User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1557 | 中间人攻击 |
Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
|
| .002 | ARP Cache Poisoning |
Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
||
| .004 | Evil Twin |
Train users to be suspicious about access points marked as "Open" or "Unsecure" as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
||
| Enterprise | T1213 | 从信息存储库获取数据 |
Develop and publish policies that define acceptable information to be stored in repositories. |
|
| .001 | Confluence |
Develop and publish policies that define acceptable information to be stored in Confluence repositories. |
||
| .002 | Sharepoint |
Develop and publish policies that define acceptable information to be stored in SharePoint repositories. |
||
| .003 | Code Repositories |
Develop and publish policies that define acceptable information to be stored in code repositories. |
||
| .004 | Customer Relationship Management Software |
Develop and publish policies that define acceptable information to be stored in CRM databases and acceptable handling of customer data. Only store customer information required for business operations. |
||
| .005 | Messaging Applications |
Develop and publish policies that define acceptable information to be posted in chat applications. |
||
| Enterprise | T1555 | .003 | 从密码存储中获取凭证: Credentials from Web Browsers |
Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
| .005 | 从密码存储中获取凭证: Password Managers |
Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
||
| Enterprise | T1656 | 伪装 |
Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk. |
|
| Enterprise | T1036 | 伪装 |
Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks. |
|
| .007 | Double File Extension |
Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
||
| Enterprise | T1598 | 信息钓鱼 |
Users can be trained to identify social engineering techniques and spearphishing attempts. |
|
| .001 | Spearphishing Service |
Users can be trained to identify social engineering techniques and spearphishing attempts. |
||
| .002 | Spearphishing Attachment |
Users can be trained to identify social engineering techniques and spearphishing attempts. |
||
| .003 | Spearphishing Link |
Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
||
| .004 | Spearphishing Voice |
Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[1] |
||
| Enterprise | T1556 | .001 | 修改身份验证过程: Domain Controller Authentication |
Train users to recognize and handle suspicious email attachments. Emphasize the importance of caution when opening attachments from unknown or unexpected sources, even if they appear legitimate. Implement email warning banners to alert users about emails originating from outside the organization or containing attachments, reinforcing awareness and helping users identify potential spearphishing attempts. |
| Enterprise | T1547 | .007 | 启动或登录自动启动执行: Re-opened Applications |
Holding the Shift key while logging in prevents apps from opening automatically.[2] |
| Enterprise | T1111 | 多因素身份验证拦截 |
Remove smart cards when not in use. |
|
| Enterprise | T1621 | 多因素身份验证请求生成 |
Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts. |
|
| Enterprise | T1003 | 操作系统凭证转储 |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
|
| .001 | LSASS Memory |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .002 | Security Account Manager |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .003 | NTDS |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .004 | LSA Secrets |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| .005 | Cached Domain Credentials |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
||
| Enterprise | T1078 | 有效账户 |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
|
| .002 | Domain Accounts |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
||
| .004 | Cloud Accounts |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
||
| Enterprise | T1552 | 未加密凭证 |
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
|
| .001 | Credentials In Files |
Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. |
||
| .008 | Chat Messages |
Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services. |
||
| Enterprise | T1221 | 模板注入 |
Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents. |
|
| Enterprise | T1185 | 浏览器会话劫持 |
Close all browser sessions regularly and when they are no longer needed. |
|
| Enterprise | T1176 | 浏览器扩展 |
Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run. |
|
| Enterprise | T1027 | 混淆文件或信息 |
Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software. |
|
| Enterprise | T1204 | 用户执行 |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
|
| .001 | Malicious Link |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
||
| .002 | Malicious File |
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
||
| .003 | Malicious Image |
Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them. |
||
| Enterprise | T1539 | 窃取Web会话Cookie |
Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets. |
|
| Enterprise | T1528 | 窃取应用访问令牌 |
Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications. |
|
| Enterprise | T1657 | 财务窃取 |
Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.[3][4] |
|
| Enterprise | T1072 | 软件部署工具 |
Have a strict approval policy for use of deployment systems. |
|
| Enterprise | T1056 | .002 | 输入捕获: GUI Input Capture |
Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials). |
| Enterprise | T1566 | 钓鱼 |
Users can be trained to identify social engineering techniques and phishing emails. |
|
| .001 | Spearphishing Attachment |
Users can be trained to identify social engineering techniques and spearphishing emails. |
||
| .002 | Spearphishing Link |
Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
||
| .003 | Spearphishing via Service |
Users can be trained to identify social engineering techniques and spearphishing messages with malicious links. |
||
| .004 | Spearphishing Voice |
Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.[1] |
||