Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
Techniques Addressed by Mitigation
If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.
|Enterprise|T1032|Standard Cryptographic Protocol|SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.|
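One way to analyze inspected HTTPS sessions for Domain Fronting is to compare the server name in the TLS handshake (SNI) with the Host header of the decrypted HTTP request, since a fronted connection names different hosts in the two. The following is an added example, not part of the original page; the JSON log format, its field names (`src`, `sni`, `host`) and the sample records are constructed assumptions.

```python
"""Flag decrypted HTTPS sessions whose TLS SNI and HTTP Host header disagree."""
import json

# Constructed sample records, one JSON object per decrypted session. The field
# names (src, sni, host) are assumptions, not any particular proxy's log schema.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"}
{"src": "10.0.0.7", "sni": "cdn.example.net", "host": "hidden.example.org"}
{"src": "10.0.0.8", "sni": "Static.Example.com.", "host": "static.example.com:443"}
{"src": "10.0.0.9", "sni": "a.example.com", "host": "b.example.com"}
{"src": "10.0.0.4", "sni": null, "host": "203.0.113.10"}
"""


def normalize(name):
    """Lowercase, drop a :port suffix and the trailing dot; None if absent."""
    if not name:
        return None
    name = name.strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return name[1:name.find("]")]
    if name.count(":") == 1:            # hostname:port or IPv4:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def base_domain(name):
    """Naive last-two-labels grouping; a real deployment would use the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def find_fronting_candidates(log_text):
    """Return (src, sni, host, kind) for sessions where SNI and Host differ."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if sni is None or host is None or sni == host:
            continue                    # no SNI to compare, or names agree
        kind = "same-site" if base_domain(sni) == base_domain(host) else "cross-domain"
        hits.append((rec["src"], sni, host, kind))
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG):
        print("%s sni=%s host=%s (%s)" % hit)
```

A mismatch is a lead for review rather than proof: the `same-site` label separates hosts under one base domain from `cross-domain` pairs, which are the stronger candidates.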