800-53|SC-44

Title

DETONATION CHAMBERS

Description

The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].

Supplemental

Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. While related to the concept of deception nets, the control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation (or prevent such propagation completely).

Reference Item Details

Related: SC-25, SC-26, SC-30, SC-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P0

Audit Items


Name | Plugin | Audit Name
MS.AAD.3.1v1 - Phishing-resistant MFA SHALL be enforced for all users. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.5v1 - The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.DEFENDER.1.1v1 - The standard and strict preset security policies SHALL be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.2v1 - All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.3v1 - All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.4v1 - Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.5v1 - Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.2.1v1 - User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.2.2v1 - Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.2.3v1 - Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.3.1v1 - Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.EXO.1.1v1 - Automatic forwarding to external domains SHALL be disabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.2.2v2 - An SPF policy SHALL be published for each domain that fails all non-approved senders. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.3.1v1 - DKIM SHOULD be enabled for all domains. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.4.1v1 - A DMARC policy SHALL be published for every second-level domain. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.4.2v1 - The DMARC message rejection option SHALL be p=reject. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.7.1v1 - External sender warnings SHALL be implemented. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.9.1v2 - Emails SHALL be filtered by attachment file types. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.9.3v2 - Disallowed file types SHALL be determined and enforced. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.9.4v1 - Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.9.5v1 - At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.10.1v1 - Emails SHALL be scanned for malware. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.10.2v1 - Emails identified as containing malware SHALL be quarantined or dropped. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.10.3v1 - Email scanning SHALL be capable of reviewing emails after delivery. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.11.1v1 - Impersonation protection checks SHOULD be used. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.11.2v1 - User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.11.3v1 - The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.1v2 - A spam filter SHALL be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.2v1 - Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.3v1 - Allowed domains SHALL NOT be added to inbound anti-spam protection policies. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.4v1 - If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.15.1v1 - URL comparison with a block-list SHOULD be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.15.2v1 - Direct download links SHOULD be scanned for malware. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.15.3v1 - User click tracking SHOULD be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.16.1v1 - At a minimum, the following alerts SHALL be enabled: | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.TEAMS.2.1v1 - External access for users SHALL only be enabled on a per-domain basis. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.2.2v1 - Unmanaged users SHALL NOT be enabled to initiate contact with internal users. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.2.3v1 - Internal users SHOULD NOT be enabled to initiate contact with unmanaged users. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.4.1v1 - Teams email integration SHALL be disabled. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.7.1v1 - Attachments included with Teams messages SHOULD be scanned for malware. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.7.2v1 - Users SHOULD be prevented from opening or downloading files detected as malware. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.8.1v1 - URL comparison with a blocklist SHOULD be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.8.2v1 - User click tracking SHOULD be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0