Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public key that can be freely distributed, and one private key. Because of how the keypair is generated, the sender encrypts data with the receiver’s public key and only the receiver can decrypt the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1573.002 | Asymmetric Cryptography | This diagnostic statement provides for implementing methods, through security tools such as antivirus and IDS/IPS, to block similar future attacks and protect against threats and exploitation attempts. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1573.002 | Asymmetric Cryptography | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can mitigate some activity at the network level, specifically from adversaries known to conceal C2 traffic with asymmetric encryption algorithms. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1573.002 | Asymmetric Cryptography | This diagnostic statement protects against Asymmetric Cryptography through secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1573.002 | Asymmetric Cryptography | This diagnostic statement provides protections for wireless networks. Implementing wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts adversary movement, and protects data from compromise. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1573.002 | Asymmetric Cryptography | |
CM-06 | Configuration Settings | mitigates | T1573.002 | Asymmetric Cryptography | |
SC-12 | Cryptographic Key Establishment and Management | mitigates | T1573.002 | Asymmetric Cryptography | |
SC-16 | Transmission of Security and Privacy Attributes | mitigates | T1573.002 | Asymmetric Cryptography | |
SC-23 | Session Authenticity | mitigates | T1573.002 | Asymmetric Cryptography | |
SI-03 | Malicious Code Protection | mitigates | T1573.002 | Asymmetric Cryptography | |
CM-02 | Baseline Configuration | mitigates | T1573.002 | Asymmetric Cryptography | |
CM-07 | Least Functionality | mitigates | T1573.002 | Asymmetric Cryptography | |
SI-04 | System Monitoring | mitigates | T1573.002 | Asymmetric Cryptography | |
AC-04 | Information Flow Enforcement | mitigates | T1573.002 | Asymmetric Cryptography | |
SC-07 | Boundary Protection | mitigates | T1573.002 | Asymmetric Cryptography | |