The sub-techniques beta is now live! Read the release blog post for more info.

Obfuscation or cryptography

Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. [1]

ID: T1313
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Procedure Examples

Name Description
Cleaver

Cleaver has used zhCat to encrypt traffic or use inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.[2]

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Techniques and signatures are hard to detect. Advanced communications and exfiltration channels are nearly indistinguishable from background noise.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Known approaches include the use of cryptography for communications, rotating drops sites (such as random list of chat fora), and one-time [https://aws.amazon.com/s3/ Simple Storage Service (S3)] buckets, etc. All require sophisticated knowledge, infrastructure, and funding.

References

  1. FireEye, Inc. (2014). APT 28: A Window into Russia’s Cyber Espionage Operations?. Retrieved March 1, 2017.