Incident response | Municipality | 8 min read

The measures that saved Gran municipality

Tuesday 17 December started as an ordinary pre-Christmas day — until IT detected signs of activity in the network.

Tuesday 17 December was an ordinary pre-Christmas day at the town hall. Most people were preparing for the holidays, and the IT department was doing routine work as usual. Yet it was this seemingly quiet day that showed how critical preparedness and early detection can be.

  • < 45 min: from first alert to engaged incident team
  • 12: critical systems isolated without unnecessary downtime
  • 0: confirmed public data breaches

A normal day that changed

At 09:14 the first alert arrived from the monitoring platform: unusual sign-in patterns against a legacy file server, followed by signs of lateral movement toward Active Directory. SOC analysts did not see a single anomaly — they saw a pattern similar to previous attacks on the public sector.

[Image: abstract visualization of network monitoring and incident response]
Caption: Monitoring and incident response worked together — without that, the anomaly would likely have been discovered too late.
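The detection described above hinges on recognising a sequence, not reacting to a single anomaly. As an added illustration (not code from Synja or the municipality), the following Python correlates constructed sign-in events: an account that signs in to a legacy file server and then reaches several hosts outside its normal set within a short window is escalated to the incident lead. Host names, accounts, addresses, the baseline and the 15-minute window are all assumptions.

```python
"""Pattern-based escalation: correlate sign-in events into a lateral-movement alert.

Modelled on the scenario in the article: an account signs in to a legacy
file server and then reaches several hosts outside its usual set within a
short window. No single event is alarming; the sequence is what escalates.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY_FILE_SERVER = "FILESRV-OLD"  # assumed host name

# Constructed sample events (hypothetical hosts, accounts and addresses).
EVENTS = [
    {"ts": "2024-12-17T09:02:10", "user": "svc-backup", "src": "10.20.5.44", "dst": "FILESRV-OLD", "ok": True},
    {"ts": "2024-12-17T09:05:31", "user": "svc-backup", "src": "10.20.5.44", "dst": "DC01", "ok": False},
    {"ts": "2024-12-17T09:06:02", "user": "svc-backup", "src": "10.20.5.44", "dst": "DC01", "ok": True},
    {"ts": "2024-12-17T09:08:45", "user": "svc-backup", "src": "10.20.5.44", "dst": "APP-SRV-03", "ok": True},
    {"ts": "2024-12-17T09:11:20", "user": "svc-backup", "src": "10.20.5.44", "dst": "HR-DB", "ok": True},
    {"ts": "2024-12-17T09:03:00", "user": "kari.n", "src": "10.20.7.12", "dst": "FILESRV-OLD", "ok": True},
    {"ts": "2024-12-17T09:40:00", "user": "kari.n", "src": "10.20.7.12", "dst": "MAIL", "ok": True},
]

# Hosts each account normally reaches (constructed; in practice learned from history).
BASELINE = {"svc-backup": {"FILESRV-OLD", "BACKUP-01"}, "kari.n": {"FILESRV-OLD", "MAIL"}}


def lateral_movement_alerts(events, baseline, window=timedelta(minutes=15), min_new_hosts=2):
    """Escalate accounts that, after a sign-in to the legacy file server, touch
    at least `min_new_hosts` hosts outside their baseline within `window`.
    Failed attempts count too: an attacker probing hosts is still movement."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        usual = baseline.get(user, set())
        for i, start in enumerate(evs):
            if start["dst"] != LEGACY_FILE_SERVER or not start["ok"]:
                continue
            t0 = datetime.fromisoformat(start["ts"])
            new_hosts = {
                ev["dst"] for ev in evs[i + 1:]
                if datetime.fromisoformat(ev["ts"]) - t0 <= window and ev["dst"] not in usual
            }
            if len(new_hosts) >= min_new_hosts:
                alerts.append({"user": user, "src": start["src"], "first_seen": start["ts"],
                               "hosts": sorted(new_hosts), "action": "escalate to incident lead"})
                break  # one escalation per account is enough for the on-call analyst
    return alerts
```

Running `lateral_movement_alerts(EVENTS, BASELINE)` yields one alert for `svc-backup`; `kari.n` only touches hosts in her baseline, and far apart in time, so she produces none.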

Incident timeline

How the day unfolded

  1. 09:14, first alert: SOC detects unusual lateral movement and escalates to the Synja incident lead.
  2. 09:52, incident team activated: joint call with IT leadership and communications. Preparedness plan brought forward.
  3. 11:30, isolation and evidence: critical systems segmented. Memory images and logs preserved for further analysis.
  4. 16:45, situation stabilised: threat contained. The municipality can continue operations with controlled measures into the weekend.

"We had exercised this scenario — but nothing fully prepares you for the pace when it happens for real. Having someone outside who could handle the technical work while we led the municipality was decisive."

Head of IT, Gran municipality (quote anonymised for this article)

Coordinated response

Working closely with municipal IT leadership, critical systems were isolated, evidence was preserved, and communication with management followed the preparedness plan. Public communication was held back until there was clarity — a deliberate choice that avoided unnecessary concern.

What the incident team did

  • Established a shared incident room with clear roles between SOC, IT, and leadership
  • Mapped the attack vector and prioritised systems by impact on citizen services
  • Isolated compromised accounts and segmented the network without shutting down the whole municipality
  • Preserved logs and memory images for police reporting and further investigation
  • Delivered written status to the municipal council the same day

What other municipalities can learn

The incident underscores the value of preparedness, exercises, and a partner who can support when the pace is high. It is not about avoiding every attack, but detecting early, acting fast, and communicating in a controlled way.

  • Monitoring alone is not enough — someone must interpret alerts and escalate.
  • Exercise communication, not just technical isolation.
  • Have agreements in place before the incident — not when pressure is highest.