Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
ID: M1017
Version: 1.2
Created: 06 Jun 2019
Last Modified: 17 Oct 2024

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1557 Adversary-in-the-Middle

Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

T1557.002 ARP Cache Poisoning

Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

T1557.004 Evil Twin

Train users to be suspicious about access points marked as “Open” or “Unsecure” as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host.

Enterprise T1547 T1547.007 Boot or Logon Autostart Execution: Re-opened Applications

Holding the Shift key while logging in prevents apps from opening automatically.(Citation: Re-Open windows on Mac)

Enterprise T1176 Browser Extensions

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Enterprise T1185 Browser Session Hijacking

Close all browser sessions regularly and when they are no longer needed.

Enterprise T1555 T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.

T1555.005 Password Managers

Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.

Enterprise T1213 Data from Information Repositories

Develop and publish policies that define acceptable information to be stored in repositories.

T1213.001 Confluence

Develop and publish policies that define acceptable information to be stored in Confluence repositories.

T1213.002 Sharepoint

Develop and publish policies that define acceptable information to be stored in SharePoint repositories.

T1213.003 Code Repositories

Develop and publish policies that define acceptable information to be stored in code repositories.

T1213.004 Customer Relationship Management Software

Develop and publish policies that define acceptable information to be stored in CRM databases and acceptable handling of customer data. Only store customer information required for business operations.

T1213.005 Messaging Applications

Develop and publish policies that define acceptable information to be posted in chat applications.

Enterprise T1657 Financial Theft

Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.(Citation: Cyber Safety Review Board: Lapsus)(Citation: SWAT-hospital)

Enterprise T1656 Impersonation

Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk.

Enterprise T1056 T1056.002 Input Capture: GUI Input Capture

Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).

Enterprise T1036 Masquerading

Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks.

T1036.007 Double File Extension

Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Enterprise T1556 T1556.001 Modify Authentication Process: Domain Controller Authentication

Train users to recognize and handle suspicious email attachments. Emphasize the importance of caution when opening attachments from unknown or unexpected sources, even if they appear legitimate. Implement email warning banners to alert users about emails originating from outside the organization or containing attachments, reinforcing awareness and helping users identify potential spearphishing attempts.

Enterprise T1111 Multi-Factor Authentication Interception

Remove smart cards when not in use.

Enterprise T1621 Multi-Factor Authentication Request Generation

Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts.

Enterprise T1003 OS Credential Dumping

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1003.001 LSASS Memory

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1003.002 Security Account Manager

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1003.003 NTDS

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1003.004 LSA Secrets

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1003.005 Cached Domain Credentials

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Enterprise T1027 Obfuscated Files or Information

Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.

Enterprise T1566 Phishing

Users can be trained to identify social engineering techniques and phishing emails.

T1566.001 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing emails.

T1566.002 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.

T1566.003 Spearphishing via Service

Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.

T1566.004 Spearphishing Voice

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.(Citation: CISA Phishing)

Enterprise T1598 Phishing for Information

Users can be trained to identify social engineering techniques and spearphishing attempts.

T1598.001 Spearphishing Service

Users can be trained to identify social engineering techniques and spearphishing attempts.

T1598.002 Spearphishing Attachment

Users can be trained to identify social engineering techniques and spearphishing attempts.

T1598.003 Spearphishing Link

Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.

T1598.004 Spearphishing Voice

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.(Citation: CISA Phishing)

Enterprise T1072 Software Deployment Tools

Have a strict approval policy for use of deployment systems.

Enterprise T1528 Steal Application Access Token

Users need to be trained to not authorize third-party applications they don’t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.

Enterprise T1539 Steal Web Session Cookie

Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.

Enterprise T1221 Template Injection

Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.

Enterprise T1552 Unsecured Credentials

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

T1552.001 Credentials In Files

Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.

T1552.008 Chat Messages

Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services.

Enterprise T1204 User Execution

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

T1204.001 Malicious Link

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

T1204.002 Malicious File

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

T1204.003 Malicious Image

Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them.

Enterprise T1078 Valid Accounts

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

T1078.002 Domain Accounts

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

T1078.004 Cloud Accounts

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.