IRO-15: Detonation Chambers (Sandboxes)
Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.
Control Question: Does the organization utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments?
General (10)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 9 9.6 9.7 |
| CIS CSC 8.1 IG3 | 9.7 |
| IEC 62443-4-2 2019 | NDR 3.2 (15.6.1) |
| MITRE ATT&CK 10 | T1137, T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006, T1203, T1204, T1204.001, T1204.002, T1204.003, T1221, T1564.009, T1566, T1566.001, T1566.002, T1566.003, T1598, T1598.001, T1598.002, T1598.003 |
| MPA Content Security Program 5.1 | TS-1.0 TS-1.8 |
| NIST 800-53 R4 | SC-44 |
| NIST 800-53 R5 (source) | SC-44 |
| NIST 800-53 R5 (NOC) (source) | SC-44 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-15 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-15 |
US (3)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | EC:SG1.SP2 |
| US DHS CISA TIC 3.0 | 3.PEP.FI.DCHAM 3.PEP.EM.PDPRO 3.PEP.EM.MFPRO |
| US HIPAA HICP Large Practice | 6.L.D |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA UK Cyber Essentials | 4 |
| EMEA UK DEFSTAN 05-138 | 2411 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0651 ISM-0652 ISM-1389 |
| APAC New Zealand NZISM 3.6 | 15.2.21.C.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to utilize a detonation chamber capability to detect and/ or block potentially-malicious files and email attachments.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to utilize a detonation chamber capability to detect and/ or block potentially-malicious files and email attachments.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Physical controls, administrative processes and technologies exist to use a detonation chamber capability for incident response operations.
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
- Physical controls, administrative processes and technologies exist to use a detonation chamber capability for incident response operations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize a detonation chamber capability to detect and/ or block potentially-malicious files and email attachments.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize a detonation chamber capability to detect and/ or block potentially-malicious files and email attachments.
Assessment Objectives
- IRO-15_A01 the system, system component or location where a detonation chamber capability is to be employed is defined.
- IRO-15_A02 a detonation chamber capability is employed within the organization-defined system, system component or location.