Incident Response & DFIR in Dubai · DIFC, DESC & Gov

When a Dubai entity is breached, the response has to satisfy Dubai-specific and federal obligations at once. Dubai-government and Dubai-government-adjacent entities sit under the DESC (Dubai Electronic Security Centre) Information Security Regulation, which carries its own incident-reporting and handling expectations; on top of that the federal layer applies — aeCERT / TDRA expects prompt notification, NESA / UAE IAS sets the incident-handling controls, and the PDPL (Federal Decree-Law 45/2021) requires breach notification to the UAE Data Office and affected individuals without undue delay. DIFC-regulated entities add the DFSA Technology Risk expectations and the DIFC Data Protection Law breach-notification regime, distinct from the federal PDPL. Macksofy runs the response so every applicable obligation is met from one coordinated incident, with a UAE-resident responder onsite and senior forensic support flying Mumbai BKC → AUH within hours.

The first hours decide the engagement, and our triage runs in parallel: one responder scopes blast radius and preserves volatile evidence, a second opens the notification workstreams (DESC where applicable, aeCERT/TDRA, the PDPL or DIFC DP regulator, and the sector regulator), and a third agrees containment with the client SOC. Acquisition is forensically sound from the first image — memory, disk and cloud-snapshot captures with cryptographic hashes and chain of custody — because a Dubai DIFC, government or aviation incident will be examined by internal audit, the DFSA or DESC, and potentially a court. Containment is calibrated to keep money-movement and operational systems stable without destroying the evidence that explains the intrusion.

Dubai incidents cluster into patterns we scope to. DIFC BFSI and free-zone fintech incidents demand money-movement and settlement-flow forensics, account-takeover and BEC reconstruction, and — for the LAPSUS$-style IdP-token-theft pattern that hit regional banks in 2024–25 — Azure AD / Okta / PingFederate and ADCS-abuse forensics. Human-operated ransomware demands AD-forest forensics: Kerberoasting and ADCS-abuse traces, golden/silver-ticket detection, lateral-movement timelines. Smart Dubai and government incidents demand identity, session and citizen-services access-log reconstruction with the DESC handling discipline. Aviation incidents at the Emirates Group and Dubai Airports estates demand passenger-systems, cargo and ground-operations forensics handled inside Annex 17 operational-safety constraints. Each gets a documented timeline, a root-cause narrative and an indicator set the SOC can hunt across the estate.

Eradication and recovery are part of the engagement, not a hand-off. We verify the attacker is fully evicted before rebuild — no half-cleaned forest, no surviving backdoor, no rogue trust — and pair recovery with hardening so the same path can’t be re-walked: identity tightening, ADCS template fixes, segmentation, and detection-engineering so this incident’s indicators become permanent SOC coverage. For retainer clients we run a post-incident tabletop and feed the lessons into the IR playbook. For DESC-regulated entities the adversary-action and response audit trail is retained in tamper-evident storage to the disposition DESC expects.

The output is built for the people who will read it under pressure. The technical report carries the timeline, the forensic findings with evidence references, the malware and TTP analysis mapped to MITRE ATT&CK, and the root cause. The regulator-facing pack assembles the DESC ISR notification record (where applicable), the aeCERT/TDRA notification, the NESA / UAE IAS incident evidence, the DFSA Technology Risk supervisor note for DIFC entities, and the PDPL or DIFC Data Protection breach-notification trail — in the format the Dubai reviewer reads. The board pack carries the one-page narrative, the exposure, and the remediation commitments the audit committee will track, in Arabic alongside English where the recipient requires it.

Retainer is the right posture for Dubai’s regulated and government-adjacent entities, and we structure it that way: guaranteed response SLAs, pre-agreed rules of engagement and data-handling, a UAE-resident lead, named responders who already know the environment, and a banked block of hours that turns an emergency procurement scramble into a phone call. Remote forensic acquisition starts within the hour while senior support travels; onsite is same-day across DIFC, Business Bay, Internet City and the wider emirate; billing is in AED with the 5% VAT line; and for DESC-regulated and DIFC scope the data-handling and retention constraints are agreed before any incident, not negotiated mid-crisis.