10.5 Enable Anti-Exploitation Features
Implementation Groups: IG2, IG3

Control Group: 10. Malware Defenses
Asset Type: Devices
Security Function: Protect

Description

Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Memory Corruption Exploit Achieving Code Execution

Confidentiality

Attackers exploit buffer overflow, use-after-free, or heap spray vulnerabilities in applications to achieve arbitrary code execution, which anti-exploitation features like DEP, ASLR, and CFG would prevent or significantly complicate.

Fileless Malware Exploiting Disabled Exploit Mitigations

Integrity

Fileless attack techniques that operate entirely in memory exploit the absence of anti-exploitation features to inject malicious code into legitimate processes, evading traditional file-based anti-malware detection entirely.

Browser Zero-Day Exploitation Without Exploit Guard

Confidentiality

Zero-day browser exploits succeed because anti-exploitation features like Windows Defender Exploit Guard, Control Flow Guard, or sandboxing are not enabled, allowing memory manipulation techniques that these mitigations would block.

Vulnerabilities (When Safeguard Absent)

OS-Level Anti-Exploitation Features Not Enabled

Built-in operating system anti-exploitation features such as DEP, ASLR enforcement, SEHOP, and Windows Defender Exploit Guard are not enabled or are configured with exceptions that reduce their effectiveness.

Application-Level Exploit Mitigations Disabled

Application-specific exploit mitigations like Apple SIP, Gatekeeper, or browser sandboxing are disabled or weakened by configuration, removing defense-in-depth layers that would block or contain exploitation attempts.

Evidence Requirements

Type        Evidence Item                                                              Collection Frequency
Technical   Configuration screenshots or exports showing protection controls enabled   Captured quarterly
Document    Procedure documentation for protection measures                            Reviewed annually
Document    Governing policy document (current, approved, communicated)                Reviewed annually
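
Checklist step 1 (assess current protection controls) and the quarterly "configuration export" evidence item both need the host's actual mitigation state. The script below is an added example, not CIS material or any vendor tool: it queries the platform's native status command (Windows: Get-ProcessMitigation -System from the ProcessMitigations module; macOS: csrutil status and spctl --status), parses the result, and returns a timestamped evidence record. The parsers assume the text layouts shown in the comments and the constructed sample outputs; verify them against your own build before relying on the export.

```python
import platform
import re
import subprocess
from datetime import datetime, timezone

def parse_windows_mitigations(text: str) -> dict:
    """Assumed layout of `Get-ProcessMitigation -System`: 'Dep:' section lines, then indented 'Enable : ON' rows."""
    sections, current = {}, None
    for line in text.splitlines():
        if head := re.match(r"^(\w+):\s*$", line):
            current = head.group(1).lower()
            sections[current] = {}
        elif current and (row := re.match(r"^\s+(\w+)\s*:\s*(\w+)", line)):
            sections[current][row.group(1).lower()] = row.group(2).upper()
    return sections

def assess_windows(text: str) -> dict:
    """True only where the system-wide default is ON; OFF and NOTSET both count as a gap."""
    m = parse_windows_mitigations(text)
    on = lambda sec, key="enable": m.get(sec, {}).get(key) == "ON"
    return {"dep": on("dep"), "sehop": on("sehop"), "cfg": on("cfg"),
            "aslr_bottom_up": on("aslr", "bottomup"), "aslr_high_entropy": on("aslr", "highentropy")}

def assess_macos(csrutil_out: str, spctl_out: str) -> dict:
    """Assumed: `csrutil status` prints 'status: enabled|disabled'; `spctl --status` prints 'assessments enabled|disabled'."""
    sip = re.search(r"status:\s*(enabled|disabled)", csrutil_out, re.I)
    return {"sip": bool(sip and sip.group(1).lower() == "enabled"),
            "gatekeeper": bool(re.search(r"assessments\s+enabled", spctl_out, re.I))}

def run(cmd: list) -> str:
    try:  # a missing tool yields "", which every check reads as not enabled, never as a pass
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""

def collect_evidence() -> dict:
    """Timestamped record of this host's findings, suitable for the quarterly configuration export."""
    system, findings = platform.system(), {}  # platforms without a query wired up here report no findings
    if system == "Windows":
        findings = assess_windows(run(["powershell", "-NoProfile", "-Command", "Get-ProcessMitigation -System"]))
    elif system == "Darwin":
        findings = assess_macos(run(["csrutil", "status"]), run(["spctl", "--status"]))
    return {"safeguard": "CIS 10.5", "host": platform.node(), "platform": system,
            "collected": datetime.now(timezone.utc).isoformat(), "findings": findings,
            "all_enabled": bool(findings) and all(findings.values())}

# Constructed sample outputs (not captured from a real host) so the parsers can be exercised offline.
WIN_SAMPLE = "Dep:\n    Enable : ON\nAslr:\n    BottomUp : ON\n    HighEntropy : OFF\nSEHOP:\n    Enable : ON\nCFG:\n    Enable : ON\n"
MAC_SAMPLE = ("System Integrity Protection status: enabled.\n", "assessments disabled\n")
```

An empty findings dictionary or any False entry leaves all_enabled False, so a host where the query tool is absent is reported as a gap rather than silently passing.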

Related Policy Templates