What is a Man in the Middle Attack, and How Do I Prevent It?

March 5, 2019 Eric Dosal Eric Dosal

Modern technologies such as Wi-Fi networks have created enormous convenience for businesses. The ability to connect computers and other assets to a network without having to run data cabling to every workstation simplifies setting up new workers and workstations. However, Wi-Fi access points have also created a new avenue for cyberattacks against corporate networks.

Attackers who can get physically close enough to your company’s Wi-Fi routers can use them to get onto your network—compromising your cybersecurity. Worse yet, “close enough” may be as far from your office as the building’s parking lot, depending on the equipment involved. Savvy attackers have been known to get around the protections on network devices using man in the middle attacks (sometimes abbreviated as MITM attacks).

What are man in the middle attacks, how do they work, and how can your business manage these cyber threats?

A Brief Explanation of Man in the Middle Attacks

The term “man in the middle attack” refers to a type of cyberattack where the attacker intercepts communications made by an organization’s users. As noted by Computer Weekly, man in the middle attacks can occur “at the Intranet and Internet levels,” and are one of the most dangerous cyberattack types because “you may not even realize that you are affected since the attack is more or less passive in nature.”

A common strategy for this kind of cyberattack is for the attacker to attempt to spoof the address resolution protocol (ARP) for a given network. Once the spoofed ARP is ready, the attacker uses it to filter all of the communications between users and the access point. Then, they can simply sit back and collect data passively until they have everything they want.

The alternative MITM attack method—the “internet” attack—hijacks communications between users and an unsecured version of a website that lacks Secure Socket Layer (SSL) or similar protection method (or during the transition from an unsecured version of a site to the secure version). They can then intercept all of the data that the victim shares to the website.

Threat Management Strategies for Man in the Middle Attacks That Hijack Wi-Fi Connections

One of the most terrifying things about MITM attacks is that they can easily bypass many conventional network security measures. For example, many businesses use passwords for their wireless network access points. While this may keep an attacker from simply logging into the network directly, it won’t stop a man in the middle attack.

Why? Because, if the attacker poses as a network connection point and intercepts a legitimate user’s access attempt, they will capture all of the authentication data the user sends—including router passwords and authentication tokens. Or, if they manage to set up as an intermediary between the access point and the network’s users, they can just keep copying whatever data those users are attempting to process.

Some things you can do to thwart MITM attacks that hijack your Wi-Fi network include:

  • Using Data Encryption. While encrypting data won’t stop an attacker from setting up their own fake access point, it can keep them from immediately leveraging that data. So long as the attacker does not acquire the encryption key, they will be unable to interpret the data. Given enough time, the key can be broken, but the delay gives your organization time to identify the breach and act to mitigate the potential damage the breach can cause.

  • Enabling Static ARP Entries. One MITM mitigation strategy is to enable static address resolution protocol (ARP) entries for the local area network to use. This helps to prevent MITM attacks by keeping attackers from being able to send random requests and get replies. Instead, the local network devices will use cached information to connect to the network.

  • Using an IDS Solution. A common symptom of man in the middle attacks is a sudden decrease in network performance as the attacker filters network traffic through their fake access point. Intrusion detection systems (IDSs) can help companies identify potential cyberattacks in progress by monitoring network activity and performance statistics. These alerts can help to apprise the network security team of the cyberattack so they can stop it.

Threat Management for Internet-Based Man in the Middle Attacks

Online man in the middle attacks can be tricky to stop. A few mitigation strategies include:

  • Educating Employees to Verify Secure Connections. Employees may not be aware of the network security risks of connecting to an outside site and entering private information before verifying that it is secure. Providing cybersecurity awareness training to ensure that employees know to check for a “secure connection” verification in their web browser’s address bar can help prevent accidental data leaks.

  • Using Virtual Private Networks. Virtual private networks, or VPNs, can help protect remote connections by encrypting communications and passing them through the VPN’s servers. This can help to prevent attackers from intercepting communications (or at least ensuring that intercepted communications are not immediately decipherable).

  • Limiting User Access Privileges. Part of the goal of a man in the middle attack is to collect the victim’s access credentials. When successful, they can then use those credentials to access any assets on the network that the victim could access. So, a basic strategy for mitigating the effect of a MITM attack is to limit the access privileges of users on the network. In fact, utilizing a policy of least privilege (POLP) is a good idea in general for mitigating network security risks from insider threats.

Need help protecting your business against man in the middle attacks and other cyber threats? Contact the experts at Compuquip to learn more about how you can improve your threat management today!

back-to-cybersecurity-basics

cdo-guide-to-omnichannel-security