Type Effectiveness Reference
Complete Type Interaction Matrix
Understanding which security controls work best against different Malmon types is fundamental to effective incident response:
Malmon Type | Weak to | Resists |
---|---|---|
Trojan | Detection | Training |
Worm | Isolation | Backup |
Ransomware | Backup | Encryption |
Rootkit | Forensics | Detection |
APT | Intelligence | |
Phishing | Training | |
Botnet | Coordination | |
Infostealer | Encryption | |
Detailed Type Characteristics
Trojan-Type Malmons
Core Characteristics:
- Deception Specialists: Excel at appearing legitimate
- User Interaction Required: Depend on user execution or installation
- Process Hiding: Often inject into or masquerade as legitimate processes
- Payload Delivery: Frequently serve as first stage for other threats
Type Effectiveness Analysis:
Trojan Type Effectiveness
Defense Type | Effectiveness | Game Modifier |
---|---|---|
Detection | Super Effective | +3 to defense rolls |
Isolation | Normal | No modifier |
Backup | Normal | No modifier |
Forensics | Normal | No modifier |
Intelligence | Normal | No modifier |
Training | Not Very Effective | -2 to defense rolls |
Coordination | Normal | No modifier |
Encryption | Normal | No modifier |
Super Effective Against:
- Traditional signature-based detection systems
- Static security controls that rely on known bad indicators
- User awareness programs that focus on obvious threats
Common Examples: GaboonGrabber, FakeBat
Evolution Path: Often evolve into APT-level threats with persistence and lateral movement
Worm-Type Malmons
Core Characteristics:
- Self-Propagating: Spread automatically without user interaction
- Network Exploitation: Use network vulnerabilities for rapid spread
- Infrastructure Impact: Can affect multiple systems simultaneously
- Speed Advantage: Rapid propagation can overwhelm response efforts
Type Effectiveness Analysis:
Worm Type Effectiveness
Defense Type | Effectiveness | Game Modifier |
---|---|---|
Detection | Normal | No modifier |
Isolation | Super Effective | +3 to defense rolls |
Backup | Not Very Effective | -2 to defense rolls |
Forensics | Normal | No modifier |
Intelligence | Normal | No modifier |
Training | Normal | No modifier |
Coordination | Normal | No modifier |
Encryption | Normal | No modifier |
Super Effective Against:
- Unpatched network infrastructure
- Poorly segmented networks
- Organizations with weak change management
Common Examples: WannaCry, Code Red, Raspberry Robin
Evolution Path: May evolve into coordinated botnets or multi-vector attacks
Ransomware-Type Malmons
Core Characteristics:
- Data Encryption: Primary attack vector against organizational data
- Financial Motivation: Direct monetary demands and business disruption
- Time Pressure: Create urgency through deadline-driven demands
- Business Impact: Target critical business processes and data
Type Effectiveness Analysis:
Ransomware Type Effectiveness
Defense Type | Effectiveness | Game Modifier |
---|---|---|
Detection | Normal | No modifier |
Isolation | Normal | No modifier |
Backup | Super Effective | +3 to defense rolls |
Forensics | Normal | No modifier |
Intelligence | Normal | No modifier |
Training | Normal | No modifier |
Coordination | Normal | No modifier |
Encryption | Not Very Effective | -2 to defense rolls |
Super Effective Against:
- Organizations with poor backup strategies
- Critical data without redundancy
- Systems dependent on real-time data access
Common Examples: LockBit, WannaCry (hybrid type)
Evolution Path: Often evolve to include data theft and double extortion
Rootkit-Type Malmons
Core Characteristics:
- Deep System Access: Operate at kernel or firmware level
- Stealth Operations: Designed to remain hidden from detection tools
- Persistence Focus: Maintain access through system changes and updates
- Detection Evasion: Actively hide from security tools and analysis
Type Effectiveness Analysis:
Rootkit Type Effectiveness
Defense Type | Effectiveness | Game Modifier |
---|---|---|
Detection | Not Very Effective | -2 to defense rolls |
Isolation | Normal | No modifier |
Backup | Normal | No modifier |
Forensics | Super Effective | +3 to defense rolls |
Intelligence | Normal | No modifier |
Training | Normal | No modifier |
Coordination | Normal | No modifier |
Encryption | Normal | No modifier |
Super Effective Against:
- Signature-based detection systems
- Standard malware scanning tools
- Network-based security controls
Common Examples: Advanced persistence mechanisms, kernel-level malware
Evolution Path: Often part of sophisticated APT campaigns
APT-Type Malmons (Advanced Persistent Threat)
Core Characteristics:
- Long-Term Operations: Patient, methodical approach to objectives
- Sophisticated Techniques: Use advanced tools and zero-day exploits
- Intelligence Gathering: Focus on reconnaissance and data collection
- Adaptive Behavior: Modify tactics based on defensive responses
Type Effectiveness Analysis:
APT Type Effectiveness
Defense Type | Effectiveness | Game Modifier |
---|---|---|
Detection | Normal | No modifier |
Isolation | Normal | No modifier |
Backup | Normal | No modifier |
Forensics | Normal | No modifier |
Intelligence | Super Effective | +3 to defense rolls |
Training | Normal | No modifier |
Coordination | Normal | No modifier |
Encryption | Normal | No modifier |
Super Effective Against:
- Organizations with limited threat hunting capabilities
- Environments with weak monitoring and logging
- Targets with valuable long-term intelligence value
Common Examples: Stuxnet, Noodle RAT, Gh0st RAT
Evolution Path: Continuously evolve tools and techniques based on defensive measures
Infostealer-Type Malmons
Core Characteristics:
- Data Collection Focus: Primary objective is information gathering
- Credential Harvesting: Target passwords, keys, and authentication data
- Silent Operation: Minimize detection while maximizing data collection
- Exfiltration Capability: Efficient methods for removing stolen data
Type Effectiveness Analysis:
Infostealer Type Effectiveness
Defense Type | Effectiveness | Game Modifier |
---|---|---|
Detection | Normal | No modifier |
Isolation | Normal | No modifier |
Backup | Normal | No modifier |
Forensics | Normal | No modifier |
Intelligence | Normal | No modifier |
Training | Normal | No modifier |
Coordination | Normal | No modifier |
Encryption | Super Effective | +3 to defense rolls |
Super Effective Against:
- Organizations with weak access controls
- Systems with unencrypted sensitive data
- Environments lacking data loss prevention
Common Examples: Noodle RAT, PoisonIvy
Evolution Path: Often evolve to include lateral movement and privilege escalation
Role-Based Type Effectiveness
Understanding how different incident response roles interact with Malmon types helps optimize team coordination:
Detective Advantages by Type
Most Effective Against:
- Trojans: Excel at identifying deception and social engineering vectors
- Rootkits: Forensic skills reveal hidden artifacts and persistence mechanisms
- APTs: Pattern recognition helps identify long-term campaign indicators
Challenging Types:
- Worms: Fast-moving threats may outpace investigation efforts
- Ransomware: Time pressure limits thorough analysis opportunities
Protector Advantages by Type
Most Effective Against:
- Worms: Network isolation and segmentation prevent spread
- Ransomware: Backup systems and recovery procedures mitigate impact
- Trojans: Security controls and system hardening prevent execution
Challenging Types:
- Rootkits: Deep system access bypasses standard security controls
- APTs: Patient, sophisticated attacks adapt to defensive measures
Tracker Advantages by Type
Most Effective Against:
- Worms: Network propagation creates obvious traffic patterns
- Infostealers: Data exfiltration generates detectable network activity
- APTs: Long-term monitoring reveals communication patterns
Challenging Types:
- Rootkits: May operate below network visibility layer
- Trojans: Limited network activity during initial infection phase
Communicator Advantages by Type
Most Effective Against:
- Trojans: Social engineering aspects require user education response
- Ransomware: Business impact assessment and stakeholder management critical
- APTs: Long-term incidents require sustained stakeholder communication
Challenging Types:
- Worms: Technical response may be prioritized over communication
- Rootkits: Highly technical nature limits business stakeholder involvement
Crisis Manager Advantages by Type
Most Effective Against:
- Ransomware: Business continuity and crisis coordination essential
- APTs: Long-term, complex response requires strategic coordination
- Worms: Rapid spread requires immediate resource allocation and coordination
Challenging Types:
- Rootkits: Highly technical response may require specialized coordination
- Trojans: Initial response may be straightforward without complex coordination needs
Threat Hunter Advantages by Type
Most Effective Against:
- APTs: Proactive hunting essential for detecting patient, sophisticated threats
- Rootkits: Advanced techniques required to find hidden threats
- Infostealers: Proactive search reveals data collection activities
Challenging Types:
- Worms: Reactive response may be more appropriate than proactive hunting
- Ransomware: Time pressure may limit comprehensive hunting activities
Strategic Response Planning
Type-Based Response Strategies
Understanding type effectiveness helps prioritize response actions:
Trojan Response Priority
- Behavioral Analysis: Detect abnormal process behavior
- User Investigation: Understand social engineering vector
- Signature Detection: Block known variants
- System Hardening: Prevent future similar attacks
Worm Response Priority
- Network Isolation: Immediate containment of spread
- Signature Detection: Block at network perimeter
- Patch Management: Address underlying vulnerabilities
- Recovery Planning: Restore affected systems
Ransomware Response Priority
- Network Isolation: Prevent spread to additional systems
- Backup Systems: Initiate recovery from clean backups
- Business Continuity: Maintain critical operations
- Forensic Preservation: Preserve evidence for investigation
Rootkit Response Priority
- Forensic Analysis: Deep investigation to uncover presence
- Behavioral Analysis: Monitor for unusual system activity
- System Rebuild: Clean reinstallation of affected systems
- Enhanced Monitoring: Implement advanced detection capabilities
APT Response Priority
- Threat Intelligence: Understand campaign and attribution
- Behavioral Analysis: Detect subtle, long-term activities
- Forensic Analysis: Comprehensive investigation and timeline
- Strategic Hardening: Long-term improvements to prevent persistence
Infostealer Response Priority
- Behavioral Analysis: Detect unusual data access patterns
- Threat Intelligence: Understand data theft techniques and objectives
- Access Control Review: Implement enhanced authentication and authorization
- Data Protection: Encrypt and monitor sensitive information
Environment-Specific Considerations
Different organizational environments face varying type effectiveness challenges:
Healthcare Environment Type Effectiveness
- Trojans: High risk due to diverse, often unmanaged medical devices
- Ransomware: Critical impact on patient care and safety systems
- Infostealers: HIPAA compliance and patient privacy concerns
- APTs: Nation-state interest in healthcare data and research
Financial Services Type Effectiveness
- Infostealers: High value targets for financial and customer data
- APTs: Nation-state and organized crime interest
- Trojans: Banking trojans specifically designed for financial targeting
- Ransomware: Business disruption impacts market and customer confidence
Critical Infrastructure Type Effectiveness
- APTs: Nation-state targeting of critical systems
- Worms: Potential for cascading failures across infrastructure
- Rootkits: Deep system access threatens operational technology
- Ransomware: Service disruption affects public safety and economic stability
Educational Institution Type Effectiveness
- Trojans: High risk due to diverse user base and BYOD policies
- Infostealers: Research data and student information targets
- Worms: Large, diverse networks facilitate rapid spread
- APTs: Nation-state interest in research and intellectual property
Quick Decision Matrix
Time-Critical Type Assessment
For rapid initial assessment during incident response:
Rapid Spread Indicators → Likely Worm:
- Multiple simultaneous infections
- Network-based propagation patterns
- Exploit-based initial access
Stealth Operation Indicators → Likely APT/Rootkit:
- Subtle system changes
- Long-term persistence evidence
- Advanced evasion techniques
Business Disruption Indicators → Likely Ransomware:
- File encryption activities
- Ransom demands or payment instructions
- Critical system unavailability
Data Collection Indicators → Likely Infostealer:
- Unusual data access patterns
- Credential harvesting activities
- Systematic information gathering
Social Engineering Indicators → Likely Trojan:
- User-initiated execution
- Masquerading as legitimate software
- Email or web-based delivery
This matrix provides rapid initial type assessment. Use it for quick decisions during time-pressured incidents, then refine understanding through detailed investigation and team collaboration.
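As an added example (not part of this reference), the following script encodes the interaction matrix and the Quick Decision Matrix above so that a facilitator can turn a list of observed indicators into a ranked type guess and a best-first list of defense types with their roll modifiers. It assumes the +3 / -2 modifiers shown in the per-type tables also apply to Phishing and Botnet, which have no detailed table on this page; the indicator strings are shortened forms of the matrix entries.

```python
# Added example, not part of the original reference: encodes the page's type
# interaction matrix and Quick Decision Matrix for rapid incident triage.
from collections import Counter

# Weaknesses/resistances from the matrix; Super Effective +3, Not Very Effective -2.
WEAK_TO = {"Trojan": "Detection", "Worm": "Isolation", "Ransomware": "Backup",
           "Rootkit": "Forensics", "APT": "Intelligence", "Phishing": "Training",
           "Botnet": "Coordination", "Infostealer": "Encryption"}
RESISTS = {"Trojan": "Training", "Worm": "Backup",
           "Ransomware": "Encryption", "Rootkit": "Detection"}
DEFENSES = ["Detection", "Isolation", "Backup", "Forensics",
            "Intelligence", "Training", "Coordination", "Encryption"]

# Quick Decision Matrix: each indicator group points at one or two types.
INDICATOR_GROUPS = [
    (("Worm",), ["multiple simultaneous infections", "network-based propagation",
                 "exploit-based initial access"]),
    (("APT", "Rootkit"), ["subtle system changes", "long-term persistence",
                          "advanced evasion techniques"]),
    (("Ransomware",), ["file encryption activity", "ransom demand",
                       "critical system unavailability"]),
    (("Infostealer",), ["unusual data access patterns", "credential harvesting",
                        "systematic information gathering"]),
    (("Trojan",), ["user-initiated execution", "masquerading as legitimate software",
                   "email or web-based delivery"]),
]
INDICATORS = {ind: types for types, inds in INDICATOR_GROUPS for ind in inds}

def modifier(malmon_type, defense):
    """Roll modifier for using `defense` against `malmon_type`."""
    if WEAK_TO.get(malmon_type) == defense:
        return 3
    if RESISTS.get(malmon_type) == defense:
        return -2
    return 0

def assess(observed):
    """Rank candidate types by how many observed indicators point at them;
    unrecognised strings are ignored, and ties keep first-seen order."""
    scores = Counter()
    for ind in observed:
        for t in INDICATORS.get(ind.lower().strip(), ()):
            scores[t] += 1
    return scores.most_common()

def plan(malmon_type):
    """Defense types best-first; the stable sort keeps table order among 'Normal'."""
    return sorted(DEFENSES, key=lambda d: -modifier(malmon_type, d))
```

A hybrid case such as the page's WannaCry entry scores Worm and Ransomware equally, which is the cue to refine the type through investigation rather than commit to one defense.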