ISMS Essentials: MITM/Man-In-The-Middle Signs and Symptoms
MITM or man-in-the-middle is a form of cyber attack involving communications interception. It is a sophisticated threat to consider in your ISMS that can affect any exchange of information or connections between local or remote systems.
This short post will look at vulnerabilities regarding email, Wi-Fi and browsing. It will give a broad understanding of how the attack works and simple measures to reduce the likelihood of compromise.
MITM/Man-in-the-middle attacks and the ISMS context
The ISMS helps the organisation to better understand information assets, identify vulnerabilities and implement controls. Our post on the design, build and maintenance of an ISMS describes how it need not be expensive but will take time.
Many security standards and compliance regimes depend on having a management system in place. For example, an ISMS will help to maintain compliance with the NCSC 10 Steps to Cyber Security or the Australian Signals Directorate Essential 8.
Within this framework, man-in-the-middle attacks threaten organisations that need to exchange data, interconnect systems or provide user access. This includes communications and connectivity such as email, internet and wireless access.
Your ISMS and susceptibility to MITM attack
How susceptible you are to being targetted depends on your ISMS strength and the value of your information and systems to the attacker. Attacks are often sophisticated and can require physical access or proximity. Man-in-the-middle attacks are not as indiscriminate as DDoS attacks. The required effort suggests the victim has been deliberately targeted or has been extremely unlucky.
A man-in-the-middle (MITM) attack is the unauthorised interception and potential alteration of communication between two parties by an unauthorised third party.
Once inserted or embedded into the communications stream the attacker can:
- Listen in, observe and steal information or credentials;
- Alter traffic/message content or order details, impersonating one or both parties;
- Insert false information;
- Maintain a “watching brief” for later use.
Attackers might save compromised communications channels in readiness for significant events such as the payroll run, corporate mergers and takeovers. Attackers with grievance motives will want to cause maximum embarrassment, perhaps taking advantage of regulatory penalties and scrutiny as with EU GDPR.
Other types of attack are covered in our short video briefing that you can access here:
MITM/Man-in-the-middle and Email
Consider the potential damage if an attacker gained access to your email traffic. This could be achieved because they have obtained administrator privilege on the network, visibility or access to messages on a local server or passing between organisations. They might also have stolen the authentication credentials of a user in a targeted department.
The attacker could monitor the emails associated with sensitive information such as finance records. They then have the opportunity to convince email recipients to redirect information to the attacker, rather than the organisation. The attacker could pretend to be the Finance Director and send a dummy invoice to “accounts payable” demanding immediate payment!
As a rule, email is not encrypted in transit, although in today’s Internet it is more common to see TLS security being used. However, being a store-and-forward medium the messages can be exposed and readable at any intermediate point.
Some attackers go a step further. Rather than be “in the middle” they opt for a wholesale impersonation. By creating email accounts similar to those of the organisation, and adding a little research (e.g. website testimonials), they can target your customers and obtain information. This is more akin to “spoofing” and our DMARC post gives you some ideas to prevent this.
MITM/Man-in-the-middle and Wi-Fi
Public facing and “guest” Wi-Fi create further vulnerabilities. It is easy to scan for Wi-Fi networks and probe poor security. Poor security includes guessable passwords, credentials unchanged since manufacture or routers with no protection at all. Think of the times you have visited coffee shops and bars that feel obliged to write passwords on the wall. There are even examples where customer Wi-Fi access leads to user devices being recruited into crypto-currency mining.
A laptop or mobile device that has previously connected to a wifi network will often store this and will try again if it sees a network with the same name (like “guest Wi-Fi”). In addition, if many people spot a network entitled “free public Wi-Fi” they will connect to it immediately through choice. They might do this without considering that this access point will then be able to see all the traffic they send which isn’t encrypted.
Even where organisations do not permit physical access to the public on their guest networks, consider that a good wireless router easily exceeds 40m of range indoors, and 90m outdoors. Attackers could scan “off premise” and away from physical security personnel and controls.
Once inside the network or in between the laptop of a user and the Internet, a skillful attacker can see traffic (e.g. emails and web accesses) and sniff credentials. Credentials could be used in later, more direct and intrusive attacks.
Downloads from supposedly safe websites could be tainted with malware on the journey between the site and the user. This can lead to a compromise that might start out remote in nature, but becomes much more worrying and infectious when the same laptop is reconnected to the corporate LAN later that day or week.
MITM/Man-in-the-middle and the Browser
Malware (malicious software) is nothing new, but the use of it to facilitate a man-in-the-middle attack is more recent. The objective will be to deploy malware to a targeted user or computer that can sit between the user and the network or systems they access. Within an ISMS the “people” considerations become important here due to the risk to users of:
- Clicking on suspicious links within emails;
- Inserting devices into terminals (e.g. USB sticks, smart phones etc.);
- Browsing websites likely to carry malware;
- Introducing “shadow IT” to the network;
- Posting “sensitive” information on social media;
- Unwittingly disclosing authentication credentials (e.g. phishing attacks).
However deployed, malware can detect and scrape information related to the user and internet activities as it happens (e.g. a user typing at a keyboard or as a web session connects to websites to download data). The malware will transmit the captured data to the attacker or insert its own content into the browser session for display on the end system. As an example, some malware tools are designed to identify and harvest credentials for online banking, others simply subvert web content to control what the user sees.
You will also hear this man-in-the-middle attack described as “Man-In-The-Browser”.
ISMS tips to avoid the “man-in-the-middle”
Wherever “data in transit” is a feature of the business, it is key to ensure that risks are addressed in your Information Security Management System (ISMS). Try the following to reduce the likelihood of MITM/man-in-the-middle attacks in your ISMS:
- Deploy DMARC (a DNS security technique) to reduce spoofing and phishing;
- Look for “HTTPS” in website URLs;
- For applications and endpoints check for encryption (e.g. Transport Layer Security) and ensure data sent in transit is protected;
- Use Quad9 to reduce malware deployment via browsers;
- Review Wi-Fi security procedures and strength, and educate users about the risk of free public access points;
- Invest in protected remote access solutions such as VPN or SSL-VPN for remote user access to limit the exposure;
- Ensure protective monitoring includes systems like “guest” Wireless Access Points that could be a route of compromise;
- Check malware detection capability and monitoring across all system types.