Malicious Code Analysis
System and Information Integrity
NIST Control Text
(a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [Assignment: organization-defined tools and techniques]; and
(b) Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.
NIST Discussion
The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code.
SL5 Supplemental Guidance
The organization retains samples of detected adversarial content for analysis to understand attack mechanisms and improve detection capabilities. Analysis techniques vary based on attack type and available research, as effective analysis methods for adversarial AI content remain an active research area.
Analysis results feed continuous improvement: updating detection systems, refining thresholds, and identifying weaknesses in detection coverage. The organization tracks attack patterns and collects indicators of compromise (IOCs) from internal detections and external threat intelligence sources, distributing IOCs to detection developers, reviewers, and security operations.
The organization tracks which data was screened with which detector versions to enable re-scanning when detection capabilities improve significantly.