GaboonGrabber - RegionalBank Compliance Crisis

Banking Regulation Under Federal Examination Pressure

Malware & Monsters

2025-12-04

Welcome to Malware & Monsters!

What You’re About to Experience

You’re part of RegionalBank’s incident response team, racing against time during the most critical period of the year: federal banking examination preparation.

Your Mission

Investigate and contain a security incident while demonstrating security competence to federal regulators, protecting customer data under intense compliance pressure.

Quick Start for Incident Managers

New to facilitating Malware & Monsters? Start here:

IM Quick Start Guide - Everything you need to run this scenario in one concise document

The Hook

Tuesday Morning, 9:15 AM - Board Meeting Aftermath

Your CEO just finished the quarterly board meeting with one clear message: “The federal examination in 4 weeks must be perfect. Our regulatory standing depends on it.”

Within minutes of the meeting ending, your phone starts buzzing:

Initial Reports

  • Help Desk: “We’re getting multiple calls about computer slowdowns—started this morning but people say it began last night”
  • Compliance Department: “Everything’s running slow since we started the audit tool installations”
  • Branch Operations: “Customer service terminals are freezing during peak hours”
  • IT Director: “We approved several federal compliance audit tools yesterday to show security improvements for the examination”

Something is seriously wrong, and you’re now 27 days from the most important regulatory review of the year.

Organization Context

RegionalBank: Community Banking Under Federal Oversight

Organization Profile

  • Type: Community bank serving three-county region
  • Size: 350 employees across 12 branch locations
  • Operations: Personal banking, small business lending, mortgage services
  • Critical Services: 24/7 transaction processing, online banking, branch operations
  • Technology: Core banking system, customer database, compliance monitoring tools

Current Business Context

Federal Banking Examination in 4 Weeks:

  • Annual review by Office of the Comptroller of the Currency (OCC)
  • Determines regulatory standing and operational freedom
  • Board expects perfect examination outcome
  • Compliance department working overtime on preparation
  • Security controls will be heavily scrutinized

Why This Matters

You’re not just handling a security incident—you’re demonstrating security competence to federal regulators while protecting customer financial data and maintaining 24/7 transaction processing.

Your response becomes evidence of either effective security monitoring or regulatory deficiency.

Initial Symptoms

What You’re Seeing - Tuesday Morning

Performance Issues (Multiple Departments)

  • Severity: 25% performance degradation across workstations
  • Pattern: Started Monday evening, worsened overnight
  • Affected Systems: Compliance workstations, branch terminals, customer service stations
  • User Reports: “Computers slow since compliance audit tool installation”

Help Desk Reports

  1. Unfamiliar Software: Multiple staff mention new “ComplianceMonitor” and “AuditTool” programs
  2. Email Context: “Federal banking security audit” emails sent Monday evening
  3. Installation Timing: During compliance preparation overtime (5-8 PM Monday)
  4. User Behavior: Staff clicked readily—“supporting compliance efforts for examination”

Customer-Facing Impact

  • Branch Terminals: Occasional freezing during peak transaction hours
  • Online Banking: Minor performance degradation
  • Customer Complaints: Some delays in transaction processing
  • Business Risk: Service disruption during federal examination preparation

What IT Director Says

“We’ve been under intense pressure to demonstrate security improvements for the federal examination. When those ‘FFIEC compliance audit’ emails arrived Monday, I approved the installations quickly—we needed to show security responsiveness. But now I’m questioning that decision.”

NPCs: Your Key Contacts

People Who Need Your Help

Amanda Torres - Chief Compliance Officer

What They Care About: Perfect federal examination outcome, regulatory standing, demonstrating security improvements

Current State: Extremely anxious about examination timeline, demanding evidence of security competence

Helpful For: Banking regulations, examination process, compliance requirements, regulatory reporting obligations

Potential Barrier: May pressure for minimal incident reporting to avoid regulatory scrutiny

Robert Chen - IT Director

What They Care About: System reliability, security effectiveness, examination preparation support

Current State: Overwhelmed by compliance demands, regretting quick approval of “audit tools”

Helpful For: Technical investigation, system access, architecture details, approved software list

Potential Barrier: Defensive about Monday’s quick approval decisions

Maria Rodriguez - Branch Manager (Main Location)

What They Care About: Customer service quality, transaction processing continuity, staff productivity

Current State: Frustrated with security “requirements” affecting customer service, concerned about examination impacts

Helpful For: User behavior patterns, customer impact assessment, branch operations priorities

Potential Barrier: May resist response actions that disrupt customer service during examination prep

James Park - Federal Banking Examiner (OCC)

What They Care About: Regulatory compliance, customer data protection, security control effectiveness

Current State: Scheduled to arrive in 3 weeks for intensive examination, expects comprehensive security documentation

Helpful For: Regulatory expectations, breach notification requirements, examination standards

Potential Barrier: Represents regulatory authority—your response will be evaluated as evidence of security program effectiveness

NPC Hidden Agendas

Character Secrets & Development Arcs

Amanda Torres - Chief Compliance Officer

Hidden Agenda: Believes her job depends on perfect examination—will consider suppressing incident to avoid regulatory deficiency findings

Secret Fear: That security incident will be interpreted as compliance program failure

Character Arc:

  • Initial: “We cannot report anything that jeopardizes the examination”
  • Mid-Game: Realizes effective response demonstrates security competence
  • Resolution: Understands transparency strengthens regulatory relationship

Roleplay Notes: Starts defensive and examination-focused, gradually recognizes incident response as opportunity to demonstrate security program effectiveness

Robert Chen - IT Director

Hidden Agenda: Approved “audit tools” without proper vetting to demonstrate compliance responsiveness—now fears professional consequences

Secret Doubt: Questioning whether compliance pressure caused him to compromise security judgment

Character Arc:

  • Initial: Defensive about Monday decisions, focuses on examination pressure as justification
  • Mid-Game: Provides technical cooperation, shares approval timeline honestly
  • Resolution: Learns to balance compliance urgency with security rigor

Roleplay Notes: Transforms from defensive to collaborative as team demonstrates focus on solution rather than blame

Maria Rodriguez - Branch Manager

Hidden Agenda: Clicked on “audit” emails to demonstrate compliance cooperation—didn’t verify legitimacy because federal examination pressure made compliance seem urgent

Secret Worry: That her actions exposed customer data, threatening both customers and examination outcome

Character Arc:

  • Initial: Frustrated with security requirements, focused on customer service disruption
  • Mid-Game: Admits clicking on emails, helps identify affected systems
  • Resolution: Understands security and service as integrated rather than competing priorities

Roleplay Notes: Use her to explore how compliance pressure creates exploitable urgency that bypasses normal skepticism

James Park - Federal Banking Examiner

Hidden Agenda: Actually expects security incidents—evaluates how bank detects, responds, and reports them

Secret Perspective: Effective incident response demonstrates security program maturity more than incident-free claims

Character Arc:

  • Initial: Appears as external pressure/threat to team
  • Mid-Game: If team communicates transparently, provides regulatory perspective supporting thorough response
  • Resolution: Incident response becomes evidence of effective security monitoring

Roleplay Notes: Can become ally if team chooses regulatory transparency—use him to show that honest response strengthens rather than damages regulatory standing

The Complete Technical Picture

What’s Really Happening - GaboonGrabber Financial Attack

Attack Timeline

Monday, 5:30 PM: Phishing emails sent to 47 staff members with subject “URGENT: Federal Banking Security Audit - FFIEC Compliance Verification Required”

Monday, 5:45-8:15 PM: 23 staff members (including Amanda, Robert, Maria) clicked links and installed “ComplianceMonitor.exe” and “AuditTool.exe”

Monday, 8:30 PM: GaboonGrabber established persistence, began credential harvesting

Tuesday, 12:00 AM: Started process injection into banking software and compliance systems

Tuesday, 6:00 AM: Began systematic customer database reconnaissance

Tuesday, 9:00 AM (Current): 25% performance degradation visible, customer data being prepared for exfiltration

Technical Mechanisms

Initial Access:

  • Phishing Vector: Spoofed domain “FFIEC-compliance.gov” (legitimate: FFIEC.gov)
  • Social Engineering: Exploited federal examination pressure and compliance urgency
  • Payload Delivery: Fake “audit tools” with legitimate-looking security software UI
  • User Behavior: Staff clicked readily during compliance preparation overtime

Persistence & Execution:

  • Registry modifications for auto-start
  • Process injection into “CoreBankingSystem.exe” and “ComplianceManager.exe”
  • DLL sideloading for stealth operation
  • Behavioral camouflage as legitimate compliance monitoring

Credential Harvesting:

  • Keylogging targeting banking system credentials
  • Memory scraping of password manager contents
  • Session token interception from customer database access
  • Compliance portal credential theft

Data Access:

  • Target: Customer financial database (account numbers, SSNs, addresses, transaction history)
  • Method: Legitimate credential use post-harvest, avoiding direct database attack detection
  • Status: 15% of customer records accessed (approximately 2,100 customers)
  • Staging: Data compressed and encrypted in hidden directory, ready for exfiltration

Current Threat Status

Immediate Danger: Multi-Payload Deployment threshold approaching (24 hours post-initial infection = Tuesday 8:30 PM)

Data at Risk: Complete customer financial database, banking credentials, compliance documentation

Regulatory Implications: GLBA breach notification required if customer financial information compromised

Attack Objective: Financial data theft for fraud and identity theft operations

Investigation Progress Tracking

Session Worksheet - Mark Progress as Team Discovers

Round 1: Discovery Phase

Malmon Identification:

Initial Containment Actions:

Key Discovery: Federal examination pressure created exploitable compliance urgency

Round 2: Investigation Phase

Scope Assessment:

Stakeholder Management:

Critical Decision Point: Team must choose between delaying the examination, proceeding with the examination under enhanced monitoring, or an inadequate response that risks regulatory and customer damage

Round 3: Response Phase

Remediation Actions Chosen:

Response Effectiveness:

Outcome Assessment:

Debrief Discussion Points

Technical Learning:

  • How did compliance pressure create security vulnerability?
  • Why was behavioral analysis more effective than signatures?
  • What GLBA requirements apply to customer financial data breaches?

Collaboration Insights:

  • How did team balance compliance urgency with security rigor?
  • What communication strategies worked for regulatory transparency?
  • How did team integrate customer protection with business continuity?

Reflection Questions:

  • “How does regulatory pressure change security decision-making?”
  • “What would you design differently in compliance-security integration?”
  • “How can incident response strengthen rather than damage regulatory standing?”

Type Effectiveness Matrix

GaboonGrabber (Trojan/Stealth) - Response Effectiveness

Highly Effective (+3 Bonus)

Behavioral Analysis:

  • Detects process injection patterns
  • Identifies unusual banking software behavior
  • Reveals credential harvesting activity
  • Why Effective: GaboonGrabber’s stealth requires runtime behavioral detection

Memory Forensics:

  • Discovers in-memory credential storage
  • Identifies injected DLL modules
  • Reveals data staging locations
  • Why Effective: Trojan persistence visible in memory artifacts

Moderately Effective (+2 Bonus)

Network Traffic Analysis:

  • Identifies unusual customer database queries
  • Detects exfiltration preparation traffic
  • Reveals command-and-control patterns
  • Why Effective: Data theft creates detectable network anomalies

Somewhat Effective (+1 Bonus)

Network Segmentation:

  • Limits lateral movement potential
  • Contains customer database access
  • Protects uninfected branches
  • Why Effective: Reduces attack surface but doesn’t remove existing infection

Compliance Culture Change (Long-term):

  • Integrates security judgment with compliance urgency
  • Builds regulatory transparency practices
  • Establishes verification protocols for “urgent compliance” requests
  • Why Effective: Addresses root vulnerability but doesn’t solve current incident

Neutral Effectiveness (No Bonus)

System Restoration:

  • Removes infection but doesn’t address root cause
  • Requires significant downtime during examination prep
  • May lose forensic evidence needed for regulatory reporting
  • Why Neutral: Effective removal but significant operational cost

Ineffective (-1 or -2 Penalty)

Signature-Based Detection (-2):

  • GaboonGrabber uses polymorphic techniques
  • Custom banking software targeting evades generic signatures
  • Legitimate credential use post-harvest appears as normal activity
  • Why Ineffective: Trojan specifically designed to evade signature detection

Simple Firewall Rules (-1):

  • Attack uses legitimate protocols and credentials
  • Banking software requires broad network access for operations
  • Restricting traffic disrupts customer transaction processing
  • Why Ineffective: Cannot distinguish malicious from legitimate banking activity

Facilitator Notes

If team is stuck:

  • Amanda can provide compliance timeline creating urgency
  • Robert can share details of Monday “audit tool” approvals
  • Maria can describe staff behavior during compliance overtime
  • James Park can clarify regulatory expectations for incident response

If team rushes to conclusions:

  • Emphasize customer data protection requirements
  • Highlight 24/7 transaction processing needs
  • Introduce Board pressure about examination outcome
  • Present GLBA breach notification thresholds

Common mistakes to address:

  • Focusing only on malware removal without addressing compliance pressure vulnerability
  • Delaying everything until post-examination (customer data at risk)
  • Minimizing breach to avoid regulatory reporting (GLBA violations compound problem)
  • Ignoring regulatory transparency as relationship-building opportunity

Round 1: Discovery Phase

Investigation & Initial Findings

Starting Information

What Team Knows:

  • 25% performance degradation since Monday evening
  • “Federal banking security audit” emails sent Monday
  • Multiple “audit tools” installed by staff during compliance overtime
  • Federal examination in 4 weeks creating intense pressure
  • Help desk reports of unfamiliar “ComplianceMonitor” and “AuditTool” programs

Available Actions:

  • Interview affected staff (Amanda, Robert, Maria)
  • Analyze suspicious emails and attached files
  • Investigate installed “audit tools” behavior
  • Review system logs and network traffic
  • Research FFIEC compliance requirements (to identify spoofing)

Investigation Challenges

Email Analysis (DC 12):

  • Success: Identify spoofed domain “FFIEC-compliance.gov” vs legitimate “FFIEC.gov”
  • Critical Success: Discover email metadata showing external origin, analyze social engineering techniques

Behavioral Analysis (DC 10):

  • Success: Detect process injection into banking software
  • Critical Success: Identify credential harvesting activity, discover data staging directories

Network Traffic Analysis (DC 15):

  • Success: Identify unusual customer database queries
  • Critical Success: Discover exfiltration preparation traffic, map affected systems
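As an added defender-side example (not part of the scenario or its author's materials), the Python below reproduces the first two investigation checks over constructed data: flagging sender domains that merely resemble FFIEC.gov, and flagging process events in which a binary outside the approved-software list touches CoreBankingSystem.exe or ComplianceManager.exe or writes an autostart Run key. The approved-software list, host names, e-mail addresses and event format are assumptions made for the example.

```python
"""Triage helpers mirroring the Round 1 Email Analysis and Behavioral Analysis checks.

Added example: the e-mails, process events and approved-software list below are
constructed for illustration and are not from the scenario itself.
"""

LEGITIMATE_DOMAIN = "ffiec.gov"

# Assumption (constructed): the IT Director's approved-software list, and the
# banking processes that nothing outside that list should be touching.
APPROVED_SOFTWARE = {"corebankingsystem.exe", "compliancemanager.exe",
                     "outlook.exe", "explorer.exe"}
PROTECTED_PROCESSES = {"corebankingsystem.exe", "compliancemanager.exe"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_domain(domain: str, legit: str = LEGITIMATE_DOMAIN) -> str:
    """Classify a sender domain relative to the legitimate regulator domain.

    'legitimate': exactly the regulator domain or one of its subdomains
    'lookalike' : a different registrable domain that reuses the regulator's
                  name, e.g. FFIEC-compliance.gov in this scenario
    'other'     : unrelated domain; not evidence of anything on its own
    """
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"
    brand = legit.split(".")[0]  # "ffiec"
    return "lookalike" if brand in domain else "other"


def triage_emails(emails):
    """Return (sender, subject) for messages whose sender only looks like FFIEC."""
    return [(m["from"], m["subject"]) for m in emails
            if classify_domain(sender_domain(m["from"])) == "lookalike"]


def triage_process_events(events):
    """Flag unapproved binaries that access protected banking processes
    (process injection pattern) or write an autostart Run key (persistence)."""
    findings = []
    for ev in events:
        image = ev["source_image"].rsplit("\\", 1)[-1].lower()
        if image in APPROVED_SOFTWARE:
            continue
        target = ev["target"].lower()
        if ev["action"] == "process_access" and target in PROTECTED_PROCESSES:
            findings.append((ev["host"], image, "accessed " + ev["target"]))
        elif ev["action"] == "registry_set" and "\\currentversion\\run" in target:
            findings.append((ev["host"], image, "wrote autostart Run key"))
    return findings


# Constructed sample data (addresses and hosts are placeholders)
SAMPLE_EMAILS = [
    {"from": "audit@FFIEC-compliance.gov",
     "subject": "URGENT: Federal Banking Security Audit - FFIEC Compliance Verification Required"},
    {"from": "noreply@ffiec.gov", "subject": "Quarterly bulletin"},
    {"from": "helpdesk@regionalbank.example", "subject": "Ticket #1042 update"},
]

SAMPLE_EVENTS = [
    {"host": "WS-COMPL-07", "action": "process_access", "target": "CoreBankingSystem.exe",
     "source_image": r"C:\Users\mrodriguez\AppData\Local\Temp\ComplianceMonitor.exe"},
    {"host": "WS-COMPL-07", "action": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ComplianceMonitor",
     "source_image": r"C:\Users\mrodriguez\AppData\Local\Temp\ComplianceMonitor.exe"},
    {"host": "WS-BRANCH-03", "action": "process_access", "target": "CoreBankingSystem.exe",
     "source_image": r"C:\Program Files\RegionalBank\ComplianceManager.exe"},
    {"host": "WS-BRANCH-03", "action": "process_access", "target": "notepad.exe",
     "source_image": r"C:\Users\jsmith\Downloads\AuditTool.exe"},
]

if __name__ == "__main__":
    for sender, subject in triage_emails(SAMPLE_EMAILS):
        print(f"LOOKALIKE SENDER {sender}: {subject}")
    for host, image, what in triage_process_events(SAMPLE_EVENTS):
        print(f"{host}: unapproved {image} {what}")
```

The approved ComplianceManager.exe touching CoreBankingSystem.exe is deliberately left unflagged, which is why the approved-software list has to be trustworthy before this check means anything.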

Key Discovery Moments

The Compliance Pressure Pattern:

When team investigates Monday timeline:

“The Board meeting Monday morning emphasized perfect examination outcome. By Monday evening, 23 staff members were working compliance preparation overtime when the ‘federal audit’ emails arrived. Everyone clicked—compliance seemed urgent, and the sender appeared to be FFIEC.”

The Technical Sophistication:

When team analyzes “audit tools”:

“ComplianceMonitor.exe and AuditTool.exe display legitimate-looking security software interfaces—but process monitoring reveals they’re injecting code into CoreBankingSystem.exe and harvesting credentials from memory.”

The Malmon Identity:

When team pieces together behavioral signatures:

“This is GaboonGrabber—a Trojan/Stealth malmon that exploits organizational pressure to gain initial access, then operates with extreme stealth using process injection and legitimate credential theft.”

Round 1 Conclusion

What Team Should Discover:

  1. Attack Vector: Phishing exploiting federal examination pressure
  2. Malmon Identity: GaboonGrabber (Trojan/Stealth)
  3. Initial Access: 23 infected workstations from Monday evening
  4. Current Activity: Credential harvesting and customer database reconnaissance
  5. Urgency: 24-hour threshold approaching for Multi-Payload Deployment

Stakeholder Reactions:

  • Amanda (Compliance Officer): Panicking about examination implications—“We cannot report a data breach 4 weeks before federal examination!”
  • Robert (IT Director): Providing technical cooperation, admits pressure influenced Monday decisions
  • Maria (Branch Manager): Concerned about customer service disruption from response actions
  • James Park (Examiner): Calls to confirm examination schedule (team can use this to gauge regulatory transparency approach)

Transition to Round 2:

“You’ve identified GaboonGrabber and understand the initial infection scope—but as you dig deeper into customer database logs, you discover something alarming: 2,100 customer financial records have been accessed. The question now isn’t just ‘How do we remove this malware?’ but ‘How do we protect our customers, maintain regulatory compliance, and demonstrate security competence—all simultaneously?’”

Round 2: Investigation Phase

Scope Assessment & Critical Decisions

Expanded Investigation Findings

Customer Data Exposure Confirmed:

  • Scope: 15% of customer database accessed (approximately 2,100 customers)
  • Data Types: Account numbers, SSNs, addresses, transaction history, account balances
  • Access Method: Legitimate credentials post-harvest (avoiding direct database attack detection)
  • Current Status: Data staged in encrypted archive, exfiltration preparation underway

Regulatory Implications:

  • GLBA Requirements: Breach notification required for financial information compromise
  • Timeline: Must notify affected customers “as soon as possible”
  • OCC Expectations: Federal examiner expects transparent security incident reporting
  • Risk: Delayed notification compounds regulatory violations

Stakeholder Pressure Intensifies

Amanda Torres (Chief Compliance Officer):

“If we report a data breach now, the federal examiners will find a regulatory deficiency. That could impact our examination rating, restrict our operations, damage our reputation. Can’t we just fix this quietly and avoid the regulatory scrutiny?”

Present choice: Suppress incident vs transparent reporting

Robert Chen (IT Director):

“I can do surgical malware removal on each infected system—keeps banking operations running during examination prep. Or we can do complete system restoration, but that means 3-5 days of reduced capacity during our busiest preparation period.”

Present choice: Surgical removal vs complete restoration vs enhanced monitoring

Maria Rodriguez (Branch Manager):

“Customer service is already stressed with examination preparation. If we notify 2,100 customers about potential data exposure, we’ll be overwhelmed with calls and concerns. Can we delay notification until after the examination?”

Present choice: Immediate customer notification vs delayed notification vs minimal notification

James Park (Federal Examiner):

Calls to confirm examination schedule. If team engages transparently:

“Security incidents happen—what matters is how you detect, respond, and report them. Effective incident response actually demonstrates security program maturity. I’d rather see evidence of good monitoring and honest reporting than claims of being incident-free.”

Present opportunity: Regulatory transparency as relationship-building

The 24-Hour Threshold

Critical Timeline Update:

“It’s now Tuesday, 7:00 PM—approximately 24 hours since initial infection. Your behavioral analysis reveals secondary payload deployment beginning: GaboonGrabber is preparing to deploy ransomware that would encrypt customer transaction databases.”

Urgency Factors:

  • Secondary payload deployment started
  • Customer data exfiltration imminent
  • GLBA notification timeline running
  • Federal examination in 26 days
  • Board expecting examination preparation progress update tomorrow

Investigation Challenges

Memory Forensics (DC 15):

  • Success: Identify credential storage locations, discover staged data
  • Critical Success: Find complete customer record access logs, determine exact exposure scope

Regulatory Research (DC 12):

  • Success: Understand GLBA notification requirements
  • Critical Success: Discover that transparent incident response strengthens regulatory standing

Stakeholder Communication (DC 18):

  • Success: Gain Amanda’s cooperation for regulatory reporting
  • Critical Success: Position incident response as demonstration of security competence to James Park

Round 2 Conclusion

What Team Must Decide:

  1. Regulatory Reporting: Transparent vs suppressed vs delayed
  2. Customer Notification: Immediate vs delayed vs minimal
  3. Remediation Approach: Surgical vs complete vs enhanced monitoring
  4. Federal Examiner Communication: Transparent vs defensive vs delayed

The Central Tension:

Compliance pressure created the vulnerability—now that same pressure tempts team to suppress incident, compounding regulatory violations and customer risk.

Transition to Round 3:

“You have all the technical information you need. The question now is: What kind of security program do you want to demonstrate to federal regulators? One that suppresses incidents to maintain appearance of perfection? Or one that detects, responds effectively, and reports honestly?”

Round 3: Response Phase

Critical Response Decision

The Situation

Technical Status:

  • GaboonGrabber identified and located on 23 systems
  • 2,100 customer financial records compromised
  • Secondary payload (ransomware) deployment beginning
  • Data exfiltration preparation underway

Stakeholder Positions:

  • Amanda (Compliance): Wants incident suppression to protect examination outcome
  • Robert (IT): Recommends surgical removal to maintain operations
  • Maria (Branch Ops): Requests delayed customer notification to manage service load
  • James Park (Examiner): Expects transparent security incident reporting

Timeline Pressure:

  • Federal examination: 26 days
  • Multi-Payload Deployment: In progress
  • GLBA notification: Required “as soon as possible”
  • Board update: Expected tomorrow morning

Response Option Paths

Path A: Comprehensive Response with Regulatory Transparency

Actions:

  • Complete system restoration of all infected workstations
  • Immediate GLBA-compliant customer notification (all 2,100 customers)
  • Transparent reporting to James Park (OCC examiner)
  • Enhanced monitoring implementation
  • Credential rotation across all banking systems
  • Compliance culture assessment and improvement plan

Consequences:

  • 3-5 days reduced operational capacity during examination prep
  • Customer service load increase from notification responses
  • Federal examiner awareness of incident
  • Outcome: GaboonGrabber removed, customer protection prioritized, regulatory standing strengthened by demonstrated security competence

Type Effectiveness: Behavioral Analysis +3, Memory Forensics +3, Compliance Culture Change +1 (long-term)

DC Requirements: Technical remediation (DC 18), Stakeholder management (DC 20), Customer communication (DC 15)

Path B: Balanced Response with Enhanced Monitoring

Actions:

  • Surgical GaboonGrabber removal maintaining operational continuity
  • Immediate customer notification (GLBA compliance)
  • Proactive examiner briefing positioning incident as monitoring demonstration
  • Network segmentation implementation
  • Targeted credential rotation
  • 30-day enhanced monitoring period

Consequences:

  • Maintained operational capacity during examination prep
  • Customer notification managed but timely
  • Examiner sees effective detection and response
  • Outcome: GaboonGrabber contained, compliance maintained, examination proceeds with incident as evidence of security program effectiveness

Type Effectiveness: Behavioral Analysis +3, Network Traffic Analysis +2, Network Segmentation +1

DC Requirements: Technical remediation (DC 15), Stakeholder management (DC 18), Customer communication (DC 15)

Path C: Minimal Response with Incident Suppression

Actions:

  • Delayed remediation until post-examination
  • Minimal customer notification (“potential security event”)
  • No examiner reporting
  • Basic malware removal without comprehensive investigation
  • Continued operations as normal

Consequences:

  • Ransomware deployment proceeds (customer transaction database encryption)
  • GLBA violation for delayed notification (federal penalties)
  • Customer fraud cases emerge from stolen financial data
  • Federal examiner discovers suppressed incident during examination (regulatory deficiency finding)
  • Outcome: Catastrophic failure—customer damage, regulatory violations, examination failure, potential bank closure

Type Effectiveness: Signature Detection -2, Simple Firewall -1 (ineffective approaches)

DC Requirements: All DCs increased by +5 due to compounded problems

Response Execution Challenges

Technical Remediation (DC varies by path):

  • Success: GaboonGrabber removed from infected systems
  • Failure: Secondary payload deploys, ransomware encrypts customer transaction database

Customer Notification (DC 15):

  • Success: Clear communication builds customer trust despite breach
  • Failure: Poor communication creates panic, reputation damage

Regulatory Management (DC 20 for transparency, DC 25 for suppression):

  • Success (Transparency): Examiner views incident response as security program strength
  • Success (Suppression): Temporary examination delay, but eventual discovery guaranteed
  • Failure: Examiner discovers suppression, regulatory deficiency finding

Outcome Determination

Victory Conditions Met:

  1. GaboonGrabber completely removed
  2. Customer financial data protected (no ongoing theft)
  3. GLBA compliance maintained
  4. Federal examination demonstrates security competence

Partial Success:

  • Malware removed but customer notification delayed (GLBA violation)
  • Compliance maintained but operational disruption excessive
  • Incident contained but examination relationship damaged

Failure:

  • Ransomware deployment succeeds
  • Customer data theft continues
  • Regulatory violations compound
  • Examination discovers suppressed incident

Round 3 Conclusion

Success Narrative Example (Path A or B):

“By Wednesday morning, your team has removed GaboonGrabber from all infected systems, notified affected customers with clear guidance, and briefed James Park on your detection and response. When he arrives for the examination in 3 weeks, your incident response documentation becomes the centerpiece of demonstrating security program effectiveness.

“Amanda learns that regulatory transparency strengthens rather than damages relationships. Robert implements verification protocols for ‘urgent compliance’ requests. Maria integrates security and service as unified customer protection.

“The federal examination finds RegionalBank has a mature security program that detects incidents, responds effectively, and reports honestly—exactly what banking regulators expect.”

Failure Narrative Example (Path C):

“By Wednesday evening, the ransomware payload encrypts your customer transaction database. By Thursday, customer fraud cases emerge from the stolen financial data. By Friday, James Park’s pre-examination inquiry discovers the suppressed incident.

“The OCC examination becomes a regulatory deficiency investigation. RegionalBank faces federal penalties for GLBA violations, customer lawsuits for negligent data protection, and Board crisis management about potential operational restrictions.

“Compliance pressure created the vulnerability—and the same pressure led to suppression that compounded every problem.”

Debrief Framework

Learning Consolidation & Reflection

Technical Debrief

What Just Happened (Technical Summary):

  1. Attack Vector: Phishing exploiting federal examination compliance pressure
  2. Malmon Behavior: GaboonGrabber used process injection, credential harvesting, and stealth operation
  3. Data Exposure: 15% customer database accessed via legitimate credentials post-harvest
  4. Detection Method: Behavioral analysis revealed process anomalies that signature-based detection missed
  5. Response Challenge: Balancing thorough remediation with operational continuity during examination prep

Type Effectiveness Review:

  • Why Behavioral Analysis +3? GaboonGrabber’s stealth requires runtime detection
  • Why Memory Forensics +3? Credential storage and injection visible in memory
  • Why Signatures -2? Polymorphic techniques and legitimate credential use evade signatures

Technical Learning Question:

“How would you design banking security that maintains both compliance responsiveness and security rigor without creating exploitable pressure windows?”

Collaboration Debrief

Stakeholder Management Review:

  • Amanda (Compliance Officer): How did compliance pressure create vulnerability? What changed her perspective on regulatory transparency?
  • Robert (IT Director): What role did examination urgency play in Monday’s quick approvals? How can compliance and security integrate better?
  • Maria (Branch Manager): How did team balance customer service continuity with security response needs?
  • James Park (Examiner): What did team learn about regulatory expectations for incident response?

Communication Strategies:

  • What worked for gaining Amanda’s cooperation despite examination anxiety?
  • How did team position incident response as demonstration of security competence?
  • What customer communication approaches built trust despite data breach?

Collaboration Learning Question:

“How does organizational pressure (compliance, business, regulatory) change security decision-making? What structures would help teams resist pressure to suppress incidents?”

Reflection & Real-World Connection

Scenario Themes:

  1. Compliance Pressure Exploitation: How regulatory urgency creates exploitable vulnerability
  2. Transparency as Strength: How honest incident response strengthens regulatory standing
  3. Integrated Security: How customer protection, compliance, and business continuity serve unified mission

Personal Reflection Questions:

  • “What would you do differently if facing similar pressure in your organization?”
  • “How can compliance and security support rather than conflict with each other?”
  • “What surprised you about regulatory expectations for incident response?”

Real-World Context:

  • Financial sector faces intense regulatory oversight (OCC, FDIC, FFIEC, GLBA)
  • Compliance pressure can create security vulnerabilities when urgency overrides judgment
  • Effective incident response demonstrates security program maturity to regulators
  • Customer protection and regulatory compliance serve integrated mission in banking

Facilitator Self-Reflection

Session Assessment:

  • Pacing: Did investigation flow naturally or feel rushed/dragged?
  • NPC Development: Did characters evolve believably from initial to resolution positions?
  • Challenge Balance: Were DCs appropriate for team experience level?
  • Learning Moments: What technical/collaboration insights emerged organically?

Adaptation Notes for Next Time:

  • Easier: Extend examination timeline, reduce customer data exposure, simplify GLBA requirements
  • Harder: Add actual customer fraud cases, include media investigation, expand to multiple bank departments
  • Industry variations: Healthcare (HIPAA audit), education (accreditation), government (agency oversight)

Victory Celebration

If Team Succeeded:

Acknowledge specific excellent decisions:

  • “Your choice to use behavioral analysis instead of just signatures was exactly right—that’s what caught GaboonGrabber’s stealth operation.”
  • “Positioning the incident response as demonstration of security competence to James Park was strategically brilliant.”
  • “Balancing thorough remediation with operational continuity showed real understanding of banking context.”

What This Victory Means:

“You protected 2,100 customers from financial fraud, maintained regulatory compliance under intense pressure, and demonstrated that security programs strengthen through honest incident response. RegionalBank’s federal examination will showcase effective security monitoring—not because incidents don’t happen, but because you detect and respond to them professionally.”

Continue Your Learning

Thank You for Playing!

Continue the Adventure

Share Your Experience

  • Feedback: How did this scenario work for your team? Share with us
  • Customization: Adapted this scenario for your context? We’d love to hear about it!

Explore More Scenarios

  • GaboonGrabber Healthcare: Medical implementation pressure and HIPAA compliance
  • GaboonGrabber Education: Student data protection and FERPA requirements
  • FakeBat Small Business: Resource constraints and operational pressure

Keep Learning

May your incidents be learning opportunities and your responses demonstrate competence!