Incident Response & DFIR in Abu Dhabi · Energy & Gov

When an Abu Dhabi entity is breached, the response has to satisfy more than one clock at once, and none of them is India’s CERT-In six-hour rule. UAE notification obligations stack: aeCERT / TDRA expects prompt incident notification, NESA / UAE IAS sets the incident-handling controls a critical-infrastructure operator is measured against, the PDPL (Federal Decree-Law 45/2021) requires breach notification to the UAE Data Office and affected individuals without undue delay, and the sector regulator adds its own — FSRA for ADGM entities, ADHICS for DoH-licensed healthcare, ADDA for government entities. Macksofy’s DFIR practice runs the response so each of those obligations is met from one coordinated incident, with a UAE-resident responder onsite and senior forensic support flying Mumbai BKC → AUH within hours.

The first hours decide the engagement, and our triage runs in parallel rather than in sequence: one responder scopes blast radius and preserves volatile evidence, a second opens the regulator-notification workstream (aeCERT/TDRA, PDPL Data Office, and the sector regulator), and a third agrees the containment plan with the client SOC. Acquisition is forensically sound from the first image — memory, disk and cloud-snapshot captures with cryptographic hashes and a documented chain of custody — because in an Abu Dhabi energy, sovereign or government incident the same artefacts will be examined by an internal-audit function, the federal regulator and potentially a court. Containment is calibrated to keep safety- and money-critical systems stable without destroying the evidence that explains the intrusion.

Abu Dhabi incidents cluster into patterns we scope to directly. Energy and utilities incidents demand OT-aware forensics: an IT-side compromise that reached or threatened the process-network boundary needs the historian, engineering-workstation and jump-host timeline reconstructed without disturbing a running process, and the analysis must answer the operator’s real question — did the attacker cross into OT, and is the plant safe. Human-operated ransomware and pre-ransomware intrusions demand AD-forest forensics (Kerberoasting and ADCS-abuse traces, golden/silver-ticket detection, lateral-movement timelines). ADGM-fintech and BFSI incidents demand settlement- and customer-data-flow forensics. Government incidents demand identity, session and access-log reconstruction across the ADDA-governed estate. Each gets a documented timeline, a root-cause narrative and an indicator set the SOC can hunt across the rest of the estate.

Eradication and recovery are part of the engagement, not a hand-off. We verify the attacker is fully evicted before rebuild — no half-cleaned forest, no surviving backdoor, no rogue trust, and for energy scope, explicit confirmation that no OT-side persistence remains — and we pair recovery with hardening so the same path cannot be re-walked: identity tightening, ADCS template fixes, IT/OT segmentation, and detection-engineering so this incident’s indicators become permanent SOC coverage. For retainer clients we run a post-incident tabletop and feed the lessons into the IR playbook.

The output is built for the people who will read it under pressure. The technical report carries the timeline, the forensic findings with evidence references, the malware and TTP analysis mapped to MITRE ATT&CK (and ATT&CK for ICS where OT is involved), and the root cause. The regulator-facing pack assembles the aeCERT/TDRA notification record, the NESA / UAE IAS incident evidence, the PDPL breach-notification trail to the UAE Data Office and affected individuals, and the sector overlay — FSRA, ADHICS or ADDA — in the format the Abu Dhabi reviewer reads. The board pack carries the one-page narrative, the exposure, and the remediation commitments the audit committee will track, in Arabic alongside English where the recipient requires it.

Retainer is the right posture for Abu Dhabi’s critical-infrastructure and regulated entities, and we structure it that way: guaranteed response SLAs, pre-agreed rules of engagement and data-handling, named responders who already know the environment, a UAE-resident lead, and a banked block of hours that turns an emergency procurement scramble into a phone call. Remote forensic acquisition starts within the hour while senior support travels; billing is in AED with the 5% VAT line; and for sensitive government and energy scope the onsite-only-handling and log-residency constraints are agreed before any incident, not negotiated mid-crisis.