User Training

Train users to be aware of access or manipulation attempts by an adversary, to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

ID: M1017
Version: 1.0

Techniques Addressed by Mitigation

Domain | ID | Name
    Description

Enterprise | T1176 | Browser Extensions
    Close out all browser sessions when finished using them, so that a potentially malicious extension cannot continue to run.

Enterprise | T1003 | Credential Dumping
    Limit credential overlap across accounts and systems by training users and administrators not to reuse the same password for multiple accounts.

Enterprise | T1081 | Credentials in Files
    Ensure that developers and system administrators are aware of the risk of leaving plaintext passwords in software configuration files that may remain on endpoint systems or servers.

Enterprise | T1213 | Data from Information Repositories
    Develop and publish policies that define what information is acceptable to store in repositories.

Enterprise | T1141 | Input Prompt
    Use user training to raise awareness of, and suspicion toward, potentially malicious events (for example, Office documents prompting for credentials).

Enterprise | T1162 | Login Item
    Holding the Shift key during login prevents apps from opening automatically. [1]

Enterprise | T1185 | Man in the Browser
    Close all browser sessions regularly and whenever they are no longer needed.

Enterprise | T1164 | Re-opened Applications
    Holding the Shift key while logging in prevents apps from opening automatically.

Enterprise | T1193 | Spearphishing Attachment
    Users can be trained to identify social engineering techniques and spearphishing emails.

Enterprise | T1192 | Spearphishing Link
    Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

Enterprise | T1194 | Spearphishing via Service
    Users can be trained to identify social engineering techniques and spearphishing messages with malicious links delivered through third-party services rather than corporate email.

Enterprise | T1221 | Template Injection
    Train users to identify social engineering techniques and spearphishing emails.

Enterprise | T1072 | Third-party Software
    Have a strict approval policy for use of deployment systems.

Enterprise | T1111 | Two-Factor Authentication Interception
    Remove smart cards when not in use.

Enterprise | T1204 | User Execution
    Use user training to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
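Training alone does not tell you whether the Credentials in Files (T1081) guidance above is being followed, so a practitioner will usually pair it with a check. The following is an added example, not part of the ATT&CK page and not MITRE code: a small scanner that walks a directory of configuration files and flags key/value assignments whose key suggests a secret, as well as credentials embedded in URLs, while ignoring commented lines and values that are only references to an environment variable or secret store. The file suffix list, key words, and sample configuration content are assumptions chosen for illustration.

```python
"""Added example: flag plaintext credentials in configuration files (ATT&CK T1081)."""
import re
import tempfile
from pathlib import Path

# Assumed set of suffixes commonly used for application configuration files.
CONFIG_SUFFIXES = {".ini", ".cfg", ".conf", ".properties", ".env",
                   ".yaml", ".yml", ".json", ".xml"}

# key = value or key: value lines whose key contains a secret-like word.
# Quoting of the value is optional; '#' and whitespace end the value.
ASSIGNMENT_RE = re.compile(r"""(?ix)
    ^\s*
    (?P<key>[A-Za-z0-9_.\-]*(password|passwd|pwd|secret|api[_\-]?key|token)[A-Za-z0-9_.\-]*)
    \s*[:=]\s*
    ["']?(?P<value>[^"'\s#]+)["']?
""")

# scheme://user:password@host style connection strings.
URL_CRED_RE = re.compile(r"(?i)\b[a-z][a-z0-9+.\-]*://([^\s:/@]+):([^\s@/]+)@")

# Values that reference a secret elsewhere (env var, template placeholder) or
# are obvious dummies; these are not plaintext credentials.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|\*+|changeme|todo|xxx+)$", re.I)


def find_plaintext_credentials(text, filename="<input>"):
    """Return (filename, line_no, key, kind) tuples for suspicious lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Skip blank lines and the common comment syntaxes for config formats.
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue
        m = ASSIGNMENT_RE.match(line)
        if m and not PLACEHOLDER_RE.match(m.group("value")):
            findings.append((filename, lineno, m.group("key"), "assignment"))
            continue
        if URL_CRED_RE.search(line):
            findings.append((filename, lineno, "url", "url-embedded"))
    return findings


def scan_tree(root):
    """Scan every config file below root and collect all findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in CONFIG_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(find_plaintext_credentials(text, str(path)))
    return findings


# Constructed sample configuration, written to a temporary directory so the
# example runs offline; the values are invented for illustration.
SAMPLE_CONF = """# Database settings
db.user = app
db.password = s3cr3t!
api_key = "AKIA-EXAMPLE-NOT-REAL"
PASSWORD=${DB_PASSWORD}
url = postgres://app:hunter2@db.internal:5432/app
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app.conf").write_text(SAMPLE_CONF)
        (Path(tmp) / "README.txt").write_text("password = ignored, not a config suffix\n")
        for filename, lineno, key, kind in scan_tree(tmp):
            print(f"{filename}:{lineno}: {kind} credential in '{key}'")
```

The check is deliberately heuristic: it will miss secrets under unusual key names and will flag some benign values (a `token_timeout = 3600` line, for instance), so treat its output as a list to review with the file owners rather than as an authoritative verdict. The useful property for a training programme is that the same script run before and after an awareness session shows whether the number of plaintext credentials on endpoints is actually going down.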

References