User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

ID: M1017
Version: 1.2
Created: 06 June 2019
Last Modified: 21 October 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .007 Boot or Logon Autostart Execution: Re-opened Applications

Holding the Shift key while logging in prevents apps from opening automatically. [1]

.011 Boot or Logon Autostart Execution: Plist Modification

Holding the shift key during login prevents apps from opening automatically. [1]

Enterprise T1176 Browser Extensions

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Enterprise T1213 Data from Information Repositories

Develop and publish policies that define acceptable information to be stored in repositories.

.001 Confluence

Develop and publish policies that define acceptable information to be stored in Confluence repositories.

.002 Sharepoint

Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

Enterprise T1056 .002 Input Capture: GUI Input Capture

Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).

Enterprise T1185 Man in the Browser

Close all browser sessions regularly and when they are no longer needed.

Enterprise T1557 Man-in-the-Middle

Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to MiTM HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

.002 ARP Cache Poisoning

Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to MiTM HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

Enterprise T1003 OS Credential Dumping

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.001 LSASS Memory

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.002 Security Account Manager

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.005 Cached Domain Credentials

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.004 LSA Secrets

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

.003 NTDS

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Enterprise T1566 Phishing

Users can be trained to identify social engineering techniques and phishing emails.

.001 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing emails.

.002 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

.003 Spearphishing via Service

Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.

Enterprise T1598 Phishing for Information

Users can be trained to identify social engineering techniques and spearphishing attempts.

.001 Spearphishing Service

Users can be trained to identify social engineering techniques and spearphishing attempts.

.002 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing attempts.

.003 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing attempts.

Enterprise T1072 Software Deployment Tools

Have a strict approval policy for use of deployment systems.

Enterprise T1528 Steal Application Access Token

Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.

Enterprise T1539 Steal Web Session Cookie

Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into.

Enterprise T1221 Template Injection

Train users to identify social engineering techniques and spearphishing emails.

Enterprise T1111 Two-Factor Authentication Interception

Remove smart cards when not in use.

Enterprise T1552 Unsecured Credentials

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

.001 Credentials In Files

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

Enterprise T1204 User Execution

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

.001 Malicious Link

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

.002 Malicious File

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

References