1. Home
  2. ATT&CK Techniques
  3. T1600
  4. T1600.002
Defense Impairment

T1600.002: Disable Crypto Hardware

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipula...

T1600.002 · Sub-technique ·1 platforms

Description

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of Modify System Image, forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., Reduce Key Space). (Citation: Cisco Blog Legacy Device Attacks)

Platforms

Network Devices

References

Frequently Asked Questions

What is T1600.002 (Disable Crypto Hardware)?

T1600.002 is a MITRE ATT&CK technique named 'Disable Crypto Hardware'. It belongs to the Defense Impairment tactic(s). Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipula...

How can T1600.002 be detected?

Detection of T1600.002 (Disable Crypto Hardware) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1600.002?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1600.002?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.