Haunted Network

30 Apr 2025 - joe

Haunted Network: Digital Nightmares

A Horror-Themed Cybersecurity Tabletop Exercise

Exercise Overview

Title: Haunted Network: Digital Nightmares
Duration: 4 hours (recommended)
Target Audience: Security Analysts, Incident Responders, IT Support, Management
Difficulty: Novice to Expert
Objective: Test your organization’s ability to respond to a series of increasingly disturbing and unexplainable technical anomalies that defy conventional security explanations, challenging teams to think creatively while maintaining operational stability.

Learning Objectives

1. Evaluate team resilience and problem-solving when facing unconventional threats
2. Test response capabilities for incidents that escalate in unpredictable ways
3. Assess communication clarity during high-stress, ambiguous scenarios
4. Practice decision-making when facing incomplete information and strange phenomena
5. Identify gaps in incident response protocols for edge-case scenarios

Exercise Structure

Preparation Phase (2 weeks prior)

1. Master of Ceremonies: Appoint 1-2 individuals to coordinate the exercise
2. Participant Selection: Identify key personnel from various technical and management teams
3. Resource Preparation: Ready the necessary monitoring tools, communication channels, and simulated environments
4. Pre-Exercise Briefing: Conduct a short orientation without revealing the supernatural elements

Exercise Roles

1. Master of Ceremonies: Controls exercise flow, introduces increasingly disturbing scenarios
2. Security Analysts: Personnel responsible for monitoring and detecting anomalies
3. Incident Responders: Technical specialists who investigate and contain threats
4. IT Support Team: Frontline staff handling user reports and system issues
5. Management Team: Decision-makers who must maintain business operations despite chaos
6. Observers: Record actions, decisions, and psychological responses to stress

Exercise Materials

Required Documentation

1. Incident response playbooks
2. System architecture diagrams
3. Emergency communication templates
4. Business continuity procedures
5. Post-incident psychological support information
6. Exercise evaluation metrics

Technical Setup (Optional)

1. Isolated test environment for simulated anomalies
2. Pre-recorded “found footage” style technical glitches
3. Atmospheric elements (reduced lighting, unsettling ambient sounds)
4. Emergency communications system

Scenario Background

Darkwood Technologies is a mid-sized software development company that recently moved into a renovated historic building with a disturbing past. Shortly after the move, technical staff begin reporting strange system behaviors that defy conventional explanation. What begins as minor anomalies quickly escalates into a full-scale incident that blurs the line between technical issues and something more sinister.

Exercise Narrative

The exercise simulates a workday that begins with minor technical oddities and gradually descends into a full-scale crisis as systems begin exhibiting behaviors that cannot be explained through normal troubleshooting. The incident response team must maintain their composure while addressing escalating anomalies that suggest something beyond a conventional cyber attack.

Exercise Timeline and Scenarios

Phase 1: Initial Disturbances (0:00-1:00)

Setting the Scene (0:00-0:10)

• Master of Ceremonies describes a normal morning at Darkwood Technologies
• Teams are at their workstations beginning routine operations
• Building history is briefly mentioned as having been a former research hospital

Scenario 1 (0:10): Strange System Logs

• Security monitoring flags unusual entries in system logs
• Timestamps show events occurring at exactly 3:33 AM across multiple systems
• Log contents include strings of apparently meaningless characters that form patterns when viewed together

Expected Actions:

• Begin investigating log anomalies
• Check for potential system time synchronization issues
• Review recent system changes or updates
• Document findings in incident tracking system

Scenario 2 (0:30): Employee Reports

• IT support receives multiple calls from employees reporting strange computer behavior
• Reports include monitors briefly displaying inverted colors
• Some users report hearing faint, unexplainable sounds through headphones when no audio is playing
• All affected employees sit in the same area of the building (the former hospital’s psychiatric ward)

Expected Actions:

• Create incident tickets for the reports
• Dispatch IT support to affected workstations
• Check for environmental factors (power issues, electromagnetic interference)
• Consider malware scanning of affected systems

Scenario 3 (0:45): Network Anomalies

• Network monitoring detects data packets being routed through unused portions of the building network
• Traffic analysis shows periodic spikes at 3-minute intervals
• The pattern resembles a heartbeat when graphed
• No explanation can be found in network configuration

Expected Actions:

• Activate initial incident response procedures
• Begin investigating network configuration
• Consider isolation of affected network segments
• Begin preparing initial management briefing

Phase 2: Escalation (1:00-2:00)

Scenario 4 (1:00): Disturbing Email Incident

• Employees receive emails from a non-existent internal account
• The sender address contains the name of a doctor who worked in the building decades ago
• Email content includes fragments of old patient records interspersed with binary code
• Attachments are corrupt files that create strange visual artifacts when opened

Expected Actions:

• Implement email filtering rules to block similar messages
• Preserve copies of the emails for forensic analysis
• Check email servers for compromise
• Research the historical reference to assess if this is a targeted attack

Scenario 5 (1:20): System Compromise

• Security tools detect unauthorized access to the company’s database
• The access uses valid credentials from an employee who has called in sick
• Access patterns show systematic exploration of personnel records
• The database queries focus on employees with specific medical conditions

Expected Actions:

• Lock out the compromised account
• Begin forensic analysis of the database access
• Consider additional controls on sensitive data
• Inform management about potential data breach

Scenario 6 (1:40): Physical Security Anomalies

• Building security systems show doors opening and closing with no one present
• CCTV footage contains brief frames showing shadowy figures not visible to the naked eye
• Badge access logs show entries using badges of former employees
• Temperature drops significantly in specific areas of the building

Expected Actions:

• Escalate to building security
• Review physical security protocols
• Consider evacuation of affected areas
• Begin correlation of physical and digital anomalies

Phase 3: Crisis (2:00-3:00)

Scenario 7 (2:00): System Takeover

• Multiple critical systems begin executing unplanned operations
• Screens display fragmented medical imagery and patient records from decades ago
• Audio systems in conference rooms emit sounds resembling human moaning
• Attempts to shut down affected systems fail as they restart automatically

Expected Actions:

• Implement emergency system isolation procedures
• Consider complete power-down of affected systems
• Activate business continuity plans
• Prepare crisis communication for employees

Scenario 8 (2:20): Executive Briefing

• Management demands explanation for increasingly disturbing events
• Technical teams struggle to provide conventional explanations
• Business operations are increasingly affected
• Decision needed on full building evacuation

Expected Actions:

• Present available facts without speculation
• Recommend clear action items based on established protocols
• Maintain professional demeanor despite bizarre circumstances
• Focus on employee safety and business protection

Scenario 9 (2:40): Peak Phenomena

• Building-wide technical systems go haywire simultaneously
• Phones call emergency contacts and play distorted audio
• Printers output hundreds of pages with fragments of old medical procedures
• Lights flicker in patterns that match patient treatment schedules from the building’s past
• Digital displays show images that appear to be faces looking out

Expected Actions:

• Execute emergency shutdown procedures
• Implement full building evacuation
• Activate emergency response team
• Document all phenomena for later analysis

Phase 4: Resolution and Recovery (3:00-4:00)

Scenario 10 (3:00): Pattern Recognition

• Analysis reveals a pattern to the disturbances
• All anomalies connect to specific medical experiments conducted in the building
• Technical manifestations follow the timing and procedures of historical events
• A clear epicenter is identified in the server room (formerly an operating theater)

Expected Actions:

• Document comprehensive timeline and pattern analysis
• Develop containment strategy based on identified patterns
• Prepare technical approach that addresses root cause
• Brief executive team on findings and approach

Scenario 11 (3:20): Containment Decision Point

• Team must decide on final containment strategy
• Options include complete infrastructure replacement, relocation, or specialized cleansing protocol
• Each option balances technical, business, and psychological factors
• Decision requires weighing rational and irrational elements

Expected Actions:

• Evaluate containment options against established criteria
• Make recommendations based on available evidence
• Implement immediate containment measures
• Prepare long-term remediation strategy

Scenario 12 (3:40): Recovery Planning

• With immediate containment achieved, focus shifts to recovery
• Team must design new technical infrastructure resistant to similar incidents
• Business operations need restoration in temporary location
• Employee psychological support becomes priority

Expected Actions:

• Develop phased recovery plan
• Create communication strategy for various stakeholders
• Design enhanced monitoring systems for early detection
• Begin formal incident documentation

Conclusion (3:50-4:00)

• Master of Ceremonies declares the end of the exercise
• Brief initial feedback from participants
• Schedule formal debrief session for the following day
• Provide psychological decompression opportunity

Exercise Evaluation

Evaluation Metrics

1. Response Effectiveness
   • Adaptability to unconventional scenarios
   • Ability to maintain rational investigation processes
   • Thoroughness of documentation despite strange circumstances
2. Decision Quality
   • Clarity of thinking during high-stress situations
   • Appropriate escalation decision points
   • Balance between technical and business considerations
3. Communication Effectiveness
   • Clarity when describing unexplainable phenomena
   • Management of speculation and rumors
   • Appropriate tone in crisis communications
4. Team Cohesion
   • Maintenance of professional behavior under stress
   • Support between team members during bizarre incidents
   • Resistance to panic or irrational responses

Post-Exercise Activities

1. Immediate Debrief (Following exercise)
   • Quick discussion of initial reactions
   • Acknowledgment of psychological impact
   • Return to normal, rational context
2. Formal Review (1-2 days after exercise)
   • Structured review of decision points and responses
   • Analysis of how conventional procedures applied to unconventional scenarios
   • Documentation of lessons learned
3. Improvement Planning (1-2 weeks after exercise)
   • Development of edge-case response protocols
   • Assignment of research tasks for identified gaps
   • Timeline for implementing enhancements

Appendix: Scenario Details

Technical Anomaly Examples

1. System Log Entries

03:33:00 SYS-27491: _THE_PATIENTS_ARE_WAITING_
03:33:00 SYS-31042: _PROCEDURE_MUST_CONTINUE_
03:33:00 SYS-19187: _DOCTOR_MONROE_REQUIRES_ASSISTANCE_

1. Network Traffic Pattern
   • Oscillating bandwidth usage
   • Heartbeat-like pattern with 72 beats per minute
   • Data packets containing fragments of medical terminology
   • Routing through physically impossible network paths
2. Email Content Example

From: dr.monroe@darkwood.local
Subject: Patient Records Require Attention

Patient #4173 shows remarkable progress with the new procedure.
Brain activity normalizing after 01100101 01111000 01110000 01100101 01110010 01101001 01101101 
01100101 01101110 01110100
Recommend continued 01110100 01110010 01100101 01100001 01110100 01101101 01100101 01101110 
01110100

The subjects in ward C need additional monitoring.

I remain, as always, in service to science.
- Monroe (Chief of Experimental Procedures, 1931-1954)

1. Physical Anomalies
   • Temperature drops of 15-20 degrees in specific rooms
   • Electromagnetic field fluctuations matching historical treatment schedules
   • Audio recordings containing EVP-like phenomena when amplified
   • Motion sensors activating in patterns that trace historical ward rounds

Historical Context (Revealed Gradually)

• Building was Ravenwood Psychiatric Hospital from 1920-1965
• Dr. Monroe conducted experimental treatments on patients with various conditions
• Third floor (now IT department) was the experimental treatment ward
• Server room was originally the electroshock therapy room
• Records indicate unusual incidents during the hospital’s operation
• Hospital was closed after a major incident in 1965 involving multiple patient deaths
• Building remained vacant for decades before renovation