Defenders may observe unauthorized modifications to encryption-related configuration files, firmware, or crypto modules on network devices. Suspicious patterns include changes to cipher suite configurations, unexpected firmware updates affecting crypto libraries, disabling of hardware cryptographic accelerators, or reductions in key length policies. Correlating configuration changes with anomalies in encrypted traffic characteristics (e.g., weaker ciphers or sudden plaintext transmission) strengthens detection.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | networkdevice:config | Configuration change events referencing encryption, TLS/SSL, or IPSec settings |
| Network Traffic Content (DC0085) | NSM:Flow | Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols |
| Module Load (DC0016) | snmp:status | Status change in cryptographic hardware modules (enabled -> disabled) |

| Field | Description |
|---|---|
| CipherSuiteWhitelist | List of approved encryption algorithms and key lengths; customizable to organizational policy. |
| TimeWindow | Correlation period between configuration changes and abnormal traffic; adjustable to reduce false positives. |
| AuthorizedFirmwareSources | Known trusted sources of firmware updates; deviations indicate possible compromise. |
| TrafficEntropyThreshold | Baseline entropy measurements of encrypted traffic; deviations may reveal weakening of encryption. |
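As an added example (not part of the original page or of any vendor's tooling), here is one way to implement the correlation described in the opening paragraph using the tunables named in the fields table. The event record shapes, the setting names such as `crypto.cipher_suite` and `crypto.hw_accel`, the `MIN_KEY_LENGTH` floor, the firmware source URL, and all sample config changes and flows are assumptions constructed for the example.

```python
"""Correlate crypto-weakening configuration changes on network devices with
weak or plaintext traffic from the same device inside a time window.
Added example: tunable names follow the fields table above; event formats,
setting names and sample values are constructed for illustration."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Tunables (names from the fields table; values are constructed examples)
CIPHER_SUITE_WHITELIST = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
MIN_KEY_LENGTH = 2048                      # assumed floor for key length policy
TIME_WINDOW = timedelta(minutes=30)        # config change -> abnormal traffic
AUTHORIZED_FIRMWARE_SOURCES = {"https://updates.vendor.invalid/"}  # constructed
TRAFFIC_ENTROPY_THRESHOLD = 7.0            # bits/byte; ~8.0 expected for ciphertext


@dataclass
class ConfigChange:
    ts: datetime
    device: str
    setting: str   # assumed names: crypto.cipher_suite, crypto.hw_accel,
    old: str       # crypto.min_key_bits, firmware.source
    new: str


@dataclass
class Flow:
    ts: datetime
    device: str
    cipher: str    # negotiated cipher, or "NONE" for plaintext
    payload: bytes # payload sample used for the entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; near 8.0 for ciphertext, far lower for plaintext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_config_changes(changes: List[ConfigChange]) -> List[Tuple[ConfigChange, str]]:
    """Flag changes that weaken crypto according to the tunables."""
    findings = []
    for c in changes:
        if c.setting == "crypto.cipher_suite" and c.new not in CIPHER_SUITE_WHITELIST:
            findings.append((c, "cipher suite outside whitelist"))
        elif c.setting == "crypto.hw_accel" and c.old == "enabled" and c.new == "disabled":
            findings.append((c, "hardware crypto accelerator disabled"))
        elif c.setting == "crypto.min_key_bits" and int(c.new) < MIN_KEY_LENGTH:
            findings.append((c, "key length policy reduced"))
        elif c.setting == "firmware.source" and not any(
                c.new.startswith(src) for src in AUTHORIZED_FIRMWARE_SOURCES):
            findings.append((c, "firmware from unauthorized source"))
    return findings


def weak_flows(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Flag flows that use a non-whitelisted cipher, no cipher, or low-entropy payloads."""
    out = []
    for f in flows:
        reasons = []
        if f.cipher not in CIPHER_SUITE_WHITELIST:
            reasons.append(f"weak or no cipher: {f.cipher}")
        if shannon_entropy(f.payload) < TRAFFIC_ENTROPY_THRESHOLD:
            reasons.append("low payload entropy")
        if reasons:
            out.append((f, reasons))
    return out


def correlate(changes: List[ConfigChange], flows: List[Flow]) -> List[Dict]:
    """Alert when a suspicious change is followed, within TIME_WINDOW, by weak
    traffic on the same device; config changes alone are only findings."""
    alerts = []
    weak = weak_flows(flows)
    for change, why in suspicious_config_changes(changes):
        for flow, reasons in weak:
            if flow.device == change.device and change.ts <= flow.ts <= change.ts + TIME_WINDOW:
                alerts.append({"device": change.device, "change": why, "flow": reasons,
                               "change_ts": change.ts.isoformat(), "flow_ts": flow.ts.isoformat()})
    return alerts


# Constructed sample events
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_CHANGES = [
    ConfigChange(T0, "edge-rtr-1", "crypto.cipher_suite", "AES-256-GCM", "DES-CBC"),
    ConfigChange(T0 + timedelta(minutes=2), "edge-rtr-1", "crypto.hw_accel", "enabled", "disabled"),
    ConfigChange(T0, "dist-rtr-3", "crypto.min_key_bits", "2048", "1024"),   # flagged, no traffic
    ConfigChange(T0, "core-sw-2", "crypto.cipher_suite", "AES-128-GCM", "AES-256-GCM"),  # benign
]
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(minutes=10), "edge-rtr-1", "NONE", b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"),
    Flow(T0 + timedelta(hours=2), "edge-rtr-1", "NONE", b"plaintext, but outside the window"),
    Flow(T0 + timedelta(minutes=5), "core-sw-2", "AES-256-GCM", bytes(range(256))),  # max entropy
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_CHANGES, SAMPLE_FLOWS):
        print(alert)
```

Run as-is the script prints two alerts for `edge-rtr-1` (cipher suite downgrade and accelerator disabled, each followed by a plaintext flow ten minutes later); the `dist-rtr-3` key-length change is a finding without a traffic match, and the `core-sw-2` change is ignored because the new cipher is on the whitelist. Widening `TIME_WINDOW` or lowering `TRAFFIC_ENTROPY_THRESHOLD` trades recall for false positives, which is why both are exposed as tunables.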