Reference: CMMC 1.02
Level Introduced: 4
Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
This practice increases the effectiveness of security awareness and training by including exercises that are directly related to real-world threats. In addition, the intent of the requirement for feedback is to ensure that the organization is proactive in seeking to measure the value being achieved by these exercises.
You manage cyber awareness training for the company. You have been notified by the company cybersecurity team that a well-known cyber-attack team known as "Fancy Bear" has recently gone after peer organizations. You create a well-targeted phishing attack that appears to come from an external source aimed at company employees in the software development branch. When an employee clicks on a "bad" link, a notice is sent by the receiving server to corporate security, and once the exercise ends a message is automatically generated to notify the employee that they should not have clicked the link and to provide the clues that would have allowed them to identify the phishing attack.
In an effort to "raise their game" in the speed and relevance of their phishing prevention program, you work with the IT branch to create a process that takes actual "same day" phishing attacks that were identified by email defenses. The first step is to neutralize the emails by replacing attachments with corporate "Trojan horse" files and external links with a corporate phishing remote server link. Then the neutered but authentic phishing attack email is sent to the previous set of corporate addresses. Doing this allows you to train staff against actual threats at a faster pace and saves on the overhead of creating a realistic-looking phishing message.
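The neutralization step described above (swap every attachment for a benign corporate file, point every external link at the corporate phishing simulation server), written as an added example with Python's standard email library; it is not CMMC's or this page's code, and the simulation endpoint, the X-Phish-Simulation header and the sample message are assumed placeholders.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import quote

SIM_LINK = "https://phish-sim.corp.example/click"  # assumed simulation endpoint (placeholder host)
TRAINING_FILE = "Training exercise: this attachment was replaced by corporate security.\n"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def rewrite_links(text: str) -> str:
    # Point every external URL at the simulation server, keeping the original target as a
    # parameter so the end-of-exercise feedback can show the clue the employee missed.
    return URL_RE.sub(lambda m: f"{SIM_LINK}?u={quote(m.group(0), safe='')}", text)


def neutralize(raw: bytes) -> EmailMessage:
    # Rebuild the captured message: same headers and wording, harmless links and files.
    src = message_from_bytes(raw, policy=policy.default)
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if src[name]:
            out[name] = str(src[name])
    out["X-Phish-Simulation"] = "awareness-exercise"  # assumed marker for mail defenses
    plain = src.get_body(preferencelist=("plain",))
    html = src.get_body(preferencelist=("html",))
    if plain is not None:
        out.set_content(rewrite_links(plain.get_content()))
        if html is not None:
            out.add_alternative(rewrite_links(html.get_content()), subtype="html")
    elif html is not None:
        out.set_content(rewrite_links(html.get_content()), subtype="html")
    else:
        out.set_content("")
    # Every real attachment becomes the benign corporate "Trojan horse" file.
    for part in src.iter_attachments():
        out.add_attachment(TRAINING_FILE, filename=part.get_filename() or "attachment.txt")
    return out


def build_sample() -> bytes:
    # Constructed stand-in for a phishing email caught by the email defenses.
    m = EmailMessage()
    m["From"] = "accounts@evil.example"
    m["To"] = "dev-team@corp.example"
    m["Subject"] = "Invoice overdue"
    m.set_content("Pay now: http://evil.example/pay")
    m.add_alternative('<p><a href="http://evil.example/pay">Pay now</a></p>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

`neutralize(build_sample())` returns the rebuilt message; `.as_bytes()` on it gives the MIME payload to hand to the mail relay for the training send.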
Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
Awareness training is most effective when it is complemented by practical exercises tailored to the tactics, techniques, and procedures (TTP) of the threat. Examples of practical exercises include no-notice social engineering attempts to gain unauthorized access, collect information, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to reinforce desired user behavior. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. It is important that senior management is made aware of such situations so that they can take appropriate remediating actions.
[SP 800-181] provides guidance on role-based security training, including a lexicon and taxonomy that describes cybersecurity work via work roles.
SECURITY AWARENESS | PRACTICAL EXERCISES
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Related controls: CA-2, CA-7, CP-4, IR-3.