Please use the form below to tell us about four IT incidents that might actually occur in your organization. Feel free to invent incidents or draw from previous experiences. We will use these scenarios during small group exercises. Samples are shown on the right.
Guidelines for writing the scenarios:
- Assume that each incident takes place in a virtual environment with a remote set of incident responders.
- Provide enough detail for the group to understand the situation, discuss possible steps toward resolution, and be able to report out about it.
- It is not necessary to include any after action information such as root cause identification or other post incident analysis.
Sample Security Scenario
Multi-institutional credential harvesting attack: At 8:10 am, multiple (approximately 200) Sky Mountain College end-users received 2 emails from Riverview College’s compromised accounts (2 in total) containing a link to Riverview College’s OneDrive, with a message saying that Sky Mountain’s President had shared a “College Evaluation Policy Document”. These emails bypassed the email filters (Microsoft Advanced Threat Protection) because they appeared to come from legitimate senders and passed SPF, DKIM, DMARC and other threat policy checks. At 8:17 am, a few internal end-users reported these emails as phishing. Meanwhile, multiple end-users (3 in total) opened the shared OneDrive document from Riverview College and clicked the link, which redirected them to a malicious website asking them to enter their credentials to verify themselves before reviewing the “College Evaluation Policy Document”. This led to multiple account compromises on Sky Mountain College’s infrastructure, which the attacker then hijacked to launch multiple internal and external phishing (credential harvesting) attacks. At 8:25 am, multiple internal Sky Mountain end-users received the same email from a compromised Sky Mountain account asking them to review a policy hosted on Sky Mountain’s OneDrive. Similarly, other peer institutions of Sky Mountain College received the same phishing emails from the compromised account on Sky Mountain’s tenancy.
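The security scenario above has a shape a responder can hunt for in mail logs: a burst of one subject arriving from an external domain, followed by an internal recipient of that burst sending the same lure onward. The Python below is an added example, not part of the form or its samples; the log layout, domain names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "skymountain.edu"  # assumed domain for the scenario's college

# Constructed sample mail-log entries (time, sender, recipient, subject) modelled on the
# scenario timeline: an external burst at 08:10, then one recipient re-sending at 08:25.
MAIL_LOG = [
    ("08:10", "staff1@riverview.edu", "u01@skymountain.edu", "College Evaluation Policy Document"),
    ("08:10", "staff1@riverview.edu", "u02@skymountain.edu", "College Evaluation Policy Document"),
    ("08:10", "staff2@riverview.edu", "u03@skymountain.edu", "College Evaluation Policy Document"),
    ("08:11", "staff2@riverview.edu", "u04@skymountain.edu", "College Evaluation Policy Document"),
    ("08:12", "vendor@example.com",   "u01@skymountain.edu", "Invoice 1234"),
    ("08:25", "u02@skymountain.edu",  "u05@skymountain.edu", "College Evaluation Policy Document"),
    ("08:25", "u02@skymountain.edu",  "u06@skymountain.edu", "College Evaluation Policy Document"),
    ("08:26", "u02@skymountain.edu",  "dean@peer.edu",       "College Evaluation Policy Document"),
]

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def detect_relayed_lure(log, internal_domain=INTERNAL_DOMAIN, min_recipients=3):
    """Return {subject: internal accounts that received the lure and later sent it on},
    only for subjects first delivered from outside to at least min_recipients users."""
    received_at = defaultdict(dict)    # subject -> {internal recipient: first time seen}
    sent_at = defaultdict(dict)        # subject -> {internal sender: first time seen}
    external_recips = defaultdict(set) # subject -> internal recipients of external copies
    for t, sender, rcpt, subject in log:
        ts = datetime.strptime(t, "%H:%M")
        if domain(sender) != internal_domain and domain(rcpt) == internal_domain:
            external_recips[subject].add(rcpt)
        if domain(rcpt) == internal_domain:
            received_at[subject].setdefault(rcpt, ts)
        if domain(sender) == internal_domain:
            sent_at[subject].setdefault(sender, ts)
    findings = {}
    for subject, recips in external_recips.items():
        if len(recips) < min_recipients:
            continue  # not a broad external wave, ignore
        # An account that received the lure and afterwards sent it is a compromise candidate.
        relayers = [acct for acct, t in sent_at[subject].items()
                    if acct in received_at[subject] and t > received_at[subject][acct]]
        if relayers:
            findings[subject] = sorted(relayers)
    return findings
```

The flagged accounts are the ones to treat as compromised first (reset credentials, revoke sessions), while the subject itself drives the purge of the remaining copies from mailboxes.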
Sample Operations Scenario
Unknown network issue: At 11:45 pm, monitoring tools reported that 7 hosts dropped from the pool. At 11:47 pm, the number of hosts dropped increased to 42. At 11:49 pm, the number of hosts dropped increased to 215. Hosts are dropping across all data centers, in all regions. ISP links are running at 95% utilization and users are reporting slow response times from websites and applications.