IR-4(12): Malicious Code and Forensic Analysis

Control Family:

Incident Response

Parent Control:

IR-4: Incident Handling

CSF v1.1 References:

ID.SC-5
DE.AE-2
DE.AE-3
DE.AE-4
DE.AE-5
RS.AN-1
RS.AN-2
RS.AN-3
RS.AN-4
RS.CO-3
RS.CO-4
RS.IM-1
RS.IM-2
RS.MI-1
RS.MI-2
RS.RP-1
RC.CO-1
RC.CO-2
RC.CO-3
RC.IM-1
RC.IM-2
RC.RP-1

Baselines:

(Not part of any baseline)

Control is new to this version of the control set.

Control Statement

Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

Supplemental Guidance

When conducted carefully in an isolated environment, analysis of malicious code and other residual artifacts of a security incident or breach can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to future incidents.