How to Detect and Mitigate a Man-in-the-Middle Attack


The criminals used malware and social engineering to access corporate email accounts and, according to the Europol press release, “monitored communications to detect payment requests.” The investigation found that the victims had been defrauded of almost $7 million. Man-in-the-middle attacks are some of the most common and dangerous breaches. The worst part – you won’t even know your traffic is being intercepted unless the attacker does something to give him or herself away.

But what is a man-in-the-middle attack, how can you detect and prevent your company from being victimized, and – if hacked – how can you mitigate the damages?

Man-in-the-Middle Attack

A man-in-the-middle attack occurs when an intruder inserts him or herself between two parties, impersonating at least one, and passing information back and forth, gaining access to data, money, or other sensitive information. The attacker will act as the intermediary for systems and gateways and the attacks can occur over wireless or wired systems (intranets are particularly vulnerable).

A man-in-the-middle attack is a form of eavesdropping in which the attacker impersonates both victims in order to gain access to the “conversation,” which may simply be data or confidential information. The victims of a man-in-the-middle attack do not realize they aren’t actually communicating with the second party, but instead with a malevolent third party that quietly relays the traffic between them.

A common form of these attacks occurs via unsecured wireless connections or vulnerable servers, where data can be intercepted because there is no mutual authentication. Many security protocols therefore include endpoint authentication, such as security certificates, to thwart man-in-the-middle attacks.

How to Detect a Man-in-the-Middle Attack

Detecting these attacks can be extremely difficult, especially if the attacker has the expertise to mimic both parties’ security safeguards. Commonly, malware will provide an entry point into a victim’s browser so that data can be intercepted. With control over a victim’s browser, the attacker can create fake sites that mirror the look of legitimate banking or retail pages so that sensitive user credentials and information can be stolen.

Perpetrators often use sophisticated man-in-the-middle attack tools, especially in intranet environments with ARP spoofing capabilities (where an attacker sends false Address Resolution Protocol messages to link their MAC address with a legitimate IP address on the network), so that communications between hosts can be intercepted. Other man-in-the-middle attack tools include:

  • Cain & Abel

  • Dsniff

  • Ettercap

  • PacketCreator
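The ARP spoofing described above leaves a recognisable trace on the wire: the same IP address suddenly answers from a different MAC, or one MAC starts claiming several IPs (typically the gateway plus the victim). The following Python monitor, an added example that is not code from the original post or from any of the tools listed, flags those signatures from a constructed stream of ARP "is-at" replies. The sample replies, the hypothetical trusted-binding table and the alert names are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: ARP "is-at" replies as (timestamp, sender_ip, sender_mac).
# Records 3 and 4 show one unknown MAC claiming both the gateway and a workstation,
# the classic pattern of an attacker poisoning both ends of a conversation.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation, legitimate
    (3, "192.168.1.1", "DE:AD:BE:EF:00:99"),   # gateway IP now claimed by another MAC
    (4, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
]

# Hypothetical static table of bindings an administrator has pinned for critical
# hosts such as the default gateway (the kind of protection static ARP tools offer).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and records suspicious changes."""

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.seen = {}                       # ip -> last MAC observed for it
        self.ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()  # normalise case so aa:bb and AA:BB compare equal
        # 1. A pinned host answering from the wrong MAC is the strongest signal.
        expected = self.trusted.get(ip)
        if expected is not None and mac != expected:
            self._alert(ts, "TRUSTED_MISMATCH", ip=ip, expected=expected, seen=mac)
        # 2. Any IP whose MAC changes mid-session deserves a look.
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            self._alert(ts, "BINDING_CHANGED", ip=ip, old=prev, new=mac)
        self.seen[ip] = mac
        # 3. One MAC claiming several IPs is how both ends of a conversation get poisoned.
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            self._alert(ts, "MAC_CLAIMS_MULTIPLE_IPS", mac=mac,
                        ips=sorted(self.ips_by_mac[mac]))

    def _alert(self, ts, kind, **details):
        self.alerts.append({"ts": ts, "kind": kind, **details})


def analyze(replies, trusted=None):
    """Feed a sequence of (ts, ip, mac) replies through a monitor and return its alerts."""
    mon = ArpMonitor(trusted)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts


def alert_kinds(alerts):
    """Distinct alert types raised, sorted for stable comparison."""
    return sorted({a["kind"] for a in alerts})


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

In a real deployment the reply tuples would come from a packet capture on the segment being watched; the binding-change rule on its own will also fire on legitimate events such as a NIC replacement or a DHCP lease moving to another device, which is one reason a pinned table for the gateway is the more reliable of the three checks.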

Another vulnerability arises from insecure tags used for marketing and analytics. Though many site administrators and marketers use tag managers to deploy tags, without proper monitoring these third-party tags can add tags of their own that might not be secure. Most sites are served over HTTPS and are considered secure against sniffers and man-in-the-middle attacks, but when such a site loads insecure (plain HTTP) tags via these redirects or piggybacks – triggering a mixed-content warning – the unencrypted content is exposed to malicious actors.
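The mixed-content problem above can be checked for before a browser ever raises the warning: scan the served HTML of an HTTPS page for resources that are fetched over plain HTTP. The following Python scanner is an added example, not code from the original post, and the sample page, hostnames and severity labels are constructed for illustration. It separates active mixed content (scripts, frames, stylesheets, which let an attacker run code or rewrite the page) from passive mixed content (images and media, which can only be read or swapped).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose insecure load lets an attacker run code or rewrite the page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Tags whose insecure load only exposes or alters the displayed resource.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page: a tag manager has pulled in a third-party tracker
# over plain HTTP, and one banner image is also fetched insecurely.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="https://tags.example.test/manager.js"></script>
<!-- tag injected by a third party via the tag manager (constructed) -->
<script src="http://tracker.example.test/pixel.js"></script>
</head><body>
<img src="http://images.example.test/banner.png">
<img src="//images.example.test/logo.png">
<iframe src="/embedded/widget.html"></iframe>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collects every sub-resource an HTTPS page loads over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            self._check(tag, ACTIVE[tag], attrs, "active")
        elif tag in PASSIVE:
            self._check(tag, PASSIVE[tag], attrs, "passive")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check(tag, "href", attrs, "active")  # CSS can restyle the whole page

    def _check(self, tag, attr, attrs, severity):
        url = attrs.get(attr)
        # urlparse lowercases the scheme, so "HTTP://" is caught too; relative and
        # protocol-relative ("//host/...") URLs inherit HTTPS and are not flagged.
        if url and urlparse(url).scheme == "http":
            self.findings.append({"tag": tag, "attr": attr, "url": url,
                                  "severity": severity})


def scan(html, page_url):
    """Return mixed-content findings for a page; only HTTPS pages can have any."""
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def worst_severity(findings):
    """'active' outranks 'passive'; None when the page is clean."""
    kinds = {f["severity"] for f in findings}
    if "active" in kinds:
        return "active"
    return "passive" if kinds else None


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, "https://shop.example.test/checkout"):
        print(f["severity"], f["tag"], f["url"])
```

Run it against the HTML a page actually serves (after the tag manager has executed, since piggybacked tags are often injected by script rather than present in the static markup), and treat any active finding as a release blocker; modern browsers block active mixed content outright, so the tracker in the sample would silently fail in production as well as undermine the page's security.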

While there are intrusion detection systems, often the best defense against these attacks is to not allow them to occur in the first place.

How to Mitigate a Man-in-the-Middle Attack

Other than avoiding public networks for the transmission of sensitive or confidential data, there are several strategies that can be deployed. As mentioned previously, intrusion detection systems (IDS) will monitor network transmissions and provide alerts should a breach occur. However, because of the sophistication of many IT teams, there are often false positives, which sometimes leads to these systems being underutilized.

Similarly, there are tools to prevent man-in-the-middle attacks, such as advanced address-resolution tools (like XArp and ArpON). Additionally, one can implement Dynamic Host Configuration Protocol (DHCP), which aims to prevent ARP spoofing.

One of the more effective ways to mitigate a man-in-the-middle attack is the use of VPNs (virtual private networks), which create secure and encrypted tunnels for accessing organizational networks over wireless networks.

These strategies are, of course, in addition to good website data governance policies, active tag monitoring, and process auditing.

[Ghostery]

October 10, 2016
