Weaken Encryption: Reduce Key Space

ID Name
T1600.001 Reduce Key Space
T1600.002 Disable Crypto Hardware

Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.[1]

Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.

Adversaries may modify the key size used and other encryption parameters using specialized commands in a Network Device CLI introduced to the system through Modify System Image to change the configuration of the device. [2]

ID: T1600.001
Sub-technique of:  T1600
Tactic: Defense Evasion
Platforms: Network
Permissions Required: Administrator
Data Sources: File monitoring
Version: 1.0
Created: 19 October 2020
Last Modified: 21 October 2020

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation.

References