User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

ID: M1017
Version: 1.2
Created: 06 June 2019
Last Modified: 21 October 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1557 Adversary-in-the-Middle

Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

.002 ARP Cache Poisoning

Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

Enterprise T1547 .007 Boot or Logon Autostart Execution: Re-opened Applications

Holding the Shift key while logging in prevents apps from opening automatically.[1]

Enterprise T1176 Browser Extensions

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Enterprise T1185 Browser Session Hijacking

Close all browser sessions regularly and when they are no longer needed.

Enterprise T1213 Data from Information Repositories

Develop and publish policies that define acceptable information to be stored in repositories.

.001 Confluence

Develop and publish policies that define acceptable information to be stored in Confluence repositories.

.002 Sharepoint

Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

.003 Code Repositories

Develop and publish policies that define acceptable information to be stored in code repositories.

Enterprise T1657 Financial Theft

Train and test users to identify social engineering techniques used to enable financial theft.

Enterprise T1656 Impersonation

Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk.

Enterprise T1056 .002 Input Capture: GUI Input Capture

Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).

Enterprise T1036 Masquerading

Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks.

.007 Double File Extension

Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Enterprise T1111 Multi-Factor Authentication Interception

Remove smart cards when not in use.

Enterprise T1621 Multi-Factor Authentication Request Generation

Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts.

Enterprise T1027 Obfuscated Files or Information

Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.

Enterprise T1003 OS Credential Dumping

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.001 LSASS Memory

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.002 Security Account Manager

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.003 NTDS

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.004 LSA Secrets

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.005 Cached Domain Credentials

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Enterprise T1566 Phishing

Users can be trained to identify social engineering techniques and phishing emails.

.001 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing emails.

.002 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.

.003 Spearphishing via Service

Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.

.004 Spearphishing Voice

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[2]

Enterprise T1598 Phishing for Information

Users can be trained to identify social engineering techniques and spearphishing attempts.

.001 Spearphishing Service

Users can be trained to identify social engineering techniques and spearphishing attempts.

.002 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing attempts.

.003 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.

.004 Spearphishing Voice

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[2]

Enterprise T1072 Software Deployment Tools

Have a strict approval policy for use of deployment systems.

Enterprise T1528 Steal Application Access Token

Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.

Enterprise T1539 Steal Web Session Cookie

Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into.

Enterprise T1221 Template Injection

Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.

Enterprise T1552 Unsecured Credentials

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

.001 Credentials In Files

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

.008 Chat Messages

Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services.

Enterprise T1204 User Execution

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

.001 Malicious Link

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

.002 Malicious File

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

.003 Malicious Image

Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them.

Enterprise T1078 Valid Accounts

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

.002 Domain Accounts

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

.004 Cloud Accounts

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

References