Man-in-the-Middle: Tips for Detection and Prevention





A man-in-the-middle attack is a cyberattack in which the attacker inserts themselves into an existing connection or communication in order to intercept the data passing through it. The attacker can be a passive listener in your conversation, quietly collecting information, or an active participant, altering the content of your messages or impersonating the person or system you think you are talking to.



Think back to the 20th century, when many homes had a landline with several handsets, and one family member could pick up while another was talking. You might not even suspect that someone else was listening until they cut into the conversation. This is the principle of a man-in-the-middle attack.



How does a man-in-the-middle attack work?







Most man-in-the-middle attacks, regardless of the methods used, have a simple sequence of actions. Let's consider it using the example of three characters: Alice, Bob and Chuck (the attacker).



  1. Chuck secretly listens on the channel over which Alice and Bob communicate.
  2. Alice sends a message to Bob.
  3. Chuck intercepts and reads Alice's message without Alice's or Bob's knowledge.
  4. Chuck alters the messages between Alice and Bob, provoking unwanted or dangerous responses.


Man-in-the-middle attacks are commonly used early in the kill chain: during reconnaissance, intrusion, and infection. Attackers often use them to collect credentials and information about their targets.



Multi-factor authentication can be an effective defense against credential theft. Even if an attacker learns your username and password, they still need your second authentication factor in order to use them. Unfortunately, in some cases multi-factor protection can be bypassed.



Here is a practical example of a real-life man-in-the-middle attack on Microsoft Office 365, where an attacker bypassed multi-factor authentication:



The user is lured to a phishing page that Evilginx proxies to the genuine Microsoft sign-in page, so the user sees the real login flow and completes the multi-factor prompt as usual. Because every request and response passes through the proxy, Evilginx captures the session cookie that Microsoft issues after successful authentication. The attacker then loads that cookie into their own browser and opens Office 365 as the user, without being challenged for a password or a second factor.


You can watch a live demo of this attack during our weekly cyber attack seminars.



Methods and types of man-in-the-middle attacks







Here are some common tactics used by attackers to become the “man in the middle”.



  1. ARP spoofing



    The Address Resolution Protocol (ARP) maps IP addresses to the hardware (MAC) addresses of hosts on a local network.



    In ARP spoofing, the attacker sends forged ARP replies so that hosts on the network associate the attacker's MAC address with the IP address of another machine, typically the default gateway. Traffic meant for that machine is then delivered to the attacker, who can read or alter it before forwarding it on, while both ends of the connection see nothing unusual.



    • The attacker can read and record the redirected traffic.
    • The attacker can modify packets in transit.
    • Dropping the forwarded traffic instead of relaying it produces a denial of service (DoS).
    • Either way, the attacker now sits as the "man in the middle" of every session the victim opens.
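A defender-side check for the ARP spoofing described above, added here as an example (it is not code from the article or from Varonis): it replays constructed ARP replies and flags the two classic symptoms, a gateway whose MAC changes and one MAC answering for several IPs.

```python
"""Detect ARP spoofing symptoms in a stream of observed ARP replies."""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) pairs seen in ARP replies on one LAN.
# The gateway 192.168.1.1 first answers with its real MAC, then the host at
# 192.168.1.50 starts answering for the gateway's IP with its own MAC.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.50", "de:ad:be:ef:00:50"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "de:ad:be:ef:00:50"),   # forged reply: gateway IP, attacker MAC
    ("192.168.1.1", "de:ad:be:ef:00:50"),   # repeated to keep the victim's cache poisoned
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for IP->MAC changes and for MACs claiming several IPs.

    Both signals are visible from a passive capture or from periodic 'arp -a' dumps:
    1. an IP (especially the gateway) whose MAC changes over time,
    2. a single MAC that answers for more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip} changed MAC {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

On a real network, feed it the (IP, MAC) pairs from a packet capture filtered to ARP replies; a static ARP entry for the gateway on critical hosts removes the first symptom entirely.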


  2. DNS spoofing



    DNS spoofing works by corrupting the answers given by DNS, the system that translates domain names into IP addresses. A user who types the address of Google and receives a forged DNS answer is silently sent to a look-alike site under the attacker's control, while believing they are on Google; anything they enter there goes to the attacker.





  3. HTTPS spoofing



    HTTPS spoofing exploits the trust users place in the padlock icon. The S in HTTPS stands for secure, and users have learned to look for it before entering sensitive data. The attacker registers a domain that looks like the target's, sets up HTTPS on it, and sends the victim a link to it. The trick is in the URL: characters from another alphabet that look identical to Latin letters are substituted into the name, so it appears to be the original. For example.com, the attacker can use the URL www.exаmple.com, in which the "a" in "example" is a Cyrillic "а". The browser shows a genuine padlock for the look-alike domain, while the site itself belongs to the attacker.





  4. Wi-Fi eavesdropping



    In Wi-Fi eavesdropping the attacker sets up their own Wi-Fi access point with a name that looks legitimate, for instance resembling the network of a nearby cafe. Users who connect to it send all of their traffic through the attacker's equipment, where it can be read or altered.




  5. Session hijacking. After a user signs in to a web application (a bank, an email service), the session is identified by a cookie that the browser sends with every request. The "man in the middle" intercepts that cookie; in our Live Cyber Attack seminar we show exactly how this happens.



    With the stolen cookie, the attacker presents it to the web application and is treated as the already logged-in user, without needing the password or a second factor. This is the technique behind the Office 365 example above.
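Server-side detection of the cookie theft described above, added here as an example (not code from the article or from Varonis): it scans constructed access-log events and alerts when one session cookie is used from a second client address and browser within a short window.

```python
"""Spot a hijacked web session: the same session cookie used from two clients."""
from datetime import datetime, timedelta

# Constructed access log: (timestamp, session_id, client_ip, user_agent).
# Session s1 is used by its owner, then replayed from another IP with another client.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "s1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2024-05-01T09:05:00", "s1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2024-05-01T09:06:30", "s1", "198.51.100.7", "python-requests/2.31"),
    ("2024-05-01T09:10:00", "s2", "203.0.113.22", "Mozilla/5.0 (Macintosh)"),
]


def find_shared_sessions(events, window=timedelta(minutes=30)):
    """Return (session_id, previous_ip, new_ip) for sessions seen from a second
    (ip, user_agent) pair within `window` of the previous request.

    A legitimate user rarely changes both address and browser mid-session; a stolen
    cookie replayed from the attacker's machine almost always does. Sorting by
    timestamp makes the check independent of the order the log lines arrive in.
    """
    last_seen = {}   # session_id -> (timestamp, ip, user_agent)
    alerts = []
    for ts_str, sid, ip, ua in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        prev = last_seen.get(sid)
        if prev and (prev[1], prev[2]) != (ip, ua) and ts - prev[0] <= window:
            alerts.append((sid, prev[1], ip))
        last_seen[sid] = (ts, ip, ua)
    return alerts


if __name__ == "__main__":
    for sid, old_ip, new_ip in find_shared_sessions(SAMPLE_EVENTS):
        print(f"session {sid}: used from {old_ip} and then {new_ip}")
```

A matching alert is a good trigger for invalidating the session server-side and forcing a fresh login, which is the one step that makes the stolen cookie worthless.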



How common are man-in-the-middle attacks?



Man-in-the-middle attacks have been around for a long time, and while they are not as prevalent as phishing, malware, or even ransomware, they are usually part of a complex targeted attack where the attacker has clear intentions. For example, an attacker who wants to steal a bank card number can find this data by intercepting Wi-Fi traffic in a cafe. Another attacker could use man-in-the-middle attacks as part of a larger plan to penetrate a large company’s network. Our man-in-the-middle attack lab demonstrates how an attacker can use malware to intercept network traffic and infiltrate corporate email.



How to detect a man-in-the-middle attack







Man-in-the-middle attacks are subtle, but their presence still leaves traces in normal network activity, and cybersecurity professionals and end users can find these traces. It is generally accepted that it is better to prevent than to detect.



Signs of a man-in-the-middle attack



Here are some signs that you may have uninvited listeners on your networks:



  • Unexpected or repeated disconnection: attackers force users off the network so that they can capture the username and password when the user reconnects. Monitoring for unexpected or recurring disconnections lets you spot this behavior early.
  • Strange addresses in the browser: if the URL in the address bar does not look right, it may be the result of DNS hijacking. For example, www.go0gle.com instead of www.google.com.
  • Public or unsecured Wi-Fi: be wary of connecting to Wi-Fi networks you do not recognize, especially ones with generic names such as "Free Wi-Fi". Attackers set up such hotspots precisely so that users connect to them and hand over their traffic.
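A checker for the look-alike addresses discussed under HTTPS spoofing and in the "strange addresses" sign above, added here as an example (not code from the article): it flags labels that mix scripts or contain non-ASCII characters, shows the punycode the browser would actually connect to, and catches digit-for-letter typosquats against a constructed allowlist. KNOWN_HOSTS and CONFUSABLE_ASCII are assumptions for the demo.

```python
"""Flag look-alike hostnames: IDN homographs and digit-for-letter typosquats."""
import unicodedata

# Constructed allowlist of hostnames users are expected to visit.
KNOWN_HOSTS = {"www.example.com", "www.google.com", "login.microsoftonline.com"}

# ASCII glyphs that commonly stand in for Latin letters in typosquatting.
CONFUSABLE_ASCII = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def scripts_in_label(label):
    """Return the set of Unicode scripts (first word of the character name) in a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def check_hostname(host, known=KNOWN_HOSTS):
    """Return (verdict, detail); verdict is 'ok', 'homograph' or 'lookalike'.

    For a homograph the detail is the punycode form (what the browser resolves),
    for a typosquat it is the known host the name imitates.
    """
    host = host.strip().lower().rstrip(".")
    if host in known:
        return "ok", host
    # 1. Mixed-script or non-ASCII labels, e.g. a Cyrillic "а" inside "example".
    for label in host.split("."):
        if not label.isascii() or len(scripts_in_label(label)) > 1:
            return "homograph", host.encode("idna").decode("ascii")
    # 2. ASCII typosquats: fold digit look-alikes and compare with the allowlist.
    folded = host.translate(CONFUSABLE_ASCII)
    if folded in known:
        return "lookalike", folded
    return "ok", host


if __name__ == "__main__":
    for name in ("www.google.com", "www.go0gle.com", "www.ex\u0430mple.com"):
        print(name, "->", check_hostname(name))
```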


How to protect yourself from the "man in the middle"







Here are some guidelines for protecting you and your networks from man-in-the-middle attacks. However, none of them guarantees 100% reliability.



General best practices



Compliance with general cybersecurity rules will help you defend against man-in-the-middle attacks:



  • Connect only to secured Wi-Fi routers, or use your wireless carrier's encrypted connection. Connect to routers that use WPA2 security protocol. It doesn't provide absolute security, but it's still better than nothing.
  • Use a VPN to encrypt traffic between endpoints and the VPN server (on your corporate network or on the Internet). If the traffic is encrypted, it is more difficult for the “man in the middle” to intercept or modify it.
  • Use communication tools that offer end-to-end encryption (Zoom, Teams, etc.).
  • Visit only HTTPS sites.
  • Use DNS over HTTPS, which encrypts the DNS queries and responses exchanged with the DNS server.


Does encryption protect against the "man in the middle"?



End-to-end encryption will help prevent an attacker from reading your network messages, even if they are listening to your traffic. With encryption, the sender and recipient use a shared key to encrypt and decrypt the messages in transit. Without this key, your messages look like a string of random characters, and the "man in the middle" cannot benefit from them.



Encryption makes it difficult for an attacker to intercept and read network data, but it is still possible and does not provide complete protection against disclosure of your information, since attackers have developed methods to bypass encryption.



For example, in our laboratory studying man-in-the-middle attacks, we demonstrate how an attacker can steal an authentication token containing a username, password, and multi-factor authentication information to log into an email account. Once the session cookie is hijacked, it doesn't matter if the communication between the client and the server is encrypted - the hacker simply logs in as an end user and can access the same information as that user.



The future of man-in-the-middle attacks



Man-in-the-middle attacks will remain an effective tool for attackers as long as they can intercept sensitive data such as passwords and bank card numbers. There is a constant arms race between software developers and network service providers on the one hand and cybercriminals on the other to eliminate vulnerabilities that attackers use to launch their attacks.



Take, for example, the massive expansion of the Internet of Things (IoT) over the last few years. IoT devices do not yet meet security standards and do not have the same capabilities as other devices, which makes them more vulnerable to man-in-the-middle attacks. Attackers use them to enter an organization's network and then move on to other methods. Who would have thought that a refrigerator with Internet access is not just a fashionable new device, but also a hole in the security system? Cybercriminals know this!



Widespread wireless networks such as 5G are another opportunity for attackers to use man-in-the-middle attacks to steal data and infiltrate organizations. This was amply demonstrated at the Black Hat 2019 computer security conference. Wireless technology companies have a responsibility to address vulnerabilities like the ones shown at Black Hat and provide a secure backbone for users and devices.



Current trends are such that the number of networks and devices connected to them is growing, which means that attackers have more opportunities to use man-in-the-middle methods. Knowing the telltale signs of a man-in-the-middle attack and applying detection techniques can help you detect attacks before they cause damage.



Visit our Live Cyber Attack Workshop, in which we demonstrate how a man-in-the-middle attacker can intercept a user's authentication token in order to infiltrate and steal sensitive data. We will also show how Varonis can detect this type of attack.