Module 5.1 — Scenario and 8-Hour Schedule
Day 5 capstone · Section 1 of 6
The scenario (instructor reads at the kickoff)
Verdancy Health Cooperative is a 14,000-employee regional healthcare insurer headquartered in the US Midwest. The org’s public-facing assets include:
- A member portal serving 2.1 million covered lives
- A customer-service chatbot, NoraBot, built on a fine-tuned open-weight LLM with RAG over a claims knowledge base
- A Microsoft 365 tenant
- A hybrid AWS / on-prem claims processing pipeline
At the SANS Cyber Defense Forum eight weeks ago, Verdancy’s CISO delivered a talk titled “How We Built an Agentic AI SOC.” The talk described — in publicly-quotable detail — the architecture of the org’s LLM-augmented detection and response stack: Llama Guard 3 input filtering, a three-agent LangGraph triage workflow, automated enrichment pipelines, and a HITL approval queue for containment actions.
The talk is on YouTube. It’s been viewed 4,200 times.
Today is the day someone watched it carefully enough to use it against you.
The adversary — PROMETHEUS-7
PROMETHEUS-7 is a financially-motivated threat actor crew that has industrialized AI-driven cyber operations. Tradecraft observed in prior campaigns:
- Orchestrator framework: Custom multi-agent stack built on open-source agentic primitives (think GTG-1002’s Claude-Code pattern, but on their own self-hosted infrastructure for operational security)
- Deepfake-as-a-service relationship: Engaged with a commercial deepfake provider for voice and video synthesis; voice clones produced from ~30 seconds of public-source audio (conference talks, podcast appearances)
- Specialty: They scrape their target’s public security disclosures and build the attack around defeating that specific defender’s stack
For this engagement, PROMETHEUS-7’s goal is:
- Exfiltrate approximately 2.1 million PHI records from Verdancy’s claims platform
- Extort a ransom payment
The estimated revenue from the operation, based on their prior campaigns: $40-60 million.
The four-stage kill chain (instructor preview)
Stage 1 — AI-driven recon and target selection
↓ Goal: identify the right intermediary target within Finance
↓ Window: 2-3 days; manifests in Verdancy's SOC starting ~T-72h before today
↓ Outcome: Brenda Castillo (AP Director) identified as the highest-value vector
Stage 2 — Deepfake voice BEC
↓ Goal: get a malicious "vendor onboarding" PDF placed into an AP
workflow that will be processed downstream
↓ Window: 60-90 minute multi-channel attack (WhatsApp + voice call)
↓ Outcome: Brenda receives a deepfake-CFO call requesting an urgent
confidential vendor change; she forwards the PDF for processing
Stage 3 — Indirect prompt injection against NoraBot
↓ Goal: extract session tokens that allow the adversary to impersonate
Verdancy's customer-service tier in subsequent enumeration
↓ Window: Hours; poisoned ticket arrives in the support queue, NoraBot
ingests it, behavior is corrupted from that point forward
↓ Outcome: Session tokens leak; adversary now has authenticated access
posing as Verdancy customer-service personnel
Stage 4 — Agentic data exfiltration with AI SOC manipulation
↓ Goal: exfiltrate the 2.1M PHI records to an attacker-controlled S3
lookalike bucket, while making Verdancy's defender AI agent
misattribute the exfil to a legitimate vendor sync job
↓ Window: 3-4 hours during a known vendor-sync window (Wednesday 14:00 UTC)
↓ Outcome: ~640 GB exfiltrated; defender's triage agent confidently labels
the activity benign; Verdancy discovers the breach two weeks
later via an unrelated control
The Mirror Twist is in Stage 4: PROMETHEUS-7 has read enough of the public security architecture to know the defender uses a specific AI triage stack with a specific attribution pattern. The adversary’s agent injects crafted log entries into the SIEM ingestion path designed to lead that triage agent to the wrong conclusion.
The students’ job: catch all four stages. The lesson: don’t trust your own AI agent without independently verifying its conclusion.
The 8-hour schedule
Times shown as offset from exercise start (0:00). Adjust to your delivery time zone.
| Time | Block | Activity |
|---|---|---|
| 0:00–0:30 | Briefing & environment check | CISO video kickoff (canned video); verify SIEM, RAG corpus, multi-agent SOC stack, mail/chat/cloud panes load; baseline knowledge quiz (5 pts) |
| 0:30–1:45 | Phase 1 — Recon detection | Students review the previous 72 hours of telemetry; identify the 8-10 PROMETHEUS-7 recon signals among ~12-15 alerts; ignore decoys |
| 1:45–2:00 | Break | |
| 2:00–3:15 | Phase 2 — BEC + deepfake triage | Brenda forwards “weird CFO call” voicemail at 2:05; students must retrieve voicemail audio, run Day-2 audio detector + workflow-gap SIEM rule, pivot to malicious PDF, contain Brenda’s endpoint |
| 3:15–4:00 | Lunch | |
| 4:00–5:15 | Phase 3 — Prompt-injection IR | NoraBot trace logs reveal session-token leakage; students must identify the poisoned support ticket, forensicate the injection payload, decide whether to disable NoraBot or sandbox it |
| 5:15–6:30 | Phase 4 — The Mirror Twist | SIEM shows “vendor sync” exfil; defender’s AI triage agent confidently labels it benign; students must distrust their own agent, ground-truth in raw CloudTrail, identify the lookalike bucket, cut credentials, notify legal |
| 6:30–7:15 | Reporting block | Students write the 6 required deliverables under time pressure (timed against the rubric) |
| 7:15–8:00 | Hot wash, scoring reveal, GIAC prep | Replay PROMETHEUS-7’s full timeline; instructor walks each red-team move; cert exam blueprint mapping; coin presentation if top-10% earned |
Pacing notes for the instructor
- Phase 1 is intentionally over-budget on alerts. Students who try to investigate every signal will run out of time. Pedagogically, the lesson is triage discipline.
- Phase 2’s voicemail arrives 5 minutes into the phase to give a deliberate “you missed it if you weren’t reviewing inbound mail” stress moment.
- Phase 3 has a hidden re-trigger event 30 minutes after NoraBot is “fixed” if students don’t purge the poisoned RAG chunk. The hidden re-trigger fires regardless of detection time — it’s a teachable moment about persistence.
- Phase 4’s adversarial CloudTrail events occur 30-60 minutes BEFORE the legitimate vendor-sync window. Students who only look at the vendor-sync time window miss the exfil entirely.
- Reporting block is intentionally tight. Students who do not start drafting deliverables until the last 30 minutes will not finish. The lesson is that the report is part of IR, not after it.
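An added example, not part of the course material: one way to ground-truth the triage agent's verdict against raw CloudTrail records in Phase 4, checking the destination bucket by exact match and the event time against the sync window. The bucket names, the one-hour window length, the event IDs and the agent verdicts are constructed assumptions; the field names are standard CloudTrail fields.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed assumptions: bucket names, sync duration, event IDs, agent verdicts.
APPROVED_BUCKETS = {"verdancy-vendor-sync"}
SYNC_START = datetime(2025, 1, 8, 14, 0, tzinfo=timezone.utc)  # a Wednesday, 14:00 UTC
SYNC_END = SYNC_START + timedelta(hours=1)
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}

# Constructed sample records using standard CloudTrail field names.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"eventID": "e1", "eventTime": "2025-01-08T13:20:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "requestParameters": {"bucketName": "verdancy-vend0r-sync"}},
    {"eventID": "e2", "eventTime": "2025-01-08T14:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "requestParameters": {"bucketName": "verdancy-vendor-sync"}},
    {"eventID": "e3", "eventTime": "2025-01-08T14:07:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "requestParameters": {"bucketName": "verdancy-claims"}},
    {"eventID": "e4", "eventTime": "2025-01-08T14:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CopyObject", "requestParameters": {"bucketName": "verdancy-vend0r-sync"}},
])
AGENT_VERDICTS = {"e1": "benign", "e2": "benign", "e4": "benign"}  # triage agent output


def audit_s3_writes(jsonl_text, agent_verdicts):
    """Re-check every S3 write against raw facts, ignoring the agent's label."""
    findings = []
    for line in filter(str.strip, jsonl_text.splitlines()):
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in WRITE_EVENTS:
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName", "")
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        reasons = []
        if bucket not in APPROVED_BUCKETS:  # exact match, so lookalike names fail
            reasons.append("bucket not on allowlist")
        if not SYNC_START <= when <= SYNC_END:
            reasons.append("outside sync window")
        if reasons:
            findings.append({"eventID": ev.get("eventID"), "bucket": bucket, "reasons": reasons,
                             "agent_verdict": agent_verdicts.get(ev.get("eventID"), "unlabelled")})
    return findings


if __name__ == "__main__":
    for f in audit_s3_writes(SAMPLE_JSONL, AGENT_VERDICTS):
        print(f)
```

The audit covers the whole log rather than only the sync window, so the write that precedes the window is reported alongside the in-window write to the lookalike bucket, each paired with the agent's "benign" label.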
Environment / lab platform
- Browser-based access to a pre-provisioned, isolated EC2 environment per student
- Pre-loaded:
  - Synthetic alert pack (Phase 1) at ~/data/phase1_recon_alerts.json
  - NoraBot agent trace (Phase 3) at ~/data/phase3_norabot_trace.jsonl
  - Synthetic CloudTrail logs (Phase 4) at ~/data/phase4_cloudtrail.jsonl
  - The Day-1 detector stack from Module 1.6 lab
  - The Day-4 Sigma + Suricata rule pack
  - A scoring submission directory, ~/submissions/
- Pre-configured “AI SOC” multi-agent triage workflow (Day-4 Module 4.3 reference implementation)
- A 14,000-user Active Directory shadow + email gateway shadow
Module 5.6 covers the lab-platform setup in depth.
What the kickoff video says (canned content for delivery)
[VIDEO TRANSCRIPT — VERDANCY HEALTH CISO KICKOFF]
"Good morning team. I'm Dr. Marcus Wei, Verdancy Health's CISO. I'm recording
this Tuesday afternoon. By the time you watch this, things will have changed.
Eight weeks ago I gave a talk at the SANS Cyber Defense Forum. It was a
celebration of our agentic AI SOC. We rolled it out in Q1, and by the time of
the talk, our analysts were running at 70% AI-assisted triage. Our customer
chatbot NoraBot was handling 2.3 million member interactions a month.
The talk was viewed 4,200 times.
I am now reasonably certain at least one of those viewers wasn't a fellow
defender. We have begun seeing patterns in our environment that don't match
our normal operational tempo.
This is not a drill. We have an active incident. Your job is to investigate
what's happening across our environment over the past 72 hours, contain
what's containable, attribute what's attributable, and recommend control
changes to my exec team. You have until end of day.
I'll see you on the hot wash."
What’s next
Module 5.2 covers Phases 1 and 2 in detail — the specific scenario data students see, what they should do, and the instructor’s pacing.