What is a MITM attack and how can you protect yourself against it?

The most famous case of a MITM attack dates back to 2015, when Europol dismantled a group of 49 “cyber fraudsters”. Those hackers operated by intercepting communications between certain businesses and their clients across Europe, causing victims to unawarely transfer money to illegitimate bank accounts. In 2021, a year marked by an increase in cyberattacks, there is a need for special vigilance regarding those “Man-in-the-Middle” attacks. How do they take place? How to defend your company against them?

What is a MITM cyberattack?

To effectively protect yourself from cyberattacks, you still need to know how to define them. MITM attacks include a wide variety of cyber attacks. They effectively designate all the situations where a third party intercepts communications between two systems, without their users being aware of the situation.

Definition of “Man-in-the-Middle” attacks

In its online cybersecurity glossary, the US National Institute of Standards and Technology (NIST) defines MITM as a “an attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them”.

The NIST further specifies that the actors hacked in an MITM attack are not aware of the attack, because the connection between the computer systems is maintained. The attacker replaces the stolen elements with others, or restores them once the theft is complete.

In any case, the hacker takes encrypted exchanges and deciphers them. They also pose as the legitimate interlocutor. This way, the victims think they are communicating with someone they trust. They actually interact, actively or passively, with the hacker.

Man-in-the-Middle attacks: a typology

This same government agency further explains that the most well-known MITM attacks fall under what is called “ARP poisoning”, or “ARP spoofing.” The hacker uses the ARP address resolution protocol to attack a local network – often Ethernet or WiFi. Then, they proceed to hijack the information exchange flow between devices and their gateways, be they internet boxes or routers.

There are several types of MITM attacks:

• ARP poisoning;
• DNS poisoning. Reminder: DNS (Domain Name System) translate website domain names into IP;
• Denial of service (DDoS)
• Mail squatting, during which the hacker intercepts messages using malware installed on the mail server. Those attacks are sometimes led through “packet analyzer” software that reads data from local networks. The hacker then accesses encrypted emails, and deciphers the cryptographic keys.
• Packet sniffing consists in accessing the victim's confidential data, for example by spying on his audio and video devices;
• Packet injection: the hacker injects packets in the form of malware into their victim’s device so as to hack their communication networks.

Which companies are targeted by MITM attacks?

MITMs target all companies, SMEs as well as large groups. Cybercriminals may try to steal sensitive data in order to blackmail the general management, much like with ransomware. They can also try to steal funds, for example through identity theft.

This explains why Man-in-the-Middle attacks rely in particular on professional messaging, instant messaging, banking applications, business software, virtual data rooms and online meetings. Information exchanges around M&A transactions also represent prime targets.

What are the consequences of a MITM attack?

MITMs target your communications in order to hack bank accounts, steal confidential data in exchange for ransom, or sell your data to the highest bidder. The motivations behind a MITM attack often are financially driven.

Man-in-the-Middle attacks can also be part of unfair competition tactics or political sabotage. Indeed, the stakes might be to access a company's client data. This way, a competitor is in capacity to spy on your content, and find a flaw that could expose you publicly.

How does a cyberattack by MITM work?

To fully understand Man-in-the-Middle attacks, here are four simple examples:

• Example 1: You think you are sending emails to your service provider, but a hacker really has infiltrated their email account. Then, you provide them with confidential information about your upcoming projects. At the same time, you are unaware of giving this data to a hacker, who can then resell it to the competition.
• Example 2: You are waiting at a train station and you connect your office computer to a public WiFi network. This actually happens to be a malicious network, despite its legitimate appearances. All the information you send over this network is ultimately intercepted by hackers.
• Example 3: You connect to the website of your company's bank to make a transfer to a service provider. The hackers have made a copy of this website, which you connect to with confidence. The hackers then obtain your company's banking data, as well as its login credentials. This is the typical scenario of MITM attacks of IP spoofing, or ARP / DNS spoofing.
• Example 4: During ordinary web browsing, you have accepted the cookies of several websites. Hackers take them and use them to log into your various online accounts, including your work email account. They are now able to send messages and claim money on your behalf.

What preventive measures should you take?

There are many measures to protect your company against Man-in-the-Middle attacks, from the most basic to the most sophisticated. The first step is to enforce internal good IT practices within your company.

Train your staff to adopt safe IT behaviour

Your teams can apply some basic precautions against MITM attacks:

• A firewall constitutes a good protection when using public WiFi networks. If your employees often use this type of network, the best solution however remains to use a VPN, (Virtual Private Network).
• Accept all updates to your cybersecurity software.
• Make sure that the websites you visit have certificates of authenticity, the “https” protocol and the padlock icon in their URLs.
• If your employees use smartphones a lot in their daily work, get a smartphone antivirus.

Opt for technologies which will fend off Man-in-the-Middle attacks

From a software perspective, the first step is to secure your web connections, for instance, use an encryption solution for your internet browsing. This approach is part of a general logic of adopting “public key infrastructures”, or PKI. These technologies secure networks through authentication, certification and encryption methods.

If this is not yet the case, your company has every interest in upgrading its website from HTTP protocol to HTTPS protocol. This will encrypt the web connection between your server and other user devices. You must use an SSL / TLS certificate for this. Without authentication certificates, access to your terminals and computer networks is rendered impossible.

The cryptography of your digital signatures certify that emails you send genuinely come from you. There are several standards for digital signatures formatting, such as Multipurpose Internet Mail Extensions (MIME). Email signatures protect against email content tampering: it can no longer be modified.

So that the content of emails cannot be modified, or even read, it is advised, in addition to electronic signature, to encrypt your messages. Doing so, your emails can no longer be intercepted. Your official contact needs to be given a key to be able to read them.