Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0494: Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices

This detection strategy is tied to adversary behavior that weakens encryption on network devices by disabling dedicated crypto hardware. For leaders, the p...

EnterpriseDET0494Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is tied to adversary behavior that weakens encryption on network devices by disabling dedicated crypto hardware. For leaders, the practical issue is not just confidentiality: a change to router, switch, or firewall encryption capability can undermine trusted network paths, complicate incident response, and create audit questions about whether critical traffic protections are still operating as intended.

Executive priority

Prioritize this as a control-assurance and resilience concern for environments that rely on network devices to protect traffic between sites, data centers, cloud connectivity, or sensitive operational segments. Leaders should ask whether teams can prove when crypto hardware settings change, who made the change, whether the change was authorized, and whether configuration evidence is retained for incident and compliance review.

Technical view

The supplied ATT&CK object provides no official detection logic, but it detects T1600.002, Disable Crypto Hardware, under defense-impairment for Network Devices. SOC and IR teams should validate visibility into administrative changes on routers, switches, and firewalls, especially configuration changes affecting hardware encryption, crypto acceleration, VPN/tunnel encryption behavior, or related device security features. Detection engineering should focus on comparing expected secure baselines against current and historical device configuration, then correlating unexpected crypto-related changes with administrator identity, access path, maintenance window, and subsequent network behavior.

Likely telemetry

  • Network device configuration change logs and archived configuration snapshots
  • AAA, TACACS/RADIUS, local administrator, and privileged session records for network device access
  • Syslog or management-plane events from routers, switches, and firewalls
  • Change-management records for approved network encryption or hardware acceleration changes
  • Device state or inventory data showing crypto hardware, acceleration, or encryption feature status where available

Detection direction

  • Establish known-good baselines for network device encryption and crypto hardware settings, then alert on deviations outside approved change windows.
  • Correlate crypto-related configuration changes with authenticated administrator activity and change tickets to reduce false positives from planned maintenance.
  • Prioritize detections on externally connected, inter-site, data center, cloud edge, and segmentation-enforcing network devices because weakened encryption there can affect broad traffic paths.
  • Validate that logs are generated before, during, and after configuration commits; a common blind spot is relying only on periodic config backups that may miss short-lived changes.
  • Review whether network device logs are centralized and tamper-resistant enough to support incident response if a device’s defensive capability is impaired.

Mitigation priorities

  • Define and document approved encryption and crypto hardware baselines for network devices that protect sensitive or critical traffic.
  • Restrict and monitor privileged administrative access to network devices, including emergency and local accounts.
  • Require change control for crypto hardware, encryption, VPN, and tunnel configuration changes, with retention of before-and-after configuration evidence.
  • Centralize network device logs and configuration backups so responders can determine when a weakening change occurred and whether it was authorized.
  • Periodically audit network devices against the approved baseline and investigate unexplained drift.
Analyst notes and limits

This take is based on detection strategy DET0494 and its relationship to ATT&CK technique T1600.002, Disable Crypto Hardware. The business value is in validating whether the organization can observe and prove the integrity of encryption-related settings on network devices, not in assuming a specific adversary, tool, or exploit path.

The official detection strategy fields supplied here do not include a description, detection logic, platforms, or tactics. Platform and tactic context come from the related technique only: Network Devices and defense-impairment. Local device capabilities, logging formats, and change-management practices are required to build reliable detections.

Official MITRE ATT&CK definition

Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1600.002 Disable Crypto Hardware Sub-technique This object detects Disable Crypto Hardware.
Relationship explorer

All related ATT&CK context

detects · Technique T1600.002: Disable Crypto Hardware Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
da380056d21b9e9d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle da380056d21b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0494
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use