NIST 800-53 REV 5 • AWARENESS AND TRAINING

AT-2(4)Suspicious Communications and Anomalous System Behavior

Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect against malicious code coming into organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations.

Practitioner Notes

Teach people to recognize and report suspicious communications and unusual system behavior. If something looks wrong, they should know what to do.

Example 1: In your training, show examples of suspicious communications: emails with mismatched display names and email addresses, unexpected MFA prompts, messages with urgency and threats ("Your account will be locked in 2 hours"). Provide a one-click Report Phishing button in Outlook (Defender for Office 365 → Report Message add-in) so reporting is easy.

Example 2: Train users to recognize anomalous system behavior: unexpected pop-ups, programs running slowly, files being encrypted, unusual browser redirects, or their mouse moving on its own. Create a simple one-page guide posted near each workstation with the help desk number and instructions to immediately disconnect the network cable if they suspect compromise.

More Awareness and Training Controls

AT-1 Policy and Procedures AT-2 Literacy Training and Awareness AT-2(1) Practical Exercises AT-2(2) Insider Threat