The Defender's Operational Profile

6-8 hours · Module 1 · Free
What you already know

You've learned the offensive lifecycle (Section 1.1), objectives (1.2), constraints (1.3), risk tolerance (1.4), reconnaissance (1.5-1.6), the decision matrix (1.7), timing (1.8), team structures (1.9), and documented campaign patterns (1.10-1.11). This section combines everything into a four-step methodology you apply during the first hour of every investigation to produce a structured adversary classification that directs the response.

Scenario

An incident is 45 minutes old. You have: a phishing email, a compromised credential, and one lateral movement event. Your CISO needs a brief in 15 minutes. The Operational Profile framework gives you a structured output: adversary class (ransomware affiliate), objective (financial), capability (commodity), timeline (48-72 hours to deployment), recommended response (isolate laterally, protect backups, invoke IR retainer). The framework works because the partial evidence is sufficient to classify and predict.

Step 1: Observe

[Figure: THE OPERATIONAL PROFILE — FOUR STEPS IN THE FIRST HOUR]
1. OBSERVE (T+0 to T+15 min): systems accessed, tools used, speed and noise level
2. CLASSIFY (T+15 to T+30 min): objective type, budget and capability, timeline and risk tolerance
3. PREDICT (T+30 to T+45 min): next target, expected pace, exit strategy
4. ACT (T+45 to T+60 min): containment priorities, evidence focus, leadership brief
Partial evidence is sufficient: two constraint dimensions assessed with confidence drive the response.

The four-step Operational Profile. Each step takes roughly 15 minutes. By T+60 minutes, the analyst has a structured adversary classification and a response strategy.

Gather available evidence without interpreting it yet. Four factual questions.

What systems has the attacker accessed? Every system, account, and data store the evidence shows. The target list reveals the objective (Section 1.2). Executive mailboxes indicate intelligence. Backup infrastructure indicates financial. Build pipelines indicate access.

What tools has the attacker used? Every tool, technique, and artifact. Commodity or custom? Known malware families or novel implants? The tooling reveals budget and capability (Section 1.3). Check VirusTotal for the file hash. If the hash is unknown, the tool is likely custom. If it matches a known family with thousands of detections, it is commodity.

How fast are they moving? Time between observed events. Minutes between phases means a short timeline. Days between events means a long timeline. The tempo reveals the timeline constraint (Sections 1.3, 1.8).

How noisy are they? Known-detectable tools with default configurations? Bulk operations across many systems? Or carefully blending with legitimate activity using LOLBins during business hours? The noise level reveals risk tolerance (Section 1.4).

Resist the urge to interpret during the Observe step. The interpretation happens in Step 2. The discipline of separating observation from classification prevents confirmation bias: seeing one ransomware indicator and immediately classifying the entire incident as ransomware before considering the full evidence.

Step 2: Classify

Map observations to four constraint dimensions.

Objective. Financial (targeting backups, payment systems, exfiltration for extortion), intelligence (executive communications, strategic documents, intellectual property), disruption (critical systems, damage potential), or access (trust relationships, build pipelines, vendor tools).

Budget. Low (commodity tools, shared infrastructure), medium (some customization, dedicated infrastructure), or high (custom tooling, zero-day capability, CDN-fronted C2).

Timeline. Hours (ransomware sprint), days-to-weeks (targeted financial or access), or months-to-years (espionage or supply chain).

Risk tolerance. High (noisy, fast, accepts detection), medium (somewhat careful but uses recognizable tools), or low (deliberate stealth, minimal telemetry, business-hours only).

The dimensions combine into a constraint profile that maps to an adversary class: opportunistic criminal, ransomware affiliate, professional criminal group, access broker, state-sponsored operator, or insider. Two dimensions assessed with confidence typically constrain the classification enough to make useful predictions, as covered in Section 1.7.

Step 3: Predict

Run the decision matrix forward from the classification.

Next target. Financial objective predicts movement toward backup systems and domain controllers. The attacker needs domain admin credentials to deploy ransomware via GPO, so credential access systems (LSASS, Active Directory, Kerberos infrastructure) are the immediate next target. Intelligence objective predicts access to additional executive mailboxes and strategic document repositories. Access objective predicts lateral movement toward trust relationships, federation infrastructure, and build pipelines.

Pace. If the observed tempo has been hours, the next phase is imminent. You may have minutes to prepare containment. If days, you have time to scope before acting. If weeks, the operation is ongoing and the urgency is accurate scoping, not immediate containment. The pace prediction directly determines whether your response is measured in minutes (contain now) or hours (scope first).

Techniques. Commodity tools suggest known techniques with documented detection that your existing rules should catch. The attacker is likely following a playbook. Custom tools suggest novel approaches that require active threat hunting because your signature-based rules will not detect them. The technique prediction determines whether your response is rule-based (check existing alerts) or hunt-based (search for behavioral anomalies).

Exit strategy. High risk tolerance means the attacker will push through detection and try to achieve their objective before containment completes. They will not go quiet when they see your response because their timeline is shorter than your response time. Low risk tolerance means they will go quiet or withdraw to protect their access and tools. They may wait days or weeks before resuming operations. The exit strategy prediction determines whether containment is a race (financial) or a chess game (intelligence).

Step 4: Act

The classification and prediction produce actionable response decisions.

Containment priorities. The objective determines what to protect first. Financial: isolate backup systems and domain controllers before the attacker reaches them. Intelligence: revoke OAuth tokens, audit consent grants, check forwarding rules. Disruption: protect critical infrastructure and verify operational technology network segmentation. Access: audit trust relationships and supply chain connections to downstream customers.

Containment approach. The risk tolerance classification determines how you contain. High risk tolerance (ransomware) demands immediate, aggressive containment because the attacker will push through detection and try to complete their objective before you respond. Low risk tolerance (espionage) demands covert scoping first because aggressive containment tips off the attacker and they activate backup persistence mechanisms you haven't found. The response speed is inversely proportional to the adversary's patience.

Evidence collection focus. Short-timeline, commodity-tool attackers leave dense, recent evidence on endpoints. Process creation logs, authentication events, and network connections from the past 48 hours will reconstruct the campaign. Long-timeline, custom-tool attackers leave sparse evidence across cloud logs over weeks. You need 30-60 day lookback windows across sign-in logs, unified audit logs, and OAuth consent events. Match your search window to the predicted timeline.

Scope assessment. A single actor with commodity tools means contained scope, likely limited to the systems the attacker has touched. A supply-chain model (the handoff signature from Section 1.9) means the initial access broker's (IAB's) access method may still be active against other accounts in your organization, and the broker may have sold access to other organizations. A state-sponsored operator with unified tradecraft means you assume re-compromise after eviction and build monitoring for the collection pattern, not the tooling.

Leadership brief. The classification produces a one-paragraph brief answering five questions: who (adversary class), what (objective), how serious (capability assessment and predicted timeline), what you are doing (response priorities and approach), and what decision you need from leadership (IR retainer activation, business continuity decisions, regulatory notification). The brief translates the technical Operational Profile into language that enables executive decision-making.
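As an added example (not part of the course material), here is the four-step profile encoded in Python: Step 1 observations in, Step 2 constraint dimensions and adversary class out, then Steps 3 and 4 as next-target and containment decisions. The target-role labels, the 60-minute tempo threshold and the 7-day fallback lookback are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed mapping from the role of a touched system to the objective it
# indicates (Section 1.2); the role labels are assumptions for this example.
OBJECTIVE_BY_TARGET = {
    "backup": "financial", "domain_controller": "financial", "payment_system": "financial",
    "executive_mailbox": "intelligence", "document_repository": "intelligence",
    "build_pipeline": "access", "federation": "access", "vendor_tool": "access",
}

@dataclass
class Observation:            # Step 1: facts only, no interpretation
    systems: set              # roles of the systems touched so far
    custom_tooling: bool      # hash unknown on VT / no known family => custom
    noisy: bool               # bulk discovery, default configs, many endpoints
    tempo_minutes: float      # minutes between the observed phases

def classify(obs):
    """Step 2: map the observations onto the four constraint dimensions."""
    hits = {OBJECTIVE_BY_TARGET[s] for s in obs.systems if s in OBJECTIVE_BY_TARGET}
    objective = hits.pop() if len(hits) == 1 else "uncertain"
    budget = "medium-high" if obs.custom_tooling else "low"
    risk = "high" if obs.noisy else "low"
    # Budget and risk tolerance are the two dimensions assessed with confidence;
    # together they constrain the class even before objective or timeline is known.
    if budget == "low" and risk == "high" and obs.tempo_minutes < 60:
        adversary, timeline = "ransomware affiliate", "hours"
        objective = "financial" if objective == "uncertain" else objective
    elif budget == "medium-high" and risk == "low":
        adversary, timeline = "targeted operator", "weeks-to-months"
        objective = "intelligence or access" if objective == "uncertain" else objective
    else:
        adversary, timeline = "unresolved", "uncertain"
    return {"objective": objective, "budget": budget, "risk": risk,
            "timeline": timeline, "adversary": adversary}

def predict_and_act(profile):
    """Steps 3 and 4: run the matrix forward into next target and containment."""
    if profile["adversary"] == "ransomware affiliate":
        return {"next_target": "credential access (LSASS, AD, Kerberos), then backups",
                "containment": "isolate backups and domain controllers now",
                "lookback_days": 2, "hunt_mode": "rule-based"}
    if profile["adversary"] == "targeted operator":
        return {"next_target": "persistence (OAuth grant, scheduled task, forwarding rule)",
                "containment": "covert scoping; do not isolate the endpoint yet",
                "lookback_days": 30, "hunt_mode": "hunt-based"}
    return {"next_target": "unknown", "containment": "scope further before acting",
            "lookback_days": 7, "hunt_mode": "hunt-based"}
```

Feeding it the one-workstation, custom-DLL, quiet observation from the Northgate case below yields a targeted-operator profile with a 30-day lookback and no endpoint isolation, while a noisy commodity intrusion touching a domain controller yields the ransomware-affiliate profile with immediate backup isolation.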

The profile in practice

At Northgate Engineering, the SOC received three alerts at 14:30 on a Tuesday. Here is what the analyst produced using the Operational Profile at the one-hour mark.

CLI Output
OPERATIONAL PROFILE — NE Incident #IR-2026-071
OBSERVE (14:30-15:00):
  Systems: DESKTOP-NGE042 (t.ashworth workstation)
  Tools: rundll32.exe loading unsigned DLL from AppData\Local\Temp\
  Network: outbound HTTPS to 185.220.101.42 (residential proxy)
  Tempo: 3 minutes from DLL load to outbound connection
  Noise: one endpoint, one connection, no bulk operations — quiet
CLASSIFY (15:00-15:15):
  Objective: uncertain — one endpoint, no lateral movement yet
  Budget: MEDIUM-HIGH — custom unsigned DLL, unknown on VT
  Timeline: uncertain — only 3 minutes observed
  Risk tolerance: LOW — quiet, custom tooling, no rapid enumeration
  Profile: custom + quiet → long timeline, intelligence or access
  Assessment: NOT RANSOMWARE. Affiliate would have run discovery
  commands within minutes of landing.
PREDICT (15:15-15:20):
  Next: persistence first (OAuth grant, scheduled task, registry key)
  Pace: hours or days before next action
  Techniques: cloud API access, mailbox/OneDrive collection
  Exit: will go quiet if detected, protect access and tools
  Look for: OAuth consent grants, scheduled tasks, forwarding rules
ACT (15:20-15:30):
  Containment: DO NOT isolate endpoint (tips off patient adversary)
  Instead: silent audit of OAuth grants + forwarding rules
  Monitor: outbound C2 traffic from DLL process
  Expand: 30-day lookback (initial access may be weeks old)
  Evidence: sign-in history, OAuth grants, UAL, Sysmon Event 22

The profile produces two outputs: an internal investigation direction (what to look for, what to protect, what not to do) and an external leadership brief.

Analyst Decision

Espionage profile brief: "We've detected a likely targeted compromise of one user account using custom malware. The attacker is operating quietly with non-commodity tooling, consistent with a targeted intelligence or access operation, not ransomware. We're conducting covert scoping to determine the full extent before containment. No evidence of lateral movement or data exfiltration at this time. The investigation scope is expanding to 30 days of account activity. We'll provide an update within 4 hours."

Compare with ransomware profile brief: "We're responding to a likely ransomware affiliate who gained access through compromised VPN credentials purchased from an access broker. The attacker is using commodity tools and moving rapidly, consistent with a 48-72 hour timeline to encryption. They've reached the credential access phase and are targeting domain admin accounts. Our immediate priorities are isolating backup systems, containing lateral movement, and closing the initial access vector. The IR retainer has been activated."

What the brief contains: adversary class, access method, capability assessment, current phase, response priorities, timeline, and escalation status. A non-technical executive can read either brief and make resource allocation decisions. The Operational Profile translates technical classification into business language within the first hour of an investigation.

The contrast between the two briefs demonstrates why classification drives response. The espionage brief recommends covert scoping and a 4-hour update window. The ransomware brief recommends immediate containment and IR retainer activation. Applying the wrong response to the wrong adversary class either lets the attacker complete their objective (too slow for ransomware) or burns your detection advantage and alerts the attacker (too aggressive for espionage).

Treating every incident as ransomware until proven otherwise

A SOC has a default playbook for all incidents: isolate the endpoint, disable the account, reset the password. When applied to a quiet espionage operator who has been collecting data for three months via OAuth consent grants, the aggressive containment tips off the attacker. They activate a secondary persistence mechanism the investigation never found (a forwarding rule on a different executive's mailbox), re-establish access through a different identity, and resume collection. The SOC thought they contained the incident in 45 minutes. The espionage operation continued for another two months. The Operational Profile would have classified this as a patient adversary requiring covert scoping, not immediate containment.

Offensive Operations Principle

The Operational Profile is the deliverable that connects offensive understanding to defensive action. Observe, classify, predict, act. The profile translates partial investigation evidence into a structured adversary classification within the first hour. The classification drives the response: immediate containment for financial operations, covert scoping for intelligence operations. Apply the framework from Module 1 at the start of every investigation.

Next
Module Summary. A recap of what Module 1 established: the offensive lifecycle, objective classification, constraint profiling, the decision matrix, timing strategies, team structures, campaign patterns, and the Operational Profile methodology. Then Module 2, where you build offensive infrastructure hands-on.