Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
NIST CSF 2.0 diagnostic statements mapped to T1573:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1573 | Encrypted Channel | This diagnostic statement covers the implementation of methods to detect and block similar future attacks, using security tools such as antivirus and IDS/IPS to protect against threats and exploitation attempts. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1573 | Encrypted Channel | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity (encrypted command and control traffic) at the network level. Because the payload itself is opaque, such signatures have to key on what remains observable: protocol framing, key-exchange or certificate artefacts, and beacon size or timing patterns. |
PR.IR-04.01 | Utilization monitoring | Mitigates | T1573 | Encrypted Channel | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms for this type of network-based technique may include Data Loss Prevention (DLP), filtering network traffic, limiting network traffic, Network Intrusion Prevention Systems (NIPS), and network segmentation. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1573 | Encrypted Channel | This diagnostic statement protects against Encrypted Channel through secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1573 | Encrypted Channel | This diagnostic statement provides protections for wireless networks. Wireless network management measures such as network segmentation and access controls reduce the attack surface, restrict adversary movement, and protect data from compromise. |
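The two points above that a practitioner can act on are the technique description (an encryption key hard-coded in a sample can be recovered by reverse engineering) and the DE.CM-01.01 / PR.IR-04.01 notes (encrypted command and control has to be found from what is still observable on the wire, measured against a baseline). The following Python is an added example, not code from this Mappings Explorer page or from MITRE: it flags flows whose payload looks encrypted on a port where the protocol should be plaintext, or whose bytes on a TLS port do not start with a TLS record header, and then tries the key pulled out of a sample on each flagged flow. The port sets, the 7.0 bits-per-byte entropy cut-off, the `RC4KEY=` marker, the configuration blob, the beacon and all four flows are constructed for the example; RC4 is used only because it is short enough to implement inline and is a common choice in commodity malware.

```python
import json
import math
from collections import Counter

# Assumptions for this example: ports where the application protocol is normally
# plaintext, ports where TLS is expected, and an entropy cut-off in bits per byte.
PLAINTEXT_PORTS = {21, 25, 53, 80, 8080}
TLS_PORTS = {443, 8443}
ENTROPY_THRESHOLD = 7.0
MIN_PAYLOAD = 64  # shorter payloads give an unreliable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the maximum, plaintext protocols sit near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_tls_record(payload: bytes) -> bool:
    """A TLS record starts with a content type 0x14-0x17 and protocol major version 0x03."""
    return len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def classify(flow: dict) -> str:
    """Verdict for one flow: 'ok', 'encrypted-on-plaintext-port' or 'non-tls-on-tls-port'."""
    payload = flow["payload"]
    if len(payload) < MIN_PAYLOAD:
        return "ok"
    if flow["dport"] in PLAINTEXT_PORTS and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "encrypted-on-plaintext-port"
    if flow["dport"] in TLS_PORTS and not is_tls_record(payload):
        return "non-tls-on-tls-port"
    return "ok"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for a malware configuration blob: the RC4 key sits in clear
# after a marker, which is what a strings/hex dump of such a sample exposes.
KEY_MARKER = b"RC4KEY="
SAMPLE_CONFIG = (b"\x00\x01host=update.cdn-example.invalid\x00"
                 + KEY_MARKER + b"h7Qx9!pL2s" + b"\x00sleep=60\x00")


def recover_key(sample: bytes, marker: bytes = KEY_MARKER) -> bytes:
    """Pull the NUL-terminated key that follows the marker out of the sample."""
    start = sample.index(marker) + len(marker)
    return sample[start:sample.index(b"\x00", start)]


# Constructed traffic: a plain HTTP request, a TLS record on 443, a beacon encrypted with
# the embedded key and sent over port 80, and a home-grown binary protocol on 443.
BEACON = json.dumps({"id": "WS-0412", "user": "jdoe", "task": "idle", "pad": "A" * 400}).encode()
FLOWS = [
    {"src": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nUser-Agent: curl/8.4.0\r\n\r\n"},
    {"src": "10.0.0.6", "dport": 443, "payload": b"\x16\x03\x01\x00\x80" + bytes(128)},
    {"src": "10.0.0.7", "dport": 80, "payload": rc4(recover_key(SAMPLE_CONFIG), BEACON)},
    {"src": "10.0.0.8", "dport": 443, "payload": b"BEACON|WS-0413|jsmith|idle|" * 4},
]


def triage(flows: list, sample: bytes) -> list:
    """Flag suspicious flows, then try the key recovered from the sample on each one."""
    key = recover_key(sample)
    findings = []
    for flow in flows:
        verdict = classify(flow)
        if verdict == "ok":
            continue
        try:
            decoded = json.loads(rc4(key, flow["payload"]))
        except ValueError:  # wrong key or a different family: garbage, not JSON
            decoded = None
        findings.append({"src": flow["src"], "dport": flow["dport"],
                         "verdict": verdict, "decrypted": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(FLOWS, SAMPLE_CONFIG):
        print(finding)
```

The entropy test only applies on ports whose protocol is expected to be readable; on TLS ports the check is structural instead, because legitimate TLS is also high-entropy and only the record framing separates it from a custom cipher. Neither check sees inside the payload, which is the limitation the DE.CM-01.01 note is about; the decryption step works only because the key was embedded in the sample, which is the weakness the technique description is about.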
NIST SP 800-53 controls mapped to T1573:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | Mitigates | T1573 | Encrypted Channel | |
CM-06 | Configuration Settings | Mitigates | T1573 | Encrypted Channel | |
SC-12 | Cryptographic Key Establishment and Management | Mitigates | T1573 | Encrypted Channel | |
SC-16 | Transmission of Security and Privacy Attributes | Mitigates | T1573 | Encrypted Channel | |
SC-23 | Session Authenticity | Mitigates | T1573 | Encrypted Channel | |
SI-03 | Malicious Code Protection | Mitigates | T1573 | Encrypted Channel | |
CM-02 | Baseline Configuration | Mitigates | T1573 | Encrypted Channel | |
CM-07 | Least Functionality | Mitigates | T1573 | Encrypted Channel | |
SI-04 | System Monitoring | Mitigates | T1573 | Encrypted Channel | |
AC-04 | Information Flow Enforcement | Mitigates | T1573 | Encrypted Channel | |
SC-07 | Boundary Protection | Mitigates | T1573 | Encrypted Channel | |
Sub-techniques of T1573 and the number of mappings each carries:

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1573.001 | Symmetric Cryptography | 19 |
T1573.002 | Asymmetric Cryptography | 18 |