Malware & Monsters

Large Group Session

Malware & Monsters

A Collaborative Cybersecurity Exercise

Malware & Monsters is an open-source incident response training framework. You learn by doing – investigating a simulated cyberattack as a team, making decisions under pressure, and discovering what works and what doesn’t.

There are no trick questions. There are no wrong answers.

There are decisions, consequences, and a debrief where the real learning happens.

Keep this brief – 30 seconds. Most players don’t need a long introduction to the framework. They need to know: this is collaborative, there are no gotchas, and the debrief is where we connect it to real life.

If anyone asks about the “Monsters” part: each scenario is based on a real malware family represented as a creature. The creature mechanics help facilitators calibrate difficulty and response patterns. Players don’t need to know this – it’s behind the scenes.

Large Group vs. Standard Play

Today’s session is a large group format – three teams, incident commanders, printed evidence cards, and a facilitator running the room.

M&M also has a standard format you can run yourselves:

• 4-6 players around a table with one person as Incident Master
• Dozens of scenarios at different difficulty levels – all free and open-source
• No facilitator needed – the Incident Master guide walks you through everything
• 60-90 minutes per session – fits in a lunch break or team meeting

Everything is at malwareandmonsters.com

This slide matters. The large group format is a one-off event. The real value is if teams continue playing standard M&M sessions on their own afterwards.

Emphasise: anyone in this room can run a standard session. You don’t need special training. Pick a scenario, read the IM guide, and play. The scenarios are designed so that the person running the game learns as much as the players.

Something Has Gone Wrong

You Have Been Called In

Your organisation is under attack.

You do not have the full picture yet.

Your job is to get it.

This is the atmosphere-setter. Pause here. Let the room quiet down. Don’t rush.

Do NOT name the malmon or explain the scenario yet – that comes in the scenario slides. This slide is just to signal: we are starting, stakes are real, pay attention.

Three Teams. One Incident.

How This Session Works

You have been divided into three specialist teams.

Each team receives different evidence.

No team has the complete picture. That is deliberate.

Your Incident Commander synthesizes across all three teams.

The key insight for players: information asymmetry is the mechanic, not a bug. Teams are supposed to have incomplete pictures. The synthesis moment is where the learning happens.

If anyone asks “why can’t we share cards?” – explain it here: the exercise simulates real IR where different functions see different slices of an incident.

Your Teams

Three Lenses on the Same Incident

ALPHA Forensics

What happened on the systems. Processes, artifacts, evidence.

BRAVO Network & Infrastructure

How it moved through the network. Connections, access, traffic.

CHARLIE Threat Intel & Recovery

Who is behind it and how to respond. Attribution, scope, recovery.

Each team’s lens is genuinely different – not a difficulty tier. Alpha is not “harder” than Charlie. They are different angles on the same incident.

Charlie’s label is scenario-dependent. For Winnti (Biotech R&D Espionage), Charlie is “Threat Intel & Recovery.” For other scenarios, it might be “Business Impact.” Mention this if the group asks about the label on their table sign.

The Incident Commander

One Person. One Job.

The IC does not join a team.

The IC listens to all three teams, connects the threads, and makes decisions when the teams disagree.

The IC is not expected to know more than the teams.

The IC is expected to integrate what the teams know.

Brief the IC privately before this slide if you have not already done so.

Key message for the room: do not put the IC under pressure to have all the answers. Their job is synthesis, not omniscience.

If the group chose an IC who leads incidents in real life, this is your moment to reframe: “In this exercise, your job is different. You are the listener and the synthesizer, not the technical lead.”

Some scenarios use two ICs with a mid-session handover. If this session uses two ICs, mention it here: “We have two ICs today. IC #1 manages the first half, IC #2 takes over mid-session. IC #2 – you will leave the room shortly and return for the handover.”

How a Round Works

The Same Pattern, Every Round

1. Open your envelope – each team gets new evidence cards
2. Analyse as a team – 8-12 minutes at your table
3. Team Lead briefs the IC – 60-90 seconds each, other teams listen
4. IC synthesizes – connects the threads, updates the whiteboard
5. Next round – new envelopes, deeper evidence

If your team reaches a dead end or wants to go deeper: ask the facilitator. You may get more information, a referral to another team, or confirmation that nothing further exists. Always worth asking.

Walk through these steps slowly. Most players will not have done this format before.

Key points:

• The envelope is sealed. Open it only when the round starts.
• Analysis happens at the table. The IC does not join the table.
• The Team Lead brief is short – 60-90 seconds. Not a presentation.
• The IC synthesizes across all three briefs before the next round starts.
• Read the “ask the facilitator” line explicitly. Without it, players will not know they can ask, and you will have no natural opening to release supplemental information mid-round.

The Rules

Five Things That Make This Work

1. Your evidence stays at your table. Do not show cards to other teams.
2. When analysis time ends, the briefing starts. No extensions.
3. Team Leads brief the IC. Not the other way round. The IC listens first.
4. The IC’s call is the call. Voice disagreement once, then commit.
5. You will not have all the answers. That is fine. Neither does anyone else.

Read these aloud, slowly, one at a time.

Rule 5 is the most important for managing anxiety – especially with senior participants who are not used to working with incomplete information.

If anyone pushes back on Rule 4 (“but what if the IC is wrong?”) – that is a debrief question. In real IR, someone has to call it. Let the exercise create that tension.

Dice

Player-Driven Action Resolution

When the IC proposes a containment action:

1. Which team owns this? The IC assigns it to a team.
2. How hard is it? The team assesses difficulty.
3. What could go wrong? The facilitator names the risk – then rolls.

Helps your roll: All teams briefed (+2) · Written rationale (+1) · All teams agreed (roll twice, take higher)

Hurts your roll: Time pressure (-2) · IC called before all teams briefed (-1)

Only show this slide if you are using dice. Skip it entirely if not.

The key shift: players propose containment actions rather than waiting for pre-scripted roll points. The IC says “I want to isolate the compromised server” – the facilitator asks which team owns it, the team assesses difficulty, and the facilitator rolls. This makes the players active drivers of the response rather than passengers.

One pass through the columns is enough – players do not need to memorise modifiers, the facilitator applies them during the session.

The Objective

By the end of this session, your three teams and your IC should be able to answer three questions:

What is happening?

How did it get here?

What do we do about it?

Not all teams will answer all three questions. The IC is responsible for the final synthesis.

Keep this abstract. Do not name the malmon, do not hint at the attack vector.

These three questions are the universal objectives for any IR investigation. The scenario content will make them specific. This slide is just framing the cognitive goal.

Check In With Your Team

• Who is your Team Lead?
• Does everyone know which team they are on?
• Has the IC been briefed?

You have 2 minutes.

The scenario begins when the envelopes are distributed.

This is a breathing space before you hand out envelopes and launch the scenario.

Use this time to:

• Confirm the IC has been pulled aside and briefed (if not already done)
• Make sure the whiteboard is labelled ALPHA / BRAVO / CHARLIE
• Confirm your own notes are ready

When you are ready: switch to the scenario-specific slides and begin.

Ready.

This is the handoff slide. Full brand blue background, minimal text.

After this slide, switch to the scenario-specific slide deck and deliver the opening hook.

Do not describe the scenario here. Let the scenario slides carry the opening narrative.