Offense Response

“Winning is about getting your enemy to respond as expected” – Toba Beta


A large part of the growth in our society is due to new digital opportunities. As we become more adept at using technology, exposure to IT crime increases accordingly. It is therefore a necessity, that we think more holistic and do not treat all attacks alike.

An attack can have many facets, the methods may be different, and the performance may vary in complexity and professionalism. Before an attack, it may be very good to have thought about the types of attacks that can cause the greatest damage to your organization and what your preparedness should be.

To uncover the threats, it would be advisable to use a model that identifies risks for various types of attacks. The following model shows that the probability and consistency of an attack constitute the criticality of the company.



Classification of attacks

To find out what level of criticism an attack has, consider the following considerations:

  • What method is used (e.g. ransomware, CEO Fraud or Advanced Persistant Threat)
  • How many clients are under attack
  • How many servers are under attack
  • Is attacked targeted, semi-targeted or targeted against our organization

Response time

Once you have assessed the above factors, you can better assess the impact of possible attack to your business. This allows you to have a process description that describes how quickly you should respond to the event your business is exposed to. It could, for example, be a following model:

The above is not a complete model with all types of attacks, but depending on the company’s risk profile we will compile the complete model.

It is possible, that these goals for certain companies are too ambitious, while others must be more ambitious. It will always be up to a concrete assessment for each company, how quickly it should be responded. A contingency plan must, however, be in place in accordance with the GDPR, and there is also a requirement that within 72 hours, the authorities and affected persons should be informed if one’s business or organization delivers personal data.


Some manufacturers, such as Anti-virus will claim that they automatically remove the threats. Unfortunately, there are too many examples that only a part of the malware is removed or that the malware is mutated and therefore no longer detected.

There are also many examples, when an attack starts as a thing and evolves into something else. For example, it is a scattering attack that has come within a company that has potential for more – then, criminals will either resell the access to other criminal organizations that work targeted or even work targeted towards this business.

Therefore, there are some companies that reinstall the computer as a fixed procedure. If we compare this to a murder investigation, it will correspond to the fact that the police, as the first, send a cleaning team to the murder site. In the IT world, it means that the criminal may have moved deeper into the systems, and as the evidence has been deleted, finding the criminal can be very difficult and a deeper analysis will be very expensive.

Therefore, it is always our recommendation that there is proof of proof. This is done via a forensic analysis, where the goal is to answer the following:

  • What happened?
  • When did it happen?
  • How did it happen?

When you have these answers, the conclusion may be that you need to reinstall the computer. You may also have to wait so that the criminal does not become aware that you have discovered the burglary. Instead, you can follow the criminal’s journey on one’s network before you are sure, that you have found all the back doors and have full control of what is installed where and how to close all the doors once . This may be done in cooperation with the police or a private IT security company.

Ultimately, you may need to call an “Incident Response Team” that will physically have access to your business.

Once we have made a risk assessment of the threats, defined the reaction time and the mitigating processes, we ensure that even if your business is hit, we are in control and can significantly reduce the time when the criminals are on your network.