Thank you to Tidal Cyber and SOC Prime for becoming ATT&CK's first Benefactors. To join the cohort, or learn more about this program visit our Benefactors page.

SSL/TLS Inspection

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

ID: M1020

Version: 1.0

Created: 06 June 2019

Last Modified: 06 June 2019

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Enterprise	T1573		Encrypted Channel	SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.
		.002	Asymmetric Cryptography	SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.
Enterprise	T1090		Proxy	If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.
		.004	Domain Fronting	If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.

SSL/TLS Inspection

Enterprise Layer

Techniques Addressed by Mitigation