Imagine sharing sensitive information online with a trusted recipient, only to find out that it was sent to an impersonator eavesdropping on your seemingly secure internet communications. This information may be login credentials to your personal social media profiles, online banking services or healthcare service providers. Scary, embarrassing or worse.
According to research, you are always at risk of these eavesdropping incidents, known formally as Man in the Middle (MITM) attacks:
- In the 2010s, 35% of all exploits were MITM attacks.
- Only 10% of business organizations have implemented HTTP Strict Transport Security (HSTS) that actively prevents MITM attacks.
In this article, let’s take a look at how MITM attacks work, including common techniques and how to protect against them. We’ll also see why these attacks have decreased in more recent years.
(This article was written by Muhammad Raza. See more of Muhammad’s contributions to Splunk Learn.)
How Man in the Middle Attacks work
A Man in the Middle attack is a common cyberattack in which a third-party node sits between a client and a server and eavesdrops on their communications. The scenario involves the client and server communicating in a pseudo-secure network environment, which assumes that data is only transferred between the authorized, trusted and intended parties. Sometimes these attacks are known as “adversary in the middle” attacks.
Consider a simple example of two individuals, Alice and Tony, sharing sensitive documents over the network. After a connection between the two parties is established, a third entity, Eve, hijacks the session. Eve impersonates Tony and asks Alice to send her the documents. Eve then modifies the documents and sends them to Tony, pretending to be Alice.
Both Alice and Tony believe they are communicating with each other — in reality, Eve intercepted the communications channel and leaked and modified the data.
Common techniques in MITM attacks
A Man in the Middle attack is accomplished in several ways. Let’s review the most common ways that MITM attacks occur.
Address Resolution Protocol (ARP) spoofing refers to the MITM technique where the MAC address of the attacking server is linked to the IP address of the legitimate recipient. When the URL is resolved to the IP address of this recipient, the traffic is instead routed to the attacking server.
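A defender can spot this by watching the IP-to-MAC bindings a host has learned. The following is an added example, not code from the original article: it parses a constructed `ip neigh show` listing and flags bindings that changed, with all addresses and the pinned gateway entry being assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: two `ip neigh show` snapshots taken a minute apart and
# concatenated. All addresses are made up for this example.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE
192.168.1.37 dev eth0 lladdr aa:bb:cc:00:00:25 REACHABLE
192.168.1.50 dev eth0  FAILED
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:25 REACHABLE
192.168.1.37 dev eth0 lladdr aa:bb:cc:00:00:25 REACHABLE
"""

LINE_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Yield (ip, mac) pairs; entries with no link-layer address are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower()

def find_arp_anomalies(text, pinned=None):
    """Return sorted (kind, subject, details) findings.

    pinned: optional {ip: mac} of bindings known to be correct, such as the
    default gateway (an assumption of this example).
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for ip, mac in parse_neigh(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    findings = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:  # the binding for this IP changed between snapshots
            findings.append(("ip-multiple-macs", ip, tuple(sorted(macs))))
        if ip in pinned and macs != {pinned[ip]}:
            findings.append(("pinned-mismatch", ip, tuple(sorted(macs))))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:  # can be legitimate (multi-homed host); review it
            findings.append(("mac-multiple-ips", mac, tuple(sorted(ips))))
    return sorted(findings)
```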
ICMP Packet Spoofing
ICMP is part of the Internet protocol suite that communicates diagnostic information between the client and server. The ICMP MITM attack redirects traffic to a routing device controlled by the attacker, before sending it to a gateway connected to the intended recipient.
Any communications received at the gateway are also routed to the attacker’s MAC address before being sent to the victim client.
DNS Poisoning & Spoofing
The attacker alters the website address record on the DNS server. In this case, a correct website URL resolves to an IP address that belongs to the attacker. Instead of returning the intended website, a fake website impersonating the original one is returned and engages the victim.
- DNS poisoning refers to the practice of replacing legitimate URL-IP address mappings with a fake redirect.
- DNS spoofing is the end-result of the redirected website routed via a poisoned cache.
In the Evil Twin attack, users are tricked into connecting to a malicious WiFi hotspot that resembles a legitimate WiFi connection.
For example, a WiFi hotspot with a name similar to your organization's WiFi lets you connect and then has access to all data transmitted over your network connection.
The attacker swaps the secure HTTPS links between the server and the client, with insecure HTTP links. The attacker then establishes a middle-man HTTPS connection with the server itself, while keeping an HTTP connection with the victim client.
This allows the middleman attacker to access sensitive data such as login credentials, while the connection to the server is still presented as a secure HTTPS channel.
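HSTS, mentioned at the start of this article, is the server-side control against this downgrade: once a browser has seen the header over HTTPS, it refuses plain HTTP for that host. The following is an added example, not code from the original article, that audits a response's `Strict-Transport-Security` header; the one-year threshold, the finding codes and the sample headers are assumptions of this example.

```python
MIN_MAX_AGE = 31536000  # one year in seconds; threshold chosen for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument}.

    Directive names are case-insensitive. RFC 6797 allows each directive only
    once, so a repeated directive makes the header invalid (returns None).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"')
    return directives

def assess_hsts(headers):
    """Return finding codes for a list of (name, value) headers; [] means OK."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing"]  # HTTP links to this host can be served unprotected
    d = parse_hsts(values[0])  # only the first HSTS header is processed
    if d is None or not d.get("max-age", "").isdecimal():
        return ["invalid"]  # max-age is required; browsers ignore bad headers
    issues = []
    age = int(d["max-age"])
    if age == 0:
        issues.append("max-age-zero")  # tells the browser to forget the policy
    elif age < MIN_MAX_AGE:
        issues.append("max-age-short")
    if "includesubdomains" not in d:
        issues.append("no-includesubdomains")  # subdomains stay downgradable
    return issues

# Constructed response headers for illustration.
SAMPLES = {
    "good": [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")],
    "short": [("strict-transport-security", 'max-age="3600"')],
    "dup": [("Strict-Transport-Security", "max-age=31536000; max-age=0")],
    "none": [("Content-Type", "text/html")],
}
```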
SSL Session Hijacking
A fake HTTPS certificate may be forwarded to the victim, which tricks them into believing that the connection is secured with HTTPS. The attacker generates and sends fake authentication keys to both the client and the server during a TCP handshake, which sets up an apparently validated HTTPS secure communication channel.
MITM attacks today
Historically easier to execute, MITM attacks have been harder for the average bad actor in the last few years thanks to overall increases in security technologies, including the HTTPS Everywhere collaboration. Importantly, HTTPS Everywhere can only protect users using sites that support HTTPS — which is certainly not every site.
Today, MITM attacks are most likely attempted by advanced hackers and state actors.
Protecting against man in the middle attacks
How can you protect your online communications and activities from the MITM attack? The first layer of defense against MITM attacks is relatively straightforward. All you have to do is to follow the standard best practices when it comes to online security:
- Ensure that the security certificate is valid. This can be checked by hovering over and clicking the lock sign next to the website URL on your browser.
- Avoid using public and open networks, especially for sensitive online activities such as logging in to your bank, healthcare and business services.
- Log out of all applications and services before leaving the Web session.
- Carefully check the website URL. Many MITM attacks impersonate a legitimate website by using a similar URL that contains a hard-to-notice typographical difference from the original URL, like capitalizing an i to spoof a lower-case L.
- Encrypt your data and communications, such that even in a compromised situation your sensitive data remains unreadable to the MITM attackers.
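The URL check in the list above can be automated for links in mail or chat. The following is an added example, not code from the original article: it folds visually confusable characters and compares a link's hostname against a list of expected hosts. The host names and the small confusables table are constructed for illustration and are not exhaustive.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts the user expects to visit.
TRUSTED_HOSTS = {"online-bank.example", "mail.example.com"}

# Illustrative confusables: each character or pair is folded to the shape it
# is commonly mistaken for. Real tables are much larger.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

def skeleton(host):
    """Fold a hostname to a canonical 'visual' form for comparison."""
    s = host.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

TRUSTED_SKELETONS = {skeleton(h): h for h in TRUSTED_HOSTS}

def classify_url(url):
    """Return (verdict, trusted_host), verdict in trusted/lookalike/unknown."""
    # urlsplit lowercases the hostname, so a capital I shown in link text
    # becomes the 'i' the browser would actually resolve.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in TRUSTED_HOSTS:
        return "trusted", host
    match = TRUSTED_SKELETONS.get(skeleton(host))
    if match:
        # Looks like a trusted host after folding but is a different name.
        return "lookalike", match
    return "unknown", None
```

A distinct legitimate host can share a skeleton with a trusted one, so a `lookalike` verdict is a prompt for review rather than proof of impersonation.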
For business organizations, it is important to encourage cybersecurity awareness and best practices, encrypt sensitive data and keep security certificates up to date. These best practices significantly improve your Internet security against MITM attacks, which commonly exploit known vulnerabilities in the network to compromise unsuspecting Internet users.