How to Prevent Man-in-the-Middle Attacks

HYPR Team

7 Min. Read | March 31, 2022

A man-in-the-middle (MitM) attack is a type of cyberattack where a perpetrator positions themselves in a conversation between two parties — two users, or a user and an application or server — so that all communications are going to or through the attacker. The attacker can also play both sides, stealing the information a user sends to a server (such as login credentials, account details and credit card numbers) while also sending corrupted packets (such as malware or HTTP requests in a DDoS attack) to an innocent third party.

MitM attacks are becoming increasingly common and increasingly difficult to prevent, especially with the ready availability of sophisticated phishing kits that include tools to launch man-in-the-middle attacks to steal MFA tokens. Remote workers on unsecured networks present a particularly soft target. Knowing how to recognize and how to prevent man-in-the-middle attacks is essential for effective enterprise and personal cybersecurity.


Types of Man-in-the-Middle Attacks

Although the overall concepts are generally the same, the execution and processes of different MitM attacks can vary significantly. These nuances mean that knowing what to look for and how to prevent man-in-the-middle attacks can be difficult. Let’s take a look at the most common tactics.

1. IP Spoofing

In this type of MitM attack, the hacker manipulates their network packets to present themselves as having the IP address of a legitimate device or application. This gives them access to restricted networks and their resources. The attacker can also spoof the IPs of both user and server to intercept and snoop on all communications between them.

2. ARP Spoofing

The Address Resolution Protocol (ARP) attempts to match IP addresses to MAC addresses where it does not know them. By using a forged ARP message, an attacker can resolve the request with their own MAC address, allowing them to steal important traffic, including session cookies. ARP spoofing is only possible with 32-bit IP addresses (IPv4) and not with IPv6; however, most of the internet still runs on IPv4.
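The usual way to detect the forged replies described above is to watch the IP-to-MAC table change. The following is an added example, not code from HYPR, that runs that check over a constructed set of ARP reply records (a real monitor would feed it from a packet capture instead):

```javascript
// Flag ARP replies that change the MAC previously learned for an IP (the
// classic sign of ARP spoofing) and MACs that claim more than one IP.
// The records below are constructed sample data, not captured traffic.
const arpReplies = [
  { ip: '192.168.1.1',  mac: 'aa:bb:cc:00:00:01', seenAt: 1 }, // gateway
  { ip: '192.168.1.50', mac: 'aa:bb:cc:00:00:50', seenAt: 2 },
  { ip: '192.168.1.1',  mac: 'aa:bb:cc:00:00:01', seenAt: 3 }, // same as before, fine
  { ip: '192.168.1.1',  mac: 'de:ad:be:ef:00:99', seenAt: 4 }, // gateway "moved"
  { ip: '192.168.1.60', mac: 'de:ad:be:ef:00:99', seenAt: 5 }, // same MAC claims a 2nd IP
];

// Learn the mapping from the first reply seen for each IP, then report every
// later reply that contradicts it, plus any MAC that has claimed several IPs.
// Note: hosts that legitimately own several IPs (virtual IPs, failover pairs)
// will trigger the second rule, so it is a lead for investigation, not proof.
function detectArpSpoofing(replies) {
  const learned = new Map();   // ip  -> mac first seen for that ip
  const ipsByMac = new Map();  // mac -> Set of ips it has claimed
  const alerts = [];
  for (const r of replies) {
    const mac = r.mac.toLowerCase();
    if (!learned.has(r.ip)) {
      learned.set(r.ip, mac);
    } else if (learned.get(r.ip) !== mac) {
      alerts.push({ type: 'ip-mac-change', ip: r.ip,
                    from: learned.get(r.ip), to: mac, at: r.seenAt });
    }
    if (!ipsByMac.has(mac)) ipsByMac.set(mac, new Set());
    ipsByMac.get(mac).add(r.ip);
  }
  for (const [mac, ips] of ipsByMac) {
    if (ips.size > 1) {
      alerts.push({ type: 'mac-claims-many-ips', mac, ips: [...ips].sort() });
    }
  }
  return alerts;
}

for (const a of detectArpSpoofing(arpReplies)) console.log(JSON.stringify(a));
```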

3. Session Hijacking

When you log in to an account, a session token is used to confirm your identity. The session token continues to confirm your identity until you log out or the token expires. If an attacker can hijack or steal the token, they can pass as a legitimate user and bypass all authentication procedures. 

4. Rogue Access Points

An attacker can set up a network access point close to a device by taking advantage of devices set to connect to the strongest open signal. This allows the attacker to manipulate all traffic to and from the user. 

5. Public WiFi Eavesdropping

Like rogue access points, a fake “public” network is a classic MitM attack. The attacker sets up a legitimate-sounding WiFi network in a hotel, restaurant or even inside a workplace. Users connect to it thinking it is the correct one, giving the attacker the ability to eavesdrop on traffic or escalate the attacks, such as forcing users into SSL stripping.

6. DNS Spoofing

This is where the attacker manipulates traffic using the domain name system (DNS) to direct a user to their website instead of the one the user wanted. The user will usually be greeted by a fake version of the legitimate website, such as their online bank, with the details entered visible to the attacker.

7. HTTPS Spoofing

The counter to DNS spoofing is to ensure sites use HTTPS instead of HTTP. HTTPS encrypts the HTTP requests and responses using TLS (SSL), making it far more secure than HTTP. The SSL certificate authenticates the web server identity so an HTTPS-secured site is harder to spoof. However, attackers can get around this by using non-ASCII characters or languages like Cyrillic or Turkish as part of the URL, which are virtually indistinguishable from valid characters. 

8. SSL Stripping

Another way around HTTPS encryption is to force traffic to HTTP sites instead. This can be done if the attacker has already successfully infiltrated a router or controls the WiFi network the user is connected to. The hacker becomes the party communicating directly with the HTTPS site and connects the user to an HTTP version of the site. They can now see all the user’s communications in plain text, including access credentials. Strategies on how to prevent man-in-the-middle attacks often rely on creating security obstacles for attackers, but this type of attack shows how they can get around them fairly easily.

9. Man-in-the-Browser

If an attacker has successfully installed malware on a user’s device, they can observe all online actions and exfiltrate that data to perform attacks. This attack is referred to as a man-in-the-browser attack.

10. Email Hijacking

This is a man-in-the-middle attack where the attacker gains access to a user’s email, usually through a phishing attack. This then allows them to monitor all incoming and outgoing communications. This also allows them to act as the user if they wish, such as to request to change bank details or demand payment of an invoice.

How to Prevent Man-in-the-Middle Attacks: 4 Best Practices 

Once underway, MitM attacks are notoriously difficult to spot since hackers disguise themselves as a legitimate endpoint in a line of communication. However, best practices in how to prevent man-in-the-middle attacks can go a long way in protecting organizations.

1. Education

Educate employees, particularly remote workers, about the dangers of MitM attacks. Remind them to always check the address of the websites they are logging into, never to exchange data or fill out forms on websites that do not use SSL (HTTPS), to always heed network security warning messages, and to look for misspellings, unnecessary capitalization and erroneous number sequences (e.g. FreeATLAirport vs. FreeATLairPort123). Employees should be trained on the dangers of connecting to public WiFi networks from any device that accesses corporate data, and should only use up-to-date, high-security browsers.

2. Intrusion Detection

Firewalls and intrusion detection systems constantly monitor networks for suspicious activity and attempts at infiltration. These systems are effective at blocking external attempts to compromise a network. Unfortunately, remote workers’ devices often live outside these protections.

3. VPN

Enterprises can prevent some types of man-in-the-middle attacks by deploying virtual private networks (VPNs). A VPN encrypts data, helping stop attackers from infiltrating your network and, if an attack does occur, rendering any data gathered unreadable. VPNs also protect employees connecting to public WiFi. By setting VPNs to “force HTTPS,” all traffic goes through the most secure versions of sites. VPNs themselves, however, are an increasingly popular attack vector.

4. Strong Authentication

Most modern cyberattacks stem from compromised passwords and account takeover. Attackers then have complete access to networks and will never show up on intrusion detection systems. The counter to this is to deploy more secure authentication protocols, at a minimum multi-factor authentication (MFA), which requires users to provide two or more proofs of their identity. The highest level of authentication security, mandated as part of the Zero Trust architecture delineated by the federal government, is phishing-resistant multi-factor authentication, which completely removes one of the most vulnerable points in your security posture.

How Passwordless MFA Prevents Man-in-the-Middle Attacks

MitM attacks are hard to detect and prevent, making them a nightmare scenario for any CISO. VPNs can help, but only if access is protected through strict authentication protocols. This is why any MitM security strategy needs to start with phishing-resistant passwordless MFA (PMFA).

Phishing-resistant PMFA uses public-key cryptography for the authentication process so there are no secrets or credentials that can be intercepted and leveraged in MitM attacks. FIDO-based passwordless MFA is considered the gold standard by the Cybersecurity and Infrastructure Security Agency (CISA) as well as the OMB and other regulatory bodies. Solutions that are FIDO Certified end to end don’t use OTPs, SMS codes, compromisable push notifications or any other phishable factor. 

To Sum Up

MitM attacks come in various forms, but all involve the attacker surreptitiously positioning themselves to monitor data and communication exchanges. Many also allow attackers to pretend to be one or both parties in the exchange. Understanding how to prevent man-in-the-middle attacks requires education and best practice as well as security measures that include intrusion detection, VPNs and secure authentication protocols. 

One of your strongest defense pillars against these attacks is to remove passwords completely by deploying phishing-resistant passwordless MFA. HYPR’s True Passwordless™ MFA is fully FIDO Certified in all of its components and provides a seamless, secure login experience from the desktop through to applications, including VPNs and other remote access points. To learn how HYPR helps secure your networks and users against MitM attacks, read more here or talk to our team.
