{"description": "Enterprise techniques mitigated by User Training, ATT&CK mitigation M1017 (v1.3)", "name": "User Training (M1017)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1557", "comment": "Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application\u2019s certificate does not match the one expected by the host.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1557.002", "comment": "Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application\u2019s certificate does not match the one expected by the host.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557.004", "comment": "Train users to be suspicious about access points marked as \u201cOpen\u201d or \u201cUnsecure\u201d as well as certificate errors. Certificate errors may arise when the application\u2019s certificate does not match the one expected by the host.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.007", "comment": "Holding the Shift key while logging in prevents apps from opening automatically.(Citation: Re-Open windows on Mac)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "Close all browser sessions regularly and when they are no longer needed.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.005", "comment": "Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213", "comment": "Develop and publish policies that define acceptable information to be stored in repositories.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1213.001", "comment": "Develop and publish policies that define acceptable information to be stored in Confluence repositories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.002", "comment": "Develop and publish policies that define acceptable information to be stored in SharePoint repositories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.003", "comment": "Develop and publish policies that define acceptable information to be stored in code repositories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.004", "comment": "Develop and publish policies that define acceptable information to be stored in CRM databases and acceptable handling of customer data. Only store customer information required for business operations. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.005", "comment": "Develop and publish policies that define acceptable information to be posted in chat applications. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.006", "comment": "Develop and publish policies that define acceptable information to be stored in databases and acceptable handling of customer data. Only store information required for business operations. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1189", "comment": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1667", "comment": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful social engineering via e-mail bombing.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1657", "comment": "Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.(Citation: Cyber Safety Review Board: Lapsus)(Citation: SWAT-hospital)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.002", "comment": "Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "Train users not to open email attachments or click unknown links (URLs). Such training fosters more secure habits within your organization and will limit many of the risks.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.007", "comment": "Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.001", "comment": "Train users to recognize and handle suspicious email attachments. Emphasize the importance of caution when opening attachments from unknown or unexpected sources, even if they appear legitimate. Implement email warning banners to alert users about emails originating from outside the organization or containing attachments, reinforcing awareness and helping users identify potential spearphishing attempts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1111", "comment": "Remove smart cards when not in use.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1621", "comment": "Train users to only accept 2FA/MFA requests from login attempts they initiated, to review source location of the login attempt prompting the 2FA/MFA requests, and to report suspicious/unsolicited prompts.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "comment": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.005", "comment": "Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "comment": "Users can be trained to identify social engineering techniques and phishing emails.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "Users can be trained to identify social engineering techniques and spearphishing emails.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.003", "comment": "Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.004", "comment": "Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.(Citation: CISA Phishing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "comment": "Users can be trained to identify social engineering techniques and spearphishing attempts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.001", "comment": "Users can be trained to identify social engineering techniques and spearphishing attempts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.002", "comment": "Users can be trained to identify social engineering techniques and spearphishing attempts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.004", "comment": "Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.(Citation: CISA Phishing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1684", "comment": "Reduces success of phishing/vishing/impersonation and modern \u201chuman interface\u201d lures.(Citation: SE SentinelOne 2)(Citation: Sophos User Interaction)(Citation: Unit 42 Global Incident Response Report 2026)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1684.001", "comment": "Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1072", "comment": "Have a strict approval policy for use of deployment systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1176", "comment": "Train users to minimize extension use, and to only install trusted extensions. ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176.002", "comment": "Train users to minimize IDE extension use, and to only install trusted extensions. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1528", "comment": "Users need to be trained to not authorize third-party applications they don\u2019t recognize. The user should pay particular attention to the redirect URL: if the URL is a misspelled or convoluted sequence of words related to an expected service or SaaS application, the website is likely trying to spoof a legitimate service. Users should also be cautious about the permissions they are granting to apps. For example, offline access and access to read emails should excite higher suspicions because adversaries can utilize SaaS APIs to discover credentials and other sensitive communications.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "comment": "Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.008", "comment": "Ensure that developers and system administrators are aware of the risk associated with sharing unsecured passwords across communication services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "comment": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.003", "comment": "Train users to be aware of the existence of malicious images and how to avoid deploying instances and containers from them.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.005", "comment": "Train developers to be aware of the existence of malicious libraries and how to avoid installing them. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by User Training", "color": "#66b1ff"}]}