Cybersecurity Tabletop Scenarios
Some notes about this scenario pack: they are ambiguous for a reason, complexity is the enemy! When an impactful incident is discovered we never seem to have enough information to start anyway, so practice like you play. Low specificity also encourages the participants to deliver solutions for their every-day environments.
If you’re building your own scenario cards and you’re willing to share them with the world, I would love to include them!
-----
Users are complaining that the Internet is extremely slow. You discover that the addresses 2.16.224.53 and 23.57.160.143 are sending massive quantities of data at your primary Internet gateway.
The person next to you says, “hey, does this look weird to you?” and shows you something in Notepad. The first line of the text file reads, “your network has been penetrated,” the last line reads, “ryuk no system is safe”
You unexpectedly discovered that half of the computers in your company do not have functioning antivirus/antimalware/EDR. The application “culturesource.exe” is interfering with your attempts to repair all of them.
A senior executive in your company who is known to be lousy with computers, was using Google again. He walked over to your desk to show you a picture he took with his phone: it’s a picture of his laptop screen, showing what appears to be the company’s payroll database on Pastebin.
Mary is a brilliant accountant, and a personal friend of the CEO. She has been with the company for 20 years, is a top participant in every charity fundraiser, and is always enthusiastic on Cake Day! You’re cleaning up a file share that’s been messy for a while, and discover that Mary has also been performing accounting services on the side, for the local criminal biker gang responsible for several recent murders.
It’s Four O’Clock on a Sunday afternoon, you receive a phone call from the CEO – this is odd. She says she’s at the office and “can’t get an email to send”. You happen to be nearby so you pop into the office, and eventually discover your core routers are missing. Nothing else appears to be gone, just the routers responsible for all of your web traffic. A post-it is beside the empty hole, it simply says, “Jerk.”
Every computer in your business is suddenly exhibiting the same behaviour: every time anyone types your company name into a Microsoft product, autocorrect changes it to “Turd Ferguson”.
While reviewing internet logs, you discover that your financial database server is sending large quantities of data, in intermittent bursts, to 175.45.176.77.
You finally received the ability to push patches to all your mobile phones, hurray! After successful tests with a small group, you pushed updates to all corporate devices. Your phone starts ringing and six people are standing by your desk. Everyone is asking, “why is my phone all of a sudden warning me about some app called Pegasus?”
A group of 15 very enthusiastic co-workers returned this morning from an industry conference. They all received incredibly cute USB sticks as swag, branded with the conference sponsor’s logo and a penguin. Two people have already plugged them into their Windows computers – both systems displayed Chinese characters on the screen for about 5 seconds, before crashing and powering off.
While looking through your DHCP service, you discover some strange IP leases that you can’t recall seeing before. Investigating, you open one of the unexpected addresses in a web browser, and discover it is an IP camera located in the women’s washroom.
The CFO has been on vacation for two weeks, and has returned to work today. She was cleaning up some files, and noticed that her keyboard is now plugged into a separate device which in turn connects to the computer, instead of directly into the USB port like she remembers it.
It’s 4:15 PM on the Friday before a long weekend. Everyone is gone from the building except for you and a finance team member. She asks you to look at something: it’s printed evidence that the CFO is embezzling funds from the company.
While helping a coworker with a problem on his computer, you discover an Excel spreadsheet on his desktop containing 45 usernames and passwords to various websites, his personal bank, and your company’s applications.
You discovered that your sales team has been maintaining an Excel spreadsheet, containing various customer names, addresses, credit card numbers, and CVV numbers, for ten years.
You hear a cataclysmic crash in your building. You discover that a plane wheel has fallen from the sky, and landed in your server closet. Destruction is significant.
You just read on the news that your largest vendor has been arrested for computer-based fraud.
Every point-of-sale device in your company mysteriously powered off at the same time and won’t turn back on.
A recent Windows update is causing all of your computers to hit 100% CPU usage, including yours, and every Windows Server.
A water pipe has burst and is currently flowing over your server rack.
An exceptional amount of SMTP traffic is being generated on all of your company’s workstations and sending it out to the Internet.
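Three of the cards above (the two addresses flooding the gateway, the financial database server trickling data to 175.45.176.77, and every workstation suddenly speaking SMTP) are all answered by the same first move: pull the flow or firewall logs and aggregate them. The script below is an added example, not part of the scenario pack; the address plan, the sanctioned mail relay, and the flow records are all constructed for illustration.

```python
"""Flow-log triage for the gateway flood, the trickling database server, and the
workstations-speaking-SMTP cards. Added example code with constructed sample
data, not part of the scenario pack."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed address plan: RFC 1918 space plus a documentation range standing in
# for the company's public edge. 10.0.0.25 is the only host allowed to relay mail.
OUR_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
            ip_network("203.0.113.0/24")]
MAIL_RELAYS = {"10.0.0.25"}

# Constructed flow records: epoch seconds, src, dst, dst port, bytes sent.
SAMPLE_FLOWS = """\
1700000000 2.16.224.53 203.0.113.10 443 980000000
1700000005 23.57.160.143 203.0.113.10 443 870000000
1700000010 10.0.0.50 203.0.113.10 443 1200
1700000000 10.0.1.20 175.45.176.77 443 52000000
1700000900 10.0.1.20 175.45.176.77 443 48000000
1700001800 10.0.1.20 175.45.176.77 443 51000000
1700000000 10.0.2.33 198.51.100.7 25 4000
1700000001 10.0.2.34 198.51.100.8 25 4100
1700000002 10.0.0.25 198.51.100.9 25 9000
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_ours(ip):
    addr = ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def top_inbound_sources(flows, min_bytes=500_000_000):
    """External sources pushing at least min_bytes at our addresses (the flood card)."""
    by_src = defaultdict(int)
    for f in flows:
        if not is_ours(f["src"]) and is_ours(f["dst"]):
            by_src[f["src"]] += f["bytes"]
    return sorted(((s, b) for s, b in by_src.items() if b >= min_bytes),
                  key=lambda x: x[1], reverse=True)


def exfil_candidates(flows, min_flows=3, min_bytes=10_000_000):
    """Internal hosts repeatedly sending data to one external address (the database card).

    jitter is pstdev/mean of the gaps between flows; a value near 0 means the
    transfers run on a timer, which is what a scheduled exfil job looks like."""
    pairs = defaultdict(list)
    for f in flows:
        if is_ours(f["src"]) and not is_ours(f["dst"]):
            pairs[(f["src"], f["dst"])].append(f)
    found = {}
    for pair, group in pairs.items():
        total = sum(f["bytes"] for f in group)
        if len(group) < min_flows or total < min_bytes:
            continue
        times = sorted(f["ts"] for f in group)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        found[pair] = {"flows": len(group), "bytes": total, "mean_interval": avg,
                       "jitter": pstdev(gaps) / avg if avg else 0.0}
    return found


def rogue_smtp(flows, relays=MAIL_RELAYS):
    """Internal hosts other than the sanctioned relays talking to port 25 outside (the spam card)."""
    return {f["src"] for f in flows
            if f["dport"] == 25 and is_ours(f["src"]) and not is_ours(f["dst"])
            and f["src"] not in relays}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("inbound flood:", top_inbound_sources(flows))
    print("exfil:", exfil_candidates(flows))
    print("rogue smtp:", sorted(rogue_smtp(flows)))
```

The thresholds are deliberately crude; the value is in the grouping. Bytes-by-source tells you whom to ask upstream to drop, the per-pair interval and jitter tell you whether the database server is on someone's schedule, and the SMTP set is your list of workstations to isolate.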
You discover an unexpected 6” cube, plastic box, plugged into an open port in your main boardroom. There are no identifying marks, only an ethernet port, a power port, and an antenna.
You enter your server room, a very large and scary looking man wearing a balaclava, that you’ve never met before, is standing at an unlocked server console and is typing commands.
You decided to do some intel gathering on your external IP’s using Shodan.io and discover several systems connected to your network open to the Internet, with no passwords, including some security cameras and the heating system.
In your news feed this morning as you’re brushing your teeth: another data breach from some poor schmuck. It’s a dump of several usernames, passwords, financial data, etc. Oh wait: it’s your company’s data.
An unexpected WIFI network appears in your building: it’s your company name, but spelled almost imperceptibly different from what you know is legitimate. It has no security required to connect to it.
You just received the basic and obviously fake, “Hi it’s the CEO, I need you to facilitate an urgent wire transfer for me,” email in your mailbox. But something seems off, there’s no [External] tag on the email, and the return address is actually the CEO’s.
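The wire-transfer card turns on one question: if the From address really is the CEO's and the gateway did not tag it [External], did the message come through an internal path (a compromised mailbox or relay), or did it come from outside with the From header simply forged and the tagging rule bypassed? The raw headers answer that. Below is an added example, not part of the scenario pack, that reads the Return-Path, Reply-To, originating Received hop, and Authentication-Results of a message; the company domain, address ranges, and both sample messages are constructed assumptions.

```python
"""Header triage for the CEO wire-transfer card. Added example code with
constructed messages; domains and addresses are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OUR_DOMAIN = "example.com"                                              # assumed
OUR_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]     # assumed

# Constructed: From is the CEO's real address, everything else disagrees with it.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.20])
 by mx.example.com with ESMTPS id abc123
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Jane CEO" <jane.ceo@example.com>
Reply-To: <jane.ceo.urgent@mail.example.org>
To: <you@example.com>
Subject: Urgent wire transfer

Hi, I need you to facilitate an urgent wire transfer for me today.
"""

# Constructed: what a genuine internal message from the same sender looks like.
LEGIT_MESSAGE = """\
Return-Path: <jane.ceo@example.com>
Received: from mail.example.com (mail.example.com [10.0.0.25])
 by mx.example.com with ESMTPS id def456
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane CEO" <jane.ceo@example.com>
To: <you@example.com>
Subject: Lunch?

Free at noon?
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def origin_ip(msg):
    """IPv4 in the earliest Received header, i.e. the hop that handed us the mail."""
    for hop in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return m.group(1)
    return None


def spoof_indicators(raw, our_domain=OUR_DOMAIN):
    """List of reasons to distrust a message whose From claims to be ours."""
    msg = message_from_string(raw)
    findings = []
    if domain_of(msg.get("From")) == our_domain:
        rp = domain_of(msg.get("Return-Path"))
        if rp and rp != our_domain:
            findings.append(f"return-path domain {rp} != {our_domain}")
        rt = domain_of(msg.get("Reply-To"))
        if rt and rt != our_domain:
            findings.append(f"reply-to domain {rt} != {our_domain}")
        ip = origin_ip(msg)
        if ip and not any(ip_address(ip) in n for n in OUR_NETS):
            findings.append(f"originating hop {ip} is outside our networks")
    # Authentication-Results is stamped by our own MX, so it is the one header
    # the sender cannot forge for us; anything short of pass is a finding.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

If the spoofed pattern is what you find, the follow-up is why the gateway accepted a DMARC failure on your own domain and why the [External] rule did not fire; if instead the message authenticates cleanly from an internal hop, treat it as a compromised mailbox and move on to sign-in logs and mailbox rules.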
The receptionist calls you, she says that two uniformed Police Officers and some lady claiming to be from CSIS are at reception and have asked for you by name. The receptionist suggests that they don’t look happy, and that they muttered something about, “friggin’ hacker scum.”
It’s 11:00 AM, and the helpdesk phone lines have lit up like a Christmas tree. Everyone in the entire company is complaining that their monitor image has unexpectedly turned upside-down.
Every phone in your company is ringing. Every. Phone. When you pick up the handset, it still rings. When you try to dial the phone isn’t responding, it just rings. You tried unplugging it and plugging it back in, it just rings. Ring. Ring. Ring.
You receive a phone call from one of your largest customers, she is very angry that her company is receiving an incredible amount of “Male Enhancement” spam from your internet domain.
During a routine dance around your file structure, you discover 198 GB of movie, music, and pornography files. The file owner is your direct supervisor.