Ctrl+K

T1600 - Weaken Encryption

T1600 - Weaken Encryption#

Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)

Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.

Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as Modify System Image, Reduce Key Space, and Disable Crypto Hardware, an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image. Some detection methods require vendor support to aid in investigation.

Shield Active Defense#

Network Monitoring#

Monitor network traffic in order to detect adversary activity.

Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis.

Opportunity#

There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.

Use Case#

A defender can monitor network traffic for anomalies associated with known MiTM behavior.

Procedures#

Capture network logs for internet-facing devices and send those logs to a central collection location. Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location.

Contents