A man-in-the-middle attack (MITM) is defined as an attack that intercepts communication between two parties with the aim of gathering or altering data for disruption or financial gain. This article explains a man-in-the-middle attack in detail and the best practices for detection and prevention in 2022.
Table of Contents
A man-in-the-middle (MITM) attack intercepts communication between two parties with the aim of gathering or altering data for disruption or financial gain.Â
Man-in-the-middle attacks have been around for as long as humans have been communicating. As modes of communication keep changing, so do the methods used by hackers to position themselves between any two parties exchanging information.
In 1586, Mary, the Queen of Scots, sent coded letters from the prison to a supporter. These letters detailed a plan to assassinate Queen Elizabeth I and enable the Spanish invasion of England. A cipher intercepted these letters and decrypted them. He then modified a letter in Mary’s handwriting asking for details of all the conspirators. He sent it ahead, making sure to erase all traces of tampering. The Queen of Scots and the supporters were eventually executed on the basis of this evidence.
Fast forward to today, a man-in-the-middle attack may look like a fake website that mimics an actual service, such as a bank. This website usually reaches the victim in the form of an email or text message. When users log into this fake website and go about their business, their data is recorded. The attacker uses this information on the actual bank’s website and accesses the target’s account.
The goal of a man-in-the-middle attack is to gather personal information. Both, the sender and the receiver would not have any clue that there’s a third party involved in the middle. This stolen information can be used for anything, from identity theft to corporate espionage. Man-in-the-middle attacks are usually used as reconnaissance for criminal activities, such as ransomware attacks. The objective can be a financial gain or simply the disruption of services.
MITM targets are typically financial institutions, ecommerce websites, or any website where personal information is used for transaction purposes.
Around 4.29 billion people across the world use the internet today, which is roughly 62.5% of the world’s population. The number of devices involved in consuming a basic service such as buying groceries has increased manifold. With so much data flying around in every industry vertical, man-in-the-middle attacks are very attractive for cybercriminals.
Besides, internet-of-things (IoT) is taking over marketplaces in numerous industries, increasing the perimeter of data transfer. Security experts are still coming up with ways to secure IoT devices, many of which are currently lacking update and patching systems. Mobile devices have become a way of business and life.
Security of both IoT and mobile devices leans heavily on end users. There has also been wide adoption of wireless and 5G technology, allowing information to be accessed from anywhere at any time.
Considering these developments, it is prudent for organizations to focus on protection against man-in-the-middle attacks.Â
How man-in-the-middle attacks work
Two steps are involved in carrying out an MITM attack:
1. Interception: The first step is to intercept the information from the target before it reaches the intended destination. One way of doing this is to set up malicious Wi-Fi spots that are free for users to connect to. All transactions made within this Wi-Fi are then recorded.
2. Decryption: With cybercrime rates going through the roof, most network traffic today is encrypted. This means that once intercepted, the information needs to be decrypted to be useful to the attacker. This needs to be done without alerting the user, the application, or the service provider.
Several techniques can be used to intercept and decrypt MITM attacks, with some of the most common ones being:
- IP spoofing
Every application or website is housed on a server. Each server has an IP address that operates exactly like our home addresses. When a user requests a service from an application, they use this IP address to indicate where the request is directed to. The destination IP address is part of the data packets that the request information is broken down into.Â
IP spoofing involves the attacker modifying this IP address. This redirects the user from the legitimate application to the attacker’s website. The user, fooled into thinking that they’re interacting with the actual application, provides information to the man in the middle.
- ARP cache poisoning
The address resolution protocol (ARP) is a low-level protocol that translates the MAC address of the user’s device to the IP address that it needs to connect to a network. The MAC address is like a social security number used to uniquely identify the user’s device as a separate entity.
The IP address can be broken down into two partsâ€“the network address and the local address. The network gateway is the tollbooth that allows the device to communicate with external networks, other than the local area network that it is connected to. It uses the network address.
With ARP cache poisoning, attackers fool the ARP protocol into thinking that the attacker’s device is the network gateway instead of the actual one. This means that all the traffic that flows in and out of the device goes through the attacker. The attacker then notes the information required and passes the traffic along to the actual destination. This keeps the device user in the dark.
- DNS spoofing
Every website on the internet is registered on something called a domain name server (DNS). It contains records that map the IP address of the website to the domain name (Eg: â€œwww.spiceworks.comâ€). Every time a user tries to visit a website, a DNS resolver looks up the DNS records and figures out how to handle the requests to this domain.Â
Some popular examples of DNS servers are Google public DNS, Cisco OpenDNS, and Cloudflare.
For DNS spoofing, attackers exploit known vulnerabilities in DNS servers. DNS resolvers are tricked into mapping the domain name to the attacker’s IP address. This way, the user is actually connecting to the attacker’s mimicked website instead of the actual one.
- HTTPS spoofing
HTTPS is a secure version of HTTP, which is used to connect to various applications from a browser. It uses a secure socket layer (SSL/TLS) to establish encrypted links between the browser and the web server that the application runs on.
When using HTTPS, the website is issued an SSL certificate by a trusted public certificate authority. When a browser visits the website, the certificate is sent with the response. The browser checks for the certificate’s validity and trustworthiness. If valid, the browser uses encryption for all further communication with the website.Â
With HTTPS spoofing, attackers set up legitimate websites with valid certificates. The only difference is that the URL is just different enough to pass scrutiny by the user. For example, the URL may use a Unicode character instead of the alphabet â€˜a’, which looks similar to the human eye.Â
The fake certificate is added to the browser’s trusted websites list, giving the attacker an in with the browser. The attacker then relays the traffic to the actual website to make it seem like nothing is amiss.
- SSL stripping
Here, the attacker sends the user an unencrypted version of the website while maintaining a secure session with the actual website on the side. The user’s session is now visible to the attacker, while the attacker forwards appropriate responses from the service provider.
- Email hijacking
Email hijacking involves the attacker compromising an email account, usually through bad password hygiene or social engineering attacks. The attacker then stays in stealth mode, gathering information as intended.
- Wi-Fi eavesdropping
This man-in-the-middle attack technique involves setting up a legitimate-looking Wi-Fi network that anyone in proximity can connect to. Once connected, all of the users’ online activities are available to the attacker, along with the login credentials for various services.
- Session hijackingÂ
With session hijacking, the MITM attacker steals session cookies and can use them to actively use the service.
Knowing the various techniques used allows security administrators to detect man-in-the-middle attacks sooner. It also allows them to spot and fix any critical security vulnerability in their systems.Â
An obvious symptom of a man-in-the-middle attack is repeated and unexpected disruption of a particular service. Attackers forcefully disconnect user sessions to intercept authentication information when the user tries to reconnect.
Another easy-to-spot symptom is website links accessed in an organization’s network that vary from the actual website. If an administrator spots a device persistently trying to connect to â€˜g00gle.com’ instead of â€˜google.com’ in the logs, it indicates an active man-in-the-middle attack.
Latency examination is one way of detecting an MITM attack. This involves doing something generic but complex, such as the long calculations involved in creating hash functions. Multiple transactions are used to make the same transaction. The response time in each needs to be similar. If one of these transactions takes unusually long to respond, it might be because a third party is manipulating this transfer.
This latency comparison can be done using timestamps in the TCP packet headers.
Man-in-the-middle attacks can also be detected using deep packet inspection (DPI) and deep flow inspection (DFI) during network monitoring. DPI and DFI provide network monitors with information such as packet length and size. They can be used to identify anomalous network traffic.
Most IoT devices use fog computing to ensure the speed of data transfer. Since man-in-the-middle attacks are known to target IoT devices, one way of detecting them is using intrusion detection and prevention systems (IDPS) in the fog layer itself.
Special IDPS nodes are deployed at strategic points in the network. These nodes use anomaly-based intrusion detection to spot deviations from normal traffic behavior.Â
Detecting a man-in-the-middle attack doesn’t stop with finding suspicious traffic and latency issues. The captured network traffic must go through forensic analysis to determine if it is an MITM attack in the first place. If confirmed, the attack needs to be traced to the source, in this case, the compromised user.Â
Important parameters required for forensic analysis include IP address, DNS name, and details of the X.509 certificate of the server. This information also allows for easier compliance auditing in case of an incident.
It is necessary to have MITM detection systems in place that work hand-in-hand with other SIEM tools. It is also, however, necessary to have tools and processes that prevent these attacks in the first place.
Here are the best practices that organizations can follow to prevent man-in-the-middle attacks.
1. Use secure communication protocols
The usage of HTTPS and SSL/TLS has become very common. In fact, according to Google’s transparency report as of January 2022, 95% of websites on Google use HTTPS.
Considering man-in-the-middle techniques such as HTTPS spoofing, it isn’t just enough to enable HTTPS on the pages that require authentication. The tiniest of windows is enough to gain access to important services.
Organizations must also consider configuring HTTP strict transport security (HSTS). HSTS policies mandate the use of SSL across all subdomains. When configured, HSTS enables servers to refuse unsecured connections. This makes attacks such as SSL stripping impossible.
DNS over HTTPS is another implementation that prevents DNS hijacking by encrypting DNS requests.
2. Set up virtual private networks (VPNs)
HTTPS provides encryption only between the browser and the webserver. A virtual private network ensures that all traffic flowing between the device and the VPN servers is encrypted. The VPN is designed to protect the privacy of its users. This makes it less prone to man-in-the-middle attacks.
3. Implement a certificate management system
An automated certificate management system is perhaps one of the best ways to prevent an MITM attack. A certificate management system monitors and maintains the lifecycle of all digital x.509 certificates (SSL certificates) within the system.Â
Enterprise networks can host thousands of certificates, and manual monitoring is susceptible to human error. An automated system discovers all certificates hosted in the system and provides an intuitive way of accessing them all. It analyzes active certificates and sends alerts when they are near expiry. It also takes care of remediation or revocation.
4. Ensure the right tools & processes are in place
Man-in-the-middle attacks, like every other security vulnerability, need an array of tools for prevention. This arsenal of tools includes:
- Intrusion detection and prevention system: This system inspects incoming and outgoing traffic for suspicious-looking payloads.
- Multi-factor authentication (MFA): MFA solutions are deployed as the entry of critical servers and applications. When multifactor authentication is used, the traditional username and password combination is not enough to grant access to a user. The user must also pass through other levels of authentication, such as fingerprint scanning or an OTP sent to a different device.
- Firewalls: They are the gatekeepers of networks.
- Antivirus and antimalware: These are needed across all devices.
5. Make sure all servers & systems are configured (and reconfigured)
It isn’t enough to just configure the TLS at the high level. When a website has mixed content, it is important to figure out if each piece of content is loaded securely. For instance, a single image loading over unencrypted HTTP can be exploited by an MITM attacker. Similarly, all hyperlinks pulled in from other websites need to be secure.Â
All server configurations must follow the latest guidelines for protocols and algorithms. For example, in January 2021, the National Security Agency (NSA) issued that websites must disable all SSL2, SSL3, and TLS1 protocols. Only TLS1.1 and 1.2 must be enabled.
Given the speed at which vulnerabilities are being discovered regularly, these settings and guidelines must be revisited at regular intervals.
6. Set up a robust patch management system
Cybercriminals count on organizations and users not having up-to-date systems in place. Patches are required to ensure that discovered vulnerabilities are plugged.
Since so many servers, applications, and devices are required to make a system work, a patch management system is a necessity.Â
7. Use S/MIME to prevent email hijacking
S/MIME stands for secure/multipurpose internet mail extensions. These encrypt emails, whether at rest or in transit. S/MIME allows senders to use a digital certificate to sign emails. This certificate is unique to every user and is a way of marking the authenticity of the sender.Â
8. Follow appropriate network security practices
A good network security posture is the hallmark of a well-oiled organization. This begins with a well-thought-out network monitoring system that provides maximum visibility to network administrators.Â
Network segmentation ensures that an incident in one segment does not permeate to the other. This makes the system less susceptible to a complete crash. Firewalls and IDPS devices must be placed at strategic entry and exit points, keeping the vulnerability of the server and data in mind.Â
9. Create corporate security policies with MITM mitigation in mind
Corporate security policies must reflect the possibility of man-in-the-middle attacks such as HTTPS spoofing. Employee devices can be mandatorily installed with browser plugins to enforce HTTPS in all connections. Additionally, custom certificates can be created for employee workstations’ browsers.Â
User roles and access policies also play a big role in minimizing data breaches in critical systems.Â
10. Educate users
Man-in-the-middle attacks primarily prey upon the ignorance of users. Regular training for end users and employees can alleviate this threat. Some guidelines that must be part of these training sessions are:
- Avoid unknown or public Wi-Fi networks.
- Always sign out of applications to prevent session hijacking and clear browsing cookies at regular intervals.
- Pay attention to browser warnings that indicate unsecured connections.
- Never directly click on links in emails and texts, even if they’re from valid-looking sources such as a supplier or a bank.Â
- Keep a watch out for different-looking URLs.
It is also necessary to provide employees and users with a documented series of steps that need to be taken if they spot a possible MITM attack.
Man-in-the-middle attacks, by themselves, aren’t as prevalent as cybercrimes such as ransomware in 2022. However, they are used in combination with other forms of cyberattacks since they provide the basic information necessary to infiltrate a system. The loss of data that arises out of this can result in substantial financial and reputational losses, not to mention compliance fines.
Man-in-the-middle attacks can be successfully prevented by a potent combination of tools, processes, and best practices, as discussed above.
Did this article help you understand man-in-the-middle attacks in detail? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to hear from you!
MORE ON SECURITY
- What Is Password Management? Definition, Components and Best Practices
- What Is Email Security? Definition, Benefits, Examples, and Best Practices
- What Is Intrusion Detection and Prevention System? Definition, Examples, Techniques, and Best Practices
- What Is a Virtual Private Network (VPN)? Definition, Components, Types, Functions, and Best Practices
- Top 10 Multi-Factor Authentication Software Solutions for 2021