A man-in-the-middle (MitM) attack is a type of cyberattack where a perpetrator positions themself in a conversation between two parties — two users, or a user and an application or server — so that all communications are going to or through the attacker. The attacker can also play both sides, stealing the information a user sends to a server (such as login credentials, account details and credit card numbers) while also sending corrupted packets (such as malware or HTTP requests in a DDoS attack) to an innocent third party.
Also known as adversary-in-the-middle (AitM), these attacks are becoming increasingly common and increasingly difficult to prevent. Sophisticated phishing kits that include tools to launch man-in-the-middle attacks to steal MFA tokens are readily available for purchase. Remote workers on unsecured networks present a particularly soft target. Knowing how to recognize and how to prevent man-in-the-middle attacks is essential for effective enterprise and personal cybersecurity.
Although the overall concepts are generally the same, the execution and processes of different MitM attacks can vary significantly. These nuances mean that knowing what to look for and how to prevent man-in-the-middle attacks can be difficult. Let’s take a look at the most common tactics and later we'll provide some tips for man-in-the-middle attack prevention.
In an IP Spoofing attack (a type of MitM), the hacker manipulates its network packet information to present themselves as having the IP address of a legitimate device or application. This allows them access to restricted networks and its resources. The attacker can also spoof the IPs of both user and server to intercept and snoop on all communications between them.
The Address Resolution Protocol (ARP) attempts to match IP addresses to MAC addresses where it does not know them. By using a forged ARP message, an attacker can resolve the request with its own MAC address, allowing them to steal important traffic, including session cookies. ARP Spoofing is only possible on 32-bit IP Addresses (IPv4) and not on IPv6, however most of the internet still works on IPv4.
When you log in to an account, a session token is used to confirm your identity. The session token continues to confirm your identity until you log out or the token expires. If an attacker can hijack or steal the token, they can pass as a legitimate user and bypass all authentication procedures.
An attacker can set up a network access point close to a device by taking advantage of devices set to connect to the strongest open signal. This allows the attacker to manipulate all traffic to and from the user.
Like rogue access points, a fake “public” network is a classic MitM attack. The attacker sets up a legitimate-sounding WiFi network in a hotel, restaurant or even inside a workplace. Users connect to it thinking it is the correct one, giving the attacker the ability to eavesdrop on traffic or escalate the attacks, such as forcing users into SSL stripping. As it is difficult to identify such networks, man-in-the-middle prevention can be tough for these types of attacks.
This is where the attacker manipulates traffic using the domain name system (DNS) to direct a user to their website instead of the one the user wanted. The user will usually be greeted by a fake version of the legitimate website, such as their online bank, with the details entered visible to the attacker.
The counter to DNS spoofing is to ensure sites use HTTPS instead of HTTP. HTTPS encrypts the HTTP requests and responses using TLS (SSL), making it far more secure than HTTP. The SSL certificate authenticates the web server identity so an HTTPS-secured site is harder to spoof. However, attackers can get around this by using non-ASCII characters or languages like Cyrillic or Turkish as part of the URL, which are virtually indistinguishable from valid characters.
Another way around HTTPS encryption is to force traffic to HTTP sites instead. This can be done if the attacker has already successfully infiltrated a router or controls the WiFi network the user is connected to. The hacker becomes the party communicating directly with the HTTPs site, and connects the user to an HTTP version of the site. They can now see all the user’s communications in plain text, including access credentials. Strategies on how to prevent man-in-the-middle attacks often rely on creating security obstacles for attackers, but this type of attack shows how they can get around them fairly easily.
If an attacker has successfully installed a trojan horse on a user’s device, they can observe all online actions and exfiltrate that data to perform attacks. This attack is referred to as a man-in-the-browser attack since it specifically relates to web browser communications. As malware is the culprit here, a good antivirus can be the best man-in-the-middle attack prevention for this type of threat.
This is a man-in-the-middle attack where the attacker gains access to a user’s email, usually through a phishing attack. This then allows them to monitor all incoming and outgoing communications. This also allows them to act as the user if they wish, such as to request to change bank details or demand payment of an invoice.
Once underway, MitM attacks are notoriously difficult to spot since hackers disguise themselves as a legitimate endpoint in a line of communication. However, best practices in how to prevent man-in-the-middle attacks can go a long way in protecting organizations. From education to strong authentication, read on for tips for man-in-the-middle attack prevention.
Educate employees, particularly remote workers, about the dangers of MitM attacks and man-in-the-middle attack prevention techniques. Remind them to always check the address of websites they are logging into to ensure that users never exchange data or fill out forms on websites that do not use SSL (HTTPS), always heed network security warning messages, and to look for misspellings, unnecessary capitalization and erroneous number sequences (ex: FreeATLAirport vs. FreeATLairPort123). Employees should be trained on the dangers of connecting to public WiFi networks from any device accessing corporate data, and only use up-to-date, high-security browsers.
Firewalls and intrusion detection systems constantly monitor networks for suspicious activity and attempts at infiltration. These systems are effective at blocking external attempts to compromise a network. Unfortunately, remote workers’ devices often live outside these protections.
Enterprises can prevent some types of man-in-the-middle attacks by deploying virtual private networks (VPNs). A VPN encrypts data, helping stop attacks from infiltrating your network attack and if an attack occurs, rendering any data gathered unreadable. They also provide protection for employees connecting to public WiFi. By setting VPNs to “force HTTPS,” all traffic goes through the most secure versions of sites. VPNs themselves, however, are an increasingly popular attack vector.
Most modern cyberattacks stem from compromised passwords and account takeover. Attackers then have complete access to networks and will never show up on intrusion detection systems. The counter to this is to deploy more secure authentication protocols, at a minimum multi-factor authentication (MFA) which requires users to provide two or more proofs of their identity. The highest level of authentication security, mandated as part of the Zero Trust architecture delineated by the federal government, is phishing-resistant multi-factor authentication, thus completely removing one of the most vulnerable points in your security posture.
MitM attacks are hard to detect and prevent, making them a nightmare scenario for any CISO. VPNs can help, but only if access is protected through strict authentication protocols. This is why any man-in-the-middle attack prevention strategy needs to start with a phishing-resistant passwordless MFA (PMFA).
Phishing-resistant PMFA uses public-key cryptography for the authentication process so there are no secrets or credentials that can be intercepted and leveraged in MitM attacks. FIDO-based passwordless MFA is considered the gold standard by the Cybersecurity and Infrastructure Security Agency (CISA) as well as the OMB and other regulatory bodies. Solutions that are FIDO Certified end to end don’t use OTPs, SMS codes, compromisable push notifications or any other phishable factor.
MitM attacks come in various forms, but all involve the attacker surreptitiously positioning themselves to monitor data and communication exchanges. Many also allow attackers to pretend to be one or both parties in the exchange. Understanding how to prevent man-in-the-middle attacks requires education and best practice as well as security measures that include intrusion detection, VPNs and secure authentication protocols.
One of your strongest defense pillars against these attacks is to remove passwords completely by deploying phishing-resistant passwordless MFA. HYPR’s Passwordless MFA is fully FIDO Certified in all of its components and provides a seamless, secure login experience from the desktop through to applications, including VPNs and other remote access points To learn how HYPR helps secure your networks and users against MitM attacks, talk to our team.