
M1020 SSL/TLS Inspection

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

| Item | Value |
|---|---|
| ID | M1020 |
| Version | 1.0 |
| Created | 06 June 2019 |
| Last Modified | 06 June 2019 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1573 | Encrypted Channel | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
| enterprise | T1573.002 | Asymmetric Cryptography | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
| enterprise | T1090 | Proxy | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |
| enterprise | T1090.004 | Domain Fronting | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |
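
The T1090.004 entry above describes analyzing inspected HTTPS captures for domain fronting. As an added example (not part of the ATT&CK page), this Python check flags requests whose TLS SNI differs from the Host header that is visible only after decryption; the log format, field names and allowlist are assumptions, and the sample records are constructed.

```python
import json

# Constructed sample records, one per decrypted HTTPS request, in a hypothetical
# JSON-lines export from a TLS-inspecting proxy: "sni" is the server name from
# the ClientHello, "host" is the HTTP Host header seen after decryption.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"}
{"src": "10.0.0.7", "sni": "cdn.example.net", "host": "CDN.example.net:443"}
{"src": "10.0.0.9", "sni": "static.example.org", "host": "c2.example.invalid"}
{"src": "10.0.0.9", "sni": "", "host": "api.example.com"}
{"src": "10.0.0.4", "sni": "a.example.com", "host": "b.example.com"}
"""

# Assumed allowlist of (sni, host) pairs known to legitimately share a front end.
ALLOWED_PAIRS = {("a.example.com", "b.example.com")}


def normalize(name):
    """Lowercase, drop port and trailing dot so cosmetic differences do not alert."""
    name = (name or "").strip().lower()
    if name.startswith("["):        # bracketed IPv6 literal such as [::1]:443
        name = name[1:].split("]")[0]
    elif name.count(":") == 1:      # host:port
        name = name.split(":")[0]
    return name.rstrip(".")


def fronting_candidates(log_text, allowed=ALLOWED_PAIRS):
    """Return records whose outer SNI and inner Host header name different hosts."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if not sni or not host:
            continue  # nothing to compare; missing SNI needs separate triage
        if sni != host and (sni, host) not in allowed:
            hits.append({"src": rec.get("src"), "sni": sni, "host": host})
    return hits


if __name__ == "__main__":
    for hit in fronting_candidates(SAMPLE_LOG):
        print(hit)
```

A mismatch is a lead for triage rather than proof, since hosts that share a front end can legitimately produce one; the allowlist is where those known pairs go.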