SI-3: Malicious Code Protection
From NIST's SP800-53:
a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
   1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
   2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
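The control text above describes a mechanism, not just a policy: signature-based and non-signature-based detection (a), periodic and real-time scans (c.1), a block/quarantine action plus an alert (c.2), and a path for handling false positives without losing availability (d). The following Python module is an added example written for this page, not code from NIST or from any product; it shows those parts working together in miniature. The `Scanner`, `scan_bytes`, `Verdict` and `run_demo` names, the heuristic thresholds and file-extension sets, and the sample inbox files are all constructed for the example. The one byte signature is the EICAR test string, the industry-standard harmless file used to prove that a scanner fires at an entry point.

```python
"""SI-3 in miniature: signature and non-signature scanning, quarantine instead of delete, alerting, and a false-positive allowlist. Added example, not NIST's code."""
from __future__ import annotations
import hashlib, json, math, shutil, tempfile, time
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Signature content: EICAR is the standard harmless test string; real deployments add hash and pattern feeds here.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BYTE_SIGNATURES = {"EICAR-Test-File": EICAR}
# Non-signature (heuristic) settings, constructed for this example.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".docx", ".xlsx"}
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: text is ~4-5, packed or encrypted data ~8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

@dataclass
class Verdict:
    path: str
    sha256: str
    malicious: bool = False
    signature_hit: bool = False
    reasons: list[str] = field(default_factory=list)

def scan_bytes(data: bytes, name: str) -> Verdict:
    """SI-3 a: signature-based (byte pattern) plus non-signature-based (heuristic) checks."""
    v = Verdict(path=name, sha256=hashlib.sha256(data).hexdigest())
    ext = Path(name).suffix.lower()
    for sig_name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            v.reasons.append(f"byte signature {sig_name}")
            v.signature_hit = True
    # Heuristics: an executable behind a document extension, or a packed/encrypted body in a plain file type.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXT:
        v.reasons.append(f"PE header in {ext or 'extension-less'} file")
    if len(data) >= 256 and ext not in COMPRESSED_EXT and shannon_entropy(data) > 7.5:
        v.reasons.append("high entropy in a plain file type")
    v.malicious = bool(v.reasons)
    return v

class Scanner:
    def __init__(self, quarantine_dir: Path, allowlist: set[str] = frozenset()):
        self.quarantine_dir = Path(quarantine_dir)
        self.quarantine_dir.mkdir(parents=True, exist_ok=True)
        self.allowlist = set(allowlist)  # SHA-256 of reviewed false positives (SI-3 d)
        self.alerts: list[dict] = []     # stand-in for SIEM events or paging (SI-3 c.2)

    def scan_file(self, path: Path) -> Verdict:
        """Real-time hook (SI-3 c.1): call as a file is downloaded, opened or executed."""
        path = Path(path)
        v = scan_bytes(path.read_bytes(), path.name)
        v.path = str(path)
        if v.malicious and not v.signature_hit and v.sha256 in self.allowlist:
            # Heuristic hit on a reviewed file: suppress and keep it available; signature hits get no per-file exemption.
            v.malicious = False
            v.reasons.append("suppressed: allowlisted after false-positive review")
        elif v.malicious:
            self._quarantine(path, v)
        return v

    def scan_directory(self, root: Path) -> list[Verdict]:
        """Periodic scan (SI-3 c.1) of every file under root, skipping the quarantine store."""
        files = [p for p in sorted(Path(root).rglob("*"))
                 if p.is_file() and self.quarantine_dir not in p.parents]
        return [self.scan_file(p) for p in files]

    def _quarantine(self, path: Path, v: Verdict) -> None:
        # Quarantine rather than delete (SI-3 c.2) so a false positive stays reversible (SI-3 d).
        dest = self.quarantine_dir / f"{v.sha256}.quarantined"
        shutil.move(str(path), dest)
        meta = {"original_path": v.path, "sha256": v.sha256, "reasons": v.reasons, "time": time.time()}
        dest.with_suffix(".json").write_text(json.dumps(meta))
        self.alerts.append(meta)

    def restore(self, sha256_hex: str) -> Path:
        """SI-3 d: put a confirmed false positive back and allowlist its hash."""
        q = self.quarantine_dir / f"{sha256_hex}.quarantined"
        meta = json.loads(q.with_suffix(".json").read_text())
        original = Path(meta["original_path"])
        shutil.move(str(q), original)
        q.with_suffix(".json").unlink()
        self.allowlist.add(sha256_hex)
        return original

def run_demo(base: Path | None = None) -> tuple[Scanner, Path, dict[str, Verdict]]:
    """Scan a constructed inbox: one EICAR file, one clean file, two heuristic hits."""
    base = Path(base) if base else Path(tempfile.mkdtemp())
    inbox = base / "inbox"
    inbox.mkdir(parents=True, exist_ok=True)
    (inbox / "eicar.txt").write_bytes(EICAR)
    (inbox / "notes.txt").write_bytes(b"quarterly meeting notes\n" * 20)
    (inbox / "report.txt").write_bytes(b"MZ" + b"\x00" * 300)    # PE hiding behind .txt
    (inbox / "blob.dat").write_bytes(bytes(range(256)) * 4)       # entropy exactly 8.0
    scanner = Scanner(base / "quarantine")
    results = {Path(v.path).name: v for v in scanner.scan_directory(inbox)}
    return scanner, inbox, results
```

Running `run_demo()` quarantines three of the four files and raises three alerts; `restore()` on the high-entropy blob puts it back and allowlists its hash, so the next `scan_file()` on it reports clean instead of quarantining it again. In a real deployment `scan_file` would be wired to a file-system notification interface or a mail/proxy gateway for the real-time path, the signature set would be refreshed automatically (SI-3 b, not shown), and the alert list would be a SIEM or paging integration.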
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1102.002 | Bidirectional Communication | Command and Control |
T1602.001 | SNMP (MIB Dump) | Collection |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1003.002 | Security Account Manager | Credential Access |
T1176 | Browser Extensions | Persistence |
T1559 | Inter-Process Communication | Execution |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1539 | Steal Web Session Cookie | Credential Access |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1185 | Browser Session Hijacking | Collection |
T1218.014 | MMC | Defense Evasion |
T1106 | Native API | Execution |
T1566.002 | Spearphishing Link | Initial Access |
T1561 | Disk Wipe | Impact |
T1003.001 | LSASS Memory | Credential Access |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1008 | Fallback Channels | Command and Control |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1102.003 | One-Way Communication | Command and Control |
T1560.001 | Archive via Utility | Collection |
T1030 | Data Transfer Size Limits | Exfiltration |
T1559.002 | Dynamic Data Exchange | Execution |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
T1090.001 | Internal Proxy | Command and Control |
T1218.004 | InstallUtil | Defense Evasion |
T1055.013 | Process Doppelgänging | Defense Evasion, Privilege Escalation |
T1036.003 | Rename System Utilities | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1059 | Command and Scripting Interpreter | Execution |
T1055.015 | ListPlanting | Defense Evasion, Privilege Escalation |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1572 | Protocol Tunneling | Command and Control |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1490 | Inhibit System Recovery | Impact |
T1561.002 | Disk Structure Wipe | Impact |
T1070 | Indicator Removal | Defense Evasion |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1219 | Remote Access Software | Command and Control |
T1102 | Web Service | Command and Control |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1137 | Office Application Startup | Persistence |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1132.002 | Non-Standard Encoding | Command and Control |
T1059.008 | Network Device CLI | Execution |
T1212 | Exploitation for Credential Access | Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |