Awareness And Training
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
This practice requires that awareness training specifically include the tactics and indicators used by advanced cyber threat actors. The intent is to go beyond basic cybersecurity awareness training elements, such as password management and good cyber hygiene, and to broaden awareness of more advanced attack techniques.

Example

You manage cyber awareness training for the company. You are notified by a cybersecurity team member that a well-known cyber-attack team known as Fancy Bear has recently gone after peer organizations. The team member shares that one of their most common first steps is to look up employees via publicly available information sources, such as social media and corporate connection applications, and then craft well-targeted phishing attacks against software developers, inviting them to a free conference in an overseas location. You quickly create and disseminate materials to sensitize corporate software developers to email phishing attacks and provide specific information, including examples, of prior Fancy Bear phishing emails as well as "friend" and "connection" requests. You also include the updates in the standard awareness training for the entire organization.
DRAFT NIST SP 800-171B

One of the most effective ways to detect APT activities and to reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security-aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code injection via email or web applications. Threat awareness training includes educating individuals on the various ways APTs can infiltrate organizations, including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in nonsecure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training remains relevant and effective, particularly with respect to the threat, which is constantly, and often rapidly, evolving.
CIS Controls v7.1 17.1, 17.2, 17.4
NIST SP 800-53 Rev 4 AT-2
NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
CERT RMM v1.2 OTA:SG2.SP1
Draft NIST SP 800-171B 3.2.1e