Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0961: Analytic 0961

Defenders may observe unauthorized modifications to encryption-related configuration files, firmware, or crypto modules on network devices. Suspicious patterns include changes to cipher suite configurations, unexpected firmware updates affecting crypto libraries, disabling of hardware cryptographic accelerators, or reductions in key length policies. Correlating configuration changes with anomalies in encrypted traffic characteristics (e.g., weaker ciphers or sudden plaintext transmission) strengthens detection.

EnterpriseAN0961AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because encryption settings on network devices are part of the trust boundary for business communications. Unauthorized changes to cipher suites, key-length policy, firmware crypto libraries, or hardware crypto acceleration can weaken confidentiality or cause unexpected plaintext exposure. For leaders, the key question is whether network device configuration and encrypted-traffic behavior are monitored well enough to prove that encryption posture has not silently degraded.

Executive priority

Treat this as a control-assurance and resilience issue for network infrastructure. Priority should go to confirming change governance, audit evidence, and monitoring coverage for encryption-related network device settings. This is especially relevant where encrypted communications support regulated data flows, remote access, inter-site connectivity, or operational continuity. Because ATT&CK provides no tactic mapping, relationships, or official detection logic for this analytic, organizations should use it as a validation prompt rather than as a complete detection specification.

Technical view

SOC, detection engineering, and IR teams should validate whether they can observe unauthorized modifications to encryption-related configuration files, firmware, crypto modules, cipher suite settings, key-length policies, and hardware cryptographic accelerator status on network devices. They should also test whether configuration-change records can be correlated with encrypted traffic characteristics, such as weaker cipher negotiation or sudden plaintext transmission. Investigation should focus on whether the change was approved, whether firmware or crypto-library changes align with maintenance records, and whether traffic behavior changed after the device-side modification.

Likely telemetry

  • Network device configuration change logs
  • Network device firmware update or image-change records
  • Administrative access and command logs from network devices
  • Crypto module or encryption feature status where available
  • Cipher suite and protocol negotiation observations from encrypted traffic

Detection direction

  • Build or validate alerts for encryption-related configuration changes on network devices, especially cipher suite changes, key-length reductions, firmware updates affecting crypto libraries, and disabling of hardware cryptographic accelerators.
  • Correlate device-side changes with encrypted traffic anomalies to reduce noise and increase confidence.
  • Tune for approved maintenance windows and authorized change tickets to limit false positives.
  • Review blind spots where network device logs are not centralized, firmware events are not retained, or encrypted traffic characteristics are not measured.
  • Because no official detection logic is supplied, detection content should be locally engineered and tested against each device class and logging capability.

Mitigation priorities

  • Establish strict change control for encryption-related network device settings and firmware updates.
  • Centralize and retain network device configuration and administrative activity logs.
  • Baseline approved cipher suites, key-length policies, firmware versions, and crypto module settings.
  • Regularly compare running configurations and firmware state against approved baselines.
  • Ensure incident response playbooks include validation of encryption posture after suspicious network device changes.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Network Devices and describes observable unauthorized changes to encryption-related device configuration, firmware, or crypto modules. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied, so this take emphasizes defensive validation and telemetry readiness rather than a specific adversary procedure.

This summary is limited to the official STIX fields, external reference, and empty relationship context provided. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local device types, logging configuration, traffic visibility, and change-management evidence are required to determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0961

Defenders may observe unauthorized modifications to encryption-related configuration files, firmware, or crypto modules on network devices. Suspicious patterns include changes to cipher suite configurations, unexpected firmware updates affecting crypto libraries, disabling of hardware cryptographic accelerators, or reductions in key length policies. Correlating configuration changes with anomalies in encrypted traffic characteristics (e.g., weaker ciphers or sudden plaintext transmission) strengthens detection.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9d6b3d9ead82e64d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 9d6b3d9ead82…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0961
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use