NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-3(10) Malicious Code Analysis

Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: {{ insert: param, si-03.10_odp }}; and incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code.

Practitioner Notes

Analyze malicious code in detail to understand what it does, how it works, and what indicators of compromise it leaves behind.

Example 1: When your antivirus quarantines a suspicious file, submit it to VirusTotal for multi-engine analysis and behavioral analysis. Review the report for network indicators (C2 domains, IP addresses) and file indicators (hashes, mutexes) that you can add to your SIEM detection rules.

Example 2: Set up a malware analysis sandbox (Cuckoo Sandbox, ANY.RUN) on an isolated network. Detonate suspicious files in the sandbox and analyze their behavior — what files they create, what registry keys they modify, what network connections they make. Use findings to improve your defenses.
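The last step of both examples, turning a sandbox or multi-engine report into SIEM detections, as an added worked illustration that is not part of the control text or of any real sandbox's output. The report layout, the allowlist of sandbox noise and the telemetry events are all constructed for the example; the field names are an assumption, not the Cuckoo or ANY.RUN schema.

```python
import ipaddress
import json

# Constructed sandbox behaviour report; field names are an assumption shaped
# loosely on sandbox JSON output, not a real Cuckoo or ANY.RUN schema.
SAMPLE_REPORT = json.dumps({
    "target": {"sha256": "a" * 64},
    "behavior": {"registry_set": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
                 "mutexes": ["Global\\ExampleMutex123"]},
    "network": {"dns": [{"query": "c2.example.invalid", "answer": "203.0.113.10"}],
                "hosts": ["203.0.113.10", "8.8.8.8", "127.0.0.1"]},
})
BENIGN_HOSTS = {"8.8.8.8"}  # sandbox noise (resolvers, update servers) that must not become rules

def extract_indicators(report_json, benign_hosts=BENIGN_HOSTS):
    # Reduce a report to normalised, de-duplicated indicator sets, dropping
    # loopback/link-local/multicast addresses and allowlisted sandbox noise.
    r = json.loads(report_json)
    beh, net = r.get("behavior", {}), r.get("network", {})
    ips = set()
    for h in net.get("hosts", []) + [d["answer"] for d in net.get("dns", [])]:
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:
            continue  # not an address at all: skip it
        if not (ip.is_loopback or ip.is_link_local or ip.is_multicast) and h not in benign_hosts:
            ips.add(h)
    return {"hashes": {r["target"]["sha256"].lower()},
            "domains": {d["query"].lower() for d in net.get("dns", [])},
            "ips": ips,
            "registry_keys": {k.lower() for k in beh.get("registry_set", [])},
            "mutexes": {m.lower() for m in beh.get("mutexes", [])}}

# Which telemetry event field is compared against which indicator set.
EVENT_FIELDS = {"dns": ("query", "domains"), "netconn": ("dst_ip", "ips"), "file": ("sha256", "hashes"),
                "registry": ("key", "registry_keys"), "mutex": ("name", "mutexes")}

def match_events(indicators, events):
    # Return (host, indicator_kind, value) for each event that matches an indicator.
    hits = []
    for ev in events:
        field, kind = EVENT_FIELDS.get(ev.get("type"), (None, None))
        if field and str(ev.get(field, "")).lower() in indicators[kind]:
            hits.append((ev["host"], kind, ev[field]))
    return hits

# Constructed endpoint and DNS telemetry, as a SIEM might hold it.
SAMPLE_EVENTS = [{"type": "dns", "host": "ws01", "query": "C2.example.invalid"},
                 {"type": "dns", "host": "ws02", "query": "www.example.com"},
                 {"type": "registry", "host": "ws03", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
                 {"type": "netconn", "host": "ws04", "dst_ip": "8.8.8.8"}]
```

Running `match_events(extract_indicators(SAMPLE_REPORT), SAMPLE_EVENTS)` flags ws01 (C2 domain) and ws03 (Run-key persistence) while the allowlisted resolver traffic from ws04 stays quiet, which is the filtering step that keeps sandbox noise out of the detection rules.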