Incident Response Retainer Services for Enterprises

It is possible to decrypt files after a ransomware attack in rare cases only. Usually, if there are no backups it is impossible to recover the data.

We need a signed 3-way NDA (non-disclosure agreement between you, us and the partner) and issued PO (purchase order) or service engagement letter.

Pricing is based on included hours and the specialists required for the engagement, with defined terms for additional time. Retainer structures may also allow unused hours to be applied to approved proactive cybersecurity services.

We expect our clients to perform following actions:

• Deployment of Group-IB Managed XDR appliance (if agreed to deploy)
• Brief our IR team about the discovered incident and your infrastructure details
• Provide our IR team with necessary access to security controls
• IT infrastructure manipulation
• Apply recommendations from our final report

• Your information security team may not have all the capabilities required. If your company has been affected by an incident, it means that your own team was unable to detect and prevent the incident in time because it lacks certain necessary skills and experience to quickly and effectively tackle modern threats.
• Your team may not have had experience with complicated attacks. Countering attacks and identifying traces of compromise requires experience gained by responding to incidents daily and knowledge of the most recent tactics, techniques and procedures used by hackers. Most in-house teams have not had the opportunity to gain the skills and experience needed.
• You are at risk of further incidents. When the active phase of an attack starts, it means that the hackers have been inside the infrastructure anywhere from three days to three months. In that time they could have not only stolen confidential data but also created additional points of entry into your infrastructure. Retracing all their steps and preventing them from attacking you again requires professional incident response teams, solid skills, and extensive experience in digital forensics.

• If your team has come across an incident, you may need additional resources to quickly counter the attack and identify traces of compromise. When an incident occurs, your team is likely to have their hands full in ensuring business continuity rather than identification of the root causality of an incident.
• It is likely that you may not have the capabilities to identify and monitor every possible threat and that it will be difficult to trace the hackers back to the initial compromised resource without help from digital forensics specialists who perform these actions daily and track the evolution of threat actors.
• An in-house team does not always have the necessary incident response skills and experience to quickly and effectively tackle modern threats. Countering attacks and identifying traces of compromise requires extensive experience in incident response and knowledge about the most recent tactics, techniques and procedures used by attackers. It also requires the vast diversified information that has been collated with years of experience.
• Effective incident response requires advanced skills in digital forensics and in analyzing malicious code along with not just being able to detect the compromises but to attribute them to the correct threat actors and their techniques.

• Group-IB was named a representative vendor in Gartner’s 2024 Market Guide for Digital Forensics and Incident Response Retainer Services
• Group-IB is included among 36 major cybersecurity companies by Forrester in the report “Now Tech: Global Cybersecurity Consulting Providers, Q3 2021″
• Group-IB has been named the largest and most experienced IRR provider by Aite-Novarica Group Incident Response Retainer Services, 2022

Our Incident Response team leverages an in-house solution – Group-IB Managed XDR, which enables advanced protection, rapid collection of forensic data and containment of compromised hosts, as well as 24/7 monitoring and notification supported by CERT-GIB.

We install EDR agents and for two weeks after responding to the incident, the CERT-GIB team will monitor the infrastructure so your IT team has time to implement our recommendations.

While the incident is going, you will be supported by our account manager. Depending on the type of incident, we will allocate not only incident responder, but digital forensics specialist, malware analyst and a cyber threat intelligence specialist.

On average, there are 2 DFIR specialists allocated for each incident. Depends on a complexity of the incident could be up to 5 specialists.

You can activate a response instantly through your pre-approved escalation channel. We move the legal and procurement steps to the beginning of our partnership so that during a real attack, our only focus is on minimizing your downtime.

Response time targets are defined in the retainer terms and depend on factors such as region, time zone, and whether on-site support is required. The onboarding phase confirms the activation process, so your team is not improvising under pressure.

If you aren’t dealing with an active threat, you can use those hours to improve your readiness with cybersecurity services like simulated attack drills, security assessments, and staff training.