Intrusion — Facilitator's Guide

By Jeffrey Jenkins — Brigham Young University

Estimated run-time: ~60 minutes (5 rounds); flexible.

Ideal class size: 20–50 (works best with students seated at tables or clusters of desks).

Learning Objectives

By the end of this activity students will be able to:

  • Explain why identifying threats in a network is complex and uncertain.
  • List concrete features or signals that intrusion-detection systems (IDS) might use to flag malicious activity.
  • Describe how security controls (network segmentation, packet inspection, threat intelligence, insider threat controls, etc.) affect detection capability.
  • Experience, via simulation, the operational trade-offs between detection, disruption, and business continuity.
Materials

  • Ping-pong balls (the "packets"); enough that several are in flight at once.
  • A basket or box as the packet destination, placed at the back of the room.
  • Sticker sheets for the hackers (kept out of sight until distributed).
  • One role card per student, each printed with one or more group letters (A–E).
  • A Slack workspace with one channel per group.
  • An instructor machine, displayed to the class, opened to https://intrusion.velocity.ninja/ (timer, rules, dwell-time counter).

High-Level Overview (What Happens)
  • Each student is both a network node (they immediately pass packets — ping-pong balls — toward a basket) and a member of one team (A–E).
  • Group E is the hacking group: they secretly decide who will "infect" packets by placing a sticker on a ball.
  • Other groups are intrusion detection specialists: they observe packet flow, discuss on Slack, nominate suspects, and can "remove" (vote out) a player each round.
  • The facilitator runs repeated rounds. Each round has 5 phases (Collaborate → Operate → Eliminate → Innovate → Increment). A global dwell time increases each round; if it reaches a configured maximum, the system shows "System Compromised" and the hackers win.

Setup (Before Activity)
  1. Arrange students at desks or tables so balls can be bounced from one table or student to the next and eventually to the basket at the back of the room.
  2. Place the basket/box at the back of the room (past the last row).
  3. Create Slack channels: one channel for each group A, B, C, D, and E (the hackers group). For smaller classes you can create fewer channels (and therefore fewer groups). Tell students to use their assigned channel only.
  4. Prepare enough cards to match the number of students (choose how many hackers to include based on the desired difficulty). Shuffle and hand out one card to each student. Each card contains one or more letters (A–E). Students should not reveal the letters on their card; the letters determine which Slack channel(s) they join. Have them join the channel(s) matching their letters.
  5. On the instructor's machine, open the website: https://intrusion.velocity.ninja/
    • Optional: set a maximum dwell time with the URL parameter dt. Example: https://intrusion.velocity.ninja/?dt=5 sets the maximum dwell time to 5 rounds. When current dwell time equals max, the system will display "System Compromised."
  6. For Group E (hackers), post in their Slack channel: "You are the hacking group. Coordinate here. Be strategic about who infects packets and when."
  7. Prepare sticker sheets and keep them out of sight until the step where hackers receive stickers.

Facilitator Script — Initial Reveal & Sticker Distribution
  1. Tell everyone: "Each group plays an intrusion-detection team. Each person also forwards packets (ping-pong balls) as a part of a network. When a packet reaches the basket, the message has been delivered."
  2. Explain infection: "Hackers will secretly attach a sticker to a ball to mark it as infected. If you receive a ball with a sticker, do not stop or modify it — allow it to reach the basket — but note where you think it came from."
  3. Rules to read aloud (and display from website):
    • Do not view another person's screen or card.
    • Keep your eyes closed during designated blind steps.
    • Stay seated; avoid physical contact.
    • Pass or bounce the ball immediately when it reaches you.
    • At least half of the hackers must attempt to infect a packet each round (this keeps the game balanced).
  4. Sticker distribution (privacy-preserving): have everyone close their eyes. Tell Group E to open their eyes and hand them a sheet of stickers while walking around the whole room (so that, to everyone else, distribution appears random). Then have everyone open their eyes.

Winning & Losing

Intrusion detection specialists win if either:

  1. No hacker infects any packet on more than one round — or
  2. All hackers are identified and removed from the game.

Hackers win if:

  1. Dwell time reaches the configured maximum (dt) — the system shows "System Compromised."

Round Structure — Step-by-Step (Repeat Until Win)

Each round has five phases. Suggested timings for a 60-minute session (5 rounds): Collaborate 1:00, Operate 3:00, Eliminate 3:00, Innovate 2:00, Increment+debrief 3:00.

1) Collaborate (1 minute)
  • Groups use their Slack channels to discuss strategy.
  • Hackers coordinate who will infect balls this round and how to avoid detection.
  • Intrusion teams decide monitoring strategies (e.g., who watches packets vs. who forwards them).

Discussion tie-ins: threat intelligence sharing, operational communication channels, false positives/negatives.

2) Operate (pass the packets)
  • Hand the balls to the students in the first row; students immediately bounce balls to other students toward the basket. Balls may take many different paths to the destination, mimicking real-world network traffic.
  • When all ping-pong balls arrive at the basket, the facilitator inspects which balls have stickers.
  • Students should not stop infected balls.

Discussion tie-ins: packet fragmentation, telemetry fidelity, packet inspection trade-offs (latency vs. visibility).

3) Eliminate (nomination & vote)
  • The class nominates up to two suspects (by name or seat position). The team may decide to nominate none.
  • Each nominated student has 10–20 seconds to defend themselves.
  • The class votes; the student with the most votes is removed from the game (they no longer pass or receive balls in subsequent rounds).
  • Note: removal simulates quarantining or isolating a suspected node.

Discussion tie-ins: human-in-the-loop decisions, investigation workflows, cost of false positives (removing a benign node).

4) Innovate (optional purchase/change)
  • The team may "invest" in an innovation that changes the rules for the remainder of the game (facilitator approval required). Innovations should relate to real-world security controls. A good way to start the discussion is to ask, "Why is it so hard to detect threats? What would make it easier?"
  • Examples (and real-world mapping):
    • Let students inspect a ball for 1 second before passing (packet inspection).
    • Restrict ball movement to vertical lanes only (network segmentation).
    • Require all balls from a table to pass through one person (firewall / chokepoint).
    • Allow a short yes/no question to a previously identified suspect (active response).
  • Facilitator may refuse innovations that break realism or unbalance the game. Encourage students to justify the innovation's cost/benefit.

Discussion tie-ins: trade-offs in deploying controls, cost/impact on business processes.

5) Increment (dwell time)
  • Increment the dwell time counter by 1. If dwell time equals the pre-set maximum (URL dt), the game ends with "System Compromised."
  • Otherwise, proceed to the next round beginning with Collaborate.

Discussion Prompts & Debrief

Use a subset of these questions after each round or at the end:

  • What strategies did your team use to identify suspicious behavior, and how do those strategies reflect real-world intrusion detection practices? Responses might include:
    • Look for mentions of dividing roles (some monitor, others pass)—parallels SOC teams and IDS monitoring.
    • Students might mention focusing on one area—connect to network segmentation and targeted monitoring.
    • Observing unusual behavior or hesitation mirrors anomaly detection and behavioral analytics.
    • Sharing observations between groups reflects threat intelligence sharing and correlation across systems.
    • If students discuss false suspicions, relate it to false positives in IDS operations.
  • What behavioral signals made you suspicious of a player? What signals might be helpful in detecting real-world security threats (e.g., detecting intrusions, phishing emails, insider threats, etc.)?
  • Which innovations helped detection? Which hindered it? Why?
  • How did network layout (table arrangement, passing patterns) affect visibility? (Tie to segmentation, taps, and monitoring placement.)
  • Were there trade-offs where making detection easier would have slowed legitimate traffic? (Latency vs. security.)
  • What real-world IDS features correspond to the things you looked for? (e.g., connection frequency, unfamiliar ports/SSH tunnels, anomalous process installs, email features for phishing.)
  • How does threat intelligence (sharing signals between groups) change detection speed and accuracy?
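The debrief question above asks which real-world IDS features correspond to what students watched for. The following toy scorer is an added example for facilitators (it is not part of the original guide or the game website) that turns two of the features named there, connection frequency and unfamiliar destination ports, into a ranking of network nodes. The flow records, node names and thresholds are constructed for illustration; a node flagged only because it used one new port (n3 below) is the in-game equivalent of voting out an innocent player, i.e., a false positive.

```python
"""Toy flow-based anomaly scorer: per-source connection rate and unfamiliar ports.
Added example for the Intrusion facilitator's guide; not code from the game or its site.
All flow data below is constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # originating node (like a student passing a ball)
    dst: str    # destination node
    dport: int  # destination port
    nbytes: int


def flows(src, dst, dport, count, nbytes=512):
    """Build `count` identical flow records (constructed sample data helper)."""
    return [Flow(src, dst, dport, nbytes) for _ in range(count)]


# Constructed baseline window: what "normal" looked like while no hacker was active.
BASELINE = (
    flows("n1", "srv", 443, 4)
    + flows("n2", "srv", 443, 2) + flows("n2", "srv", 80, 1)
    + flows("n3", "srv", 443, 2)
)

# Constructed observation window for one round:
#   n1 behaves as before; n2 spikes and touches a port never seen in the baseline;
#   n3 makes one SSH connection, which may well be a legitimate admin (false positive).
WINDOW = (
    flows("n1", "srv", 443, 4)
    + flows("n2", "srv", 443, 12) + flows("n2", "srv", 4444, 1)
    + flows("n3", "srv", 443, 2) + flows("n3", "srv", 22, 1)
)


def profile(flow_list):
    """Per-source connection counts and the set of ports each source used."""
    conns = Counter(f.src for f in flow_list)
    ports = defaultdict(set)
    for f in flow_list:
        ports[f.src].add(f.dport)
    return conns, ports


def score_sources(baseline, window, freq_factor=3.0):
    """Return {src: (score, reasons)} for every source seen in `window`.

    score is the number of features that fired (0, 1 or 2):
      - connection rate >= freq_factor times the source's baseline count
      - any destination port not seen from ANY source in the baseline
    `freq_factor` is an assumed threshold, not a value from the guide.
    """
    base_conns, base_ports = profile(baseline)
    win_conns, win_ports = profile(window)
    familiar = set().union(*base_ports.values()) if base_ports else set()
    scores = {}
    for src, n in win_conns.items():
        expected = base_conns.get(src, 1)   # unseen source: treat baseline as 1 conn
        reasons = []
        if n / expected >= freq_factor:
            reasons.append(f"connection rate {n} vs baseline {expected}")
        unfamiliar = win_ports[src] - familiar
        if unfamiliar:
            reasons.append(f"unfamiliar ports {sorted(unfamiliar)}")
        scores[src] = (len(reasons), reasons)
    return scores


def suspects(baseline, window, min_reasons=1):
    """Sources to nominate, most suspicious first; ties broken by name."""
    ranked = sorted(score_sources(baseline, window).items(),
                    key=lambda kv: (-kv[1][0], kv[0]))
    return [src for src, (n, _) in ranked if n >= min_reasons]


if __name__ == "__main__":
    for src, (n, why) in score_sources(BASELINE, WINDOW).items():
        print(src, n, "; ".join(why) or "no signal")
    print("nominate:", suspects(BASELINE, WINDOW))
```

Raising `min_reasons` to 2 drops n3 from the nomination list, which is the code equivalent of the Eliminate phase's choice to nominate nobody rather than remove a node on a single weak signal; lowering the frequency threshold catches quieter hackers at the cost of more benign nodes flagged.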

Facilitation Tips & Troubleshooting
  • Keep time and keep things moving. For the Collaborate step, the website runs a timer with music and automatically advances to the next phase when it expires.
  • Enforce secrecy. If students peek at cards or Slack channels, pause and remind them of the rules — secrecy is essential to the exercise.
  • Balance rounds. If hackers are consistently winning too quickly, require them to infect more balls each round, or require every hacker to infect a ball each round (so others have a better chance of seeing suspicious behavior). You can also allow some larger innovations. If intrusion teams dominate, restrict the available innovations.
  • Safety: remind students to remain seated and avoid throwing balls aggressively. No physical contact.
  • Record observations. As facilitator, jot down comments, innovations, and strategies from students; this helps with the post-game debrief.

Variants & Extensions
  • Short class (30 minutes): run 2–3 condensed rounds. Shorten Operate and Eliminate phases.
  • Advanced students: introduce false-positive stickers (harmless stickers placed by non-hackers to create confusion) to examine signal-noise trade-offs.
  • Assessment: have students write a short reflection tying their in-game decisions to IDS design, detection engineering, or a policy recommendation.
  • Scoring: assign points for correct identifications, wrong removals (penalty), and for hackers who reach dwell-time goals — use a scoreboard to increase competition.