Multi-vector attack (live injection, advanced)

  • Target audience: Mature SIRT and SOC teams

  • Duration: Full day (6-8 hours)

  • Complexity: Very High

  • Format: Chained scenario with multiple parallel threads

Overview

This advanced simulation runs multiple attack vectors simultaneously, forcing teams to prioritise, coordinate, and manage complex incident response under sustained pressure.

Attack vectors (running in parallel)

Vector 1: Phishing campaign

  • Staff receive realistic phishing emails

  • Some click through (actors on simulation team)

  • Credentials potentially compromised

  • Need response and user communication

Vector 2: DDoS attack

  • Services degraded

  • Customer impact immediate

  • Requires network operations response

Vector 3: Suspicious internal activity

  • Possible insider threat or compromised account

  • Requires investigation without disrupting operations

Vector 4: Vulnerability exploitation attempt

  • Automated scanning detected

  • Exploitation attempts on known vulnerability

  • Patch management urgency

Vector 5: Data leak allegation

  • Anonymous report of data on dark web

  • Requires investigation and verification

  • Potential regulatory implications

Team challenges

Resource constraints:

  • Not enough people to handle everything

  • Must prioritise and delegate

  • Some issues escalate if ignored

Communication chaos:

  • Multiple channels active simultaneously

  • Information overload

  • Conflicting priorities from stakeholders

Decision fatigue:

  • Rapid successive decisions required

  • Incomplete information

  • Trade-offs between speed and thoroughness

External pressure:

  • Simulated media inquiries

  • Executive demands for updates

  • Customer complaints

  • Regulatory body requests

Facilitator team

Requires multiple facilitators:

  • Red team coordinator (orchestrates attacks)

  • Business stakeholder actors

  • Media/external actors

  • Observer/timekeeper

  • Technical inject coordinator

Phases (2 hours each)

Phase 1: Initial chaos

All vectors activate within 30 minutes. Teams struggle to triage and organise response.

Phase 2: Sustained pressure

New complications injected. Some vectors escalate, others seem to resolve. Fatigue sets in.

Phase 3: Crisis peak

Multiple vectors culminate. Major decisions required. Public attention intensifies.

Phase 4: Recovery begins

Attacks taper off. Focus shifts to recovery, communication, and learning. Documentation catch-up.

Success criteria

Not about “winning” but about:

  • Effective prioritisation under pressure

  • Clear communication despite chaos

  • Appropriate escalation and delegation

  • Evidence preservation during crisis

  • Maintaining operational security

  • Team resilience and adaptation

Debrief (2 hours)

Immediate hot wash (30 minutes):

  • How do you feel?

  • What was hardest?

  • What surprised you?

Structured retrospective (60 minutes):

  • Timeline reconstruction

  • Decision analysis

  • Communication review

  • Coordination assessment

Improvement planning (30 minutes):

  • Priority fixes

  • Playbook updates

  • Training needs

  • Tool gaps
