MITRE ATT&CK: The Magic of User Training

October is National Cybersecurity Awareness Month, and this year the theme is “Do Your Part. #BeCyberSmart.” It reminds all of us — individuals and organizations alike — to be proactive and accountable. Cybersecurity is our shared responsibility, and we can do it together.

At Cisco, we’re thrilled to contribute a monthlong roster of engaging events, activities, and educational content. From executive perspectives to career development, we’ve got you covered. And along those lines, let’s focus this installment of the MITRE ATT&CK Magic of Mitigations blog series on User Training (M1017).

First, let’s talk about cyber training and what it means to you.

What’s your perspective on cyber training?

It probably depends on your role. For instance:

  • If you’re a CISO, responsible for the entire risk management program, then no doubt security awareness and training is already on your long list. Maybe your training program needs improvement, but many priorities are vying for your attention and budget.
  • If you’re a security manager, maybe you feel an ongoing frustration when, despite the security training, people still click on things, write passwords down, or worse. After all, you’re the one on the hook when things go wrong.
  • If you’re a security analyst or incident responder, maybe you’re overwhelmed by the heavy workload and complicated tools of the trade. You’re always under pressure and mistakes are easy to make. You could probably benefit from more product training, if only you had the time, and you probably wonder: Can cyber solutions be more helpful and intuitive? Can they talk to each other and automate some response actions?
  • Or maybe you’re the end user, generally tired of security training. Like you don’t already have enough to do. Can’t security just protect you? Why do you have to think about it all the time?

For years, cybersecurity has been difficult and labor-intensive, hence the need for training in the first place. Do you think it’s possible for security to become easier for everyone? And can the technology just, well, do better?

Here’s what MITRE means

Before we tackle those tough questions, let’s look at how MITRE defines User Training (M1017) in the ATT&CK Enterprise Matrix. By the way, ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge — a long way of saying “this is how hackers behave.”

User Training in this context is about helping end users become more cyber-aware. It teaches them about phishing, social engineering, business email compromise, and other attacks. It encourages vigilance. It’s not so much about training your security team, though. The rest of ATT&CK helps with that.

Now it may not sound like a big deal, but there’s real magic in this Mitigation. User Training actually addresses 14 different ATT&CK Techniques, including the following:

  • Input Capture (T1056). Hackers can trick users into providing access credentials through legit-looking interfaces. It’s the sort of attack that’s hard to prevent, especially when they put malicious code on external portals. But when users are trained on the warning signs, they won’t be fooled so easily.
  • Man in the Browser (T1185). Web browser vulnerabilities open the door for hackers to steal information like session cookies or inherit digital certificates. So when you encourage users to close their browsers when they’re done, you’ve found a simple way to guard against man-in-the-browser attacks.
  • Phishing (T1566). Hackers keep evolving. For example, we see fewer dead giveaways like poor spelling, bad grammar, or distorted images in phishing emails these days. And their content is topical, taking advantage of current trends like pandemic-induced remote work and cloud-based email. Spearphishing (T1566.002) attacks use well-designed social engineering approaches that lull people into letting their guard down. Therefore keeping users trained on the latest phishing methods, and testing them every once in a while, goes a long way.

Of course, User Training is just one of over 40 ATT&CK Mitigations, so MITRE certainly isn’t heaping all of the responsibility on people. But knowledgeable and vigilant end users are definitely magical defenses these days. They’re sharing responsibility with the security team. Now what about your cyber vendors? Are they doing their part?

Here’s what we’re doing

Let’s return to those tougher questions now, the ones about making everyone’s lives easier. At Cisco, we’re making great strides in simplifying security:

  • For you, the CISO: You get a trusted security partner, a clear leader in cybersecurity. We help you manage cyber risks with a comprehensive, integrated security portfolio that’s simple, efficient, and effective. Our buying programs make pricing attractive and buying easy. You benefit from a greatly improved cyber posture, at lower cost, with fewer vendors to manage.
  • For you, the security managers and architects: How about simply better security that’s easy to deploy, integrate, use, scale and manage? From the cloud edge, to applications, to networks, to endpoints, you get modern cybersecurity capabilities that optimize your entire program. You benefit directly from our knowledge and experience through Talos IR Service, which helps you prepare for and respond to attacks. Cisco Security Awareness brings phishing simulation and awareness training packages so you can act now on MITRE’s User Training recommendations.
  • For you, the security team: You get industry-leading security solutions that work together with both Cisco and third-party products. We deliver clear, consistent, intuitive interfaces. And we build security knowledge and Talos threat intelligence into our solutions to accelerate detection and response times. For example, check out the search queries that AMP for Endpoints has already pre-mapped to MITRE ATT&CK.
  • For all end users: You benefit from security that guides you along the way, then gets out of your way. For example, the Duo MFA app not only makes multi-factor authentication fast and easy, it also alerts you to new security updates for your device. And Cisco Umbrella, Email Security, and AMP for Endpoints are all around you, defending you from phishing attacks, harmful websites, malware and ransomware.

As you see, we’re committed to doing our part. Like we said, cybersecurity is a shared responsibility and we’ll do it together.

Connect with us!

Our comprehensive security portfolio, integrated through SecureX, does so much more than what’s described here. If you’re using MITRE ATT&CK to defend your organization, then check out our detailed whitepaper that maps our solutions to the Enterprise Matrix. It’s on our Cyber Frameworks page along with other helpful resources. And let us know what you think! What guides your cyber decisions? What would you like to see from us?

Throughout October, remember to check in regularly on our Cybersecurity Awareness Month page. We have a lot of important cyber resources to share with you!

Beyond that is Infrastructure Security Month in November, so I’ll feature Network Segmentation (M1030) in the next installment. Stay tuned!