Defending Against Man-in-the-Middle Attacks

Man-in-the-middle attacks are an insidious form of cyberattack that targets sensitive data in transit. Find out who is the likeliest target and what measures are needed to defend against them easily and effectively.

Petr Pecha

As technology evolves, and with it the way organizations work, so do the methods cybercriminals use to exploit their vulnerabilities. One such offensive technique is the man-in-the-middle (MITM) attack, a cyber threat that targets the very foundation of secure communication.

The concept of the MITM attack can be likened to a spy intercepting your mail, opening it, putting it back in, and resealing the envelope before sending it on. Except instead of infiltrating your local post office with a steaming kettle, the cybercriminal exploits vulnerabilities in digital systems to gain access to sensitive information.

One of the most notable cases of a man-in-the-middle attack was the Superfish adware that came pre-installed on Lenovo laptops. It installed its own root certificate on the machine and used it to intercept HTTPS connections, issuing certificates for any site on the fly, and the same private key shipped on every affected laptop, so anyone who extracted it could impersonate any HTTPS site to those users. This potentially exposed usernames, passwords, and other sensitive information.

A different kind of case was reported in 2015, when the government of Kazakhstan required citizens to install a government-issued root certificate on their devices. A device that trusts such a root accepts certificates minted by the state, which allows state-operated middleboxes to decrypt and inspect internet users’ HTTPS traffic.

This article explains the danger of MITM attacks and how they work, identifies the most likely targets, and suggests countermeasures that organizations can take to protect themselves.

Understanding man-in-the-middle attacks

Man-in-the-middle (MITM) attacks are a type of cyberattack where the attacker intercepts, and sometimes alters, communication between two parties (typically a user and a server) without them knowing.

Once the connection has been spoofed, the attacker relays the communication between the sender and receiver (hence “man-in-the-middle”), which allows them to eavesdrop on the communication, manipulate data, and impersonate one of the parties.

Note that the “attacker” in a MITM attack is often automated tooling (a rogue access point, a proxy, a script) rather than a human performing each step by hand; the human behind it typically just collects the captured data.

Why are man-in-the-middle attacks dangerous?

The danger of MITM attacks stems from the fact that, under the right conditions, they defeat the protection that SSL/TLS encryption, such as used by the HTTPS protocol, is supposed to give. TLS does not fail cryptographically; it only protects against interception if the client correctly verifies who it is talking to, and a middleman that gets itself accepted as the legitimate peer sits inside the encrypted session. In a successful MITM attack, both parties consider the middleman the legitimate sender/receiver.

This allows the attacker to carry out a number of nefarious activities, including:

  • Data interception—The attacker can read sensitive data, including logins and passwords, financial information, or other private information.
  • Data manipulation—The attacker may tamper with the data before relaying it, altering financial transactions or injecting malicious content into otherwise legitimate pages and downloads.

Who is a likely target of man-in-the-middle attacks?

MITM attacks are a danger for anyone sending sensitive data over the internet, but the risk is particularly acute in some sectors.

Financial institutions are at risk because an attacker who intercepts a banking session can harvest login credentials and payment details, or alter transactions in flight.

Social media networks are also a likely target because they handle a large number of user accounts, whose access credentials and private user data can be either sold directly or exploited in another way.

Lastly, government agencies are also at risk, often from state-sponsored hacker groups that conduct MITM attacks as part of cyber espionage or direct acts of cyber warfare.

How man-in-the-middle attacks work

A MITM attack does not break TLS cryptography; it exploits the moment at which the connection is established, when the client has to decide whether the party it is negotiating with is really the server. In general, a MITM attack against an HTTPS connection progresses as follows:

  1. First, the cybercriminal places themself on the path between a user and a server (using one of the network-level techniques described below), so that the user’s connection attempt reaches the attacker instead of the server.
  2. Next, the attacker opens their own connection to the server, which responds with its certificate and negotiates session keys exactly as it would with any client.
  3. The server has no means of telling this client apart from the user, so an encrypted connection is established between the attacker and the server.
  4. The attacker then presents the user with a certificate of their own for the server’s name.
  5. If the user’s client accepts it (because a rogue root certificate has been installed on the device, the application does not validate certificates, or the user clicks through a browser warning), a second encrypted connection is established between the attacker and the user.
  6. The user and server now communicate with the attacker over two separate TLS sessions, while the attacker decrypts each message with one session’s keys, reads or modifies it, and re-encrypts it with the other session’s keys, with full access to the data in between.

A client that validates the certificate properly, rejecting an untrusted issuer or a name mismatch, stops the attack at step 5; this is why the rogue root certificates in the Superfish and Kazakhstan cases mattered. The above-described attack is also known as HTTPS spoofing.

Fig.1 – Mechanism of a man-in-the-middle attack
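Whether the interception above succeeds is decided on the client side, by how strictly the TLS client checks the server’s certificate. The following is an added example, not code from the original article or from GoodAccess: it builds two client contexts with Python’s standard library, the weak one being what a developer gets when “fixing” a certificate error by turning verification off, and audits each. The host name bank.example in the comments is hypothetical, and nothing here opens a network connection, so it runs offline.

```python
"""Client-side TLS settings that decide whether a middleman's certificate is accepted."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: accepts any certificate from anyone.

    PROTOCOL_TLS_CLIENT enables hostname checking and CERT_REQUIRED by default;
    the two lines below switch both off, so a middleman's self-signed
    certificate for "bank.example" (hypothetical host) would be accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What stops the attack: chain validation, hostname match, no old TLS.

    create_default_context() loads the system trust store, requires a chain
    to a trusted root and checks that the certificate name matches the host.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse downgrade to TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise against this context (empty = fine)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (CERT_NONE/OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The weak context is the same mistake as `verify=False` in `requests` or `rejectUnauthorized: false` in Node: it silently accepts step 4 of the attack. Turning verification off to get past a certificate error in testing is the usual route by which this reaches production.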

However, there are other variations of the attack. Common techniques used in MITM attacks include:

  • SSL/TLS stripping—The attacker intercepts the user’s initial plaintext HTTP request (typically the one the server would answer with a redirect to HTTPS) and serves the user an unencrypted version of the web application while talking HTTPS to the server themselves. The user’s browser never establishes TLS, so the attacker sees everything the user sends out. HTTP Strict Transport Security (HSTS), which makes a browser refuse plaintext connections to a site whose HSTS header it has already seen, is the standard countermeasure.
  • ARP spoofing—The attacker sends forged ARP replies on a LAN, telling the victim’s device that the gateway’s IP address belongs to the attacker’s MAC address, and telling the gateway the same about the victim. Both poisoned ARP caches then send their traffic to the attacker, who forwards it on so that the connection keeps working. ARP carries no authentication, so any host on the segment can do this.
  • DNS spoofing—The attacker supplies forged DNS answers, by poisoning a resolver’s cache, by answering queries on a local network before the real resolver does, or by compromising a DNS server and modifying its address records. Users are then directed to the attacker’s own fraudulent websites instead of the original ones.
  • Network eavesdropping—A broad concept that includes techniques like packet sniffing or Wi-Fi eavesdropping. An eavesdropping (sniffing) attack involves an attacker lurking on a network (such as public Wi-Fi), observing the devices that connect, and intercepting their communication.
  • Evil-twin attack—Similar to a sniffing attack, the evil-twin attack targets public Wi-Fi users. The attacker sets up a Wi-Fi hotspot near a legitimate public network (e.g. a café or hotel) under the same name. Regular users, who have enabled “Connect automatically when in range” on their devices, connect to the fraudulent network, which puts the attacker on the path of all their traffic and allows them to execute other techniques, like SSL/TLS stripping, DNS spoofing, and others.
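ARP spoofing leaves a visible trace: an IP address that suddenly answers from a different MAC address, and one MAC address that claims several IPs. The following detector is an added example, not part of the original article; it runs over a few constructed, tcpdump-style ARP reply lines with hypothetical addresses (no real capture data) and keeps the first IP-to-MAC binding it sees as the baseline.

```python
"""Detecting ARP cache poisoning from observed ARP replies."""
import re
from collections import defaultdict

# Simplified tcpdump-style line: "<time> Reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+Reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+(?P<mac>[0-9a-fA-F:]{17})$"
)

# Constructed sample (hypothetical addresses): the gateway 192.168.1.1 is first
# seen at ...:01; then a second host (...:99) starts answering for both the
# gateway and the workstation 192.168.1.20, which is what a poisoning tool does.
SAMPLE_ARP_LOG = """\
10:00:01 Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
10:00:02 Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20
10:00:05 Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99
10:00:05 Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:99
10:00:07 Reply 192.168.1.30 is-at aa:bb:cc:dd:ee:30
"""


def detect_arp_poisoning(log_text: str, gateway_ip: str = "192.168.1.1") -> list[str]:
    """Return alert strings for IPs that change MAC and MACs that claim several IPs."""
    bindings: dict[str, str] = {}          # ip -> first MAC observed (the baseline)
    ips_per_mac = defaultdict(set)         # mac -> set of IPs it has claimed
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue                       # ignore requests and unrelated lines
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = bindings.setdefault(ip, mac)
        if known != mac:
            # A rebind of the gateway is the classic symptom: all off-LAN traffic
            # now goes through the new MAC.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {severity}: {ip} moved from {known} to {mac}")
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{ts} WARNING: {mac} now claims {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG):
        print(alert)
```

Two caveats apply in practice. The baseline is only as good as the first reply seen, so a detector started after the poisoning began will treat the attacker’s MAC as legitimate; seed the gateway binding from a known-good source instead. Legitimate rebinds also happen (NIC replacement, DHCP reuse, VRRP/HSRP failover of the gateway), so the alerts are leads for investigation, not proof on their own.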

How to defend against man-in-the-middle attacks

There are a number of techniques that you or your business can use to defend against MITM attacks. If you have the expertise, you can enforce strict server certificate validation in your own applications, turn on HSTS on your web servers so browsers refuse to talk to them over plaintext, and use DNSSEC for domain resolution to make it harder to tamper with DNS records.
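HSTS is the browser-side answer to the SSL/TLS stripping technique described above: once a browser has seen the header over HTTPS, it upgrades any later plaintext URL for that host itself, so the stripping proxy never receives a request it can downgrade. The following is an added example, not code from the original article or from any browser; it models the part of a browser’s HSTS cache that makes that decision. The header values and host names are constructed, and the real preload list is approximated by a seed entry.

```python
"""A minimal model of a browser's HSTS cache (RFC 6797 semantics)."""
import re
from typing import Optional
from urllib.parse import urlsplit

MAX_AGE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)


class HstsCache:
    def __init__(self, preload=()):
        # host -> (expiry as epoch seconds, includeSubDomains flag);
        # preloaded hosts (constructed stand-in for the browser preload list) never expire.
        self._entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, host: str, sts_header: Optional[str], now: float) -> None:
        """Record a Strict-Transport-Security header seen on an HTTPS response from host.

        Browsers ignore the header on plaintext responses, so only call this
        for responses that actually arrived over TLS.
        """
        if sts_header is None:
            return
        m = MAX_AGE.search(sts_header)
        if not m:
            return                                 # malformed header: ignored
        max_age = int(m.group(1))
        include_sub = "includesubdomains" in sts_header.lower()
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 removes the entry
        else:
            self._entries[host.lower()] = (now + max_age, include_sub)

    def must_use_https(self, host: str, now: float) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if not entry:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue                           # expired entry is ignored
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Apply the internal upgrade a browser performs before sending any request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname or "", now):
            return url.replace("http://", "https://", 1)
        return url


if __name__ == "__main__":
    cache, t0 = HstsCache(), 1_700_000_000.0
    print(cache.rewrite("http://bank.example/login", t0))          # first visit: stays plaintext
    cache.observe("bank.example", "max-age=31536000; includeSubDomains", t0)
    print(cache.rewrite("http://bank.example/login", t0 + 60))     # now upgraded by the browser
```

The first-visit case is the remaining gap: a user who has never reached the site over HTTPS has no cache entry, which is why sites that matter submit themselves to the browser preload list rather than relying on the header alone.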

However, businesses that don’t have trained security experts on staff can still deploy effective MITM-attack countermeasures.

Multi-factor authentication

Multi-factor authentication (MFA) provides a secondary layer of protection to user accounts. If a user’s password is stolen as a result of a MITM attack, the cybercriminal still cannot log in with it alone, as they do not possess the additional authentication factor. One caveat: a middleman that relays the whole login in real time can also relay a one-time code the user types in, so a phishing-resistant factor bound to the site’s origin (FIDO2/WebAuthn security keys or passkeys) gives far stronger protection than SMS or app-generated codes.
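The reason an origin-bound factor survives a relaying middleman is mechanical: the browser writes the origin of the page that requested the assertion into clientDataJSON, the authenticator’s signature covers a hash of that JSON, and the relying party checks the origin before trusting anything else. The following is an added example, not code from the original article or from GoodAccess; it performs the relying party’s clientDataJSON checks (type, challenge, origin) with constructed challenge bytes and hypothetical origins, and leaves out the signature verification that follows in a real relying party because that needs a registered public key.

```python
"""Why origin-bound MFA (WebAuthn) defeats a relaying middleman while OTP codes do not."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       allowed_origins: set[str]) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON; returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    return True, "ok"


def client_data_hash(client_data_json: bytes) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON).

    Because the origin string is inside the signed hash, a proxy cannot edit it
    to the real site's origin without invalidating the signature.
    """
    return hashlib.sha256(client_data_json).digest()


def simulate_login(browser_origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for what the browser puts into clientDataJSON.

    The browser fills in the origin of the page that called
    navigator.credentials.get(); the page's JavaScript cannot choose it.
    """
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": browser_origin,
        "crossOrigin": False,
    }).encode()


RP_ORIGINS = {"https://bank.example"}      # hypothetical relying party

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    # Genuine login from the real site.
    genuine = simulate_login("https://bank.example", challenge)
    print(verify_client_data(genuine, challenge, RP_ORIGINS))
    # Same user, same key, but the page was a relaying proxy on a look-alike
    # domain (hypothetical). The proxy forwarded the real challenge, yet the
    # browser stamped the proxy's origin, and that origin is what gets signed.
    relayed = simulate_login("https://bank-login.example", challenge)
    print(verify_client_data(relayed, challenge, RP_ORIGINS))
```

Contrast this with a TOTP code: it is a six-digit string with no notion of where it was typed, so the proxy simply forwards it to the real site and it is accepted. The origin check is the whole difference.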

End-to-end encryption

End-to-end encryption protects data along the whole path between the two communicating endpoints, so a network-level middleman sees only ciphertext. A VPN tunnel is not end-to-end in the strict sense (it terminates at the VPN gateway), but it encrypts everything between the device and the gateway, which hides user activity from an attacker lurking on an unsecured or public network, the place where the techniques described above are easiest to carry out.

Zero-trust network access (ZTNA)

ZTNA is a network-based security approach that emphasizes continuous verification of users, devices, and the context of each connection. Because every connection is authenticated on both ends and encrypted, it is very difficult to hijack user connections and intercept their traffic. As soon as an anomalous connection attempt is made and the user fails to satisfy the strict authentication conditions, access is denied and/or reported for investigation.

Note that users with admin privileges should not use their admin account for ordinary work. If an everyday account is compromised, the attacker should not inherit the rights needed to install their own root certificate on the device, which is what makes HTTPS interception silent.

Read this article for more information on the key principles and architecture of ZTNA.

Wrapping up on man-in-the-middle attacks

MITM attacks are a dangerous type of cyberattack that targets data in transit. Cybercriminals use MITM attacks either to steal sensitive information or tamper with data, most often for financial gain.

MITM attacks are dangerous because, when the client does not properly verify whom it is talking to, they defeat the protection that SSL/TLS encryption is meant to provide.

Organizations that are at an elevated risk of a MITM attack include:

  • Financial institutions
  • Social media networks
  • Government institutions.

Defensive and mitigating strategies against this attack are multi-factor authentication (ideally a phishing-resistant factor), end-to-end encryption, and zero-trust network access with least-privilege access, together with never using an admin account for normal work so that a compromised account cannot be used to install a rogue root certificate.

How does GoodAccess help defend against man-in-the-middle attacks?

GoodAccess is a ZTNA security platform that employs the latest network encryption with unbroken ciphers to protect data during transit and reduce the risk of a MITM attack.

It includes user pre-authentication reinforced by MFA, and authenticates users both on the network and application level to minimize the risk of unlawful entry.

Furthermore, GoodAccess features intuitive least-privilege access controls that further minimize risk and reduce impact of cyberattacks, including man-in-the middle.

Sign up for our full-featured 14-day trial, and start your zero-trust transformation today.
