Skip to content

M1017 User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Item Value
ID M1017
Version 1.2
Created 06 June 2019
Last Modified 21 October 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1557 Adversary-in-the-Middle Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.
enterprise T1557.002 ARP Cache Poisoning Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.007 Re-opened Applications Holding the Shift key while logging in prevents apps from opening automatically.1
enterprise T1176 Browser Extensions
Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.
enterprise T1185 Browser Session Hijacking Close all browser sessions regularly and when they are no longer needed.
enterprise T1213 Data from Information Repositories Develop and publish policies that define acceptable information to be stored in repositories.
enterprise T1213.001 Confluence Develop and publish policies that define acceptable information to be stored in Confluence repositories.
enterprise T1213.002 Sharepoint Develop and publish policies that define acceptable information to be stored in SharePoint repositories.
enterprise T1213.003 Code Repositories Develop and publish policies that define acceptable information to be stored in code repositories.
enterprise T1056 Input Capture -
enterprise T1056.002 GUI Input Capture Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).
enterprise T1036 Masquerading -
enterprise T1036.007 Double File Extension Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
enterprise T1111 Multi-Factor Authentication Interception Remove smart cards when not in use.
enterprise T1621 Multi-Factor Authentication Request Generation Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts.
enterprise T1003 OS Credential Dumping Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
enterprise T1003.001 LSASS Memory Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
enterprise T1003.002 Security Account Manager Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
enterprise T1003.003 NTDS Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
enterprise T1003.004 LSA Secrets Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
enterprise T1003.005 Cached Domain Credentials Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
enterprise T1566 Phishing Users can be trained to identify social engineering techniques and phishing emails.
enterprise T1566.001 Spearphishing Attachment Users can be trained to identify social engineering techniques and spearphishing emails.
enterprise T1566.002 Spearphishing Link Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0
enterprise T1566.003 Spearphishing via Service Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.
enterprise T1598 Phishing for Information Users can be trained to identify social engineering techniques and spearphishing attempts.
enterprise T1598.001 Spearphishing Service Users can be trained to identify social engineering techniques and spearphishing attempts.
enterprise T1598.002 Spearphishing Attachment Users can be trained to identify social engineering techniques and spearphishing attempts.
enterprise T1598.003 Spearphishing Link Users can be trained to identify social engineering techniques and spearphishing attempts.
enterprise T1072 Software Deployment Tools Have a strict approval policy for use of deployment systems.
enterprise T1528 Steal Application Access Token Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.
enterprise T1539 Steal Web Session Cookie Train users to identify aspects of phishing attempts where they’re asked to enter credentials into a site that has the incorrect domain for the application they are logging into.
enterprise T1221 Template Injection Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.
enterprise T1552 Unsecured Credentials Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
enterprise T1552.001 Credentials In Files Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
enterprise T1204 User Execution Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
enterprise T1204.001 Malicious Link Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
enterprise T1204.002 Malicious File Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
enterprise T1204.003 Malicious Image Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them.
enterprise T1078 Valid Accounts Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.
enterprise T1078.002 Domain Accounts Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.
enterprise T1078.004 Cloud Accounts Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

References

Back to top