Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1557 | Adversary-in-the-Middle | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application's certificate does not match the one expected by the host.
Enterprise | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application's certificate does not match the one expected by the host.
Enterprise | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | Holding the Shift key while logging in prevents apps from opening automatically. [1]
Enterprise | T1547.011 | Boot or Logon Autostart Execution: Plist Modification | Holding the Shift key during login prevents apps from opening automatically. [1]
Enterprise | T1176 | Browser Extensions | Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.
Enterprise | T1185 | Browser Session Hijacking | Close all browser sessions regularly and when they are no longer needed.
Enterprise | T1213 | Data from Information Repositories | Develop and publish policies that define acceptable information to be stored in repositories.
Enterprise | T1213.001 | Data from Information Repositories: Confluence | Develop and publish policies that define acceptable information to be stored in Confluence repositories.
Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | Develop and publish policies that define acceptable information to be stored in SharePoint repositories.
Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | Develop and publish policies that define acceptable information to be stored in code repositories.
Enterprise | T1056.002 | Input Capture: GUI Input Capture | Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).
Enterprise | T1036.007 | Masquerading: Double File Extension | Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Enterprise | T1003 | OS Credential Dumping | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Enterprise | T1003.003 | OS Credential Dumping: NTDS | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Enterprise | T1566 | Phishing | Users can be trained to identify social engineering techniques and phishing emails.
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Users can be trained to identify social engineering techniques and spearphishing emails.
Enterprise | T1566.002 | Phishing: Spearphishing Link | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.
Enterprise | T1566.003 | Phishing: Spearphishing via Service | Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.
Enterprise | T1598 | Phishing for Information | Users can be trained to identify social engineering techniques and spearphishing attempts.
Enterprise | T1598.001 | Phishing for Information: Spearphishing Service | Users can be trained to identify social engineering techniques and spearphishing attempts.
Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | Users can be trained to identify social engineering techniques and spearphishing attempts.
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Users can be trained to identify social engineering techniques and spearphishing attempts.
Enterprise | T1072 | Software Deployment Tools | Have a strict approval policy for use of deployment systems.
Enterprise | T1528 | Steal Application Access Token | Users need to be trained not to authorize third-party applications they don't recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should raise higher suspicion because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.
Enterprise | T1539 | Steal Web Session Cookie | Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into.
Enterprise | T1221 | Template Injection | Train users to identify social engineering techniques and spearphishing emails.
Enterprise | T1111 | Two-Factor Authentication Interception | Remove smart cards when not in use.
Enterprise | T1552 | Unsecured Credentials | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
Enterprise | T1204 | User Execution | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Enterprise | T1204.001 | User Execution: Malicious Link | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Enterprise | T1204.002 | User Execution: Malicious File | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Enterprise | T1204.003 | User Execution: Malicious Image | Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them.
Enterprise | T1078 | Valid Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.
Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.