User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

ID: M1017
Version: 1.0
Created: 06 June 2019
Last Modified: 06 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1176 Browser Extensions

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Enterprise T1003 Credential Dumping

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Enterprise T1081 Credentials in Files

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

Enterprise T1213 Data from Information Repositories

Develop and publish policies that define acceptable information to be stored in repositories.

Enterprise T1141 Input Prompt

Use user training to build awareness of, and raise suspicion about, potentially malicious events (e.g., Office documents prompting for credentials).

Enterprise T1162 Login Item

Holding the shift key during login prevents apps from opening automatically.[1]

Enterprise T1185 Man in the Browser

Close all browser sessions regularly and when they are no longer needed.

Enterprise T1164 Re-opened Applications

Holding the Shift key while logging in prevents apps from opening automatically.

Enterprise T1193 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing emails.

Enterprise T1192 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

Enterprise T1194 Spearphishing via Service

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

Enterprise T1528 Steal Application Access Token

Train users not to authorize third-party applications they don't recognize. Users should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they grant to apps. For example, offline access and access to read emails should raise greater suspicion because adversaries can use SaaS APIs to discover credentials and other sensitive communications.

Enterprise T1539 Steal Web Session Cookie

Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into.

Enterprise T1221 Template Injection

Train users to identify social engineering techniques and spearphishing emails.

Enterprise T1072 Third-party Software

Have a strict approval policy for use of deployment systems.

Enterprise T1111 Two-Factor Authentication Interception

Remove smart cards when not in use.

Enterprise T1204 User Execution

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
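The two checks the T1528 entry asks users to make (a look-alike redirect URL and broad permissions) can also be run automatically over a reported consent link. The following is an added example, not part of the original page or of ATT&CK. The trusted-host allowlist, the high-risk scope list, the edit-distance threshold and both sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions for illustration: replace with your organisation's own values.
TRUSTED_HOSTS = {"login.example.com", "app.example.com"}
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "mail.readwrite"}

# Constructed sample authorization URLs (OAuth 2.0 query parameters).
SUSPICIOUS_URL = ("https://idp.example.net/authorize?client_id=abc&response_type=code"
                  "&redirect_uri=https%3A%2F%2Flogin.examp1e.com%2Fcb"
                  "&scope=openid%20offline_access%20Mail.Read")
BENIGN_URL = ("https://idp.example.net/authorize?client_id=abc&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid%20profile")

def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled look-alike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_consent_request(auth_url):
    """Return a list of findings for one OAuth authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    findings = []

    # Check 1: where will the authorization response be sent?
    redirect = urlsplit(query.get("redirect_uri", [""])[0])
    host = (redirect.hostname or "").lower()
    if redirect.scheme != "https":
        findings.append("redirect_uri is not https")
    if host not in TRUSTED_HOSTS:
        near = [t for t in sorted(TRUSTED_HOSTS) if edit_distance(host, t) <= 2]
        if near:
            findings.append(f"redirect host {host!r} resembles {near[0]!r}")
        else:
            findings.append(f"redirect host {host!r} is not on the allowlist")

    # Check 2: which permissions are requested? (space-delimited scope list)
    scopes = {s.lower() for s in query.get("scope", [""])[0].split()}
    for scope in sorted(scopes & HIGH_RISK_SCOPES):
        findings.append(f"high-risk scope requested: {scope}")
    return findings
```

An empty list means neither check fired; any finding is a reason to escalate the consent request for review before the user approves it.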

References