mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-15 12:15:16 +03:00
886658219f
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
133 lines
4.7 KiB
Markdown
133 lines
4.7 KiB
Markdown
---
|
|
name: implementing-anti-phishing-training-program
|
|
description: Security awareness training is the human layer of phishing defense. An
|
|
effective anti-phishing training program combines regular simulations, interactive
|
|
learning modules, metric tracking, and positiv
|
|
domain: cybersecurity
|
|
subdomain: phishing-defense
|
|
tags:
|
|
- phishing
|
|
- email-security
|
|
- social-engineering
|
|
- dmarc
|
|
- awareness
|
|
- training
|
|
- security-culture
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- PR.AT-01
|
|
- DE.CM-09
|
|
- RS.CO-02
|
|
- DE.AE-02
|
|
mitre_attack:
|
|
- T1566
|
|
- T1598
|
|
- T1534
|
|
- T1036
|
|
mitre_f3:
|
|
version: '1.1'
|
|
tactics:
|
|
- reconnaissance
|
|
- initial-access
|
|
- stealth
|
|
techniques:
|
|
- id: T1660
|
|
name: Phishing
|
|
tactic: initial-access
|
|
source: attack
|
|
- id: T1598
|
|
name: Phishing for Information
|
|
tactic: reconnaissance
|
|
source: attack
|
|
- id: T1672
|
|
name: Email Spoofing
|
|
tactic: stealth
|
|
source: attack
|
|
- id: F1032
|
|
name: Impersonate Official
|
|
tactic: initial-access
|
|
source: f3
|
|
- id: F1031
|
|
name: Impersonate Account Holder
|
|
tactic: initial-access
|
|
source: f3
|
|
---
|
|
# Implementing Anti-Phishing Training Program
|
|
|
|
## Overview
|
|
Security awareness training is the human layer of phishing defense. An effective anti-phishing training program combines regular simulations, interactive learning modules, metric tracking, and positive reinforcement to build a security-conscious culture. This skill covers designing, deploying, and measuring a comprehensive phishing awareness program using platforms like KnowBe4, Proofpoint Security Awareness, and open-source alternatives.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When deploying or configuring implementing anti phishing training program capabilities in your environment
|
|
- When establishing security controls aligned to compliance requirements
|
|
- When building or improving security architecture for this domain
|
|
- When conducting security assessments that require this implementation
|
|
|
|
## Prerequisites
|
|
- Management buy-in and budget approval
|
|
- Security awareness training platform (KnowBe4, Proofpoint SAT, Cofense)
|
|
- Employee email list and organizational structure
|
|
- Baseline phishing susceptibility data (from initial simulation)
|
|
- Learning management system (LMS) integration capability
|
|
|
|
## Key Concepts
|
|
|
|
### Training Program Pillars
|
|
1. **Baseline Assessment**: Initial phishing simulation to measure current susceptibility
|
|
2. **Interactive Training**: Role-based modules covering phishing identification
|
|
3. **Regular Simulations**: Monthly/quarterly phishing tests with progressive difficulty
|
|
4. **Just-in-Time Learning**: Immediate training after a user fails a simulation
|
|
5. **Positive Reinforcement**: Recognition for reporting phishing correctly
|
|
6. **Metrics & Reporting**: Track improvement over time by department and role
|
|
|
|
### SANS Security Awareness Maturity Model
|
|
- **Level 1**: Non-existent - No program
|
|
- **Level 2**: Compliance-focused - Annual checkbox training
|
|
- **Level 3**: Promoting Awareness - Engaging, regular content
|
|
- **Level 4**: Long-term Sustainment - Continuous program with culture change
|
|
- **Level 5**: Metrics Framework - Risk-based measurement and optimization
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Establish Baseline
|
|
- Run initial phishing simulation across all departments
|
|
- Measure click rate, submit rate, and report rate
|
|
- Identify high-risk departments and roles
|
|
|
|
### Step 2: Design Curriculum
|
|
- **General awareness**: Phishing identification basics for all employees
|
|
- **Role-specific**: Finance (BEC/wire fraud), IT (credential phishing), Executives (whaling)
|
|
- **Progressive difficulty**: Beginner, intermediate, advanced modules
|
|
- **Micro-learning**: Short (3-5 minute) frequent sessions vs. annual marathon
|
|
|
|
### Step 3: Deploy Training Platform
|
|
- Configure KnowBe4/Proofpoint SAT with organizational groups
|
|
- Set up automated enrollment workflows
|
|
- Integrate with LMS for completion tracking
|
|
- Configure reporting dashboards
|
|
|
|
### Step 4: Run Continuous Simulations
|
|
- Monthly simulations with varied scenarios
|
|
- Increase difficulty based on organizational performance
|
|
- Include diverse attack types: links, attachments, QR codes, BEC
|
|
|
|
### Step 5: Measure and Optimize
|
|
Use `scripts/process.py` to analyze training completion, simulation results, and program effectiveness over time.
|
|
|
|
## Tools & Resources
|
|
- **KnowBe4**: https://www.knowbe4.com/
|
|
- **Proofpoint Security Awareness**: https://www.proofpoint.com/us/products/security-awareness-training
|
|
- **Cofense PhishMe**: https://cofense.com/
|
|
- **SANS Security Awareness**: https://www.sans.org/security-awareness-training/
|
|
- **Terranova Security**: https://terranovasecurity.com/
|
|
|
|
## Validation
|
|
- 90%+ training completion rate across organization
|
|
- Measurable reduction in phishing click rate over 6 months
|
|
- Increase in user phishing report rate
|
|
- Department-level improvement tracking
|