Awareness And Training
Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
This practice increases the effectiveness of security awareness and training by including exercises that relate directly to real-world threats. In addition, the intent of the requirement for feedback is to ensure that the organization is proactive in seeking to measure the value being achieved by these exercises.
Example
You manage cyber awareness training for the company. You have been notified by the company cybersecurity team that a well-known cyber-attack team known as “Fancy Bear” has recently gone after peer organizations. You create a well-targeted phishing attack that appears to come from an external source, aimed at company employees in the software development branch. When an employee clicks on a “bad” link, a notice is sent by the receiving server to corporate security, and once the exercise ends a message is automatically generated to notify the employee that they should not have clicked the link and to provide the clues that would have allowed them to identify the phishing attack. In an effort to “raise their game” in the speed and relevance of their phishing prevention program, you work with the IT branch to create a process that takes actual “same day” phishing attacks that were identified by email defenses. The first step is to neutralize the emails by replacing attachments with corporate “Trojan horse” files and external links with a corporate phishing remote server link. Then the neutered but authentic phishing attack email is sent to the previous set of corporate addresses. Doing this allows you to train staff against actual threats at a faster pace and saves on the overhead of creating a realistic-looking phishing message.
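Added illustration, not part of the CMMC practice text: a Python sketch of the neutralization and feedback steps from the example above. It assumes a training click-tracking server (TRAINING_HOST), a corporate domain (CORP_DOMAIN) and a constructed sample of a quarantined phishing email (SAMPLE_PHISH); external links are rewritten to the training server, attachments are swapped for harmless text files that keep the original filename, and the clues collected while rewriting become the notice generated for an employee who clicked.

```python
"""Neutralize a captured phishing email for an awareness exercise and build
the post-exercise feedback notice.  Added illustration; not CMMC/NIST text.
TRAINING_HOST, CORP_DOMAIN and SAMPLE_PHISH are assumed/constructed values."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

TRAINING_HOST = "https://phish-training.example.internal"  # assumed training server
CORP_DOMAIN = "example.com"                                # assumed corporate domain
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
URGENCY = ("urgent", "expire", "immediately", "suspended")

# Constructed sample of a "same day" phish as quarantined by the mail gateway.
SAMPLE_PHISH = b"""\
From: "IT Helpdesk" <helpdesk@corp-support-login.example>
To: dev-team@example.com
Subject: URGENT: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Reset it now at
https://corp-support-login.example/reset?user=dev or open the attached form.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="reset_form.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Click records the training server consults: token -> (recipient, original URL, clues).
CLICK_RECORDS = {}


def _token(recipient, url):
    return hashlib.sha256(f"{recipient}|{url}".encode()).hexdigest()[:16]


def neutralize(raw, recipient):
    """Rewrite a captured phish for one recipient.

    Returns (EmailMessage, clues): links now point at the training server,
    attachments are replaced by harmless text files, and clues lists what the
    employee could have used to spot the original."""
    src = BytesParser(policy=policy.default).parsebytes(raw)
    clues = []

    sender = src["From"].addresses[0]
    if sender.domain.lower() != CORP_DOMAIN:
        clues.append(f"sender '{sender.display_name}' writes from {sender.domain}, "
                     f"not {CORP_DOMAIN}")
    subject = str(src["Subject"] or "")
    if any(w in subject.lower() for w in URGENCY):
        clues.append(f"subject pressures you to act fast: '{subject}'")

    def swap_link(m):
        url = m.group(0)
        tok = _token(recipient, url)
        CLICK_RECORDS[tok] = (recipient, url, clues)   # same list, still being filled
        clues.append(f"link leads to {urlparse(url).netloc}, not a corporate site")
        return f"{TRAINING_HOST}/click?t={tok}"

    body_part = src.get_body(preferencelist=("plain",))
    body = URL_RE.sub(swap_link, body_part.get_content() if body_part else "")

    out = EmailMessage()
    out["From"] = str(src["From"])          # keep the authentic-looking sender
    out["Subject"] = subject
    out["To"] = recipient
    out.set_content(body)
    for att in src.iter_attachments():
        name = att.get_filename() or "attachment"
        clues.append(f"unexpected attachment '{name}'")
        # the corporate "Trojan horse" file: same filename, harmless text content
        out.add_attachment("TRAINING FILE: opening the real attachment would have been a risk.\n",
                           subtype="plain", filename=name)
    return out, clues


def click_tokens(body_text):
    """Tokens embedded in a neutralized body (what the training server receives)."""
    return re.findall(r"/click\?t=([0-9a-f]{16})", body_text)


def feedback_for_click(token):
    """Notice generated once the exercise ends for an employee who clicked."""
    recipient, url, clues = CLICK_RECORDS[token]
    lines = [f"To: {recipient}",
             "You clicked a link in a training email built from a real phishing "
             "message that our mail defenses blocked.",
             f"The link originally led to {url}.",
             "Clues that should have raised suspicion:"]
    lines += [f"  - {c}" for c in clues]
    return "\n".join(lines)


if __name__ == "__main__":
    msg, found = neutralize(SAMPLE_PHISH, "alice@example.com")
    print(msg.as_string())
    text = msg.get_body(preferencelist=("plain",)).get_content()
    print(feedback_for_click(click_tokens(text)[0]))
```

The token is derived from recipient and original URL, so a click reports both who clicked and which lure worked; a real deployment would store CLICK_RECORDS server-side and only release the notice after the exercise closes, as the practice text describes.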
DRAFT NIST SP 800-171B (MODIFIED) Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTPs) of the threat. Examples of practical exercises include no-notice social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potential serious problem. [Modified only to remove requirement to notify supervisors from NIST SP 800-171B 3.2.2e].
CIS Controls v7.1 17.1, 17.2, 17.4
NIST SP 800-53 Rev 4 AT-2(1)
NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
CERT RMM v1.2 OTA:SG3.SP1, OTA:SG3.SP2
CMMC modification of Draft NIST SP 800-171B 3.2.2e