Although modern cyberattacks keep growing in scale and sophistication, some of the most effective methods still rely on traditional techniques. The man in the middle attack (also called the monster-in-the-middle, monkey-in-the-middle, or simply MITM attack) relies on one of the oldest tricks in the book: eavesdropping. MITM attacks are used to hijack systems, disrupt communications, or reach restricted data. Read on to learn what these attacks involve and how to stop them.
Tradition Meets Next-Gen
Most man in the middle attacks aren’t just meant to eavesdrop or spy on web traffic. Instead, they usually serve as precursors to larger, more advanced attacks. Since they’re often used to steal login credentials, provide misinformation, or breach confidential databases, MITM attacks can be devastating.
To protect your organization from MITM, you need to fully understand:
- What common MITM tactics involve
- How MITM attacks have evolved over time
- What similar and related attacks look like
- How to detect and prevent a MITM attack
Common Man in the Middle Tactics
Traditional man in the middle attacks always involve at least three parties: the sender, the recipient, and the attacker (the eavesdropper). In many MITM scenarios, the two unsuspecting parties alternate between the roles of sender and recipient as they exchange messages. An attack can also be brief, intercepting only one or a few messages while the roles stay fixed.
By sitting between the two parties, the attacker can reroute, alter, or delete messages, web page requests, individual files, and more. Some man in the middle attacks even defeat encryption and other advanced security measures, typically by impersonating one endpoint with a fraudulent or stolen certificate, which complicates your incident response protocols.
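The interception described above is what message authentication (recommended later in this article) defends against. The following added example, not code from the original article, models a sender, a recipient, and an in-path relay that can alter or delete a message; the recipient detects both because each message carries a sequence number and an HMAC tag computed with a key the relay does not hold. The shared key and message bodies are constructed for the example.

```python
import hmac
import hashlib

# Constructed shared secret for the example; a real deployment derives it from a key exchange.
SHARED_KEY = b"example-shared-key-not-for-production"

def protect(key, seq, body):
    """Sender side: attach a sequence number and an HMAC-SHA256 tag over seq||body."""
    tag = hmac.new(key, f"{seq}:{body}".encode(), hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "tag": tag}

def verify(key, msg, expected_seq):
    """Recipient side: recompute the tag and check ordering.
    Returns (ok, reason). A deleted message shows up as a sequence gap,
    an altered one as a tag mismatch (the relay cannot recompute the tag)."""
    if msg["seq"] != expected_seq:
        return False, f"sequence gap: expected {expected_seq}, got {msg['seq']}"
    expected = hmac.new(key, f"{msg['seq']}:{msg['body']}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):  # constant-time comparison
        return False, "tag mismatch: body or sequence altered in transit"
    return True, "ok"

def relay(msgs, tamper_with=None, drop=None):
    """Models the in-path party: forwards messages, optionally altering or deleting one."""
    out = []
    for m in msgs:
        if m["seq"] == drop:
            continue
        if m["seq"] == tamper_with:
            m = dict(m, body=m["body"].replace("1000", "9000"))  # change the amount
        out.append(m)
    return out

def run(tamper_with=None, drop=None):
    """Send three constructed messages through the relay; return the recipient's verdicts."""
    bodies = ["pay 1000 to acct A", "confirm", "logout"]
    sent = [protect(SHARED_KEY, i, b) for i, b in enumerate(bodies)]
    verdicts, expected = [], 0
    for m in relay(sent, tamper_with, drop):
        ok, reason = verify(SHARED_KEY, m, expected)
        verdicts.append((m["seq"], ok, reason))
        if ok:
            expected += 1  # only advance on an authenticated, in-order message
    return verdicts
```

A relay that holds the shared key could forge tags, so the key must only be known to the two endpoints.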
The History and Evolution of MITM
One of the earliest and most notable man in the middle attack examples dates back to 2003. Network hardware manufacturer Belkin programmed its wireless routers to periodically reroute internet traffic to an advertisement page for Belkin products, effectively launching a large-scale man in the middle attack. WiFi users eventually complained, and the feature was disabled in a later firmware update. All told, this was a relatively harmless attack, unlike many other uses since.
Belkin’s MITM initiative ended years ago, but others have used similar techniques to inject banner ads and collect user data since then. Motivated hackers also use MITM attacks for even more nefarious purposes, such as the direct theft of credentials or data used for extortion.
Notable MITM Case Studies
Some of the most notable man in the middle attack examples to learn from include:
- DSniff – A set of hacking tools composed primarily of password sniffers and traffic monitors, DSniff marked the first time MITM attacks were used successfully against the SSL and SSH (Secure Shell) protocols.
- DigiNotar – DigiNotar, a Dutch digital notarization service, suffered a security breach that led to the issuance of numerous fraudulent certificates, ultimately causing a wave of man in the middle attacks against customers.
- Superfish – A former online advertising company, Superfish built a visual search engine that was bundled with new Lenovo laptops starting in 2014. Because the same private key shipped on every laptop, attackers could easily launch large-scale MITM attacks against any of them.
Attacks Similar or Related to MITM
Several variations on the standard man in the middle attack exist, each tailored to improve the attacker's odds against a particular target or environment:
- Man in the browser – A form of Trojan horse, this attack takes over a web browser and modifies traffic as the attacker chooses. Because the malware acts inside the browser, it bypasses many advanced security measures such as Secure Sockets Layer (SSL) and multifactor authentication (MFA). As a result, these attacks are of particular concern, but robust antivirus software can be used to mitigate them.
- Man on the side – An active attack that only grants the attacker access to the communications of one party. While they can monitor traffic and even generate new outgoing traffic, the attacker cannot modify, erase, or block incoming traffic. Strong firewalls and identity and access management, along with encryption, are needed.
MITM Detection and Prevention
Since they don’t match the standard definition and appearance of most viruses or malware, man in the middle attacks are difficult for vCISOs and IT professionals to detect with common IT security tools. More advanced methods are usually necessary.
The following approaches are most effective:
- User and traffic authentication – Verifying and authenticating the messages sent between two parties remains one of the most effective ways to detect and prevent MITM attacks. Advanced authentication methods like HTTP Public Key Pinning (HPKP) and Domain Name System Security Extensions (DNSSEC) are among the strongest (note that major browsers have since dropped HPKP support, so certificate validation must rest on other controls).
- Network forensics – Advanced data and network forensics are tools that generally detect attacks after they’ve occurred. By examining round-trip latency between two parties, for example, IT teams can identify and diagnose abnormalities that indicate a MITM attack.
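To make the latency-based forensics point concrete, here is an added example (not code from the original article) that learns a baseline round-trip time from the first few samples of a constructed log and flags later samples that deviate far from it, using median and median absolute deviation so a few outliers do not skew the baseline. The log format, hosts, and values are all constructed for this example.

```python
import re
import statistics

# Constructed sample log lines (not from any real capture): RTT from a client to its gateway.
SAMPLE_LOG = """\
t=1 client=10.0.0.5 peer=10.0.0.1 rtt_ms=11.8
t=2 client=10.0.0.5 peer=10.0.0.1 rtt_ms=12.1
t=3 client=10.0.0.5 peer=10.0.0.1 rtt_ms=11.5
t=4 client=10.0.0.5 peer=10.0.0.1 rtt_ms=12.4
t=5 client=10.0.0.5 peer=10.0.0.1 rtt_ms=11.9
t=6 client=10.0.0.5 peer=10.0.0.1 rtt_ms=12.0
t=7 client=10.0.0.5 peer=10.0.0.1 rtt_ms=11.7
t=8 client=10.0.0.5 peer=10.0.0.1 rtt_ms=12.2
t=9 client=10.0.0.5 peer=10.0.0.1 rtt_ms=24.9
t=10 client=10.0.0.5 peer=10.0.0.1 rtt_ms=25.3
t=11 client=10.0.0.5 peer=10.0.0.1 rtt_ms=12.0
t=12 client=10.0.0.5 peer=10.0.0.1 rtt_ms=26.1
"""

LINE_RE = re.compile(r"t=(\d+) client=(\S+) peer=(\S+) rtt_ms=([\d.]+)")

def parse(log):
    """Turn raw lines into (t, client, peer, rtt_ms) tuples; malformed lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m[1]), m[2], m[3], float(m[4])))
    return out

def baseline(rtts):
    """Median and median absolute deviation: robust to a few outliers in the window."""
    med = statistics.median(rtts)
    mad = statistics.median(abs(r - med) for r in rtts)
    return med, mad

def flag_latency_anomalies(log, window=8, k=6.0, min_mad=0.1):
    """Learn a baseline from the first `window` samples, then flag later samples whose
    deviation from the median exceeds k * MAD. min_mad avoids a zero divisor when the
    baseline is perfectly steady. Returns (t, rtt_ms, robust_score) per flagged sample;
    a sustained jump is a trigger for investigation, since benign congestion can also cause it."""
    samples = parse(log)
    if len(samples) <= window:
        return []  # not enough history to establish a baseline
    med, mad = baseline([s[3] for s in samples[:window]])
    mad = max(mad, min_mad)
    return [(t, rtt, round((rtt - med) / mad, 1))
            for t, _, _, rtt in samples[window:] if abs(rtt - med) > k * mad]
```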
Overcoming and Preventing MITM Cyberattacks
If you’re worried about man in the middle attacks disrupting your network, or if you’ve already fallen victim to a MITM attack, you’ll need to take a proactive approach to fully protect your systems. vCISO services can guide that effort.
For more information or to get started right away, contact RSI Security today.