A man-in-the-middle (MitM) attack is a form of cyberattack where important data is intercepted by an attacker using a technique to interject themselves into the communication process. The attacker can be a passive listener in your conversation, silently stealing your secrets, or an active participant, altering the contents of your messages, or impersonating the person/system you think you’re talking to. Think back to the 20th century, when your younger sibling would pick up the phone when you were talking to your crush. You didn’t know they were listening, and then they went and tattled on you. That’s a basic MitM attack.
How Does A Man-in-the-Middle Attack Work?

Most MitM attacks follow a straightforward order of operations, regardless of the specific techniques used in the attack. In this example, there are three entities: Alice, Bob, and Chuck (the attacker).
MitM techniques are usually employed early in the cyber kill chain, during reconnaissance, intrusion, and exploitation. Attackers often use MitM to harvest credentials and gather intelligence about their targets. Multi-factor authentication (MFA) can be an effective safeguard against stolen credentials: even if your username and password are scooped up by a man-in-the-middle, the attacker would still need your second factor to make use of them. Unfortunately, it is possible to bypass MFA in some cases. Here is a practical example of a real-world MitM attack against Microsoft Office 365 in which the attacker bypassed MFA:
You can see this exact attack happen in a live environment during our weekly cyber-attack workshops.

MitM Attack Techniques and Types

Here are a few of the common techniques that attackers use to become a man-in-the-middle.

1. ARP Cache Poisoning

Address Resolution Protocol (ARP) is a low-level protocol that maps between machine addresses (MAC) and IP addresses on the local network. Attackers inject false information into this mapping to trick your computer into thinking the attacker's computer is the network gateway. From then on, the attacker receives all of your network traffic instead of your real network gateway and forwards it to its real destination. From your perspective, everything is normal, but the attacker is able to see all of your packets.
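One way a defender can spot the gateway impersonation described above is to watch the host's own ARP table for changes. The following is an added example, not code from the original article or from Varonis: it compares successive ARP-table snapshots (the kind of data `arp -a` or `ip neigh` prints) and flags a gateway whose MAC address changes or a single MAC that claims several IPs. The gateway IP and all snapshot data are constructed for the example.

```python
"""Flag ARP-table changes that are consistent with ARP cache poisoning."""
from collections import defaultdict

# Constructed snapshots: {ip: mac} as a host would see its ARP table over time.
SNAPSHOTS = [
    {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.20": "aa:bb:cc:dd:ee:01"},
    # Gateway now answers from the MAC of 192.168.1.20: classic poisoning sign.
    {"192.168.1.1": "aa:bb:cc:dd:ee:01", "192.168.1.20": "aa:bb:cc:dd:ee:01"},
]

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the example network


def find_arp_anomalies(previous, current, gateway_ip=GATEWAY_IP):
    """Return human-readable alerts for one snapshot-to-snapshot transition."""
    alerts = []
    # 1. Any IP whose MAC changed between snapshots; the gateway is the critical one.
    for ip, mac in current.items():
        old = previous.get(ip)
        if old is not None and old.lower() != mac.lower():
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{severity}: MAC for {ip} changed {old} -> {mac}")
    # 2. One MAC answering for several IPs (attacker impersonating the gateway).
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac.lower()].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"HIGH: MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


def scan_snapshots(snapshots, gateway_ip=GATEWAY_IP):
    """Run the anomaly check across every consecutive pair of snapshots."""
    alerts = []
    for previous, current in zip(snapshots, snapshots[1:]):
        alerts.extend(find_arp_anomalies(previous, current, gateway_ip))
    return alerts


if __name__ == "__main__":
    for line in scan_snapshots(SNAPSHOTS):
        print(line)
```

On a real host you would feed it periodic parses of the ARP table rather than the constructed snapshots, and treat a changed gateway MAC as a reason to investigate before trusting the connection.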
2. DNS Cache Poisoning

DNS cache poisoning is when the attacker gives you a fake DNS entry that leads to a different website. It might look like Google, but it's not Google, and the attacker captures whatever data you enter into the faked website, a username and password, for example.
3. HTTPS Spoofing

HTTPS is one of the ways users know that their data is "safe." The S stands for secure. At least that is what an attacker wants you to think. Attackers set up HTTPS websites that look like legitimate sites, complete with valid certificates, but the URL will be just a bit different. For example, they will register a website with a Unicode character that looks like an 'a' but isn't. Continuing with the "example.com" example, the URL might look like https://www.example.com, but the 'a' in "example" is a Cyrillic "a", a valid Unicode character that looks identical to an ordinary "a" but has a different Unicode value.
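The look-alike trick above is visible once you examine the hostname the browser actually resolves. The following is an added example, not code from the original article or from Varonis: it converts a URL's hostname to its IDNA (Punycode) form, lists every non-ASCII character with its Unicode name, and flags a hostname that mixes scripts. The sample URLs are constructed, with the 'a' in "example" replaced by Cyrillic U+0430 as the article describes.

```python
"""Check a URL's hostname for look-alike (homograph) characters."""
import unicodedata
from urllib.parse import urlsplit


def inspect_hostname(url):
    """Return (is_suspicious, punycode_host, findings) for a URL."""
    host = urlsplit(url).hostname or ""
    findings = []
    scripts = set()
    for ch in host:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        # The script is the first word of the Unicode name, e.g. CYRILLIC.
        scripts.add(name.split()[0])
        findings.append(f"U+{ord(ch):04X} {name!r} at position {host.index(ch)}")
    try:
        # This xn-- form is what DNS resolves; it exposes the substitution.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = "<not encodable>"
        findings.append("hostname is not valid IDNA")
    # Mixed scripts (e.g. Latin plus Cyrillic) are the hallmark of a homograph.
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return (bool(findings), punycode, findings)


# Constructed samples: "example.com" with the 'a' replaced by Cyrillic U+0430.
SPOOFED = "https://www.ex\u0430mple.com/login"
GENUINE = "https://www.example.com/login"

if __name__ == "__main__":
    for url in (GENUINE, SPOOFED):
        suspicious, puny, notes = inspect_hostname(url)
        print(f"{url} -> {puny} suspicious={suspicious}")
        for note in notes:
            print("  ", note)
```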
4. Wi-Fi Eavesdropping

Attackers listen to traffic on public or unsecured Wi-Fi networks, or they create Wi-Fi networks with common names to trick people into connecting, so they can steal credentials, credit card numbers, or whatever other information users send on that network. Kody from SecurityFWD has several different videos that show how easy this is.

5. Session Hijacking

Session hijacking is a MitM attack where the attacker watches for you to log into a web page (a banking account or email account, for example) and then steals your session cookie to log into that same account from their own browser. This is the attack we demonstrate in the Live Cyber Attack workshop mentioned previously. Once the attacker has your active session cookie on their computer, they can do whatever you could do on that website. Our guy Chuck could transfer all of your savings to an offshore account, buy a bunch of goods with your saved credit card, or use the stolen session to infiltrate your company network and establish a stronger foothold on the corporate network.

Are MitM Attacks Common?

MitM attacks have been around for a long time, and while they're not as common as phishing and malware or even ransomware, they are usually part of targeted attacks with specific intent. For example, an attacker who wants to steal a credit card number might snoop on a coffee shop Wi-Fi for that data. Another attacker might use MitM techniques as part of a larger plan to break into a large enterprise. Our MitM Cyber Attack Lab demonstrates how an attacker can use malware to intercept network traffic and gain entry into the enterprise email system.

How to Detect a Man-in-the-Middle Attack

MitM attacks can be difficult to catch, but their presence does create ripples in otherwise regular network activity that cybersecurity professionals and end-users can notice. The conventional wisdom is more prevention than detection.

Signs to Look For

Here are some signs there may be extra listeners on your networks.
How to Prevent a Man-in-the-Middle Attack

Here are several best practices to protect you and your networks from MitM attacks. None of them are 100% fool-proof.

General Best Practices

Overall, good cybersecurity hygiene will help protect you from MitM attacks.
Why Encryption Can Protect You From MitM Attacks

End-to-end encryption can help prevent a MitM from reading your network messages. Encryption involves both the sender and the receiver using a shared key to encrypt and decrypt the messages they send and receive. Without that shared key, the messages are gobbledygook, so the MitM can't read them. Encryption makes it harder for an attacker to intercept and read the network data, but it isn't impossible, and it's not a guarantee against compromise, because attackers have developed techniques to work around encryption. For example, in the MitM Cyber Attack Lab, we demonstrate how an attacker can steal the authentication token that contains the username, password, and MFA authentication data to log in to an email account. Once they hijack the session cookie, it doesn't matter that the communication between the client and server is encrypted: the hacker simply logs in as the end-user and can access everything the user can access.

Future of MitM Attacks

MitM attacks will continue to be a useful tool in attackers' arsenals as long as they can continue to intercept important data like passwords and credit card numbers. It's a perpetual arms race between software developers and network providers to close the vulnerabilities attackers exploit to execute MitM. Take the massive proliferation of the Internet of Things (IoT) over the past few years. IoT devices don't yet adhere to the same security standards or have the same capabilities as other devices, which makes them more vulnerable to MitM attacks. Attackers use them as a way into an organization's network so they can move on to other techniques. Who knew that a fancy new internet-capable thermostat was a security hole? Attackers do! Wider adoption of wireless networking, 5G networks for example, is another opportunity for attackers to use MitM to steal data and infiltrate organizations, as demonstrated at BlackHat 2019.
It is incumbent on the wireless companies to fix vulnerabilities like the ones shown at BlackHat and provide a secure backbone for users and devices. Overall, there are more devices connected to more networks, which means more opportunities for attackers to use MitM techniques. Knowing the telltale signs of a MitM attack and putting detection methods in place can help you spot attacks before they do damage. Check out our Live Cyber Attack Workshop, where we demonstrate how an attacker can intercept a user's authentication token using MitM to infiltrate and steal important data, and show how Varonis can detect this attack.