Debrief

Biotech R&D Espionage

The Game is Over.

The Learning Starts Now.

Let the room settle. Pause. Don’t rush into the first question.

Meet Your Adversary

The correct response type: Patient and preservation-first.

Preserve evidence before eradicating – rushing to wipe destroys the forensic artifacts that attribution depends on.

Winnti

Sinicus Furtivus Winntiius (Asia-Pacific 2011)

Backdoor / Nation-State

⭐⭐⭐

🔥 ABILITIES

🔥

Supply Chain Delivery

Distributes through legitimate software update mechanisms -- granting initial access without triggering endpoint defences

⚡

Signed Kernel Rootkit

Stolen code-signing certificates install a kernel-mode driver that survives reboots and bypasses antivirus (+3 persistence & evasion)

🔮

Passive Dormancy

Completely silent until activated by a specific magic packet -- evades behavioural detection indefinitely

💎 WEAKNESS

💎

Certificate Revocation

Revoking the stolen signing certificate invalidates the kernel driver's trust chain (-3 evasion)

This slide connects the scenario to the M&M malmon mechanics. Every scenario is built around a real malware family modelled as a creature. The “correct response type” concept comes from the type-effectiveness system.

In game terms: Certificate Revocation is Winnti’s weakness. The stolen signing certificate is what gives the kernel driver its +3 evasion advantage – the OS trusts it because the certificate says it should. Teams that preserved the memory image and handed the artifact to CFCS were directly triggering that weakness. Teams that wiped the infected host first destroyed the only thing that could activate it.

Passive Dormancy is why this was hard to catch: the backdoor sat completely silent until activated by a specific magic network packet. No behavioural alerts, nothing for EDR to flag. The game rewarded teams who didn’t treat silence as absence.

Winnti is a real APT group (APT41) with documented campaigns against life sciences companies – the scenario is not hypothetical.

Round by Round

“Let’s reconstruct what just happened – facts first, no analysis yet.”

• Round 1: What was your first indicator something was wrong?
• Round 2: What changed your understanding of the incident?
• Rounds 3–4: What drove your final response decisions?

Phase 1: Event Recall – 5 minutes. Keep this factual. “What happened?” not “What went wrong?” You’re building a shared timeline before any evaluation begins. Teams often have different versions of events – reconciling them is part of the learning.

Your Role’s Perspective

1 minute silent: What did you see that other teams missed?

Then round-robin – 30–60 seconds each:

• Alpha: What evidence was most and least useful?
• Bravo: What containment step did you want that never happened?
• Charlie: What external pressure affected the technical response?
• IC: Where did you have enough to decide – and where did you hesitate?

Phase 2: Role Reflection – 5 minutes. Enforce speak-once-before-twice: everyone shares once before anyone speaks a second time. Surface feelings here before the analytical work in Gap Analysis. Unacknowledged frustration or embarrassment blocks cognitive learning.

Could This Happen Here?

“Could this happen to your organisation? What would be different – and what would be the same?”

5 minutes. The reality check opener. Forces the room to connect the game to their own environment. If they say “very realistic” – the follow-up questions hit harder. If they say “not realistic” – probe why. The assumptions usually reveal blind spots about their own defences. Every subsequent question builds on their answer here.

Credential Revoked. Path Closed?

“The credential was revoked. Was the attack path closed? What second action was needed?”

5 minutes. The two-step close: credential revocation + exception closure. Teams that only revoked svc-rdbridge-admin left COLLBRIDGE-EXCL-003 open – the attacker had harvested other credentials. Ask: “Who completed both steps? Who only did one? What made the difference?” Actionable: review your own exception closure procedures.

What If CFCS Hadn’t Called?

“CFCS tipped you off. What if they hadn’t called? Would your own monitoring have caught this?”

5 minutes. Three independent DLP failures let ~7 GB walk out disguised as Microsoft Graph traffic. Service account exclusions, SNI allowlist, missing batch read detection. Ask: “How long before your own systems would have detected this? What would the attacker have achieved in that time?” The honest answer for most orgs is “we might not have caught it at all.” Actionable: evaluate your detection coverage against this specific attack profile.

Vendor Notification

“CaliSync’s build pipeline is still compromised. Other organisations are still receiving infected updates. When did you notify the vendor? Who owned that decision?”

5 minutes. If nobody raised vendor notification during the game, say so – that’s the finding. Other customers are receiving compromised updates while BioGenix focuses internally. Ask: “Who has the authority to make that call? What’s the notification threshold?” Actionable: define vendor notification ownership and thresholds.

Legacy Infrastructure

“HANSEN-SAP-01: 18 months overdue for decommission. No patches. No monitoring. Cloud access through a never-reviewed exception. How many systems like this exist in your organisation right now?”

5 minutes. The mirror question. Every organisation has decommission backlogs. Every organisation has exceptions that were supposed to be temporary. Ask: “What process would surface this before an attacker does?” Actionable: audit legacy systems, review exception governance, close orphaned ITSM tickets. This question should be uncomfortable. Let it be.

Bridge to Your World

“Everything we discussed happened in the game. Now make it real.”

• How does your organisation’s actual IR process compare to what we just practiced?
• Which gaps from this scenario exist in your real environment right now?
• If you had to brief your CISO on one insight from this session, what would it be?

Phase 4: Real-World Transfer – 5-7 minutes. Steer toward systemic gaps, not individual blame. “We should have isolated the machine sooner” is an outcome. “We don’t have a clear escalation trigger for when to isolate” is a process gap – and it’s transferable to real incidents.

Who Owns Fixing This?

After each question: “Who owns fixing this?”

Not “the security team.” Not “IT.” A name. A person. A date.

If this wasn’t asked after each of the previous questions, ask it now as a catch-all. The point is accountability – not blame, not delegation, but a named person who will follow up. If the room can’t name someone, that’s the finding.

Your Commitment

Write it down. 2 minutes.

• STOP – one thing you’ll stop doing
• START – one thing you’ll start doing
• CONTINUE – one thing that worked and you’ll keep

Then complete this sentence aloud: “When [situation], I will [specific action].”

Phase 5: Commitment – 5 minutes. Don’t let anyone skip the written step. Go around the room: one “when/if… then I will” sentence each. Research: written implementation intentions produce d = 0.65 effect on follow-through vs verbal-only. Write the START items on the whiteboard – that becomes the session’s visible output.

Thank you for playing.

malwareandmonsters.com

Keep this up while people debrief informally. Don’t rush to pack up – the informal conversations after the structured debrief are often where the most honest reflections happen.