
Top four best practices to avoid man-in-the-middle attacks

Tuesday, Feb 04, 2014


It seems like only a few years ago that man-in-the-middle (MITM) attacks, and their malware-based variant, man-in-the-browser (MITB), were the big security news. This attack vector changed how financial services organizations approach cyber security. In 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance stating that single-factor authentication was inadequate for high-risk online banking transactions and calling for stronger, multi-factor authentication. In 2011, the FFIEC updated that guidance again as other verticals began to experience MITM challenges. While this attack vector has not quite received mainstream notoriety, I suspect it will flourish in a multitude of industries in 2014 and beyond.

As a refresher, a MITM attack occurs when a malicious actor inserts themselves between two parties who believe they are communicating directly, typically via a compromised system that both sides trust (a network hop, a proxy, or the victim's own browser in the MITB case). The attacker relays the traffic so the session appears to work normally, while reading and, when it suits them, altering what passes through. For example, Alice believes she is speaking with Bob, but Chris is listening in and manipulating the conversation, and Bob in turn believes Chris's messages came from Alice.
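To make the Alice, Bob and Chris exchange concrete, here is an added example in Python (not from the original post). Alice and Bob agree on a session key with an unauthenticated Diffie-Hellman exchange, and Chris, sitting on the path, negotiates a separate key with each of them, so he can decrypt Alice's message, alter it and re-encrypt it for Bob without either side noticing. Re-running the same exchange with each party's public value authenticated by an HMAC under a secret they shared out of band shows the substitution being rejected. The prime, the pre-shared key and the message are assumptions chosen for readability, and the stream cipher is a toy, not something to deploy.

```python
"""Added example: an unauthenticated key exchange being hijacked by a third party,
then the same exchange with the public values authenticated. Not from the post."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (assumption: small for readability, not a production group)
G = 3
PSK = b"secret Alice and Bob exchanged out of band"   # assumption for the authenticated case


def dh_keypair():
    """Private exponent and the public value g^x mod p that goes on the wire."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def auth_tag(pub):
    """HMAC over a public value under the pre-shared key; only Alice and Bob can make these."""
    return hmac.new(PSK, pub.to_bytes(16, "big"), "sha256").digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream. Encrypt and decrypt are the same."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run(authenticated, mitm):
    """Return what Bob ends up reading, or None if the handshake was rejected."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if mitm:
        # Chris replaces each side's public value with his own. He can forward the
        # original tags, but cannot produce a tag for c_pub without the PSK.
        c_priv, c_pub = dh_keypair()
        alice_gets = (c_pub, auth_tag(b_pub))
        bob_gets = (c_pub, auth_tag(a_pub))
    else:
        alice_gets = (b_pub, auth_tag(b_pub))
        bob_gets = (a_pub, auth_tag(a_pub))

    if authenticated:
        # Tags are only checked in the authenticated variant of the exchange.
        for pub, tag in (alice_gets, bob_gets):
            if not hmac.compare_digest(tag, auth_tag(pub)):
                return None   # peer value does not carry a valid tag: abort the handshake

    k_alice = shared_key(a_priv, alice_gets[0])
    k_bob = shared_key(b_priv, bob_gets[0])
    message = b"Pay 100 USD to account 1234"   # constructed sample message
    wire = xor_stream(k_alice, message)

    if mitm:
        # Chris holds one key with each side: decrypt, alter, re-encrypt.
        k_with_alice = shared_key(c_priv, a_pub)
        k_with_bob = shared_key(c_priv, b_pub)
        plain = xor_stream(k_with_alice, wire)
        wire = xor_stream(k_with_bob, plain.replace(b"1234", b"9999"))

    return xor_stream(k_bob, wire)


if __name__ == "__main__":
    for auth in (False, True):
        for attack in (False, True):
            print(f"authenticated={auth} mitm={attack}: {run(auth, attack)!r}")
```

The point the four runs make is that encryption alone does not help: Alice's session is encrypted in every case, but without authentication of the peer's key-exchange value she has no way to tell whether the other end is Bob or Chris. Real protocols bind the exchange to a certificate or a pre-shared key for exactly this reason.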

Many times businesses are unaware that a session or its data has been tampered with until it is much too late. Attackers also use targeted malware to open the communications channel, with the aim of turning infected hosts into zombie machines and building large networks of compromised systems. Cybercriminals most often target intellectual property and financial information (card numbers, account credentials and the like). When a MITM attack succeeds, the organization suffers negative brand perception, reduced customer confidence and, ultimately, damage to its bottom line.

Information security professionals will see the MITM trend grow in the coming years as it becomes more widely favored by cybercriminals. One reason for its popularity is that once a user's session has been hijacked, the criminal has direct access to all of the data transmitted within it, with no need to break the encryption or guess a password. This can be detrimental for a business, as many employees send critical information via email and across the network. To make matters worse, MITM attacks are extending to IM, SMS and other forms of communication.

Email is where MITM-style fraud is growing fastest, with interception of SSL/TLS-protected sessions following close behind. In December 2013, the Federal Bureau of Investigation (FBI) issued a press release warning about MITM attacks, in an attempt to educate the public on how to protect themselves against this increasingly popular threat. The alert stated that no fewer than three U.S. companies in a single region had fallen victim to the attack, with estimated losses of approximately $1.65 million.

To further complicate matters, not only are general employees often unaware of the danger, but many IT staff members simply do not have the expertise needed to identify and thwart these attacks. Specialized security professionals are needed to detect the threat early and report it to the appropriate parties internally. Companies with limited resources often cannot put threat intelligence in front of executive management until the data has already left the building.

In addition, as more organizations rely on mobile devices to conduct daily business, MITM attacks will broaden to encompass mobile as well. Just last October, the Apple iMessage protocol was reported to be vulnerable to MITM and spoofing attacks. The traveling businessperson, working from networks the organization does not control, is a prime target for those looking to intercept valuable data that can be turned into a lucrative profit.

To help organizations avoid becoming the next headline by falling victim to a MITM attack, I have prepared the following four best practices:

  1. Implement a comprehensive email security solution with the ability to detect malicious activity in real time. As previously mentioned, many organizations do not have the security staff needed to monitor for and detect MITM attacks. It is therefore imperative to have technology embedded in your security architecture that minimizes the risk of a MITM breach with minimal human involvement, inspecting inbound and outbound mail for spoofed senders, malicious links and attachments before a user ever sees them.
  2. Implement a web security solution with the ability to detect malicious and anomalous activity in real time. This gives you visibility into the web traffic generated by both systems and end users at the protocol and port layers, including the SSL/TLS sessions that MITM attackers target. Many organizations lack dedicated threat intelligence and forensics teams; embedding this tool into your architecture gives you broad and deep visibility across the organization, so that an interception can be spotted as an anomaly rather than discovered after the loss.
  3. Educate employees. This is a tip we give for many types of attack, and it is definitely valid here as well. Prepare your workforce for these attacks by educating them on the dynamics, patterns, samples and frequency of the methods attempted against other organizations. Case studies are a valuable resource when putting together educational materials and awareness programs, and making the training relevant to the employee's own role is key to its effectiveness.
  4. Check your user credentials often. Make sure passwords are strong, unique and updated at least every three months, so that a captured credential has a limited useful life and is harder to crack. Keep in mind that rotation alone does not stop an attacker who already holds a live session; pair it with the kind of two-factor authentication the FFIEC guidance calls for in online banking, so that a stolen password is not enough on its own.
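As an added illustration of practice 2, and of the SSL channel manipulation mentioned earlier, here is a small Python detector (not from the original post or any Websense product) that runs over a constructed sample of what a web gateway could log for each TLS handshake: client, server name, certificate issuer and leaf-certificate fingerprint. It raises two kinds of alert: a pinned host presenting a certificate outside its expected set, and a host whose certificate differs for a minority of clients, which is the pattern you see when some users' sessions are being terminated by an interloper. The log format, host names, issuer names and fingerprints are all assumptions. One caveat a practitioner will want: if you run an authorized TLS inspection proxy, its certificates must be in the expected set, or every session it intercepts will alert.

```python
"""Added example: flag TLS sessions whose server certificate does not match what other
clients see or what the security team has pinned. Sample log and values are constructed."""
import shlex
from collections import defaultdict

# Constructed sample of per-handshake gateway records (assumed format):
# timestamp  client_ip  server_name  "issuer CN"  leaf_cert_sha256 (truncated)
SAMPLE_LOG = """\
2014-02-04T09:12:01Z 10.1.4.22 bank.example "Example Trusted CA" 3fa9c2d1
2014-02-04T09:12:05Z 10.1.4.23 bank.example "Example Trusted CA" 3fa9c2d1
2014-02-04T09:13:10Z 10.1.4.40 bank.example "Coffee Shop Proxy" 77e0b1aa
2014-02-04T09:14:00Z 10.1.4.22 mail.example "Example Trusted CA" 91c04eb2
2014-02-04T09:14:20Z 10.1.4.23 mail.example "Example Trusted CA" 91c04eb2
2014-02-04T09:15:30Z 10.1.4.40 mail.example "Coffee Shop Proxy" 0d5e17f3
2014-02-04T09:16:02Z 10.1.4.51 wiki.example "Example Trusted CA" c2b7d4e8
"""

# Fingerprints the security team expects for its highest-value hosts (assumption).
# An authorized inspection proxy's certificate for these hosts belongs in this set too.
PINS = {"bank.example": {"3fa9c2d1"}}


def parse(line):
    """Split one record; shlex keeps the quoted issuer name as a single field."""
    ts, client, host, issuer, fp = shlex.split(line)
    return {"ts": ts, "client": client, "host": host, "issuer": issuer, "fp": fp}


def detect(log_text, pins):
    """Return alert tuples (rule, client, host, detail) for the given log text."""
    alerts = []
    seen = defaultdict(lambda: defaultdict(set))  # host -> fingerprint -> clients that saw it

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        seen[rec["host"]][rec["fp"]].add(rec["client"])
        # Rule 1: a pinned host presenting a certificate outside its expected set.
        if rec["host"] in pins and rec["fp"] not in pins[rec["host"]]:
            alerts.append(("pin-mismatch", rec["client"], rec["host"], rec["issuer"]))

    # Rule 2: a host whose certificate differs for a minority of clients. Everyone
    # talking to the genuine server sees the same leaf certificate; an interloper
    # between a few clients and that server has to present his own.
    for host, by_fp in seen.items():
        if len(by_fp) < 2:
            continue
        majority = max(len(clients) for clients in by_fp.values())
        for fp, clients in by_fp.items():
            if len(clients) < majority:
                for client in sorted(clients):
                    alerts.append(("odd-cert", client, host, fp))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, PINS):
        print(*alert)
```

On the sample, every alert points at the one client behind the "Coffee Shop Proxy" issuer, which is what a hotel or cafe network interposing its own certificate looks like from the gateway. Rule 2 is a triage signal rather than proof: a server mid-way through a certificate rotation, or a site served from several nodes with different certificates, will also trip it, so pair it with the pin list for the hosts where a false negative is expensive.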

Modern cyberattacks are becoming increasingly sophisticated and difficult to detect. Arming yourself with the most current email security solutions, web traffic visibility solutions, educating your workforce on the existence of this threat and checking your credentials often will definitely help safeguard your data. Do your IT team a favor and speak to your company’s decision makers about implementing these tips in the near future.

Has your company witnessed a MITM attack? If so, we would love to hear your story. Please feel free to leave us a comment below. And as the FBI advises, please report incidents to the Internet Crime Complaint Center (IC3) at www.ic3.gov. For additional questions/concerns, you may also reach out to one of our expert security professionals at the Websense Office of the CSO by sending an email to CSOs@websense.com.