NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-26(1) — Detection of Malicious Code
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Use decoy components specifically designed to detect malicious code — malware that interacts with the decoy reveals itself.
Example 1: Deploy canary files in directories commonly targeted by ransomware. Create hidden files named with patterns ransomware typically targets (like budget.xlsx). Monitor these files — if they are encrypted or modified, you have an immediate ransomware indicator.
Example 2: Set up a deception platform (like Attivo or Illusive Networks) that deploys fake credentials, fake network shares, and fake services throughout your environment. Malware that harvests credentials or scans for open shares interacts with the decoys and triggers an alert.
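As an added example for Example 1 (not part of this control page or of any product named above), a minimal Python canary-file monitor: it baselines the decoys by SHA-256, alerts when one changes or disappears, and uses byte entropy to separate an encrypted overwrite from an ordinary edit. The decoy names and contents are constructed, and the demo mimics a ransomware pass in a temporary directory by overwriting one decoy with random bytes and renaming another.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
CANARY_NAMES = ["budget.xlsx", "passwords.docx", "Q3_forecast.pdf"]  # decoy names, constructed
ENTROPY_THRESHOLD = 7.0  # bits per byte; documents sit well below, ciphertext is near 8

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_canaries(directory: Path) -> dict:
    """Write decoys with plausible, low-entropy content; return {name: sha256} baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        path = directory / name
        path.write_bytes(f"Decoy {name}: internal draft, do not distribute.\n".encode() * 50)
        baseline[name] = sha256_file(path)
    return baseline

def check_canaries(directory: Path, baseline: dict) -> list:
    """One alert per canary that vanished or changed; high entropy marks likely encryption."""
    alerts = []
    for name, digest in baseline.items():
        path = directory / name
        if not path.exists():
            alerts.append(f"{name}: MISSING (deleted or renamed)")
        elif sha256_file(path) != digest:
            entropy = shannon_entropy(path.read_bytes())
            verdict = "likely encrypted" if entropy > ENTROPY_THRESHOLD else "modified"
            alerts.append(f"{name}: CHANGED ({verdict}, entropy={entropy:.2f})")
    return alerts

def run_detection_demo() -> list:
    """Plant canaries, confirm a clean check, then mimic a ransomware pass in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant_canaries(d)
        assert check_canaries(d, baseline) == []  # untouched decoys raise no alert
        (d / "budget.xlsx").write_bytes(os.urandom(4096))  # content replaced by ciphertext-like bytes
        (d / "passwords.docx").rename(d / "passwords.docx.locked")  # extension appended
        return check_canaries(d, baseline)
```

In production the baseline would be stored off-host and the check scheduled or driven by a file-system watcher, with the canary paths excluded from backup and indexing jobs so that legitimate tooling does not trip the alert.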