What is a man in the middle attack?
Man-in-the-middle (MitM) attacks, or as they are sometimes referred to using a more gender-neutral term, Adversary-in-the-Middle (AitM), is a type of digital security threat where a threat actor intercepts the communication between two parties without their knowledge. The threat actor’s aim may be to capture sensitive information travelling between the two parties, or their motive may be to intercept and change the data in some way that benefits them.
When talking about the three main tenants of information security: confidentiality, integrity and availability (CIA), in the first example above, interception of private data breaches confidentiality. The second, the manipulation of that data, breaches both confidentiality and integrity. MitM attacks can have a devastating impact on an organisation or individual, depending on the sensitivity of the data being intercepted.
A quick note about this article: to keep this article brief, I’ve tried to keep it high-level as MitM attacks and how they are performed can get highly technical. Where relevant, I’ve included notes or links where you can go down that rabbit hole on your own, or feel free to leave a comment or question, and we can delve in further in the comments section.
Why perform MitM attacks?
The motivations of threat actors performing MitM attacks can be vast but include:
Stealing sensitive information: This could include stealing login credentials like usernames and passwords, financial data, intellectual property, personal information, or any other information that has immediate or potential value.
Eavesdropping: This scenario is commonly associated with espionage or surveillance activities. It is not limited to organised crime groups or nation-states alone; competitors may engage in such practices to acquire insider knowledge or strategic information to gain a competitive edge in the market. This form of data interception can also be utilised to gather sensitive information that can be used for purposes like blackmail or extortion.
Injecting malicious code or malware: When a threat actor injects malicious code into web pages transmitted to a person’s web browser, it opens up opportunities for exploiting vulnerabilities and carrying out malicious actions on the victim’s device. This form of attack allows the threat actor to manipulate files being downloaded, potentially replacing them with their own malware-infected versions. For example, they could modify a software update or attach their malware to deceive the user into unknowingly installing malicious software on their device.
Impersonation: By masquerading as a trusted wireless network, a threat actor gains the ability to intercept network traffic and carry out various malicious activities, as mentioned above. Additionally, they can exploit this position to impersonate legitimate websites, leading unsuspecting users to interact with fraudulent or malicious content. The threat actor could also manipulate email content and impersonate other individuals, deceiving recipients into believing they are communicating with someone else entirely.
These examples only just scratch the surface of the reasons behind a MitM attack, but you get the idea.
MitM attack examples
Threat actors employ a wide range of techniques and attack vectors, but let’s focus on a few simple examples to illustrate the risks that can affect individuals and organisations alike. The following scenarios highlight common vulnerabilities that have the potential to impact many people, either on a personal level or within an organisational context.
Wireless network (WiFi) attacks
One of the most common examples of MitM attacks is the one that takes place on public WiFi networks. When you connect your phone, tablet, laptop or another device to a public WiFi network, there is no way to know if the network you are connecting to is a legitimate network or one a threat actor is broadcasting to attract unsuspecting victims.
Say you are sitting at the airport and you see a ’QANTAS Lounge’ WiFi network (or SSID, which is the term for the name assigned to a wireless network). It is very easy for me, as a threat actor, to set up my laptop to broadcast my own SSID called ‘QANTAS Lounge’. You think you are connecting to the real QANTAS Lounge network so you can get out to the Internet while waiting for your plane, but instead, you have connected to a fake network that captures all your network traffic, records it, and then passes it on to the Internet so you don’t suspect a thing.
And while you may think this would take a lot of skill for a threat actor to achieve, you can buy devices to do this for you online, such as the infamous WiFi Pineapple from Hak5 which is a hardware device used by penetration testers when testing wireless networks. But like most technology made for good, it can be used for evil as well. What is even scarier, devices like the WiFi Pineapple easily perform impersonation attacks using previous networks you have connected to. What is this dark magic you ask?
Your devices send out probe requests for previous networks you have connected to, such as your home or work network. It’s basically your device’s way of saying “Hey.. Is xyz network out there? I want to connect!”. So, all those previous free WiFi networks you connected to in your travels, in hotels, coffee shops and other places, it’s likely your device is broadcasting those SSIDs right now. And it doesn’t take much to impersonate one of those networks and have your device automatically connect to it without you even knowing! But we are getting a bit off the path of basic MitM examples and into the various HOWTOs. It is good to know, however, what these threats are so you can mitigate against them.
As you can imagine from what we just discussed, this is one of the reasons that we recommend NEVER using public WiFi. Always tether to your mobile phone.
Web page intercepts
Another common attack is where a threat actor places themselves between your web browser and the website you are trying to visit. Those phishing emails you receive or hear about where the person clicks a link and goes to a ‘malicious site’, this is often the tactic being used.
You receive an email that wants you to log into your Microsoft 365 account to perform some urgent task, and there is a link in the email. You click the link and it takes you to the login page and you don’t suspect anything because it looks exactly like the usual Microsoft 365 login page. But it isn’t. The threat actor has made an exact copy. You enter your username and password. The threat actor’s malicious site captures your credentials and saves them for later, and then redirects you to the real Microsoft 365 website. The fake site even puts your username and password in for you when it redirects you so you end up authenticated to the real site. You are now on the real site, but your account credentials have been compromised and are ready to be used by the threat actor.
This is the real concern with MitM attacks. When they are performed well, it can be almost impossible to realise anything has actually happened. Life goes on until the compromised information is used by the threat actor and you are left wondering how they got access to your account.
Data manipulation
During the lead into this article, I mentioned data being captured and changed, or manipulated, by a threat actor. There are countless reasons why a threat actor may want to mess with the integrity of data, from changing transaction details, through to spreading disinformation from a trusted source. Let’s use a simple transactional example and something that was very commonplace at the dawn of online shopping in the late 90s and early 2000s.
I’m a criminal and I find an online store that sells expensive computer hardware. After performing some analysis on the website, I find the way they handle the transaction is insecure. During the checkout, all my items, cost calculations, and everything needed for the transaction are performed in my web browser and then passed to the backend website for processing. This includes the final amount to be deducted from my credit card. In this scenario, I can perform a MitM attack between myself and the website. After clicking ‘Submit’ on the website, my invoice information is sent to the web server. I intercept that information before it leaves my computer, I change the total from $5,000 to $1, and I send it on to the web server. As the company hasn’t implemented any security checks that pick up tampering with this request, I am billed $1 and my new computer hardware will shortly be on its way!
Other attack vectors
In addition to the attack vectors mentioned, a plethora of other techniques exist that threat actors can employ. These techniques delve into the more technical aspects of cybersecurity. If you would like to explore further, here are a couple of examples along with external resources so you can delve deeper into these subjects.
ARP spoofing
ARP spoofing, also known as ARP poisoning, is a technique used in network attacks to trick devices on a local network. In a network, devices use ARP to map IP addresses to MAC addresses. When Device A wants to communicate with Device B, it sends an ARP request asking, “Who has this IP address?” The device with that IP address responds with its MAC address, allowing the two devices to establish communication.
In an ARP spoofing attack, a threat actor on the same network pretends to be Device B and responds to Device A’s ARP request sending a fake ARP response, saying, ‘I have that IP address, and my MAC address is this’. As a result, Device A updates its ARP cache and associates the threat actor’s MAC address with Device B’s IP address. Now, when Device A wants to send data to Device B, it mistakenly sends it to the threat actor’s device, thinking it’s Device B. The threat actor can intercept, modify, or eavesdrop on the communication, acting as a man-in-the-middle between Device A and Device B. The threat actor may also forward the data to Device B to maintain the illusion of normal communication, making it less suspicious to the victim.
For additional information, ARP spoofing: What it is and how to prevent an ARP attack.
DNS spoofing
DNS spoofing, also known as DNS cache poisoning, is a technique used by threat actors to manipulate the Domain Name System (DNS) resolution process. It involves manipulating the DNS cache of a DNS server or a victim’s device to redirect legitimate domain name requests to malicious or fake IP addresses.
When you type a website’s domain name (e.g. www.example.com) into your web browser, your device relies on DNS to translate that domain name into an IP address that computers can understand. The DNS server is responsible for providing the correct IP address associated with the requested domain name.
In a DNS spoofing attack, the threat actor tricks the DNS server or the victim’s device into associating a legitimate domain name with a false IP address. This is typically achieved by sending forged DNS responses to the targeted DNS server or by modifying the DNS cache on the victim’s device. As a result, when the victim’s device sends a request for a particular domain name, the manipulated DNS server or the victim’s compromised DNS cache responds with the fake IP address provided by the threat actor. The victim’s device then connects to the threat actor’s controlled IP address instead of the legitimate server associated with the domain name. This way the threat actor can redirect the victim to a malicious website that looks identical to the legitimate one, allowing them to carry out various attacks, such as phishing, stealing login credentials, distributing malware, or performing man-in-the-middle attacks to intercept and manipulate communication.
For additional information, What is DNS Spoofing?
How do I defend against MitM attacks?
You may be asking: How can we defend against man-in-the-middle attacks? To address this, we need to break the mitigations into two sections, considering that MitM attacks can involve technical complexities and some countermeasures may require IT-related changes. The first set of mitigations focuses on individual users protecting themselves, while the second set addresses the responsibilities of IT teams in combating these attacks.
User mitigations
Use secure communication protocols: Always use secure communication protocols, such as HTTPS, when visiting websites. Never transmit sensitive information unencrypted. Encryption ensures that the data exchanged between parties is protected from interception and manipulation. Always be wary if your browser says that there is an issue with the website’s certificate. This is a tell-tale sign your connection is insecure, and it could mean someone has planted themselves between yourself and the website.
Certificate validation: Validate the authenticity of SSL/TLS certificates when connecting to websites or services. Check certificate details, such as the issuer and expiration date, and verify the chain of trust to detect potential certificate tampering or fraud. Most browsers have a lock icon in the URL bar that you can click and view the certificate information.
Only connect to trusted WiFi networks: Never connect to public or ‘free’ WiFi networks. You never know who you are actually connecting to. Limit yourself to networks you know and trust and when in public, tether to your mobile phone.
Delete old WiFi networks: If you connect to a new network and don’t plan to use it again or not for an extended period, when you have finished using it, go into your WiFi settings and delete it. Go in there right now and delete all the old networks you have on your devices. I’ll wager you have quite a few 🙂
Use multi-factor authentication (MFA): Always utilise strong authentication mechanisms, such as multi-factor authentication (MFA), to protect your accounts and prevent unauthorised access. This will reduce the risk if your credentials are compromised during a MitM attack.
Use a VPN: If you absolutely have to connect to an untrusted network, use a VPN. A VPN establishes an encrypted tunnel between your device and the target network, protecting data from interception.
User education: Raise awareness among colleagues, family and friends about the risks of MitM attacks and provide guidance on secure practices discussed in this article. Encourage them to be cautious if they connect to untrusted networks (no matter what you say some people will still insist on using them) and to verify the authenticity of websites and digital certificates.
IT mitigations
Only set up secure communication protocols: When setting up any systems that require authentication or pass sensitive information, ensure only secure protocols are used, such as HTTPS, SSH, SFTP etc.
Set up MFA where possible: Implement MFA on all systems with authentication to add an extra layer of security beyond just a username and password. By requiring a second form of authentication, such as a code from an authenticator app or a temporary code sent to a trusted device, even if a threat actor manages to intercept login credentials, they won’t be able to access the account without the additional authentication factor.
Public-key infrastructure (PKI): Implement a robust PKI infrastructure to ensure the authenticity of digital certificates used in secure communication. This helps prevent threat actors from impersonating legitimate entities and conducting MitM attacks.
Implement ARP and DNS security measures: Deploy ARP spoofing detection and protection mechanisms, such as dynamic ARP inspection (DAI) to prevent ARP spoofing attacks and use DNSSEC (DNS Security Extensions) to protect against DNS spoofing. These measures add extra layers of security to prevent MitM attacks at the network level.
Network monitoring and intrusion detection: Employ network monitoring tools and intrusion detection/prevention systems to detect and alert on any unusual or suspicious network activity. Monitor for signs of ARP spoofing, DNS spoofing, or other MitM attack techniques.
Public key pinning: Public key pinning is a technique that involves associating a specific public key or certificate with a particular website. By pinning the correct public key, you can ensure that your device only accepts that specific key for establishing secure connections with the website. This helps prevent threat actors from successfully impersonating the website with a different key.
As I alluded to earlier, we have only scratched the surface on MitM attacks, but hopefully, this gives you an idea of the risk they pose to individuals and organisations, and arms you with the knowledge to help identify and reduce this risk.
0 Comments