Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In Ocean’s Eleven (2001), the casino isn’t protected by a single impenetrable vault. Instead, it relies on layers of controls—motion sensors, pressure floors, timed locks, and human oversight. The brilliance of the heist is that it only succeeds when multiple safeguards are bypassed at once. If even one layer holds, the plan fails.
That layered-defense mindset is exactly what CIS Safeguard 10.5: Enable Anti-Exploitation Features is designed to enforce.
What Is CIS Safeguard 10.5?
CIS Safeguard 10.5: Enable Anti-Exploitation Features is part of CIS Critical Security Control 10 – Malware Defenses.
The safeguard requires organizations to:
- Enable built-in anti-exploitation protections in operating systems and applications
- Ensure these protections are configured and enforced, not merely available
- Use exploitation mitigations to disrupt attacker techniques, even when vulnerabilities exist
The intent is clear:
You don’t need to prevent every vulnerability—you need to prevent exploitation from succeeding.
What Are Anti-Exploitation Features?
Anti-exploitation features are defensive mechanisms built into modern operating systems that make common exploitation techniques unreliable or fail outright.
Examples include:
- ASR (Attack Surface Reduction) rules
- DEP (Data Execution Prevention)
- ASLR (Address Space Layout Randomization)
- Control Flow Guard (CFG)
- Heap and stack protections
- Exploit protection frameworks
These controls don’t depend on malware signatures. They disrupt how exploits work.
Why Exploitation Is Still the Critical Moment
Most modern attacks follow a familiar pattern:
- A vulnerability exists
- A user opens a file or visits a page
- Exploit code attempts to gain execution
- Malware establishes persistence
Anti-exploitation features target step 3—the most fragile part of the attack chain.
If exploitation fails:
- The payload never runs
- No persistence is established
- Incident response is never needed
In Ocean’s Eleven, the heist doesn’t fail because the crew lacks skill—it fails when a control behaves unexpectedly. Exploit mitigations create that same unpredictability for attackers.
Threats CIS Safeguard 10.5 Directly Mitigates
Zero-Day Exploits
Anti-exploitation features are especially effective against zero-days because:
- They don’t rely on prior knowledge
- They block entire classes of exploit behavior
- They force attackers to chain additional techniques
Even when a vulnerability is unknown, exploitation may still fail.
Memory Corruption Attacks
Many exploits depend on:
- Buffer overflows
- Return-oriented programming (ROP)
- Shellcode injection
Mitigations like DEP, ASLR, and CFG directly interfere with these techniques—often causing crashes instead of compromises.
File-Based and Browser Exploits
Malicious documents, PDFs, and browser exploits often rely on predictable memory layouts and execution paths. Anti-exploitation features break those assumptions.
The result isn’t always silent blocking—sometimes it’s a failed process. And that’s a win.
Why “Enable” Is the Operative Word
Most modern operating systems ship with anti-exploitation capabilities available but not fully enforced.
CIS Safeguard 10.5 exists because:
- Defaults vary by version and vendor
- Some protections are disabled for compatibility
- Others require explicit configuration or policy enforcement
A control that exists but isn’t enabled provides false confidence.
In Ocean’s Eleven, a security system that’s installed but switched off is worse than useless—it creates complacency. The same is true here.
Anti-Exploitation Is Not Endpoint Detection
Safeguard 10.5 is preventive, not reactive.
Unlike traditional endpoint detection:
- No alert is required
- No analyst action is needed
- No signature update is involved
The exploit simply doesn’t work.
This makes anti-exploitation features one of the highest-value, lowest-noise controls in Control 10.
How Safeguard 10.5 Fits Into Control 10
CIS Control 10 layers defenses intentionally:
- 10.1–10.3: Detect and block known malware
- 10.4: Prevent malware from entering via removable media
- 10.5: Break exploitation—even when malware is new or unknown
Without anti-exploitation features, malware defenses rely too heavily on detection after the fact.
Practical Implementation Tips
To operationalize CIS Safeguard 10.5:
- Audit What’s Already Available
Many protections exist but aren’t enforced consistently.
- Start With High-Risk Applications
Browsers, document readers, and email clients benefit the most.
- Use Policy-Based Enforcement
Centralized configuration prevents drift and exceptions.
- Expect Some Noise Early
Compatibility issues may surface—but they reveal real risk.
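The audit-first, enforce-by-policy sequence above, as an added PowerShell example that is not from the original article or from CIS. It assumes an elevated session on Windows 10/11 with Microsoft Defender; the two ASR rule GUIDs are Microsoft's published rule IDs and should be checked against the current ASR rule reference before deployment.

```powershell
# Added example: audit the exploit-protection baseline behind CIS 10.5 on one Windows host,
# and enforce it only when -Enforce is passed. Assumes elevated PowerShell 5.1+ with Defender.
param([switch]$Enforce)

# System-wide mitigations to require. Keys are valid Set-ProcessMitigation -Enable names;
# values are property paths on the object returned by Get-ProcessMitigation -System.
# ForceRelocateImages (mandatory ASLR) is the one most likely to surface compatibility noise.
$RequiredMitigations = [ordered]@{
    'DEP'                 = 'Dep.Enable'
    'SEHOP'               = 'Sehop.Enable'
    'CFG'                 = 'Cfg.Enable'
    'BottomUp'            = 'Aslr.BottomUp'
    'HighEntropy'         = 'Aslr.HighEntropy'
    'ForceRelocateImages' = 'Aslr.ForceRelocateImages'
}

# ASR rules to require in Block mode (GUIDs from Microsoft's published ASR rule list; verify).
$RequiredAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}

# --- Audit: system-wide exploit protection -------------------------------------------
$system = Get-ProcessMitigation -System
$missingMitigations = @(foreach ($name in $RequiredMitigations.Keys) {
    $value = $system
    foreach ($segment in $RequiredMitigations[$name].Split('.')) { $value = $value.$segment }
    # Get-ProcessMitigation reports ON / OFF / NOTSET; only ON counts as enforced.
    if ("$value" -ne 'ON') { Write-Warning "$name is $value (required: ON)"; $name }
})

# --- Audit: ASR rules (actions: 0 Off, 1 Block, 2 Audit, 6 Warn) ---------------------
$prefs   = Get-MpPreference
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)
$asrState = @{}
for ($i = 0; $i -lt $ids.Count; $i++) { $asrState[$ids[$i].ToString().ToUpper()] = [int]$actions[$i] }
$missingAsr = @(foreach ($id in $RequiredAsrRules.Keys) {
    $state = $asrState[$id.ToUpper()]
    # Absent, Audit, Warn or Off all mean the rule is available but not enforced.
    if ($state -ne 1) { Write-Warning "ASR rule '$($RequiredAsrRules[$id])' not in Block mode (state: $state)"; $id }
})

# --- Enforce only on request, so the default run is a pure audit ----------------------
if ($Enforce) {
    if ($missingMitigations.Count -gt 0) { Set-ProcessMitigation -System -Enable $missingMitigations }
    foreach ($id in $missingAsr) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    Write-Host "Baseline enforced; re-run without -Enforce to verify (some settings need a reboot)."
} elseif ($missingMitigations.Count -eq 0 -and $missingAsr.Count -eq 0) {
    Write-Host "All required mitigations and ASR rules are enforced."
}
```

At fleet scale the same baseline is pushed through Group Policy or Intune rather than run per host; the script's value is the audit step that shows where the shipped-but-not-enabled gaps are.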
Common Misconceptions This Safeguard Addresses
Organizations often assume:
- Patching alone is sufficient
- Exploits are rare compared to malware
- Anti-exploitation causes too many issues
In reality, exploitation is the gateway, and mitigations are far more stable than their reputation suggests.
Final Thoughts
CIS Safeguard 10.5 is about changing the odds. Attackers don’t need perfection—they need one working exploit. Defenders don’t need perfection either—they need one layer that holds.
Anti-exploitation features don’t stop every attempt. They stop the one that matters—the one that would have worked.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
CIS Safeguard 10.5: Enable Anti-Exploitation Features
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Shameless Marketing Information
Gotham Technology Group offers professional and managed services implementing and managing Endpoint Protection Solutions. These solutions cover Next Generation Anti-Virus, Endpoint Detection & Response, and a host of other endpoint security tools.