Back to Control Explorer
SI.5.222
Content
Control Acronym
SI
Family
System And Information Integrity
CMMC Level
5
800-171 Control #
N/A
CMMC Description
Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
CMMC Clarification
Normal system commands and scripts used by the adversary will be allowed by normal application whitelists. The adversary uses this fact to move around despite the presence of whitelisting or other defenses. An organization may use endpoint detection and response (EDR) to record system activities and events that occur. Analyzing EDR records is one way to identify execution of a script that operates outside of normal parameters, indicating an exploit is in progress. Another way to approach this is to use User and Entity Behavior Analytics solutions to identify malicious activity. Example As part of your cyber defenses the organization has deployed EDR to laptops and desktops. Recent threat intelligence indicates an increased use of Powershell attacks. Powershell provides a shell and script language to Window’s system functions. Its versatility makes it useful for system admininstrators as well as adversaries. Adversaries no longer need to download their own utilities which could be identified by common anti-malware software. Since you know the adversary will try to move around your network you focus on identifying lateral movement. You tune your EDR software to monitor for scripts run on remote computers and interactive remote shell sessions across your organizations’s laptops and desktops. ADDITIONAL READING Symantec Living off the land and fileless attack techniques: https://www.symantec.com/content/dam/symantec/docs/security-center/whitepapers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf NIST Special Publication 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops: https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
CMMC Organizations deploy preventive measures such as anti-virus or application whitelisting to reduce the effects of malware executables on endpoints. As the use of whitelisting becomes a more pervasive defense technique attackers are leveraging trusted operating systems software, scripts, or code to perform malicious activities including lateral movement and persistence. By using these tactics, the attacker seeks to reduce the chances of being discovered. This move to “living off the land” needs to be mitigated by analyzing the use and behavior of system commands and utilities.
CIS Control References
NIST 800-53 Control Ref.
CMMC Derived
CMMC