
SI.5.222

Content

Control Acronym

SI

Family

System And Information Integrity

CMMC Level

5

800-171 Control #

N/A

CMMC Description

Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.

CMMC Clarification

Normal system commands and scripts used by the adversary will be allowed by normal application whitelists. The adversary uses this fact to move around despite the presence of whitelisting or other defenses. An organization may use endpoint detection and response (EDR) to record the system activities and events that occur. Analyzing EDR records is one way to identify execution of a script that operates outside of normal parameters, indicating an exploit is in progress. Another way to approach this is to use User and Entity Behavior Analytics solutions to identify malicious activity.

Example

As part of your cyber defenses the organization has deployed EDR to laptops and desktops. Recent threat intelligence indicates an increased use of PowerShell attacks. PowerShell provides a shell and script language for Windows system functions. Its versatility makes it useful for system administrators as well as adversaries. Adversaries no longer need to download their own utilities, which could be identified by common anti-malware software. Since you know the adversary will try to move around your network, you focus on identifying lateral movement. You tune your EDR software to monitor for scripts run on remote computers and interactive remote shell sessions across your organization's laptops and desktops.

ADDITIONAL READING

Symantec, Living off the land and fileless attack techniques: https://www.symantec.com/content/dam/symantec/docs/security-center/whitepapers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf

NIST Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops: https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final
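The EDR tuning described in the example above, written out as a minimal detection rule over constructed process-creation telemetry. This is an added illustration, not part of the CMMC control text or any vendor product; the record layout, field names and sample events are assumptions, while the use of wsmprovhost.exe as the host process for WinRM/PowerShell Remoting sessions and Windows logon type 3 for network logons are standard Windows behaviour.

```python
# Added example: flag PowerShell activity that indicates remote execution or a
# remote interactive session, the two behaviours the control text asks EDR to watch.
# Record layout and sample data are constructed for this illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    host: str          # endpoint that recorded the event
    user: str          # account the new process runs as
    parent: str        # parent process image name
    image: str         # created process image name
    command_line: str
    logon_type: int    # Windows logon type: 2 = interactive, 3 = network, 0 = system


# Host process that spawns PowerShell for incoming WinRM / PowerShell Remoting sessions.
REMOTING_HOSTS = {"wsmprovhost.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons (possibly none) an event looks like remote PowerShell use."""
    reasons = []
    is_powershell = ev.image.lower() in POWERSHELL
    if is_powershell and ev.parent.lower() in REMOTING_HOSTS:
        reasons.append("powershell spawned by remoting host (remote shell session)")
    if is_powershell and ev.logon_type == 3:
        reasons.append("powershell under a network logon (script run from remote computer)")
    return reasons


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run the rule over a batch of events; one (host, user, reason) tuple per hit."""
    return [(ev.host, ev.user, r) for ev in events for r in classify(ev)]


# Constructed sample telemetry: one local admin session (benign) and two remote ones.
SAMPLE_EVENTS = [
    ProcessEvent("LAPTOP-01", "alice", "explorer.exe", "powershell.exe",
                 "powershell.exe -File backup.ps1", 2),
    ProcessEvent("DESK-07", "svc-deploy", "wsmprovhost.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Process", 3),
    ProcessEvent("DESK-12", "bob", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", 0),
    ProcessEvent("DESK-12", "bob", "cmd.exe", "pwsh.exe", "pwsh -File collect.ps1", 3),
]

if __name__ == "__main__":
    for host, user, reason in detect(SAMPLE_EVENTS):
        print(f"{host} {user}: {reason}")
```

In practice the logon type and parent process would come from the EDR's own event fields rather than a hand-built record, and hits would be reviewed against an allowlist of known administrative remoting sources.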

800-171 Description

800-171 Discussion

N/A

Other Source Discussion

CMMC: Organizations deploy preventive measures such as anti-virus or application whitelisting to reduce the effects of malware executables on endpoints. As the use of whitelisting becomes a more pervasive defense technique, attackers are leveraging trusted operating system software, scripts, or code to perform malicious activities including lateral movement and persistence. By using these tactics, the attacker seeks to reduce the chances of being discovered. This move to "living off the land" needs to be mitigated by analyzing the use and behavior of system commands and utilities.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived

CMMC

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Sub-Criterias

Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15