{
  "docId": "019dd923-5de0-76bd-a166-0ebac6399c4f",
  "docSlug": "994e80d75408a4b6",
  "documentTitle": "INCIDENT RESPONSE INSIGHTS",
  "authorId": "misc",
  "authorName": "Booz Allen",
  "documentKindSlug": "consulting-deck",
  "documentKindLabel": "Consulting deck",
  "sourceTypeSlug": "strategy_consulting",
  "sourceTypeLabel": "Strategy consulting",
  "presentationDate": null,
  "orientation": "landscape",
  "aspectRatio": 1.778,
  "pageNumber": 8,
  "pageCount": 10,
  "prevPage": 7,
  "nextPage": 9,
  "slideType": "initiative_list",
  "function": "present_solution",
  "density": "dense",
  "nDataPoints": 0,
  "notes": "The slide is part of a series, continuing from a previous slide covering controls #1-5.",
  "elementsJson": [
    "headline_text",
    "bullet_list"
  ],
  "metadataConfidence": 1,
  "imagePath": null,
  "slideHref": "/slides/019dd923-5de0-76bd-a166-0ebac6399c4f/8",
  "deckHref": "/decks/019dd923-5de0-76bd-a166-0ebac6399c4f",
  "deckJsonHref": "/decks/019dd923-5de0-76bd-a166-0ebac6399c4f.json",
  "deckAnchorHref": "/decks/019dd923-5de0-76bd-a166-0ebac6399c4f#slide-8",
  "components": [
    {
      "bbox": null,
      "kind": "callout",
      "text": "Immutable backups are preferred as they can not be deleted or changed.",
      "attrs": null,
      "subkind": null,
      "toolName": "Visual emphasis",
      "toolSlug": "visual-emphasis",
      "confidence": null,
      "componentId": "019dd951-f389-7267-bc9f-7f0bfaef258e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.82,
        "w": 0.38,
        "x": 0.61,
        "y": 0.11
      },
      "kind": "list",
      "text": "10) Incident Response Planning and Testing\n- Have a written plan in-place covering all aspects of IT staff responsibility in the event of an incident.\n- Conduct testing and simulation of an incident with the personnel who would be involved in the response.\n- Ensure IT personnel have 24x7 contact information for decision makers. Time is critical during an active incident. The decision makers will need to have the correct information quickly to assess initial steps such as whether to disconnect systems, isolate systems or completely disconnect the company from the internet.\n- Preservation of evidence is key to a forensic investigation which may be needed to assess potential notification obligations. Make sure IT staff knows which tools are available for system preservation and are trained on them. Look at having additional storage on-hand if compromised virtual machines need to be offloaded or disk images need to be created.",
      "attrs": null,
      "subkind": "bullet",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "4692231c-fe62-42c8-b604-59e454584fd0",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.25,
        "w": 0.38,
        "x": 0.21,
        "y": 0.11
      },
      "kind": "list",
      "text": "8) Backups (cont.)\n- If backups are stored offsite, check if the storage provider retains backups copies and if there are protections in-place to prevent deletion of the backups. Immutable backups are preferred as they can not be deleted or changed. Ensure the backups cannot be deleted as a result of an email or telephone call without some type of additional verification. A verification password is not a good verification option if it is stored in the company network or email system.",
      "attrs": null,
      "subkind": "bullet",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "a6f9d618-a74f-46ab-8f9d-39f1bdb44ea8",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.52,
        "w": 0.38,
        "x": 0.21,
        "y": 0.42
      },
      "kind": "list",
      "text": "9) Know your environment/Asset List/Software list/RMM & RDP Tools\n- Have a network diagram and asset list for all systems in the corporate network. Keep both up to date as network changes are made and as new devices are added or retired.\n- Have a list of authorized software in the environment. Review the network regularly for unauthorized software and uninstall it. Remove software which is no longer used or needed. Particular attention should be paid to tools which threat actors can use to \"live off the land\". This includes RMM tools, data transfer tools and network reconnaissance tools.\n- Only use approved Remote Monitoring and Management tools (RMM). Ensure the software requires multi-factor authentication, if available. Do not allow employees to install their own RMM tools. Require employees needing remote access to only use approved methods with the necessary safeguards in-place.",
      "attrs": null,
      "subkind": "bullet",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "c7b55b5d-a9e3-429e-931f-e11e4c3776f3",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.75,
        "w": 0.17,
        "x": 0.02,
        "y": 0.18
      },
      "kind": "paragraph",
      "text": "IR Update Summary\nRead on for a summary of our Incident Response team's recent observations alongside insights from across the cybersecurity community. The information shared here is intended to provide a snapshot of current activity and is subject to change as the various threat group tactics, techniques, and procedures evolve.\nHighlights\nUnderwriting Focus Area – Top 10 Security Controls. Last month we covered the top 5 security controls for underwriting focus. This month we highlight the remaining 5 security controls to round out the top 10 controls.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "5bb56430-1a2b-4e93-ab54-b5ea645bc150",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.04,
        "w": 0.5,
        "x": 0.21,
        "y": 0.03
      },
      "kind": "title",
      "text": "Underwriting Focus Area – Top 10 Security Controls - #6 to #10 (cont.)",
      "attrs": null,
      "subkind": "headline",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "44dc0fe9-8a50-4ed8-b197-eabc141ae769",
      "frameworkName": null,
      "frameworkSlug": null
    }
  ],
  "metrics": [],
  "tools": [],
  "frameworks": [],
  "arcBeats": [
    {
      "to": 8,
      "from": 5,
      "beatId": "fd216dee-a04f-45b2-9de2-82ba6d2fc640",
      "arcName": "The Sparkline",
      "arcSlug": "sparkline",
      "beatName": "Detailed Analysis",
      "beatSlug": "sparkline-what-is-3",
      "evidence": "Ransom Demand By Threat Actors, Underwriting Focus Area – Top 10 Security Controls",
      "position": 1,
      "confidence": 0.8,
      "parentBeatName": "Complication",
      "parentBeatSlug": "complication"
    }
  ],
  "loops": [],
  "imagePathAlt": null,
  "thumbSrc": null,
  "thumbSrcAlt": null,
  "locked": true
}