DET0339 Detection Strategy for Weaken Encryption on Network Devices
| Item | Value |
|---|---|
| ID | DET0339 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1600 (Weaken Encryption)
Analytics
Network Devices
AN0961
Defenders may observe unauthorized modifications to encryption-related configuration files, firmware, or crypto modules on network devices. Suspicious patterns include changes to cipher suite configurations, unexpected firmware updates affecting crypto libraries, disabling of hardware cryptographic accelerators, or reductions in key length policies. Correlating configuration changes with anomalies in encrypted traffic characteristics (e.g., weaker ciphers or sudden plaintext transmission) strengthens detection.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | networkdevice:config | Configuration change events referencing encryption, TLS/SSL, or IPSec settings |
| Network Traffic Content (DC0085) | NSM:Flow | Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols |
| Module Load (DC0016) | snmp:status | Status change in cryptographic hardware modules (enabled -> disabled) |
Mutable Elements
| Field | Description |
|---|---|
| CipherSuiteWhitelist | List of approved encryption algorithms and key lengths; customizable to organizational policy. |
| TimeWindow | Correlation period between configuration changes and abnormal traffic; adjustable to reduce false positives. |
| AuthorizedFirmwareSources | Known trusted sources of firmware updates; deviations indicate possible compromise. |
| TrafficEntropyThreshold | Baseline entropy measurements of encrypted traffic; deviations may reveal weakening of encryption. |
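The correlation described in AN0961, wired to the CipherSuiteWhitelist and TimeWindow elements above, as an added example that is not part of the DET0339 record. The whitelist contents, the 30-minute window, the setting-name keywords and all event records are constructed assumptions; each weak or plaintext flow is rated "high" when a crypto-related configuration change on the same device precedes it within the window and "medium" otherwise.

```python
from datetime import datetime, timedelta

# Mutable elements from the strategy; these values are assumptions for the example.
CIPHER_SUITE_WHITELIST = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
TIME_WINDOW = timedelta(minutes=30)
CRYPTO_KEYWORDS = ("cipher", "tls", "ssl", "ipsec", "crypto", "key-length")

# Constructed sample events (not real device logs): networkdevice:config and NSM:Flow.
CONFIG_EVENTS = [
    {"ts": "2025-10-21T10:00:00", "device": "edge-rtr-1",
     "setting": "ipsec.transform-set.cipher", "old": "AES-256-GCM", "new": "DES-CBC"},
    {"ts": "2025-10-21T10:05:00", "device": "core-sw-2",
     "setting": "ntp.server", "old": "10.0.0.1", "new": "10.0.0.2"},
]
FLOW_EVENTS = [
    {"ts": "2025-10-21T10:12:00", "device": "edge-rtr-1", "cipher": "DES-CBC"},
    {"ts": "2025-10-21T10:20:00", "device": "core-sw-2", "cipher": "AES-256-GCM"},
    {"ts": "2025-10-21T13:00:00", "device": "edge-rtr-1", "cipher": "NONE"},  # plaintext
]

def is_crypto_setting(setting: str) -> bool:
    """True if a config change references an encryption-related setting."""
    return any(k in setting.lower() for k in CRYPTO_KEYWORDS)

def is_weak(cipher: str) -> bool:
    """Anything outside the whitelist, including 'NONE' (plaintext), counts as weak."""
    return cipher not in CIPHER_SUITE_WHITELIST

def correlate(config_events, flow_events, window=TIME_WINDOW):
    """Return alerts for weakened encryption. severity 'high' = crypto-related config
    change to a non-whitelisted value followed within `window` by a weak/plaintext flow
    on the same device; 'medium' = weak/plaintext flow with no matching config change."""
    weak_changes = [c for c in config_events
                    if is_crypto_setting(c["setting"]) and is_weak(c["new"])]
    alerts = []
    for flow in flow_events:
        if not is_weak(flow["cipher"]):
            continue
        t_flow = datetime.fromisoformat(flow["ts"])
        matched = [c for c in weak_changes if c["device"] == flow["device"]
                   and timedelta(0) <= t_flow - datetime.fromisoformat(c["ts"]) <= window]
        alert = {"device": flow["device"], "flow_cipher": flow["cipher"],
                 "severity": "high" if matched else "medium"}
        if matched:  # attach the change that explains the downgrade
            alert["setting"], alert["new_value"] = matched[0]["setting"], matched[0]["new"]
        alerts.append(alert)
    return alerts
```

The plaintext flow at 13:00 falls outside the window and is therefore only rated "medium"; widening TimeWindow or adding a separate rule for plaintext on interfaces that previously carried IPSec traffic would catch a slower downgrade.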