Level 5 CMMC - CMMC Practices

SI.5.222

Reference: CMMC 1.02

Family: SI

Level Introduced: 5

Practice:
Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.

CMMC Clarification:
Normal system commands and scripts used by the adversary will be allowed by normal application whitelists. The adversary uses this fact to move around despite the presence of whitelisting or other defenses. An organization may use endpoint detection and response (EDR) to record system activities and events that occur. Analyzing EDR records is one way to identify execution of a script that operates outside of normal parameters (for example, run by an account, from a host, or against a target that the organization would not expect), indicating an attack may be in progress. Another way to approach this is to use User and Entity Behavior Analytics (UEBA) solutions to identify malicious activity.

Example
As part of its cyber defenses the organization has deployed EDR to laptops and desktops. Recent threat intelligence indicates an increased use of PowerShell attacks. PowerShell provides a shell and scripting language over Windows system functions. Its versatility makes it useful for system administrators as well as adversaries. Adversaries no longer need to download their own utilities, which could be identified by common anti-malware software. Since you know the adversary will try to move around your network, you focus on identifying lateral movement. You tune your EDR software to monitor for scripts run on remote computers and interactive remote shell sessions across your organization's laptops and desktops.
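The clarification and the example above both describe the same analytic: the remoting commands are allowed, so the detection has to come from the context in which they run. The following Python script is an added illustration written for this page, not CMMC text or any vendor's EDR logic. It applies three checks to Windows event records of the kind an EDR or SIEM collects: a script block (Microsoft-Windows-PowerShell/Operational event 4104) that invokes Invoke-Command, Enter-PSSession or New-PSSession on the initiating host; a PowerShell engine start (Windows PowerShell log event 400) whose HostName is ServerRemoteHost, which is what a remoting session looks like on the target; and a process (Security event 4688) whose parent is wsmprovhost.exe, the host process for inbound remoting. Each hit is then compared against a baseline of which accounts are expected to remote from which hosts, so routine administration is reported as expected and everything else as anomalous. The sample events, the host and account names, and the EXPECTED_REMOTING baseline are all constructed for the example; the checks assume script block logging and command-line/parent-process auditing are enabled on the endpoints.

```python
"""Flag PowerShell remoting that falls outside an expected-use baseline.

Added example for the CMMC SI.5.222 discussion; the events below are constructed,
not real telemetry, and the baseline is an assumption for illustration.
"""
import re
from dataclasses import dataclass

# Cmdlets that start a remote session or run a script block on another computer.
REMOTING_CMDLET = re.compile(r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b", re.IGNORECASE)
# Target named on the command line; absent when an existing -Session object is reused.
TARGET_PARAM = re.compile(r"-ComputerName\s+([^\s,;|)]+)", re.IGNORECASE)

# Assumed baseline: accounts allowed to initiate remoting and the hosts they do it from.
EXPECTED_REMOTING = {"CORP\\jsmith.adm": {"WS-ADMIN01"}}

# Constructed sample records (field names simplified from the Windows event schema).
SAMPLE_EVENTS = [
    {"host": "WS-ADMIN01", "user": "CORP\\jsmith.adm", "event_id": 4104,
     "script_block": "Invoke-Command -ComputerName FS01 -ScriptBlock { Get-Service Spooler }"},
    {"host": "WS-FIN07", "user": "CORP\\bclark", "event_id": 4104,
     "script_block": "Enter-PSSession -ComputerName DC01 -Credential $cred"},
    {"host": "WS-FIN07", "user": "CORP\\bclark", "event_id": 4104,
     "script_block": "Get-ChildItem C:\\Users\\bclark\\Documents"},
    {"host": "DC01", "user": "CORP\\bclark", "event_id": 400, "host_name": "ServerRemoteHost"},
    {"host": "FS01", "user": "CORP\\jsmith.adm", "event_id": 400, "host_name": "ServerRemoteHost"},
    {"host": "WS-FIN07", "user": "CORP\\bclark", "event_id": 400, "host_name": "ConsoleHost"},
    {"host": "DC01", "user": "CORP\\bclark", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\whoami.exe",
     "parent_process": "C:\\Windows\\System32\\wsmprovhost.exe"},
]


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    detail: str
    expected: bool


def remote_invocation_target(script_block):
    """Return the remote target named in a script block, '?' when a remoting cmdlet
    is used without -ComputerName (e.g. via -Session), or None if there is no remoting."""
    if not REMOTING_CMDLET.search(script_block):
        return None
    m = TARGET_PARAM.search(script_block)
    return m.group(1).strip("'\"") if m else "?"


def classify(ev, baseline):
    """Map one event to a Finding, or None if it carries no remoting indicator."""
    user, host, eid = ev["user"], ev["host"], ev["event_id"]
    if eid == 4104:
        target = remote_invocation_target(ev["script_block"])
        if target is None:
            return None
        # Initiator side: both the account and the source host can be checked.
        return Finding(host, user, "remoting-initiated", f"target={target}",
                       host in baseline.get(user, set()))
    if eid == 400 and ev.get("host_name") == "ServerRemoteHost":
        # Target side: the engine was started for a remote client. The record does
        # not name the source host, so only the account is checked against baseline.
        return Finding(host, user, "remote-session-accepted", "HostName=ServerRemoteHost",
                       user in baseline)
    if eid == 4688 and ev.get("parent_process", "").lower().endswith("\\wsmprovhost.exe"):
        # A process spawned inside an inbound remoting session.
        return Finding(host, user, "remote-spawned-process", ev["new_process"], user in baseline)
    return None


def analyze(events, baseline):
    """Run every event through classify() and keep the hits."""
    return [f for f in (classify(ev, baseline) for ev in events) if f is not None]


def anomalous(findings):
    """Findings that fall outside the expected-remoting baseline."""
    return [f for f in findings if not f.expected]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, EXPECTED_REMOTING):
        label = "expected " if f.expected else "ANOMALOUS"
        print(f"{label} {f.technique:<24} host={f.host:<10} user={f.user:<16} {f.detail}")
```

On the constructed input the script reports the administrator's Invoke-Command from the management workstation and the matching session on FS01 as expected, and flags the finance user's Enter-PSSession to DC01, the remote engine start on DC01, and the whoami.exe spawned under wsmprovhost.exe as anomalous. The baseline is the part that carries the security value: without it every finding is a whitelisted command, which is exactly why the practice calls for analysing behaviour rather than blocking the tool.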

Additional Reading
Symantec, Living off the land and fileless attack techniques: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
NIST Special Publication 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops: https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final

Organizations deploy preventive measures such as anti-virus or application whitelisting to reduce the effects of malware executables on endpoints. As whitelisting becomes a more pervasive defense technique, attackers are leveraging trusted operating system software, scripts, or code to perform malicious activities including lateral movement and persistence. By using these tactics, the attacker seeks to reduce the chances of being discovered. This move to "living off the land" needs to be mitigated by analyzing the use and behavior of system commands and utilities, since the commands themselves will pass any allowlist.

Source: CMMC v1.02