• Triage: the aim of this step is to identify the source(s) and affected devices and/or systems, set priorities based on these and determine the plan of approach for further research. At the same time, data is safeguarded in a forensic way for possible further investigation.
• Containment:this process involves restoring affected devices and/or systems and verifying security so normal operations can resume.
• Post incident activities: When the incident is resolved, a forensic investigation report is prepared. The report proposes solutions to prevent a similar event from occurring in the future. NFIR can also support and/or advise in the communication towards the Data Protection Authority, attorney at law and other parties involved.

CERT stands for Computer Emergency Response Team. The attribute is awarded by Carnagie Mellon University to companies and teams involved in digital security incidents. In the Netherlands, there are a number of official CERTs of large organisations involved in combating cyber incidents, such as the NCSC, the IBD, the Ministry of Defence, telecom organisations and banks.

The aim of the incident response team is to minimise the impact of the cyber incident as quickly as possible so that the continuity of your organisation is no longer at stake.

The Incident Response team is always provided with the right digital forensic equipment to serve the clients directly on location. NFIR continuously invests in fast, reliable and leading equipment and tooling that allows multiple Incident Response teams to operate simultaneously.

1. Contact NFIR’s Computer Emergency Response Team (088-133 0700).
2. The CERT takes action. All necessary equipment is packed and within 3 hours the CERT is on site
3. On site, the intake is conducted with all stakeholders to gather all available information about the incident.
4. After granting the order, triage on the affected systems will be started.
5. As soon as it is clear which systems have been affected or need further investigation, data will be secured according to a digital forensic procedure.
6. In the containment phase, the affected systems are restored and security is verified to prevent a recurrence of the incident
7. In the post-incident phase, the secured data is further digitally forensically examined. As many answers as possible are given to the research questions and the subject matter of the research. All findings and recommendations will be included in a report that will be delivered at the conclusion of the incident. This report can be used for internal and external purposes (such as supervisors and for legal proceedings).

This is not necessary in all cases, but often the client wants to know the extent of the incident and supervisors ask questions that can be answered by conducting an investigation. In all cases, NFIR is obliged to provide a report.

Companies mainly benefit from good preventive measures and direct help from security professionals in the event of a cyber security incident. NFIR offers a Cyber Security Support Contract that meets this exact need. For a small amount per year, without excess, we offer a very valuable package of preventive and reactive services and your organization is assured of the very best help!

Companies benefit from good preventive measures and direct assistance from security professionals in the event of a Cyber Security incident. NFIR meets exactly this need with its Security Contracts.