Man-in-the-Middle (MiTM) Attacks

What is a Man-in-the-Middle attack, is it still relevant, and how do I protect my network?

A Man-in-the-Middle (MiTM) attack amounts to inserting the computer of an attacker (the MiTM computer) within the network path of a targeted endpoint computer, such that network traffic to and from that target computer now routes through the MiTM computer, available for inspection and manipulation. Once established, the attacker might focus on gathering information, or possibly take over (hijack) an active connection and proceed to act in the place of the victim.

A Man-in-the-Middle (MiTM) attack is as relevant today as it was years ago, and is estimated to occur in about a third of successful network attacks. The initial task is to take advantage of an intrinsic and well-known weakness of the Internet Protocol v4 (and, in a different form, v6), such that traffic to and from a targeted endpoint computer passes through a MiTM computer, where information can be inspected.

Executive summary

  • A MiTM attack is as relevant today as it was years ago, and is based upon a fundamental vulnerability of the Internet Protocol, present for IPv4 and, in different form, IPv6.
  • Switched networks, in which traffic between a network switch and endpoint computer is filtered to exclude traffic to all other computers, do not solve the problem.
  • In the case of a MiTM attack, the hacker is looking for information – credentials, knowledge of the network, access to sensitive information that may be passing over a connection, and potentially the hijacking of an active session – perhaps to a sensitive internal service, a cloud hosted service, an active session with a customer or business partner.
  • There are many forms of a MiTM attack, some taking advantage of known defects of particular hardware. All exploit ARP, the protocol that resolves an IP address to the layer 2 (MAC) address used to deliver IP packets on the local network.
  • A most basic MiTM attack occurs on the LAN, between the endpoint and the connecting network switch, and is not deterred by the use of switched networking technology, for the reason that the ARP broadcast issued by every network card to initiate a network connection is routed to all computers on the LAN, as part of the basic Internet Protocol.
  • There are good ways of mitigating risk – they include network segmentation, comprehensive use of certificates for all connections, monitoring, end-user education to take action on any certificate warning and keeping networking equipment and servers fully patched.


A classic example of a man-in-the-middle attack is this:

• A person establishes a secure connection to a web-based service – perhaps a financial application located on-premises or cloud hosted.

• An attacker inserts their computer within the network routing path, such that all traffic between the person and the web-based service is now directed through the attacker’s computer, available for inspection.

• For this to work, it is likely necessary for the attacker to decrypt all traffic for inspection, and re-encrypt that data before relaying on.

Certificates play an important role in detecting a MiTM attack, for the reason that the cybercriminal will need to re-encrypt data with a certificate different from that registered to the web-based service. Web browsers today are very good at alerting the end-user to such a mismatch.

How does this pertain to your local network? Because it is not difficult to redirect traffic from any computer on a LAN to a MiTM computer for inspection, and then forward it on to the original destination. This may be referred to as an ARP attack, ARP spoofing or ARP poisoning – search on any of these terms to find copious and technically specific information. Fundamentally, this comes down to these basics:

• As part of setting up a network connection, every computer / network card sends an ARP broadcast requesting the hardware (MAC) address assigned to the desired destination IP address.

• The ARP broadcast is transmitted by the network switch to every switchport on the same VLAN.

• That computer / network card to which the IP address is bound receives the ARP broadcast and replies with its MAC address.

• The ARP reply is received by the originating computer and listed in its local ARP cache.

The task for a MiTM attack is to receive the ARP broadcast and to reply with the MAC address of the MiTM computer, looking to get that response back before the response of the valid target computer – because the first response received wins. There are any number of ways to achieve this goal – and to detect the attack – and these become the basis of the task of finding and closing vulnerabilities and keeping ahead with detection.

After a successful attack, the MiTM computer can now examine packets from the originating computer, A, and then forward them on to the target computer, B. Further, the MiTM computer can behave as a proxy server in the case of an SSL/TLS connection, by creating an encrypted connection to computer B and generating a false certificate for the TLS connection to computer A. This will result in a certificate error, but end-users typically click through certificate errors. And now the MiTM computer can inspect all traffic between computers A and B: decrypt that traffic, inspect it, and re-encrypt it.


End-point control: a cybercriminal must gain control of an endpoint computer on the same VLAN as the target end-user in order to mount an on-premises MiTM attack. This is most commonly achieved through a phishing attack, often requiring clicking on something – a link to a malicious web site or an attachment containing malicious code. Local anti-virus software, a good e-mail gateway service, and a good Internet Web Security (IWS) service are important, if not mandatory at this time.

Network segmentation. The IP weakness that forms the basis of an ARP attack is the protocol by which any network device resolves a logical IP address to the physical hardware address (MAC) of the next device – initiated by an ARP broadcast packet that is forwarded to all devices on the same VLAN as the requesting computer or other network device. Because the broadcast never leaves that VLAN, segmentation limits the reach of an ARP attack to the devices sharing a segment with the attacker's endpoint, and a firewall between segments can inspect and control what crosses.

Intrusion Detection Systems (IDS) monitor network and device events, and are able to detect an ARP attack. A MiTM attack is not technically breaking any of the rules behind IP networking, so detection comes down to recognizing anomalies in the initial ARP-mediated resolution of layer 3 IP addresses to layer 2 MAC addresses – for example, the same IP address being answered for by more than one MAC address, or a single MAC address claiming several IP addresses. An IDS receives input from many network devices and draws on a whole-picture view of the network to detect a security breach. The effectiveness of such a system depends greatly on the trained response of IT staff to the alerts it generates.
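The ARP resolution steps and the race between a spoofed and a genuine reply described above can be turned into detection logic. The following is an added example, not code from the original page or from any particular IDS product: it runs over a small set of constructed ARP reply records (the IP and MAC addresses are made up) and raises alerts on the three indicators a defender would look for – an IP's MAC binding changing, two MACs answering for one IP within a short window, and one MAC claiming several IPs (for instance the gateway and a host, as a proxying MiTM computer must).

```python
"""Offline detector for ARP poisoning indicators, run over constructed ARP reply records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address: the IP being claimed
    mac: str    # sender hardware address: the MAC claiming it


RACE_WINDOW = 2.0  # seconds: two MACs answering for one IP this close apart is the race in the text


def detect_arp_anomalies(replies, race_window=RACE_WINDOW):
    """Return a list of (rule, detail) alerts.
    ip_remapped  - an IP's MAC binding differs from the first one learned (poisoned cache)
    reply_race   - two different MACs answered for the same IP within race_window
    mac_multi_ip - one MAC claims several IPs, e.g. gateway plus host, as a proxy must
    """
    alerts = []
    first_mac = {}                  # ip -> first MAC learned, like the local ARP cache
    last_reply = {}                 # ip -> (ts, mac) of the most recent reply seen
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    for r in sorted(replies, key=lambda x: x.ts):
        if r.ip in first_mac and first_mac[r.ip] != r.mac:
            alerts.append(("ip_remapped", f"{r.ip}: {first_mac[r.ip]} -> {r.mac}"))
        first_mac.setdefault(r.ip, r.mac)
        if r.ip in last_reply:
            prev_ts, prev_mac = last_reply[r.ip]
            if prev_mac != r.mac and r.ts - prev_ts <= race_window:
                alerts.append(("reply_race", f"{r.ip}: {prev_mac} and {r.mac} within {r.ts - prev_ts:.1f}s"))
        last_reply[r.ip] = (r.ts, r.mac)
        ips_per_mac[r.mac].add(r.ip)
        if len(ips_per_mac[r.mac]) == 2:  # report once, when the second IP appears
            alerts.append(("mac_multi_ip", f"{r.mac} claims {sorted(ips_per_mac[r.mac])}"))
    return alerts


# Constructed sample: 10.0.0.1 is the gateway (...:01), 10.0.0.20 is host A (...:20).
# The host at ...:66 answers for both, and its reply for the gateway lands before the real one.
SAMPLE = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(0.1, "10.0.0.20", "aa:bb:cc:00:00:20"),
    ArpReply(5.0, "10.0.0.1", "aa:bb:cc:00:00:66"),   # spoofed reply for the gateway
    ArpReply(5.3, "10.0.0.1", "aa:bb:cc:00:00:01"),   # genuine reply arrives 0.3 s later
    ArpReply(5.4, "10.0.0.20", "aa:bb:cc:00:00:66"),  # the same MAC now claims host A too
]

if __name__ == "__main__":
    for rule, detail in detect_arp_anomalies(SAMPLE):
        print(f"ALERT {rule}: {detail}")
```

On a real network the records would come from a packet capture or a switch's ARP inspection logs, and the mac_multi_ip rule needs an allow-list for routers and hosts that legitimately hold several addresses.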

Without question, end-user training is a very critical part of network security – beginning with evaluation of clickable hyperlinks or attachments presented within e-mail or web-based portals. It is far better to prevent the cyber attack from even starting. Once that click is taken, the next level of defenses are anti-malware software on the endpoint device and Internet Web Security to identify and block the attack, and after that, a certificate error. At each step it makes a difference if the end-user is trained to be suspicious of clicking on any hyperlink or opening any attachment, evaluating whether that attachment or link is expected and looks to be correct. Many attacks originate from overseas, may have errors in spelling or context, and come from a person who is not known or not expected. Training also covers the action an end-user takes in the event of a security alert – which requires diligence to ensure that, in the carrying out of normal business, there are no certificate or other errors that users become accustomed to clicking through.

Frequently Asked Questions

TLP – Tiered Logon Protocol (2020-07-28)

The harvesting of account credentials by cyber-criminals, via phishing techniques and malware, has become an important means by which corporate networks have been compromised. One important defense is to ensure that management credentials are never cached on endpoint computers, via implementation of a Tiered Logon Protocol (TLP). This may be done by assigning network administrators several user accounts, each restricted to certain management roles ranging from user-only privileges to a high level of management rights – tiered accounts. Use of these accounts is typically restricted – for example, logon by an administrator to an endpoint computer would be restricted to an account with user-only rights.

Two-Factor Authentication (2020-07-29)

Two-Factor Authentication requires that an end-user provide a password and a code from a physical device. The term Multi-Factor Authentication (MFA) has taken the place of two-factor authentication simply because the technology initially deployed for two-factor authentication has evolved, such that implementations have become much broader than the initial systems, while retaining the requirement of authenticating with both something memorized and something obtained from a physical device.

What is a segmented network? (2020-07-27)

All computers connected to a network are able to communicate directly with each other. That network might be divided into two, with PCs connected to one and servers connected to the other – and now PCs can communicate directly with other PCs but will be unable to reach servers. The network can be viewed as two segments – one for PCs, one for servers. Each of the two network segments might be connected to a firewall, such that traffic between the segments can be inspected and controlled – now adding security. Corporate networks typically have many segments – perhaps including PCs, general servers, VoIP for IP phones, wireless, management cards of network devices, and so on. The tools available to a hacker with access to the PC network are greatly diminished once it becomes necessary to cross a firewall to access central resources.

What is an endpoint network segment? (2020-07-27)

An endpoint device is taken to be any device that is used by an end-user to connect to a network – a PC, Mac, laptop, netbook, and so on. An endpoint network segment is taken to be a local network to which only endpoint devices are connected. The endpoint network segment will be connected to a firewall, such that access to other networks can be inspected and secured. Company servers and services might be located on a secure server network.

Collaborative Technology Partners

Collaborative Technology Partners, Inc., is a Boston MA based provider of Cloud Services, MSP and Cyber Security Consulting for companies operating in a Microsoft environment.
