User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle |
Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
|
| .002 | ARP Cache Poisoning |
Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
||
| .004 | Evil Twin |
Train users to be suspicious about access points marked as "Open" or "Unsecure" as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
||
| Enterprise | T1547 | .007 | Boot or Logon Autostart Execution: Re-opened Applications |
Holding the Shift key while logging in prevents apps from opening automatically.[1] |
| Enterprise | T1176 | Browser Extensions |
Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run. |
|
| Enterprise | T1185 | Browser Session Hijacking |
Close all browser sessions regularly and when they are no longer needed. |
|
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
| .005 | Credentials from Password Stores: Password Managers |
Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
||
| Enterprise | T1213 | Data from Information Repositories |
Develop and publish policies that define acceptable information to be stored in repositories. |
|
| .001 | Confluence |
Develop and publish policies that define acceptable information to be stored in Confluence repositories. |
||
| .002 | Sharepoint |
Develop and publish policies that define acceptable information to be stored in SharePoint repositories. |
||
| .003 | Code Repositories |
Develop and publish policies that define acceptable information to be stored in code repositories. |
||
| .004 | Customer Relationship Management Software |
Develop and publish policies that define acceptable information to be stored in CRM databases and acceptable handling of customer data. Only store customer information required for business operations. |
||
| .005 | Messaging Applications |
Develop and publish policies that define acceptable information to be posted in chat applications. |
||
| Enterprise | T1657 | Financial Theft |
Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.[2][3] |
|
| Enterprise | T1656 | Impersonation |
Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk. |
|
| Enterprise | T1056 | .002 | Input Capture: GUI Input Capture |
Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials). |
| Enterprise | T1036 | Masquerading |
Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks. |
|
| .007 | Double File Extension |
Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
||
| Enterprise | T1556 | .001 | Modify Authentication Process: Domain Controller Authentication |
Train users to recognize and handle suspicious email attachments. Emphasize the importance of caution when opening attachments from unknown or unexpected sources, even if they appear legitimate. Implement email warning banners to alert users about emails originating from outside the organization or containing attachments, reinforcing awareness and helping users identify potential spearphishing attempts. |
| Enterprise | T1111 | Multi-Factor Authentication Interception |
Remove smart cards when not in use. |
|
| Enterprise | T1621 | Multi-Factor Authentication Request Generation |
Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts. |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software. |
|
| Enterprise | T1003 | OS Credential Dumping |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
|
| .001 | LSASS Memory |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .002 | Security Account Manager |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .003 | NTDS |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .004 | LSA Secrets |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .005 | Cached Domain Credentials |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| Enterprise | T1566 | Phishing |
Users can be trained to identify social engineering techniques and phishing emails. |
|
| .001 | Spearphishing Attachment |
Users can be trained to identify social engineering techniques and spearphishing emails. |
||
| .002 | Spearphishing Link |
Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
||
| .003 | Spearphishing via Service |
Users can be trained to identify social engineering techniques and spearphishing messages with malicious links. |
||
| .004 | Spearphishing Voice |
Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[4] |
||
| Enterprise | T1598 | Phishing for Information |
Users can be trained to identify social engineering techniques and spearphishing attempts. |
|
| .001 | Spearphishing Service |
Users can be trained to identify social engineering techniques and spearphishing attempts. |
||
| .002 | Spearphishing Attachment |
Users can be trained to identify social engineering techniques and spearphishing attempts. |
||
| .003 | Spearphishing Link |
Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
||
| .004 | Spearphishing Voice |
Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[4] |
||
| Enterprise | T1072 | Software Deployment Tools |
Have a strict approval policy for use of deployment systems. |
|
| Enterprise | T1528 | Steal Application Access Token |
Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications. |
|
| Enterprise | T1539 | Steal Web Session Cookie |
Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets. |
|
| Enterprise | T1221 | Template Injection |
Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents. |
|
| Enterprise | T1552 | Unsecured Credentials |
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
|
| .001 | Credentials In Files |
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
||
| .008 | Chat Messages |
Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services. |
||
| Enterprise | T1204 | User Execution |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
|
| .001 | Malicious Link |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
||
| .002 | Malicious File |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
||
| .003 | Malicious Image |
Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them. |
||
| Enterprise | T1078 | Valid Accounts |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
|
| .002 | Domain Accounts |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
||
| .004 | Cloud Accounts |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
||