Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0681: Analytic 0681

Defenders may observe attempts to alter cryptographic settings on network devices that reduce key strength or allowable cipher suites. Suspicious indicators include configuration changes that downgrade encryption algorithms, key length parameters, or the disabling of strong encryption in favor of legacy ciphers. These activities often appear as CLI commands modifying crypto policies, firmware changes affecting crypto libraries, or unexpected updates to key management files. Correlation across device config logs and traffic analysis showing weaker ciphers provides higher confidence of malicious key space reduction.

EnterpriseAN0681AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0681 is a detection analytic for spotting attempts to weaken cryptographic protections on network devices, such as downgrading encryption algorithms, reducing key length, enabling legacy ciphers, or changing crypto-related files or firmware. For leaders, the practical issue is trust in the network control plane: if device encryption settings are weakened, secure administration, key management, and protected communications may no longer meet resilience or compliance expectations.

Executive priority

Prioritize this where network devices are critical to business operations, regulated connectivity, remote administration, or segmentation. Leaders should ask whether configuration changes to crypto policies are logged, reviewed, and correlated with traffic evidence showing weaker cipher use. This analytic supports control assurance and audit readiness because it focuses on whether cryptographic baselines on network infrastructure remain intact after administrative, firmware, or file-level changes.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into network device configuration logs, CLI command history where available, firmware or crypto library changes, key management file updates, and network traffic analysis that can identify negotiated cipher suites. Because the ATT&CK object does not provide a formal detection rule and has no tactic or relationship context, teams should build local logic around deviations from approved crypto baselines and raise confidence when configuration changes align with observed weaker cipher negotiation.

Likely telemetry

  • Network device configuration change logs
  • CLI command or administrative session logs for network devices
  • Firmware update and device software change records
  • Crypto policy, crypto library, or key management file change evidence
  • Network traffic metadata showing negotiated encryption algorithms or cipher suites

Detection direction

  • Establish approved cryptographic baselines for network devices and alert on downgrades to weaker algorithms, shorter key lengths, or legacy cipher suites.
  • Correlate device-side configuration changes with traffic analysis showing weaker cipher negotiation for higher confidence.
  • Tune for authorized maintenance, firmware upgrades, and planned compatibility changes to reduce false positives.
  • Investigate unexpected disabling of strong encryption or modifications to key management files, especially when not tied to approved change records.
  • Account for blind spots where network devices do not export detailed CLI, configuration, firmware, or crypto negotiation telemetry.

Mitigation priorities

  • Define and maintain standard crypto configuration baselines for network devices.
  • Require change control and review for crypto policy, firmware, and key management file changes.
  • Ensure network device logging is enabled and retained for configuration and administrative actions.
  • Monitor traffic for negotiated cipher suites where feasible to validate that device configuration matches expected encryption posture.
  • Review exceptions for legacy cipher use and document business justification, compensating controls, and retirement plans.
Analyst notes and limits

This take is based only on the supplied ATT&CK analytic AN0681. The object is scoped to Network Devices and describes suspicious indicators for cryptographic key space reduction but does not provide an official detection rule, tactics, aliases, labels, or relationship context. The strongest defensive value comes from pairing configuration evidence with traffic evidence.

No active exploitation, attribution, impact pattern, or related ATT&CK techniques were supplied. Local device types, logging depth, approved crypto standards, and change management evidence are required to determine actual detection coverage and priority.

Official MITRE ATT&CK definition

Analytic 0681

Defenders may observe attempts to alter cryptographic settings on network devices that reduce key strength or allowable cipher suites. Suspicious indicators include configuration changes that downgrade encryption algorithms, key length parameters, or the disabling of strong encryption in favor of legacy ciphers. These activities often appear as CLI commands modifying crypto policies, firmware changes affecting crypto libraries, or unexpected updates to key management files. Correlation across device config logs and traffic analysis showing weaker ciphers provides higher confidence of malicious key space reduction.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
96ae0fcc4885e3dc...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 96ae0fcc4885…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0681
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use