True resilience demands not only the ability to respond quickly to security incidents but the scope to prepare for them before they take place. Alexia Konstantinidi and Dominic Helfer help organizations achieve this critical balance every day as part of Kroll’s EMEA Digital Forensics and Incident Response (DFIR) team within Kroll’s Cyber and Data Resilience business.
Alexia explains: “This role isn’t just reactive. Alongside a variety of incident response engagements, such as ransomware, business email compromise and insider threats, I work a great deal on the proactive side. A lot of that involves training executive and technical teams by simulating real-world attack scenarios through tabletop exercises and cyber range activities. Another proactive element is developing preparedness documentation such as incident response plans and recovery strategies.”
While the team is helping organizations prepare for when the worst happens, much of Dominic’s day-to-day is about identifying the critical details behind a cyberattack. He comments:
“My work is highly focused around digital forensics, covering both incident response-focused cases, like determining what the threat actor did within an enterprise environment, and more traditional forensic investigations, such as investigating insider threats or supporting litigation. Another aspect of my work is the analysis of Software as a Service and cloud environments like Microsoft 365, Google Workspace and others.”
The Freedom to Specialize
Every day is dedicated to investigating incidents and enabling a better response to them, but according to Alexia, there’s plenty of scope to explore specialist areas:
“Members of my team are interdisciplinary and encouraged to focus on various specializations. The range of engagements we deliver means we are exposed to all sorts of threats and industries. I’ve had opportunities to collaborate with Kroll’s Operational Technology (OT) practice to develop incident response capabilities for OT and industrial control systems environments. I’ve also been researching how threat actors are leveraging artificial intelligence in fraud and cyberattacks.”
With so many areas to get involved in, many of them cutting-edge, Alexia and Dominic are actively enhancing their professional track record. Both have more than half a decade of experience in DFIR, with Alexia’s previous roles including DFIR consultant with IBM X-Force and Dominic having held incident response consultant roles for leading IT security companies in Germany.
Business-Wide Expertise
Alongside extensive practical experience and a highly collaborative team, another element is critical to the job: specialist expertise within other Kroll service lines.
“I'm currently working with the Kroll Investigations, Diligence and Compliance (IDC) practice on an interesting case,” Dominic says. “We combine our expertise in the technical investigation of devices with theirs in general investigations into companies. Alongside a case with the French IDC team around the extraction of data, I have also started working on a new case with IDC, the Kroll Advisory team and Kroll Transaction Advisory Services. We are working together to assess how effectively an institution in the financial services sector has improved its operations after an incident.”
For Alexia, this culture of partnership across teams is one of the best things about working at Kroll:
“I collaborate closely with the Kroll Cyber Threat Intelligence team, bringing that in-depth insight across our work to inform both reactive and proactive engagements. This ability to link closely with other Kroll teams gives us a clearer picture of an organization and its needs. It works the other way around, too. Other teams across Kroll have brought in our team to perform digital forensics for areas that are not directly cyber-related, such as mobile forensics or other technology, like drones, which is very interesting.”
People First
The rewards of working in DFIR are people-centered as well as technical, as Alexia sums up:
“What some people might not expect is how client-facing this role can be. While we are technical experts, we also get the opportunity to build client relationships. The job doesn’t limit us to being a person behind a keyboard. Most engagements have the need to engage directly with our clients—in person or remotely—and that really helps build the relationship. It’s great to see clients repeatedly coming back to us for other types of support.”
For Dominic, the best part of his job is applying technical insight to make life easier for clients:
“The biggest reward for me is transforming chaotic data and evidence into clear, actionable answers for our customers. That ‘gotcha!’ moment, when finding information that was intended to stay hidden, is very rewarding. I really enjoy being able to support our clients in crisis situations, especially in incident response cases, like ransomware, where the infrastructure is down and they are extorted to pay a lot of money in order to get their data decrypted. Those cases are very demanding, but getting the thank you from the client is really rewarding and keeps me highly motivated.”
The Changing Face of DFIR
Seeing the impact of security incidents every day means Dominic and Alexia recognize the complex challenges many organizations now face. In their view, the need for companies to take preemptive action is more urgent than ever.
“Cyber risk has become a bigger priority for organizations,” Alexia says. “While there is a lot of change, what remains the same is that many threat actor groups are agnostic, in that they don’t care who their victim is. I think we’re going to see more attacks on large-scale companies because threat actors are aiming for higher returns and greater leverage when it comes to their ransom demands. This is why businesses—irrespective of size—should be taking steps now to secure themselves.”
Dominic adds: “I think a key element is to continually look at enhancing technical approaches—for example, streamlining how information about an incident is collected. I think Kroll is already doing that in a great way, especially through our partnership with CrowdStrike, alongside all the internal tools we have developed. One of the reasons I wanted to join Kroll was because of the integrated tool stack we have here. I think that even more streamlining of information collection and getting knowledge of the collected data over to our clients to build their detection system will become even more important in the future.”
