M1017 User Training
User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization’s cybersecurity defenses. This mitigation can be implemented through the following measures:
Create Comprehensive Training Programs:
- Design training modules tailored to the organization’s risk profile, covering topics such as phishing, password management, and incident reporting.
- Provide role-specific training for high-risk employees, such as helpdesk staff or executives.
Use Simulated Exercises:
- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
- Run social engineering drills to evaluate employee responses and reinforce protocols.
Leverage Gamification and Engagement:
- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.
Incorporate Security Policies into Onboarding:
- Include cybersecurity training as part of the onboarding process for new employees.
- Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.
Regular Refresher Courses:
- Update training materials to include emerging threats and techniques used by adversaries.
- Ensure all employees complete periodic refresher courses to stay informed.
Emphasize Real-World Scenarios:
- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
- Discuss how specific employee actions can prevent or mitigate such attacks.
| Item | Value |
|---|---|
| ID | M1017 |
| Version | 1.3 |
| Created | 06 June 2019 |
| Last Modified | 24 December 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1557 | Adversary-in-the-Middle | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
| enterprise | T1557.002 | ARP Cache Poisoning | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
| enterprise | T1557.004 | Evil Twin | Train users to be suspicious about access points marked as “Open” or “Unsecure” as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.007 | Re-opened Applications | Holding the Shift key while logging in prevents apps from opening automatically.4 |
| enterprise | T1185 | Browser Session Hijacking | Close all browser sessions regularly and when they are no longer needed. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
| enterprise | T1555.005 | Password Managers | Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
| enterprise | T1213 | Data from Information Repositories | Develop and publish policies that define acceptable information to be stored in repositories. |
| enterprise | T1213.001 | Confluence | Develop and publish policies that define acceptable information to be stored in Confluence repositories. |
| enterprise | T1213.002 | Sharepoint | Develop and publish policies that define acceptable information to be stored in SharePoint repositories. |
| enterprise | T1213.003 | Code Repositories | Develop and publish policies that define acceptable information to be stored in code repositories. |
| enterprise | T1213.004 | Customer Relationship Management Software | Develop and publish policies that define acceptable information to be stored in CRM databases and acceptable handling of customer data. Only store customer information required for business operations. |
| enterprise | T1213.005 | Messaging Applications | Develop and publish policies that define acceptable information to be posted in chat applications. |
| enterprise | T1213.006 | Databases | Develop and publish policies that define acceptable information to be stored in databases and acceptable handling of customer data. Only store information required for business operations. |
| enterprise | T1189 | Drive-by Compromise | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
| enterprise | T1667 | Email Bombing | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful social engineering via e-mail bombing. |
| enterprise | T1657 | Financial Theft | Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.23 |
| enterprise | T1656 | Impersonation | Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.002 | GUI Input Capture | Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials). |
| enterprise | T1036 | Masquerading | Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks. |
| enterprise | T1036.007 | Double File Extension | Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| enterprise | T1556 | Modify Authentication Process | - |
| enterprise | T1556.001 | Domain Controller Authentication | Train users to recognize and handle suspicious email attachments. Emphasize the importance of caution when opening attachments from unknown or unexpected sources, even if they appear legitimate. Implement email warning banners to alert users about emails originating from outside the organization or containing attachments, reinforcing awareness and helping users identify potential spearphishing attempts. |
| enterprise | T1111 | Multi-Factor Authentication Interception | Remove smart cards when not in use. |
| enterprise | T1621 | Multi-Factor Authentication Request Generation | Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts. |
| enterprise | T1027 | Obfuscated Files or Information | Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software. |
| enterprise | T1003 | OS Credential Dumping | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| enterprise | T1003.001 | LSASS Memory | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| enterprise | T1003.002 | Security Account Manager | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| enterprise | T1003.003 | NTDS | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| enterprise | T1003.004 | LSA Secrets | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| enterprise | T1003.005 | Cached Domain Credentials | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
| enterprise | T1566 | Phishing | Users can be trained to identify social engineering techniques and phishing emails. |
| enterprise | T1566.001 | Spearphishing Attachment | Users can be trained to identify social engineering techniques and spearphishing emails. |
| enterprise | T1566.002 | Spearphishing Link | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
| enterprise | T1566.003 | Spearphishing via Service | Users can be trained to identify social engineering techniques and spearphishing messages with malicious links. |
| enterprise | T1566.004 | Spearphishing Voice | Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.1 |
| enterprise | T1598 | Phishing for Information | Users can be trained to identify social engineering techniques and spearphishing attempts. |
| enterprise | T1598.001 | Spearphishing Service | Users can be trained to identify social engineering techniques and spearphishing attempts. |
| enterprise | T1598.002 | Spearphishing Attachment | Users can be trained to identify social engineering techniques and spearphishing attempts. |
| enterprise | T1598.003 | Spearphishing Link | Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
| enterprise | T1598.004 | Spearphishing Voice | Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.1 |
| enterprise | T1072 | Software Deployment Tools | Have a strict approval policy for use of deployment systems. |
| enterprise | T1176 | Software Extensions | Train users to minimize extension use, and to only install trusted extensions. |
| enterprise | T1176.001 | Browser Extensions | Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run. |
| enterprise | T1176.002 | IDE Extensions | Train users to minimize IDE extension use, and to only install trusted extensions. |
| enterprise | T1528 | Steal Application Access Token | Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications. |
| enterprise | T1539 | Steal Web Session Cookie | Train users to identify aspects of phishing attempts where they’re asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets. |
| enterprise | T1221 | Template Injection | Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents. |
| enterprise | T1552 | Unsecured Credentials | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
| enterprise | T1552.001 | Credentials In Files | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
| enterprise | T1552.008 | Chat Messages | Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services. |
| enterprise | T1204 | User Execution | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| enterprise | T1204.001 | Malicious Link | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| enterprise | T1204.002 | Malicious File | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| enterprise | T1204.003 | Malicious Image | Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them. |
| enterprise | T1204.005 | Malicious Library | Train developers to be aware of the existence of malicious libraries and how to avoid installing them. |
| enterprise | T1078 | Valid Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| enterprise | T1078.002 | Domain Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| enterprise | T1078.004 | Cloud Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
References
-
CISA. (2021, February 1). Avoiding Social Engineering and Phishing Attacks. Retrieved September 8, 2023. ↩↩
-
CISA. (2023, August). Cyber Safety Review Board: Lapsus. Retrieved January 5, 2024. ↩
-
Giles, Bruce. (2024, January 4). Hackers threaten to send SWAT teams to Fred Hutch patients’ homes. Retrieved January 5, 2024. ↩
-
Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017. ↩