Emergency Handling & DFIR

No security in place at all? Then call a friend — that advice is meant 100% seriously. You would not start an expedition to a mountain top from day one without preparation.

• Find out what your business depends on most — e.g. your website; without it there is no sale.
• The CIS Controls are a good place to start; learn to do a risk assessment (CIS-RAM) and follow their recommended controls.
• Look at the CREST procurement guide for dealing with cyber attacks — you need a basic plan whether your full plans are in place or not.

• Overall IT security plan + Acceptable Use Policy (what users may and may not do).
• Emergency management for crashes and security incidents — define when something is a security event.
• Documents with phone numbers and an escalation schedule, to minimise doubt.
• A war room and a clear list of who handles what.
• Involve the DPO early on personal-data loss; keep contact with the data protection authority.
• A secured room where all data is collected, accessible only to authorised personnel (insider-threat aware).
• Task distribution — including food, drink and logistics, which are easy to overlook but matter a lot during long incidents.

• Hardware: laptop, USB storage, hard drives.
• Software: virtualization, screenshots, OSINT tools for securing online data.
• A jump-bag (see the dedicated page).
• An analysis lab for malware, logs and network traffic.

To secure evidence correctly you must avoid writing to the disk you are securing — otherwise you contaminate the evidence. Write protection can be achieved in software or hardware.