’t know the answer?”

Perfect! Sessions are designed for collaborative discovery. Your questions and perspective help the entire team learn together.

“What if I’m not technical enough?”

Every role contributes unique value. Incident response requires business understanding, communication skills, and strategic thinking alongside technical expertise.

“What if I disagree with a teammate’s approach?”

Discuss it! Real incident response involves evaluating different approaches and finding the best path forward through team collaboration.

“What if the scenario is outside my industry experience?”

Great learning opportunity! Understanding how cybersecurity challenges vary across industries enhances your overall professional perspective.

Maximizing Your Learning Experience

Active Participation Strategies

Ask Questions

  • Clarify unfamiliar concepts or terminology
  • Explore the reasoning behind teammates’ suggestions
  • Understand the business context and stakeholder concerns
  • Connect session events to real-world experience

Share Insights

  • Contribute relevant professional experience
  • Offer alternative perspectives on problems
  • Suggest approaches from your industry or role background
  • Connect technical solutions to business implications

Build on Others’ Ideas

  • Expand on teammates’ suggestions with additional details
  • Combine different perspectives into comprehensive solutions
  • Help quiet team members contribute their expertise
  • Synthesize technical and business considerations

Cross-Session Learning

Pattern Recognition

Over multiple sessions, you’ll begin recognizing:

  • Common attack patterns across different malmons
  • Effective team collaboration techniques
  • Industry-specific cybersecurity challenges
  • Evolution patterns in threats and defenses

Skill Development

Regular participation develops:

  • Incident response coordination and communication
  • Technical problem-solving under pressure
  • Business risk assessment and decision-making
  • Cross-functional team collaboration abilities

Professional Application

Session experiences translate to workplace improvements in:

  • Incident response plan development and testing
  • Cross-team collaboration during security events
  • Risk communication with non-technical stakeholders
  • Strategic thinking about cybersecurity investments

Understanding these different session types and approaches helps you contribute more effectively to your team’s success while maximizing your own learning from each Malware & Monsters experience.

In the next chapter, we’ll explore specific techniques for effective participation regardless of which session type you encounter.