Everything you need to know about a Man in the Middle Attack
A man in the middle attack occurs when a third party intercepts a digital conversation without any knowledge of that interception from the legitimate participants. This conversation can occur between two human users, a human user and a computer system or two computer systems.
In any of these cases, the attacker might simply eavesdrop on the conversation to obtain information (think login credentials, private account information, etc.) or they might impersonate the other user to manipulate the conversation. In the latter instance, the attacker might send false information or share malicious links that can crash systems or open the door for additional cyberattacks. Typically the legitimate users are unaware they are actually communicating with an illegitimate third party until well after the fact when damage has already been done.
A man in the middle attack is an example of session hijacking. Other types of session hijacking attacks include cross-site scripting, session side-jacking, session fixation and brute force attacks.
How Does a Man in the Middle Attack Work?
Executing a man in the middle attack requires a hacker to gain access to a user’s connection. One of the most common ways to do this is by creating a public wifi hotspot that anyone nearby can join, no password required. Once users join this network, the hacker can access all of their digital communications and even log keystrokes to act as a man in the middle.
The public wifi example is the most common and simplest way to launch a man in the middle attack, but it’s not the only way to do so. Other common approaches include:
• Sending users to a fake website: Hackers can send users to a fake website instead of their intended destination by engaging in IP spoofing or DNS spoofing. IP spoofing occurs when the hacker alters packet headers in an IP address, while DNS spoofing occurs when the hacker gains access to a DNS server and changes the website’s DNS record. In either case, the user ends up on a fake website owned by the hacker (where they can then capture all information) despite it appearing completely real.
• Rerouting data transfers: Hackers can reroute the destination of communications by engaging in ARP spoofing. This occurs when the hacker connects their MAC address to the IP address belonging to one of the legitimate users involved in the communications. Once they make that connection, the hacker can receive any data intended for the legitimate user’s IP address.
In some cases, communications may be openly exposed, but in cases where the data is encrypted, man in the middle attacks involve yet another step to make that information readable to hackers. Hackers can attempt to decrypt any encrypted information through approaches like:
• SSL hijacking: Hackers fake authentication keys to establish what seems like a legitimate, secure session. However, since the hacker owns these keys, they can actually control the entire conversation.
• SSL BEAST: Hackers target a vulnerability in SSL to install malware on a user’s device that can intercept encrypted cookies intended to keep digital communications private and secure.
• SSL stripping: Hackers can turn a more secure HTTPS connection into a less secure HTTP connection, which removes encryption from web sessions and exposes all of the communications during those sessions.
How Can You Protect Against a Man in the Middle Attack?
Man in the middle attacks remain far too common and pose a serious threat to user and organizational security as a result. Despite the high threat of these attacks, there are several steps your organization’s security team and your users alike can take to protect against these risks. The best protection measures include:
1) Be careful with connection points
One of the most common ways hackers gain access to execute a man in the middle attack is through unsecured connection points, such as public wifi. As a result, it’s important for users to be extremely careful with connection points. This means avoiding public wifi (and certainly not logging in to any systems if they are connected to a public network) and using a VPN to encrypt network connections.
2) Educate users about phishing attempts
Phishing attempts are another common entry point for man in the middle attacks, and the best ones can be very convincing. Educating users about these attacks and how they’re evolving can go a long way toward helping them spot attempts and avoid falling victim to them.
3) Navigate to websites by typing the URL vs. clicking a link
Navigating to a website by typing the URL rather than clicking a link is one best practice to help prevent successful phishing and other common tactics that initiate man in the middle attacks by sending users to a fake website or embedding malware. Doing so avoids cases where hackers send a slightly modified link that can open the door for an attack.
4) Always verify site legitimacy and security through the use of HTTPS
As users type in the URL address for a website, they should also include HTTPS and ensure that any website they visit has this level of security. Checking for HTTPS protocol might seem simple, but it can go a long way toward verifying site legitimacy and security before ever sharing sensitive information.
5) Educate users on normal login processes
Several recent man in the middle attacks have asked users to go through steps to log in to a website that are not actually part of the normal login process, even though they seemed completely legitimate. Educating users on what normal login processes do and do not entail can help them more easily identify situations that are out of the ordinary.
6) Get to know your users’ normal login habits
On the security team side, getting to know users’ normal login habits can help more easily flag any unusual patterns. For example, if the majority of users tend to log in on weekdays but all of a sudden there’s a spike in activity on the weekends, that might be concerning and require further investigation.
7) Use multi-factor authentication where possible
Requiring users to log in with multi-factor authentication can provide another layer of protection against man in the middle attacks, this way even if hackers manage to obtain a username/password combination, they can’t get into accounts without another form of verification (e.g. a code sent by text message).
While this two-layer approach is not airtight, as some recent man in the middle attacks have gotten through both layers, it does provide significantly more protection.
8) Log out of secured sessions once complete
Forcing users to log out of secured sessions once they’re complete is an important practice, since closing the session ends any access to it from both legitimate and illegitimate sources. In other words, the longer a session is open, the greater the risk becomes that a hacker can gain access to it in any number of ways.
9) Prioritize PKI, particularly for the growing number of machine identities
Finally, a strong PKI program is critical to authenticating connections between users (both humans and machines) and encrypting their communications. A best practice approach to PKI requires a highly agile system that can keep up with the rapidly growing number of identities, apply security standards consistently across the board and regularly update encryption keys to avoid risks like key sprawl.
This is an excerpt from the “What is a man in the middle attack? Article, written by Toby Gaff, Director of Solutions Engineering at Keyfactor.
Read the whole article here to find out more about
• What are different types of a man in the middle attack?
• What are the potential risks of a man in the middle attack?
• How are man in the middle attacks evolving?
• What are real life examples of a man in the middle attack?