Oct 13 2023

How To Detect and Prevent ‘Man in the Middle’ Attacks

MITM attacks have been around for years, but IT leaders and users still must be wary of their hallmarks and practice good cyber hygiene to prevent them.
Although “man in the middle” cyberattacks have been around for a long time, they continue to be a scourge to IT leaders and professionals charged with protecting organizations’ cybersecurity.

A survey on SSL/TLS certificate security conducted by consulting firm Enterprise Management Associates found that nearly 80 percent of TLS certificates on the internet are vulnerable to MITM attacks, while as many as 25 percent of all certificates are expired at any given time.

With many employees continuing to work hybrid schedules and potentially using unsecured public Wi-Fi networks to conduct business, they remain vulnerable to MITM attacks. During such attacks, malicious actors intercept communication between two parties; the attackers capture sensitive data and can also alter that data, potentially relaying inaccurate information between the two.

“MITM attacks are as old as time, and are basically the first thing you might think of when you think of hacking: ‘What if I intercept and read or alter these private communications?’” says Christopher Rodriguez, research director at IDC’s security and trust group.


What Are “Man in The Middle” Attacks?

A MITM attack is one in which a “listener” is placed in the communication pathway between two devices or services, typically between a user’s endpoint and an internet service, says Jon France, CISO of (ISC)², a nonprofit cybersecurity association.

“The listener captures the traffic (both from the user and service) and stores or forwards it to the attacker; importantly, it passes the traffic on so the ‘conversation’ between devices continues,” France says. “Occasionally, the listener will change information to the attacker’s advantage, such as security information.”


What Are the Signs of a “Man in The Middle” Attack?

MITM is “more of a type of attack than a particular attack,” Rodriguez notes, meaning that there are a few ways of accomplishing a MITM attack.

Depending on the type of attack, IT leaders and professionals might see evidence of a third party intercepting traffic via network logs and analysis. Unfortunately, Rodriguez says, it’s very likely that organizations “would first notice signs of compromise through the discovery of data theft, unauthorized access or a ransom note.”

France says that other hallmarks of a MITM attack include “unexplained information leakage, slow communications — the MITM device may be slow or diverting traffic long distances — or an unusually high number of network hops.”
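The hallmarks France lists, slower communications and an unusually high number of network hops, can be turned into a simple baseline check over periodic path measurements. The following is an added example, not code from the article or from IDC, (ISC)² or CDW; the log format, destinations, values and thresholds are all constructed assumptions to be tuned against your own history.

```python
import re
from collections import defaultdict
from statistics import mean
# Constructed sample path measurements; the log format and values are assumptions.
SAMPLE_LOG = """\
2023-10-13T09:00:01Z dst=mail.example.com hops=9 rtt_ms=38
2023-10-13T09:05:01Z dst=mail.example.com hops=9 rtt_ms=41
2023-10-13T09:10:01Z dst=mail.example.com hops=10 rtt_ms=40
2023-10-13T09:15:01Z dst=mail.example.com hops=9 rtt_ms=37
2023-10-13T09:20:01Z dst=mail.example.com hops=10 rtt_ms=44
2023-10-13T09:25:01Z dst=mail.example.com hops=17 rtt_ms=190
2023-10-13T09:00:02Z dst=crm.example.com hops=12 rtt_ms=55
2023-10-13T09:05:02Z dst=crm.example.com hops=12 rtt_ms=58
2023-10-13T09:10:02Z dst=crm.example.com hops=13 rtt_ms=60
"""
LINE_RE = re.compile(r"^(\S+) dst=(\S+) hops=(\d+) rtt_ms=(\d+)$")

def parse_log(text):
    """Return (timestamp, dst, hops, rtt_ms) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            ts, dst, hops, rtt = m.groups()
            records.append((ts, dst, int(hops), int(rtt)))
    return records

def flag_anomalies(records, baseline_n=4, hop_delta=3, rtt_factor=3.0):
    """Per destination, learn a baseline from the first baseline_n records (assumed
    clean); flag later ones whose path grew by more than hop_delta hops or whose
    RTT exceeds rtt_factor times the baseline mean. Returns (ts, dst, reason)."""
    by_dst = defaultdict(list)
    for rec in records:
        by_dst[rec[1]].append(rec)
    alerts = []
    for dst, recs in by_dst.items():
        base = recs[:baseline_n]
        if len(base) < baseline_n:
            continue  # too little history to judge this destination yet
        base_hops = mean(r[2] for r in base)
        base_rtt = mean(r[3] for r in base)
        for ts, _, hops, rtt in recs[baseline_n:]:
            reasons = []
            if hops > base_hops + hop_delta:
                reasons.append(f"hops {hops} vs baseline {base_hops:.1f}")
            if rtt > rtt_factor * base_rtt:
                reasons.append(f"rtt {rtt}ms vs baseline {base_rtt:.1f}ms")
            if reasons:
                alerts.append((ts, dst, "; ".join(reasons)))
    return alerts
```

A longer path or latency alone does not prove interception (routing changes and congestion look the same), so treat an alert as a prompt to inspect the route and the certificates presented on it, not as a verdict.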

How to Better Prevent “Man in the Middle” Attacks

MITM attacks are not a novel concept even if they persist, Rodriguez says, and some well-known security best practices already exist to prevent them.

“For anyone using the web, you’d want to ensure that any website that involves sensitive information is using HTTPS,” he says. “These days, most serious websites now use HTTPS to protect communications, but it’s always a good idea to keep your eyes open for the lock symbol in the address bar.”

For employee access, Rodriguez says, using a VPN is “a great way to secure your communications against intruders that have already gained network access.”

In both cases, he says, public Wi-Fi is a particularly vulnerable threat vector that should be protected by VPN usage.

Today, modern zero-trust network architecture solutions can protect users no matter where they are located. “Since a MITM attack could lead to stolen credentials, it’s important to have a robust identity management practice that includes multiple authentication methods,” he adds.

France notes that end-to-end encryption is a solid prevention method for digital services, “as even a network listening device will not be able to decipher the information flowing through it.”

“Of course, good network management is also vital, as well as endpoint protections, as the listening ‘device’ could also be malware on the endpoint,” France says.


How Can Your Organization Learn about “Man in the Middle” Attacks?

There are several ways that IT leaders can educate their organization’s employees about MITM attacks. Users should be advised to “be on the lookout for slow and unresponsive services” and “know how to raise a concern to the relevant team,” France says.

There should also be efforts to train users on good cyber hygiene around endpoints and educate users about the importance of installing appropriate security software, France says.

“With MITM, the onus has mostly been on the IT organization to provide a baseline level of protection,” Rodriguez adds. “That includes basic security hygiene such as removing default passwords and hardening network infrastructure, active protections such as intrusion prevention systems, and continued monitoring and analysis (security information and event management/security analytics).”

However, Rodriguez says, there are also some things that users should keep in mind, such as the importance of using VPNs and multifactor authentication. “It’s also important to be wary of unsolicited messages, whether email, SMS, or other communications, because malicious links can redirect users to compromised or spoofed websites,” he says.
