In this article, we propose a parallel exploration between firefighting and the SANS incident management cycle. The aim is to highlight common best practices and transferable lessons learned between these two demanding disciplines.
The 6 stages of the SANS cycle in incident management
1. Prepare
Even before a disaster strikes, firefighters invest heavily in preparedness, drawing on several complementary levers:
- documentation of technical installations (building plans, extinguishing systems, water sources) in the area.
- regular reconnaissance of sensitive, critical or complex sites, to anticipate difficulties and adapt procedures.
- taking account of roadworks and temporary developments, so as to plan routes and guarantee rapid intervention.
- regular drills in specific locations, to put teams through their paces and test coordination in realistic scenarios.
In Digital Forensics and Incident Response (DFIR), this phase is just as crucial: it involves defining procedures, training teams, deploying tools (EDR, SIEM, playbooks), and establishing clear governance. Without this preparation, precious time will be lost discovering the environment in which the response will take place.
At Approach Cyber, you can subscribe to a DFIR service in which our experts will help you prepare for the worst. By subscribing to this service in advance, our teams will be better prepared to deal with any incident.
2. Identification
When an alarm sounds, the incident commander goes to the site to assess the situation:
- Doubt-clearing procedures confirm that it is indeed a fire or another real disaster before more resources are mobilized.
- The incident commander, who goes directly to the scene in his own vehicle, plays a central role in this stage. He must assess the initial situation: risk of spreading, severity of the disaster, possible need for reinforcements, etc.
- On the basis of this analysis, he determines his main operational priorities in order to guide and coordinate the actions of the teams as soon as they arrive.
In DFIR, this is the moment when abnormal behavior is detected: alerts are analyzed, and the incident is qualified (intrusion, malware, etc.). Rapid, precise identification enables the response to be calibrated and errors to be avoided. Here too, procedures call for the appointment of an “incident handler” to own the incident. As with the fire department, it is important that no one acts on their own initiative, and that there is one and only one person in charge of coordination.
3. Containment
Before extinguishing the fire, firefighters must contain the disaster. The firefighter’s permanent mission:
- Securing: making the work area safe and protecting workers
- Rescue: evacuating and assisting people and animals in danger
- Hold: contain the evolution of the disaster to prevent it from getting out of control
- Protect: preserve what is still intact and limit collateral damage
- Control: finally, attack the source directly to extinguish the fire.
It’s clear that, even before putting out the fire, firefighters must first save what can be saved, hold the disaster in check to prevent it from getting any worse, and protect what is still healthy. Only then do we move on to the fire control phase.
In cybersecurity, DFIR operators must also ensure that their intervention remains proportionate. They must avoid unnecessarily destroying evidence (by deleting a file, for example), and must not hinder the work of the investigators who will intervene later.
So, whether faced with a fire or a cyber attack, containment is a balancing act: act quickly to stabilize, but with discernment to preserve the investigation.
4. Eradication
For firefighters, eradication means attacking the source directly to bring the fire under control.
The aim is not only to put the fire out, but to do so in a measured and appropriate way:
- Minimum water dosage to limit collateral damage (e.g. flooding).
- Precise location of the outbreak: spraying without knowing what’s burning is pointless.
- Identifying the type of fire: methods vary (oil, metal, wood), and water can aggravate some cases.
- Adapted strategy: on a gas fire, give priority to cutting off the supply rather than spraying.
- Final check: the seat of the fire is out, with no residual hot spots.
Similarly, in cybersecurity, eradication requires more than just “blocking the symptom”: we need to understand the exact nature of the threat and choose the right technical means to eliminate it, or risk creating new problems more serious than the initial incident.
5. Recovery
For firefighters, recovery means returning to normal once the fire has been extinguished:
- with the support of experts (forensic scientists, engineers, etc.), it must be determined whether the surrounding apartments can be inhabited again or whether temporary solutions must be found for the occupants.
- take CO (carbon monoxide) measurements, to make sure the air is healthy
- assess the damage to the building’s structure to avoid a collapse or secondary accident after the fire
- organize cleaning and restoration work (smoke extraction, pumping out used water, securing electrical installations)
- ensure that the site is safe for residents and occupants
As part of the response to a cybersecurity incident, the recovery phase aims at a safe and lasting return to normal. The disaster is over, but the danger is not: only a thorough audit can guarantee that everything can be restarted without risk. Here, we’ll be restoring systems, checking data integrity and implementing enhanced monitoring. The goal: a safe, relapse-free recovery.
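Two of the points above, preserving evidence during containment (copy and hash rather than delete) and checking data integrity during recovery, share the same building block: a reproducible file hash recorded at the moment of collection. The script below is an added example, not code from the article or from Approach Cyber; the evidence-store layout, the custody log format and the sample files are all assumptions constructed for the demonstration. It copies a suspect file into an evidence directory with its metadata intact, writes a chain-of-custody record, and later compares restored files against a known-good manifest.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large artefacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(path: Path, evidence_dir: Path, custody_log: Path, handler: str) -> dict:
    """Containment step: copy a suspect file into the evidence store and log a custody entry.
    The original is deliberately left in place; isolation of the host is a separate action,
    and deleting the file would destroy what the investigators need later."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    st = path.stat()
    digest = sha256_of(path)
    dest = evidence_dir / f"{digest[:16]}_{path.name}"
    shutil.copy2(path, dest)  # copy2 keeps the modification time, so timeline data survives
    if sha256_of(dest) != digest:  # a copy that does not hash identically is not evidence
        raise RuntimeError("evidence copy does not match source hash")
    record = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "handler": handler,          # the single incident handler who owns the collection
        "source": str(path),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "sha256": digest,
        "copy": str(dest),
    }
    with custody_log.open("a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # one JSON line per collected item (assumed format)
    return record


def verify_manifest(manifest: dict, root: Path) -> list:
    """Recovery step: compare restored files against known-good hashes taken from a trusted
    backup. Returns the relative paths that are missing or whose content has changed."""
    bad = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_of(p) != expected:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Run both steps on constructed sample files in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    host = work / "host"
    suspect = host / "tmp" / "update.sh"            # constructed: a dropped script under review
    suspect.parent.mkdir(parents=True)
    suspect.write_text("#!/bin/sh\necho constructed-sample\n")
    good_cfg = host / "etc" / "app.conf"            # constructed: a config with a trusted baseline
    good_cfg.parent.mkdir(parents=True)
    good_cfg.write_text("listen=127.0.0.1\n")

    record = preserve_evidence(suspect, work / "evidence", work / "custody.jsonl", "handler-1")

    manifest = {"etc/app.conf": sha256_of(good_cfg)}  # baseline from the trusted backup
    clean = verify_manifest(manifest, host)
    good_cfg.write_text("listen=0.0.0.0\n")            # simulate a restore that was tampered with
    tampered = verify_manifest(manifest, host)
    entries = (work / "custody.jsonl").read_text(encoding="utf-8").count("\n")
    return {
        "record": record,
        "clean": clean,
        "tampered": tampered,
        "original_kept": suspect.exists(),
        "custody_entries": entries,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that containment never removes the only copy of an artefact: the hash written at collection time is what lets an investigator show later that the analysed file is the one taken from the host, and the same hash routine turns the recovery audit into a mechanical comparison rather than a judgement call.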
6. Lessons learned
For firefighters, this approach takes several forms:
- An on-the-spot debriefing takes place after the main events, with each participant explaining his or her role, actions, vision and understanding of the situation.
- A formal RETEX (retour d’expérience, the French term for an after-action review) can be organized after a major intervention, to analyze in greater depth what went well and what could be improved.
- Certain real-life situations are reused in exercises to train teams as part of a continuous improvement approach.
In DFIR, it’s a good time to draw up a report, analyze strengths and weaknesses, and update procedures and tools.
In the event of a fire or cybersecurity incident, this feedback helps to avoid repeating the same mistakes, to share best practices, and to transform each crisis into a collective learning experience.
Conclusion
Whether it’s a fire or a cyber attack, crisis management is based on universal principles: rigorous preparation, rapid analysis, coordinated action and capitalizing on experience.
At Approach Cyber, our incident management expertise enables us to intervene methodically and efficiently, while having the capacity to mobilize international resources in the event of a major crisis. This operational agility is essential to guarantee a rapid and appropriate response, whatever the scope or severity of the incident.
But just as in the case of fire, where smoke detectors and fire extinguishers are installed in buildings, it’s essential to prepare your information systems for an attack. This means setting up a CSIRT (Computer Security Incident Response Team) service, to support you in preparation, detection, response and remediation.
By subscribing to a CSIRT service, you can be sure that, on the day the digital fire breaks out, you won’t be alone, and that the right reflexes will already be in place.
Article authors:
- Nicolas LINDT, cybersecurity consultant for Approach Cyber (Switzerland) and volunteer firefighter for the canton of Vaud (Switzerland),
- Jean-François STENUIT, Digital Forensics & Incident Response (DFIR) specialist for Approach Cyber (Belgium), GCIH-certified