CMMC Practice SI.5.222

Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.


CMMC Version 1.02, pg. 293

Bold Coast Security Guidance

Endpoint detection and response (EDR) is the latest "buzz" in cybersecurity. Malicious actors have started to move away from pre-packaged malware and toward running scripts through preloaded software, such as Windows PowerShell, which is already whitelisted. EDR software is an advanced mechanism that looks for peculiar actions rather than specific applications. This can be very important for detecting an advanced persistent threat that is attempting to move laterally through a network using existing resources. EDR software is a relatively new technology, and deployment costs may be higher than those of current malware protections. The decision to deploy the EDR software will be documented in the policy, and the specific brand, costs, notification settings, and person responsible should be outlined in the plan. Be sure to include the EDR during scheduled penetration tests to evaluate its effectiveness.

Discussion From Source

CMMC: Organizations deploy preventive measures such as anti-virus or application whitelisting to reduce the effects of malware executables on endpoints. As the use of whitelisting becomes a more pervasive defense technique, attackers are leveraging trusted operating systems software, scripts, or code to perform malicious activities including lateral movement and persistence. By using these tactics, the attacker seeks to reduce the chances of being discovered. This move to “living off the land” needs to be mitigated by analyzing the use and behavior of system commands and utilities.
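
The behavior analysis described above can be illustrated with a small scoring pass over process-creation events. This is an added example, not part of the CMMC text or any EDR product. The sample events, rule weights, and alert threshold are assumptions constructed for illustration.

```python
import re

# Constructed process-creation events (shape loosely modelled on Sysmon
# Event ID 1 / Windows Event ID 4688); every value is invented.
SAMPLE_EVENTS = [
    {"host": "ws-014", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"host": "ws-022", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64>"},
    {"host": "ws-031", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws-040", "parent": "outlook.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (rule name, weight, predicate). The tools are all trusted binaries, so the
# rules look at how they are used, not at which executable is running.
RULES = [
    ("script host spawned by document application", 3,
     lambda e: e["image"] in SCRIPT_HOSTS and e["parent"] in DOCUMENT_PARENTS),
    ("encoded PowerShell command", 2,
     lambda e: e["image"] == "powershell.exe"
     and re.search(r"\s-e(c|nc\w*)?\s", e["cmdline"], re.I)),
    ("hidden window", 1,
     lambda e: re.search(r"\s-w\w*\s+hidden", e["cmdline"], re.I)),
]

def score_event(event):
    """Return (score, [matched rule names]) for one process-creation event."""
    e = {k: v.lower() if k in ("parent", "image") else v for k, v in event.items()}
    hits = [(name, weight) for name, weight, pred in RULES if pred(e)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def triage(events, threshold=3):
    """Return alerts, highest score first, for events at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The routine backup script and the service host score zero, while the two script hosts launched from document applications are raised for review, which is the distinction a whitelist alone cannot make.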