MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

User Training

Train users to detect malicious intent or activity, how to report it, etc.

User training involves teaching end users to be human sensors who know how to recognize cyber threats and the procedures for reporting them. Users can be effective sensors for social engineering attempts, phishing email detection, as well as other cyber threats.

Details

ID: DTE0035

Tactics: Detect, Disrupt

Opportunities

ID	Description
DOS0018	Users trained and encouraged to report phishing can detect attacks that other defenses do not.
DOS0091	Users trained and encouraged to report unsolicited application authorization requests can detect attacks that other defenses do not.
DOS0131	There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.

Use Cases

ID	Description
DUC0018	A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
DUC0091	A program to train users on how to recognize and report third-party applications requesting authorization can create "Human Sensors" that help detect application token theft.
DUC0236	A program to train users to report emails that they did not send but appear in their sent folder.

Procedures

ID	Description
DPR0061	Train users to immediately report suspicious emails. Those emails could then be used for malware detonation or adversary engagement purposes.
DPR0062	Train users to report potentially compromised devices so they can be isolated or migrated into deception networks.

ATT&CK® Techniques

ID	Name	ATT&CK Tactics
T1528	Steal Application Access Token	Credential Access
T1534	Internal Spearphishing	Lateral Movement
T1566	Phishing	Initial Access
T1585	Establish Accounts	Resource Development
T1586	Compromise Accounts	Resource Development
T1598	Phishing for Information	Reconnaissance

Link	Preview