The Containment System for Incident Response Training

From Capture to Containment

Traditional creature-collection games focus on capturing creatures for training and battle. Malware & Monsters flips this concept: instead of collecting threats for your team, you work to contain and neutralize them before they can cause damage to your organization.

The Containment System represents the tools, techniques, and strategies that cybersecurity professionals use to stop, analyze, and eliminate digital threats. Just as different creatures require different capture techniques, different Malmon types respond better to specific containment approaches.

Security Controls: Your Containment Arsenal

Understanding Security Controls

Security Controls are your primary tools for containing Malmons. Each control represents a category of cybersecurity defenses, from basic antivirus software to advanced behavioral analysis systems. The key to successful containment is matching the right controls to the specific Malmon type you’re facing.

Type Effectiveness Overview

Understanding which security controls work best against different Malmon types is fundamental to successful containment:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Basic Security Controls

Signature Detection

What it does: Identifies known malware patterns and file signatures
Best against: Basic variants of known Malmon families
Effectiveness: High against unmodified threats, low against evolved forms
Team applications:

• Detective: “The file hash matches known GaboonGrabber samples”
• Protector: “Deploying signature updates across all endpoints”

Effectiveness Ratings: - Super Effective vs: Basic Trojans, known Worms - Normal vs: Most standard threats
- Not Effective vs: Zero-day variants, Polymorphic threats

Network Isolation

What it does: Separates infected systems from critical network resources
Best against: Worm-type Malmons attempting lateral movement
Effectiveness: Excellent for containing spread, prevents evolution

Team applications:

• Protector: “Moving infected workstations to quarantine VLAN”
• Tracker: “Monitoring quarantine network for continued threat activity”

Effectiveness Ratings: - Super Effective vs: Worms, Network-propagating threats - Normal vs: APTs, Infostealers - Not Effective vs: Air-gap jumping threats, USB-based Malmons

System Restoration

What it does: Returns compromised systems to known-good states
Best against: File-encrypting and system-modifying threats
Effectiveness: High for undoing damage, moderate for prevention

Team applications:

• Protector: “Initiating rollback to yesterday’s clean backup”
• Crisis Manager: “Coordinating restoration priorities across departments”

Effectiveness Ratings: - Super Effective vs: Ransomware, System modifiers - Normal vs: Most persistent threats - Not Effective vs: Data theft (damage already done)

Advanced Security Controls

Behavioral Analysis

What it does: Monitors system and network behavior for anomalous patterns
Best against: Evasive and sophisticated threats that avoid signatures
Effectiveness: Excellent against novel techniques, requires expertise

Team applications:

• Detective: “Process behavior shows signs of injection techniques”
• Threat Hunter: “Baseline deviation suggests hidden persistence mechanism”

Effectiveness Ratings: - Super Effective vs: Trojans, Rootkits, APTs - Normal vs: Straightforward attacks - Not Effective vs: Perfectly mimicked legitimate behavior

Threat Intelligence

What it does: Uses knowledge of attacker techniques and infrastructure
Best against: Organized threat actor campaigns and known attack patterns
Effectiveness: High when intelligence is current and relevant

Team applications:

• Threat Hunter: “This C2 infrastructure matches known Lazarus Group patterns”
• Communicator: “Intelligence suggests this is part of broader campaign”

Effectiveness Ratings: - Super Effective vs: APTs, Nation-state threats - Normal vs: Organized cybercrime - Not Effective vs: Novel or amateur threats

Zero Trust Architecture

What it does: Assumes breach and verifies every access request
Best against: Advanced persistent threats and lateral movement
Effectiveness: Excellent for containment, requires significant implementation

Team applications:

• Crisis Manager: “Implementing enhanced verification for all system access”
• Protector: “Zero trust controls are limiting threat movement effectively”

Effectiveness Ratings: - Super Effective vs: APTs, Lateral movement specialists - Normal vs: Most organized threats - Not Effective vs: Legitimate-access-based attacks

Containment Rate Mechanics

Factors Affecting Containment Success

Malmon-Specific Factors

• Threat Level: Higher-level Malmons are harder to contain
• Type Advantages: Using super-effective controls dramatically improves success rates
• Evolution State: Evolved Malmons resist containment attempts

Type Advantage Reference

Quick reference for optimal security control selection:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

• Environmental Factors: Network architecture and security posture affect difficulty

Team Coordination Factors

• Role Synergy: Different roles working together improve containment rates
• Communication Quality: Clear information sharing enhances effectiveness
• Response Speed: Faster response prevents Malmon evolution and spread
• Resource Allocation: Appropriate tools and personnel for the threat level

Containment Success Criteria

Containment success is measured by specific, observable criteria that both players and IMs can verify. Each level requires meeting ALL listed criteria within that category.

Complete Containment (Optimal Success)

All criteria must be met:

Technical Neutralization:

• Malmon Activity Stopped: No further malicious processes, network connections, or file modifications observed
• Persistence Eliminated: All startup entries, scheduled tasks, registry modifications, or other persistence mechanisms removed
• Communication Blocked: Command & control channels identified and successfully blocked
• Spread Prevention: No evidence of lateral movement to additional systems after containment began

System Recovery:

• Clean State Verified: Affected systems restored to verified clean state or rebuilt from known-good backups
• Data Integrity Confirmed: Critical data verified as uncorrupted and accessible
• Services Restored: All business-critical services returned to normal operation
• User Access Restored: Authorized users can access their resources normally

Response Quality:

• Team Coordination: All 6 roles (or available roles) contributed meaningfully to containment
• Appropriate Controls: Security controls selected matched Malmon type weaknesses
• Documentation Complete: Incident timeline, actions taken, and lessons learned documented
• Intelligence Generated: Actionable threat intelligence created for future defense

Stakeholder Management:

• Communications Clear: All relevant stakeholders properly notified with accurate information
• Compliance Met: Regulatory requirements addressed appropriately
• Business Continuity: Minimal disruption to normal business operations

Effective Containment (Successful with Minor Issues)

All criteria must be met:

Technical Neutralization:

• Malmon Activity Stopped: No further malicious activity observed after containment
• Primary Persistence Removed: Main persistence mechanisms eliminated (minor artifacts may remain)
• Communication Disrupted: Primary C2 channels blocked (backup channels may exist)
• Spread Controlled: Limited to initially infected systems plus 1-2 additional systems

System Recovery:

• Core Systems Restored: Business-critical systems returned to operation
• Data Mostly Intact: No significant data loss, minor corruption possible
• Key Services Running: Essential services restored, non-critical services may be degraded
• User Productivity Resumed: Users can perform essential job functions

Response Quality:

• Role Participation: At least 4 roles contributed to containment (if available)
• Controls Effective: Security controls used were generally appropriate for threat type
• Basic Documentation: Key incidents and actions recorded
• Some Intelligence: Limited threat intelligence developed

Stakeholder Management:

• Key Communications Sent: Critical stakeholders notified appropriately
• Major Compliance Addressed: Primary regulatory requirements met
• Business Impact Managed: Disruption communicated and managed effectively

Partial Containment (Learning Experience)

Criteria indicate significant learning opportunity:

Technical Issues:

• Activity Eventually Stopped: Malmon neutralized but after achieving some objectives
• Persistence Partially Addressed: Some persistence mechanisms remain undiscovered
• Communication Partially Blocked: Some C2 channels still active
• Spread Occurred: Affected 3-5 additional systems before containment

System Impact:

• Some Systems Recovered: Critical systems restored but recovery incomplete
• Data Partially Compromised: Some data loss or corruption occurred
• Services Degraded: Reduced functionality across multiple systems
• User Impact Significant: Noticeable disruption to user productivity

Response Gaps:

• Limited Role Coordination: 2-3 roles contributed effectively
• Suboptimal Controls: Some inappropriate control selections made
• Incomplete Documentation: Basic incident facts recorded
• Minimal Intelligence: Little actionable intelligence developed

Containment Failure (Major Learning Experience)

Criteria indicate need for significant improvement:

Technical Failure:

• Objectives Achieved: Malmon completed primary objectives (data theft, encryption, etc.)
• Persistence Remains: Multiple persistence mechanisms still active
• Communication Active: C2 channels remain functional
• Widespread Spread: Affected 6+ systems or critical infrastructure

System Compromise:

• Systems Heavily Damaged: Major systems offline or corrupted
• Significant Data Loss: Important data stolen, corrupted, or encrypted
• Services Down: Critical business services offline
• User Operations Halted: Users cannot perform essential functions

Response Breakdown:

• Poor Coordination: Roles worked independently without coordination
• Ineffective Controls: Control selections inappropriate for threat type
• No Documentation: Minimal or no incident documentation
• No Intelligence: No useful threat intelligence developed

Validation Process for Success Levels

For Players: Self-assess your team’s performance against these criteria during the session wrap-up.

For IMs: Use these criteria to provide specific feedback and determine session outcomes:

1. Count completed criteria in each category
2. Identify specific achievements and areas for improvement
   
3. Provide concrete examples of what was done well or could be improved
4. Focus on learning rather than “winning” or “losing”

Example IM Feedback: “You achieved Effective Containment - you stopped the malmon activity and restored core systems, plus all roles participated well. The area for improvement was intelligence generation - you focused on containment but didn’t capture much information about the attacker’s techniques for future defense.”

This criteria-based approach ensures that “successful containment” has clear, measurable meaning that players can work toward and IMs can objectively assess.

Advanced Containment Techniques

Coordinated Multi-Control Deployment

The Layered Defense Approach

Rather than relying on single controls, advanced containment uses multiple complementary techniques:

Example: Containing a Worm/Ransomware Hybrid

1. Immediate Isolation (Protector) - Prevent spread
2. Behavioral Analysis (Detective) - Understand attack progression
   
3. Backup Validation (Protector) - Ensure recovery capabilities
4. Communication Blocking (Tracker) - Disrupt command and control
5. User Coordination (Communicator) - Prevent user actions that aid the attack

Team-Based Control Synergies

Detective + Threat Hunter Synergy:

• Detective provides forensic evidence of Malmon behavior
• Threat Hunter uses evidence to search for related threats
• Combined intelligence improves containment targeting

Protector + Crisis Manager Synergy:

• Protector implements technical containment measures
• Crisis Manager coordinates resource allocation and priorities
• Combined approach ensures comprehensive coverage

Tracker + Communicator Synergy:

• Tracker identifies affected systems and data flows
• Communicator assesses business impact and stakeholder needs
• Combined perspective balances technical and business requirements

Environmental Containment Factors

Network Architecture Advantages

• Micro-segmentation: Limits Worm-type spread
• Air-gapped Critical Systems: Protects against most threats
• Monitoring Coverage: Improves detection and containment speed
• Backup Diversity: Enhances recovery capabilities

Organizational Readiness Multipliers

• Incident Response Team Training: Improves coordination effectiveness
• Updated Security Tools: Provides better containment capabilities
• Clear Communication Protocols: Reduces response time
• Management Support: Enables resource deployment

Containment Planning and Execution

Pre-Incident Preparation

Control Inventory Assessment

Before facing real threats, teams should understand their available controls:

Questions for Team Discussion:

• What signature detection capabilities do we have?
• How quickly can we isolate infected systems?
• What backup and recovery options are available?
• Do we have behavioral analysis tools and expertise?
• What threat intelligence sources can we access?

Role-Specific Containment Responsibilities

Detective Containment Focus:

• Evidence preservation during containment actions
• Identification of containment success indicators
• Analysis of Malmon resistance to specific controls
• Documentation of containment effectiveness

Protector Containment Focus:

• Technical implementation of containment measures
• System isolation and restoration procedures
• Security control deployment and configuration
• Damage assessment and recovery planning

Tracker Containment Focus:

• Network traffic monitoring during containment
• Validation of communication blocking effectiveness
• Monitoring for continued threat activity
• Network-based containment implementation

Communicator Containment Focus:

• Stakeholder notification during containment efforts
• Business impact assessment of containment measures
• User coordination to support containment activities
• External communication about incident status

Crisis Manager Containment Focus:

• Overall containment strategy coordination
• Resource allocation for containment efforts
• Timeline management and priority setting
• Integration of all team containment activities

Threat Hunter Containment Focus:

• Proactive search for additional threats during containment
• Assessment of containment effectiveness
• Investigation of potential threat evolution or adaptation
• Intelligence gathering for improved future containment

During-Incident Containment Execution

The Containment Decision Process

Step 1: Threat Assessment

• What type of Malmon are we facing?
• What are its primary capabilities and objectives?
• How has it already impacted our environment?
• What are the likely evolution triggers?

Step 2: Control Selection

• Which controls are most effective against this Malmon type?
• What controls do we have immediately available?
• How can we combine controls for maximum effectiveness?
• What are the risks of each containment approach?

Step 3: Coordinated Implementation

• Who implements each control?
• What is the sequence and timing of implementation?
• How do we monitor containment effectiveness?
• What are our backup plans if initial containment fails?

Step 4: Validation and Adjustment

• Is the Malmon contained or still active?
• Are there signs of evolution or adaptation?
• Do we need additional or different controls?
• What can we improve about our containment approach?

Containment Failure and Recovery

When Containment Doesn’t Work

Common Containment Failure Modes

• Type Mismatch: Using controls ineffective against the specific Malmon type
• Timing Issues: Attempting containment after evolution or spread
• Coordination Problems: Team members working at cross purposes
• Resource Limitations: Insufficient tools or expertise for the threat level
• Environmental Gaps: Network or system vulnerabilities that enable evasion

Learning from Containment Failures

Failed containment attempts provide valuable learning opportunities:

Questions for Team Reflection:

• What did we misunderstand about the Malmon’s capabilities?
• Which controls worked better or worse than expected?
• How could we have coordinated more effectively?
• What environmental factors contributed to containment difficulty?
• What would we do differently in a similar situation?

Recovery and Resilience

Post-Containment Activities

Even after successful containment, important work remains:

System Recovery:

• Restoration of affected systems and data
• Validation of system integrity and security
• Implementation of additional protections
• User access restoration and validation

Intelligence Development:

• Documentation of Malmon characteristics and behavior
• Sharing of containment techniques with community
• Development of improved detection signatures
• Enhancement of organizational defenses

Team Development:

• Review of containment coordination and effectiveness
• Identification of skill gaps and training needs
• Refinement of roles and responsibilities
• Preparation for future, more advanced threats

Building Containment Expertise

Individual Skill Development

For Each Role

Detective: Develop expertise in forensic analysis, evidence preservation, and containment validation techniques.

Protector: Build proficiency with security tools, system recovery procedures, and technical containment implementation.

Tracker: Master network monitoring, traffic analysis, and network-based containment approaches.

Communicator: Learn business impact assessment, stakeholder management during crises, and coordination techniques.

Crisis Manager: Develop project management skills, resource allocation strategies, and team coordination capabilities.

Threat Hunter: Build intelligence analysis skills, proactive investigation techniques, and advanced threat detection capabilities.

Team Skill Development

Collaborative Containment Exercises

• Scenario-based practice with different Malmon types
• Cross-training to understand other roles’ containment responsibilities
• Communication drills for coordinating containment activities
• Tool familiarization across different security control categories

Community Learning

• Sharing containment experiences with other teams and organizations
• Learning from community failures and successes
• Contributing to containment technique development
• Participating in collaborative threat intelligence efforts

Remember: Containment is Collaborative

No single role or control can contain all Malmons effectively. The most successful containment efforts combine different controls, leverage each role’s expertise, and adapt to the specific characteristics of the threat being faced.

In the next chapter, we’ll explore the Training and Progression system - how you develop expertise, earn recognition for your growing skills, and advance through increasingly challenging cybersecurity scenarios.