M1020 SSL/TLS Inspection
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1573 | Encrypted Channel | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
| enterprise | T1573.002 | Asymmetric Cryptography | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
| enterprise | T1090 | Proxy | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |
| enterprise | T1090.004 | Domain Fronting | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |
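
One way to carry out the domain fronting analysis named in the Proxy and Domain Fronting rows, as an added example that is not part of the ATT&CK page: domain fronting places one hostname in the TLS SNI field and a different one in the HTTP Host header, so records from the inspection point can be compared once the session is decrypted. The record field names (`src`, `sni`, `host`, `cert_sans`), the verdict labels and the sample records are assumptions constructed for this example.

```python
import json

# Constructed sample records shaped like TLS inspection proxy output.
# Field names (src, sni, host, cert_sans) are assumptions, not a product schema.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com:443", "cert_sans": ["www.example.com"]}
{"src": "10.0.0.7", "sni": "cdn.example.net", "host": "img.example.net", "cert_sans": ["*.example.net"]}
{"src": "10.0.0.9", "sni": "cdn.example.net", "host": "hidden.example.org", "cert_sans": ["*.example.net"]}
{"src": "10.0.0.9", "sni": null, "host": "hidden.example.org", "cert_sans": []}
"""

def normalize(name):
    """Lowercase a hostname, dropping any :port suffix and trailing dot."""
    name = (name or "").strip().lower()
    if name.count(":") == 1:              # host:port (bare IPv6 has several colons)
        name = name.split(":", 1)[0]
    return name.rstrip(".")

def covered_by(host, sans):
    """True if host matches a certificate SAN (one-label wildcard allowed)."""
    parent = host.split(".", 1)[1] if "." in host else None
    return any(s == host or (s.startswith("*.") and s[2:] == parent)
               for s in map(normalize, sans))

def classify(record):
    sni, host = normalize(record.get("sni")), normalize(record.get("host"))
    if not sni or not host:
        return "incomplete"               # cannot compare; review separately
    if sni == host:
        return "match"
    if covered_by(host, record.get("cert_sans") or []):
        return "same-cert"                # e.g. HTTP/2 connection reuse; lower priority
    return "fronting-suspect"

def analyze(log_text):
    """Return (src, sni, host, verdict) for each record that is not a clean match."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict != "match":
            findings.append((rec.get("src"), rec.get("sni"), rec.get("host"), verdict))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The `same-cert` verdict separates a Host header that the presented certificate also covers, which legitimate connection reuse produces, from a Host header the certificate does not cover, which is the higher-priority lead.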