CMMC AT.4.060 - Provide Practical Security Training Exercises

Requirement text: AT.4.060: Include practical exercises in awareness training that are aligned with
current threat scenarios and provide feedback to individuals involved in the training.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B (MODIFIED)
Awareness training is most effective when it is complemented by practical exercises tailored
to the tactics, techniques, and procedures (TTPs) of the threat. Examples of practical
exercises include no-notice social engineering attempts to gain unauthorized access, collect
information, or simulate the adverse impact of opening malicious email attachments or
invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to
reinforce desired user behavior. Training results, especially failures of personnel in critical
roles, can be indicative of a potential serious problem. [Modified only to remove
requirement to notify supervisors from NIST SP 800-171B 3.2.2e].

CMMC CLARIFICATION
This practice increases the effectiveness of security awareness and training by including
exercises that relate directly to real-world threats. In addition, the intent of the
requirement for feedback is to ensure that the organization is proactive in seeking to
measure the value being achieved by these exercises.

Example
You manage cyber awareness training for the company. You have been notified by the
company cybersecurity team that a well-known cyber-attack team known as “Fancy Bear”
has recently gone after peer organizations. You create a well-targeted phishing attack that
appears to come from an external source aimed at company employees in the software
development branch. When an employee clicks on a “bad” link, a notice is sent by the
receiving server to corporate security, and once the exercise ends a message is automatically
generated to notify the employee that they should not have clicked the link and to provide
the clues that would have allowed them to identify the phishing attack.

In an effort to “raise their game” in the speed and relevance of their phishing prevention
program, you work with the IT branch to create a process that takes actual “same day”
phishing attacks that were identified by email defenses. The first step is to neutralize the
emails by replacing attachments with corporate “Trojan horse” files and external links with
a corporate phishing remote server link. Then the neutered but authentic phishing attack
email is sent to the previous set of corporate addresses. Doing this allows you to train staff
against actual threats at a faster pace and saves on the overhead of creating a realistic-
looking phishing message.
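
As an added example (not part of the CMMC text or of any particular vendor's tooling), the neutralization step described above: a Python routine that rewrites every external link in a captured phishing email to an assumed internal training landing page, swaps each attachment for a harmless placeholder, and keeps the original wording so the exercise stays authentic. The training URL, the X-Phish-Exercise marker header and the sample message are constructed for this illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

# Assumed values, not from the CMMC text: the internal training landing page
# and the harmless file that stands in for every real attachment.
TRAINING_URL = "https://phish-training.example.internal/landing"
PLACEHOLDER = "Training exercise: this attachment was replaced by the security team.\n"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def rewrite_links(text, exercise_id):
    """Point every external URL at the training server, carrying the exercise id
    and the original destination so the feedback message can show the clue."""
    def to_training(m):
        return f"{TRAINING_URL}?ex={quote(exercise_id)}&orig={quote(m.group(0), safe='')}"
    return URL_RE.sub(to_training, text)

def neutralize(raw, exercise_id):
    """Rebuild a captured phishing email: links rewritten, attachments replaced."""
    src = email.message_from_bytes(raw, policy=policy.default)
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if src[name]:
            out[name] = str(src[name])
    out["X-Phish-Exercise"] = exercise_id  # lets the mail gateway tell drill from attack
    plain = src.get_body(preferencelist=("plain",))
    html = src.get_body(preferencelist=("html",))
    out.set_content(rewrite_links(plain.get_content() if plain else "", exercise_id))
    if html is not None:
        out.add_alternative(rewrite_links(html.get_content(), exercise_id), subtype="html")
    for part in src.iter_attachments():
        # Same filename as the real lure, harmless text/plain body.
        out.add_attachment(PLACEHOLDER, filename=part.get_filename() or "attachment.txt")
    return out

def sample_phish():
    """Constructed stand-in for a phishing email quarantined by the mail gateway."""
    m = EmailMessage()
    m["From"] = "billing@vendor.example"
    m["To"] = "dev-team@corp.example"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please pay now: http://evil.example/pay\n")
    m.add_alternative('<p>Please <a href="http://evil.example/pay">pay now</a></p>',
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()
```

The click on the rewritten link reaches only the training server, which has both the exercise id and the original destination to build the feedback message; the marker header keeps the drill distinguishable from a live attack in mail logs.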

References
• CMMC modification of Draft NIST SP 800-171B 3.2.2e
• CIS Controls v7.1 17.1, 17.2, 17.4
• NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
• CERT RMM v1.2 OTA:SG3.SP1, OTA:SG3.SP2
• NIST SP 800-53 Rev 4 AT-2(1), AT-2(8)
