M1041: Encrypt Sensitive Information
Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:
Encrypt Data at Rest:
- Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
- Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit:
- Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
- Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups:
- Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
- Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets:
- Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
- Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption:
- Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
- Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.
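The "Encrypt Backups" measure above, worked as an added Go example that is not part of the ATT&CK text or of Glexia's page: a backup is sealed client-side with AES-256-GCM before upload, with the object name bound as authenticated data so that a blob modified in storage or swapped in under another name fails to decrypt instead of yielding altered data. The BackupSealer type, its method names and the sample object name are assumptions of this example; the upload to S3 or Google Cloud itself is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BackupSealer wraps AES-256-GCM. The key comes from a secrets vault and is never
// stored beside the blobs it protects: key access, not the cipher, is the weak point.
type BackupSealer struct{ aead cipher.AEAD }

func NewBackupSealer(key []byte) (*BackupSealer, error) {
	if len(key) != 32 { // aes.NewCipher would also accept AES-128/192 keys
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key length checked above
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block size
	return &BackupSealer{aead: aead}, nil
}

// Seal encrypts a backup before upload; objectName is bound as additional authenticated
// data so a blob cannot be swapped in under another name. Layout: nonce || ciphertext || tag.
func (s *BackupSealer) Seal(plaintext []byte, objectName string) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per blob, never reused
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or objectName fails
// the GCM tag check, so tampering of the stored object is detected, not decrypted.
func (s *BackupSealer) Open(blob []byte, objectName string) ([]byte, error) {
	if n := s.aead.NonceSize(); len(blob) >= n+s.aead.Overhead() {
		return s.aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
	}
	return nil, errors.New("blob too short to be a sealed backup")
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice fetched from the vault
	rand.Read(key)
	s, _ := NewBackupSealer(key)
	blob, _ := s.Seal([]byte("constructed sample: users table dump"), "backups/users.sql.enc")
	blob[len(blob)-1] ^= 1 // simulate one flipped bit in the stored object
	_, err := s.Open(blob, "backups/users.sql.enc")
	fmt.Println("tampered backup rejected:", err != nil)
}
```

Only the sealed blob leaves the host; the key stays in the vault, which is what makes the backup copy useless to whoever reads the bucket.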
Analyst context for executives and security teams
Encrypt Sensitive Information is a foundational mitigation for reducing the business damage of credential theft, data collection, traffic interception, and data tampering. Its value is not that encryption stops every attack, but that it can make stolen files, backups, network traffic, secrets, databases, and email data less useful to an adversary when access controls or monitoring fail.
Executive priority
Leaders should treat this as a resilience and compliance evidence issue: which sensitive data, credentials, backups, application secrets, databases, cloud storage, and email repositories are encrypted at rest, in transit, and during processing, and who can prove it? The relationship context ties this mitigation to credential access, collection, exfiltration, lateral movement, and data manipulation behaviors, so gaps can affect incident containment, breach reporting, audit readiness, and recovery confidence.
Technical view
Because ATT&CK provides no detection text for this mitigation, SOC, IR, cloud, identity, and infrastructure teams should validate control state rather than look for a single alert. Confirm encryption configuration and key protection for endpoints, backups, databases, cloud/object storage, application secrets, email transport, web applications, and sensitive repositories. Prioritize areas connected to the related techniques: OS credential material and NTDS-related data, private keys and unsecured credentials, application access tokens, email stores and forwarding exposure, cloud storage, databases, network traffic vulnerable to sniffing or adversary-in-the-middle activity, and stored data integrity risks.
Likely telemetry
- Endpoint encryption inventory and compliance status for full-disk or file-level encryption
- TLS/HTTPS and STARTTLS configuration evidence for web and mail services
- Backup job logs and backup storage configuration showing encryption during storage and transfer
- Secrets vault audit logs and configuration records for credentials, API keys, and application secrets
- Database encryption settings such as transparent or column-level encryption status
Detection direction
- Validate that encryption control evidence is collected centrally; absence of configuration telemetry is a major blind spot because ATT&CK does not define a behavioral detection for this mitigation.
- Tune compliance checks around sensitive data locations rather than only device ownership; related techniques include email, databases, cloud storage, backups, credentials, and private keys.
- Review exceptions carefully: unencrypted legacy protocols, local email caches, exported database copies, backup replicas, and unmanaged secrets can create high-value collection paths.
- Correlate encryption gaps with credential-access and collection risk areas such as domain controller data, application tokens, private keys, email repositories, and cloud storage.
- Avoid treating encryption as proof of protection by itself; key access, weak configuration, plaintext processing locations, and excessive administrative access can still determine real exposure.
Mitigation priorities
- Start with data and credential discovery: identify sensitive repositories, credential material, private keys, backups, application secrets, email stores, databases, and cloud storage.
- Implement or verify strong encryption for data at rest, in transit, backups, application secrets, and databases as described by ATT&CK.
- Centralize key and secret management where feasible, with auditable access and separation from the protected data.
- Prioritize domain controllers, identity infrastructure, email platforms, databases, cloud storage, and backup systems because the related techniques show these are high-value targets for credential access and collection.
- Require routine evidence collection for audits and incident response, including encryption status, policy exceptions, and key-access records.
Analyst notes and limits
This ATT&CK object is a course of action, not an adversary behavior. Its relationship set shows broad defensive relevance across credential access, collection, exfiltration, lateral movement, and impact techniques. The strongest Glexia validation question is whether encryption is consistently implemented and provable across the places adversaries are described as collecting or abusing sensitive data.
MITRE does not provide detection guidance, tactics, or platforms for M1041 itself. Platform references come from related techniques only. Local architecture, data classification, key-management design, and control evidence are required to determine actual coverage or risk reduction.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1659 | Content Injection | Where possible, ensure that online traffic is appropriately encrypted through services such as trusted VPNs. |
| Enterprise | T1552 | Unsecured Credentials | When possible, store keys on separate cryptographic hardware instead of on the local system. |
| Enterprise | T1557.002 | ARP Cache Poisoning Sub-technique | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| Enterprise | T1557 | Adversary-in-the-Middle | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| Enterprise | T1070 | Indicator Removal | Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
| Enterprise | T1602.002 | Network Device Configuration Dump Sub-technique | Configure SNMPv3 to use the highest level of security (authPriv) available. (Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| Enterprise | T1003 | OS Credential Dumping | Ensure Domain Controller backups are properly secured. |
| Enterprise | T1565.002 | Transmitted Data Manipulation Sub-technique | Encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |
| Enterprise | T1565 | Data Manipulation | Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications. |
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1530 | Data from Cloud Storage | Encrypt data stored at rest in cloud storage. (Citation: Amazon S3 Security, 2019) (Citation: Microsoft Azure Storage Security, 2019) Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications. (Citation: Google Cloud Encryption Key Rotation) |
| Enterprise | T1213.006 | Databases Sub-technique | Encrypt data stored at rest in databases. |
| Enterprise | T1040 | Network Sniffing | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| Enterprise | T1602.001 | SNMP (MIB Dump) Sub-technique | Configure SNMPv3 to use the highest level of security (authPriv) available. (Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
| Enterprise | T1119 | Automated Collection | Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline cracking through Brute Force techniques. |
| Enterprise | T1649 | Steal or Forge Authentication Certificates | Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection for Authentication. (Citation: SpecterOps Certified Pre Owned) |
| Enterprise | T1114.003 | Email Forwarding Rule Sub-technique | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| Enterprise | T1565.001 | Stored Data Manipulation Sub-technique | Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications. |
| Enterprise | T1558.004 | AS-REP Roasting Sub-technique | Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1669 | Wi-Fi Networks | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure that web traffic that may contain credentials is protected by SSL/TLS. |
| Enterprise | T1114 | Email Collection | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| Enterprise | T1558.003 | Kerberoasting Sub-technique | Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1020.001 | Traffic Duplication Sub-technique | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs Sub-technique | Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
| Enterprise | T1602 | Data from Configuration Repository | Configure SNMPv3 to use the highest level of security (authPriv) available. (Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| Enterprise | T1003.003 | NTDS Sub-technique | Ensure Domain Controller backups are properly secured. (Citation: Metcalf 2015) |
| Enterprise | T1552.004 | Private Keys Sub-technique | When possible, store keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material. (Citation: Microsoft Primary Refresh Token) |
| Enterprise | T1550.001 | Application Access Token Sub-technique | File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services. |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. |
| Enterprise | T1213 | Data from Information Repositories | Encrypt data stored at rest in databases. |
| Enterprise | T1558.002 | Silver Ticket Sub-technique | Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8ad3dddbc025… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1041 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.