As part of building out a new Digital Forensics and Incident Response (DFIR) consulting practice we needed to think about the types of engagements and service products that we would take to the market and why. One of these is an Incident Response (IR) retainer service, what they are, what they mean to a customer, what they mean to a provider and what they are not.
 
Some people might have told you that an IR retainer is a bit like an insurance policy, I do not really like that analogy as it seems to elude that having an IR retainer in place will in some indemnify you of the incident, which it does not. An IR retainer will not protect you from a cyber incident, but it will assist you to manage resourcing uncertainty when a cyber incident occurs.
 
The best way for me to explain the value of an IR retainer is to take you through a situation I am intimately familiar with. 
 
It’s Friday afternoon, around 3:30pm, maybe later depending on what plans you have for that night, when the “bat” phone rings…

Hi, we really need your help, we’ve discovered a breach of our customer data and we think it’s still going on, but we’re not sure, can you start immediately?

For those not familiar with the commercials surrounding setting up a consulting engagement, the following needs to take place before we can begin work, both ethically and legally, to ensure that both the customer and provider are protected by any corresponding laws.

1. A scope of work needs to be drafted up including an estimate of what type of work needs to be undertaken and an approximation of the timeframe it will be completed in.
2. A statement of work, or service agreement is drawn up with the terms and conditions.
3. That service agreement then needs to be approved by the provider and set to the customer.
4. The customer then needs to review the agreement and sign and return it. 

Sounds simple right, just sign the paper and return it? Not so simple, especially for big companies where all forms of agreements must be reviewed by a legal team, in their time, then signed off by the appropriate authority within the company, or worse, the very systems you would normally use to transmit and approve legal arrangements are done. In the past I have seen this take months to happen for regular engagements, and sometime days to weeks for incident response engagements. This is not what you want to be going through when you are in the midst of a crisis.
 
Also, imagine a widespread incident like the recent HAFNIUM vulnerabilities and resultant exploits and breaches. If you call your provider, chances are they are already busy with other customers and may not have the capacity to help you at the time. In companies I’ve worked for we have had a 3-month waitlist for consulting availability.
 
This is why companies buy, want and need a retainer for incident response services.
 
What an IR retainer does give you:

1. An agreement already in place with a provider, service terms agreed upon well before you need to engage them. No hassle of having to look through legal terms when all you want is help.
2. SLAs in place so that you know the timeframes you can expect to have people standing by and ready to jump in.
3. Usually your provider will want to come in and do an initial review of your environment to list out the tools, logs and systems to understand what is in place and where, and help you decide at what point you would be making the call to bring help in.
4. Prepaid hours so that you can get started immediately once a scope of work has been agreed upon.
5. Prepaid hours that can be used for other consulting services should you not require the hours for any incidents.

Having an IR retainer in place won’t fix all your problems, but it certainly helps to get things moving quickly at a time when things HAVE to move quickly to contain the damage.

ParaFlare have launched their IR retainer as both a standalone service as well as an add on to the managed detection and response offering. Reach out to us if you’d like to learn a little bit more.