NeuralGuard - Chrome & Shadows

30 Apr 2025 - joe

NeuralGuard: Chrome & Shadows

A Cyberpunk-Themed Cybersecurity Tabletop Exercise

Exercise Overview

Title: NeuralGuard: Chrome & Shadows
Duration: 4 hours (recommended)
Target Audience: NetRunners, ICE Specialists, Security Riggers, Corporate Executives
Difficulty: Street to Corporate-level
Objective: Test the corporation’s ability to detect, counter, and neutralize a sophisticated netrunning crew attempting a multi-vector intrusion into your secured systems and those of your corporate clients.

Learning Objectives

1. Evaluate team coordination during complex digital intrusions
2. Test technical countermeasure capabilities across different attack vectors
3. Assess communication protocols both internally and with corporate clients
4. Practice decision-making under pressure with limited data
5. Identify gaps in current security protocols and ICE defense systems

Exercise Structure

Preparation Phase (2 weeks prior)

1. Fixer Selection: Appoint 1-2 individuals to orchestrate the exercise
2. Runner Selection: Identify key operatives from various security divisions
3. Resource Preparation: Ready the necessary documentation, secure comms, and simulated VR environments
4. Pre-Exercise Briefing: Jack in for a short session explaining exercise parameters and expectations

Exercise Roles

1. Fixer: Controls exercise flow, introduces data spikes, evaluates responses
2. NetRunners: System analysts responsible for monitoring the net
3. ICE Specialists: Digital countermeasure experts who respond to intrusions
4. Security Riggers: Engineers who maintain and upgrade security infrastructure
5. Corporate Executives: Decision-makers who balance security with profit margins
6. Observers: Record actions, decisions, and potential improvements
7. Client Corpo Representatives: (Optional) Add realism to client communications

Exercise Materials

Required Data Shards

1. Digital intrusion response protocols
2. Secure communication templates
3. Client corporation contact database
4. Escalation procedures
5. Technical documentation of systems and ICE architecture
6. Exercise evaluation metrics

Technical Setup (Optional)

1. Isolated VR environment for simulated forensic deep dives
2. Encrypted comm channels (separate from production networks)
3. Digital countdown display
4. Collaborative AR workspaces

Scenario Background

NeuralGuard Industries is a cutting-edge security corporation providing network monitoring and intrusion response services to over 50 megacorporations across Night City and beyond. Among their prime clients are:

• ArasaCorp Financial (banking and cryptocurrency)
• MediTech Systems (cybernetic implants and healthcare)
• Petrochem Grid (energy infrastructure)
• Netronics Enterprises (digital infrastructure and AI)

NeuralGuard utilizes a state-of-the-art Neural Operations Center (NOC) that aggregates datastreams and alerts from client environments, with a centralized holographic interface for monitoring and response.

Exercise Narrative

A notorious netrunning crew known as “Phantom Collective” has identified NeuralGuard as the perfect target for a corporate infiltration job. Their objective is to compromise NeuralGuard’s infrastructure to gain access to high-value corporate clients. The attack will unfold in multiple stages over the course of the exercise, combining both digital intrusion and social engineering tactics.

Exercise Timeline and Data Spikes

Phase 1: Initial Breach (0:00-1:00)

Setting the Scene (0:00-0:10)

• Fixer introduces the scenario as a standard night shift at NeuralGuard NOC
• Teams are at their stations performing routine network monitoring

Data Spike 1 (0:10): Unauthorized Neural Link Detection

• A NOC alert shows an unusual successful authentication to the security platform from an unregistered neural link
• The credentials belong to a junior netrunner who is currently on leave after a cybernetic upgrade
• The login occurred during the graveyard shift when security protocols are at minimal levels

Expected Actions:

• Investigate the neural alert
• Check netrunner’s status via secure comms
• Review login source and trace the neural signature
• Begin documenting the incident in the corporate database

Data Spike 2 (0:30): Discovery of Suspicious Network Activity

• The compromised account has been spotted running unusual queries in the security platform
• Queries focused on gathering information about corporate connections, particularly for ArasaCorp and Petrochem
• Several attempts to escalate user privileges were detected by passive ICE

Expected Actions:

• Escalate the incident to senior team members
• Consider isolating potentially affected subsystems
• Begin preparing initial corporate client communication if necessary
• Start assembling a rapid response team

Data Spike 3 (0:45): Data Siphon Detection

• An advanced ICE system identifies a potential data extraction daemon installed on an internal system
• The daemon appears to have been injected using the compromised credentials
• Initial evidence suggests sensitive data about client network architectures may have been accessed

Expected Actions:

• Activate formal intrusion response procedures
• Assign roles and responsibilities to team members
• Begin deeper digital forensic investigation
• Consider whether to notify client corporations at this stage

Phase 2: Escalation (1:00-2:00)

Data Spike 4 (1:00): Corporate Alert - ArasaCorp

• ArasaCorp security division calls reporting suspicious activities in their environment
• They’ve detected scanning routines coming from an IP address associated with NeuralGuard’s management infrastructure
• The scanning appears to be targeting their cryptocurrency transaction processing systems

Expected Actions:

• Acknowledge the potential connection to the earlier compromise
• Collaborate with the client’s security team
• Investigate potential pivot from NeuralGuard systems to client network
• Update incident documentation and escalate internally

Data Spike 5 (1:20): Black ICE Detection

• Analysis of the compromised system reveals a sophisticated, previously unseen black ICE variant
• The malware provides persistent access and has anti-forensic routines
• Evidence shows the black ICE has been present for approximately 30 days, slowly mapping the network

Expected Actions:

• Perform detailed code analysis
• Begin investigating patient zero and initial infection vector
• Consider implications for other systems and corporate clients
• Update incident response team and executive level

Data Spike 6 (1:40): Trace Elimination

• The intruders begin wiping logs and evidence from compromised systems
• Attempts to modify monitoring rules to avoid future detection are observed
• A corporate data-bomb is discovered but not yet detonated

Expected Actions:

• Take steps to preserve evidence before it’s destroyed
• Implement additional monitoring to track intruder movements
• Consider system isolation measures
• Update risk assessment based on data-bomb discovery

Phase 3: Crisis Management (2:00-3:00)

Data Spike 7 (2:00): Critical Infrastructure Alert

• Petrochem reports unusual connection attempts to their grid control systems
• The attempts are coming from trusted NeuralGuard monitoring servers
• Petrochem has severed NeuralGuard’s access nodes as a precaution

Expected Actions:

• Acknowledge the severity of the situation
• Implement crisis communication procedures
• Coordinate with Petrochem’s security division
• Prepare for potential regulatory reporting requirements and corporate fallout

Data Spike 8 (2:20): Executive Involvement

• NeuralGuard’s CEO demands an immediate briefing on the situation
• Several other corporate clients have begun calling with concerns
• Media outlets and the NET have begun circulating rumors about a major security breach

Expected Actions:

• Prepare a concise executive summary
• Organize information for efficient decision-making
• Advise on potential corporate PR strategies
• Continue technical response activities

Data Spike 9 (2:40): Ransom Demand

• A holographic ransom message appears on several compromised systems
• The attackers claim to have exfiltrated client data and threaten to sell it on the black market
• They demand 2 million eurodollars in untraceable cryptocurrency within 48 hours

Expected Actions:

• Document the ransom demand
• Assess legitimacy of the attacker’s claims
• Discuss potential response options with leadership
• Consider law enforcement notification
• Prepare for potential data breach notifications to corporate clients

Phase 4: Resolution and Recovery (3:00-4:00)

Data Spike 10 (3:00): Intruder Tactics Identified

• Digital forensics reveals the complete attack path and techniques used
• Evidence points to the notorious Phantom Collective with suspected corporate backing
• A zero-day vulnerability in the NOC’s neural interface is identified as the initial entry point

Expected Actions:

• Document all findings for post-incident analysis
• Develop a comprehensive remediation plan
• Prioritize critical security gaps for immediate patching
• Prepare technical details for affected corporate clients

Data Spike 11 (3:20): Containment Decision Point

• The incident response team must decide on final containment actions
• Options include temporary shutdown of the NOC platform vs. aggressive monitoring
• Each option has different impacts on service delivery, corporate reputation, and recovery time

Expected Actions:

• Evaluate pros and cons of each option
• Make a decision based on risk assessment
• Communicate the decision and rationale to stakeholders
• Begin implementing the chosen approach

Data Spike 12 (3:40): Recovery Planning

• With the immediate threat contained, focus shifts to recovery
• Multiple corporate clients are demanding detailed incident reports
• Regulatory agencies and corporate lawyers are circling

Expected Actions:

• Develop a prioritized recovery sequence
• Create a communication plan for different stakeholders
• Prepare initial regulatory notifications
• Begin documenting lessons learned

Conclusion (3:50-4:00)

• Fixer declares the end of the exercise
• Brief initial feedback from participants
• Schedule a formal debrief session for the following day

Exercise Evaluation

Evaluation Metrics

1. Detection Effectiveness
   • Time to detect initial compromise
   • Ability to identify related security events
   • Thoroughness of investigation
2. Response Efficiency
   • Time from detection to initial response
   • Appropriateness of response actions
   • Resource allocation and utilization
3. Communication Effectiveness
   • Internal communication clarity and timeliness
   • Client communication appropriateness
   • Executive updates and escalations
4. Decision Quality
   • Risk assessment accuracy
   • Decision-making under pressure
   • Balance between security and business continuity

Immediate Post-Exercise Activities

1. Street Debrief (Immediately following exercise)
   • Quick round-table discussion of initial impressions
   • Identification of major strengths and weaknesses
   • Collection of immediate feedback
2. Formal Corporate Review (1-2 days after exercise)
   • Structured review of exercise timeline and decisions
   • Analysis of major decision points
   • Documentation of lessons learned
3. Improvement Planning (1-2 weeks after exercise)
   • Development of specific action items
   • Assignment of responsibilities for improvements
   • Timeline for implementing changes
4. Follow-up Run (3-6 months later)
   • Targeted scenario to test improvements
   • Focus on previously identified weaknesses
   • Validate effectiveness of changes

Fixer Guidelines

Pre-Exercise Preparation

1. Scenario Customization
   • Adjust technical details to match your corporation’s environment
   • Modify corporate client names and industries as appropriate
   • Ensure technical injects are realistic for your tools and processes
2. Information Control
   • Determine what information is available to participants at each stage
   • Prepare answers for likely questions from participants
   • Create physical or digital information cards for injects
3. Environment Setup
   • Arrange the exercise space to facilitate team communications
   • Test any technical systems or VR simulations
   • Prepare backup plans for technical failures

During Exercise Facilitation

1. Maintaining Street Cred Realism
   • Introduce complications that might occur in real incidents
   • Provide realistic time pressures
   • Limit information as would happen in real scenarios
2. Adaptability
   • Be prepared to adjust scenario pacing based on participant progress
   • Have additional injects ready if teams resolve issues quickly
   • Be willing to provide hints if teams get completely flatlined
3. Observation
   • Take notes on key decisions and actions
   • Identify teaching moments for the debrief
   • Document specific areas for improvement

Facilitation Activities

1. Facilitating Discussion
   • Use open-ended questions to promote reflection
   • Focus on process improvements rather than assigning blame
   • Highlight both strengths and areas for improvement
2. Documentation
   • Compile observations and participant feedback
   • Prepare a comprehensive after-action report
   • Develop specific, actionable recommendations

Appendix: Detailed Technical Injects

Technical Details for Data Spike 1

• Username: j.wilson.netrunner
• Neural Link Signature: XR-156.73.42 (Location: Combat Zone, Night City)
• Timestamp: 03:27 AM local time
• Access method: Rogue neural interface followed by biometric override
• Failed attempts: None (successful on first try, indicating insider knowledge or advanced tech)

Technical Details for Data Spike 2

• Data queries executed:

SELECT client_id, corp_name, industry, primary_contact FROM clients WHERE priority_level = 'Platinum'
SELECT connection_string, access_credentials, network_diagram FROM client_access WHERE client_id = 'AC001'
SELECT * FROM user_accounts WHERE access_level = 'Executive'

• Privilege escalation attempt:
  • Use of built-in diagnostic routine with known privilege escalation vulnerability
  • Attempt to add neural signature to executive security group

Technical Details for Data Spike 3

• Data siphon details:
  • Name: daemon64.exe (disguised as legitimate system process)
  • Location: C:\CyberCore\NeuralGuard\Services\
  • Behavior: Establishes encrypted connection to black market server at NetNode 45.67.231.188
  • Data accessed: Client configuration database, network diagrams, ICE protocols

Technical Details for Data Spike 5

• Black ICE characteristics:
  • Custom-built intrusion suite with elements similar to known netrunner collective “BlackMamba”
  • Uses DNS tunneling for command and control
  • Anti-forensic capabilities including log deletion and timestamp modification
  • Loads directly into neural processors to avoid traditional detection
  • Command and control domains:
    • status-update-service.dark.net
    • cdn-delivery-network.blackice
    • system-verification.shadow

Technical Details for Data Spike 7

• Petrochem Grid connection attempts:
  • Target systems: Energy distribution controllers
  • Access attempts using legitimate NeuralGuard service account
  • Commands attempted include configuration changes to power management settings
  • Source: NeuralGuard monitoring server 192.168.24.56

Technical Details for Data Spike 9

• Ransom message text:

ATTENTION NEURALGUARD SECURITY:

Your systems have been compromised. We have extracted 2.3TB of data including:
- Corporate network diagrams
- Access credentials
- Confidential client data

If you want to prevent this data from appearing on the black market, transfer 2,000,000 eurodollars 
to the following crypto wallet:
NC1Hf7iBvhjZU4RfTft72uLnRRWvbcXioLEP

You have 48 hours. The clock is ticking.

For proof, check directory C:\Evidence on your security director's neural drive.

- PHANTOM COLLECTIVE

Technical Details for Data Spike 10

• Attack path:
  1. Initial access via exploited zero-day in neural interface service (CVE-2077-XXXX)
  2. Credential theft using memory scraping technique
  3. Lateral movement via compromised executive account
  4. Persistence established through modified system daemons and backdoored DLL
  5. Defense evasion using timestomp and log deletion
  6. Command and control via encrypted DNS tunneling
  7. Data exfiltration via chunked, encrypted transfers to changing destinations