Adversary-in-the-Middle Defense: Strategies for Security

Uncover the hidden risk to your business’s security – Adversary-in-the-Middle Attacks.

December 14, 2023

Discover one of the biggest hidden threats to your business’ security measures: Adversary-in-the-Middle Attacks. Learn how to prepare for, identify, and address these threats in real-time from Aaron Walton, threat intel analyst at Expel.

One of the most impactful cybersecurity defenses in recent memory was the advent of multifactor authentication (MFA). Up to that point, an attacker only needed a stolen username and password to access an account. MFA solutions made it possible to demand a second form of identification before granting that access, usually through a text message, push notification, or one-time code. This was revolutionary. After all, these solutions ensured that to break into an account secured by MFA, an attacker would need access to a physical device belonging to the target—right?

Wrong, unfortunately. They don’t need access to the physical device. They can attack other parts of the authentication chain, stealing a One-time Password (OTP) or the session after authentication. MFA solutions make it more difficult for attackers to engage in credential-based attacks, but attackers continue to adapt. “Adversary-in-the-Middle” (AiTM) phishing attacks are becoming an increasingly popular way to circumvent MFA, and organizations need to understand how these attacks work and how to stop them if they want to avoid becoming easy targets. 

The Rise of Adversary-in-the-Middle Attacks

AiTM attacks are not dramatically different from traditional phishing attacks. In a traditional phishing attack, an email might direct an unsuspecting user to a fake login page, which attempts to capture and store the user’s credentials for the attacker to use later. AiTM phishing is similar but designed specifically to evade known MFA tactics. Rather than simply setting up a fake login page, AiTM phishing automatically proxies the user’s credentials to the actual login page—and if the account requires MFA, the user is prompted as usual. Since this proxies the information through the attacker’s infrastructure, it gives them easy access to the session cookies that keep the user authenticated. In most instances, we see the attacker also attempting to register an MFA device so that they can re-authenticate once the session expires. AiTM is an innovative technique that can be difficult to detect if defenders don’t know exactly what to look for.

The rapid growth of AiTM phishing is due to criminals recognizing a need to bypass MFA and other criminals cashing in by offering infrastructure and services to facilitate these attacks. Recent research on the Expel customer base indicates that session cookie theft via AiTM phishing accounted for 34% of alerts where successful account compromise was identified. Just one year ago, that number was essentially 0% among Expel customers, underscoring how quickly attackers have latched onto AiTM tactics as a reliable way to evade MFA and compromise user accounts and identities successfully. Businesses looking to keep their authentication process secure cannot simply rely on MFA—they need to recognize the signs of AiTM attacks and be prepared to stop them.

Identifying AiTM Attacks and Limiting Their Effectiveness

Focusing solely on prevention is never a good idea—detection and response are essential for teams to mitigate the risks. Alerts for potential AiTM attacks should trigger on activity that commonly occurs after an attacker authenticates. In many cases, the AiTM infrastructure is automated, and the automation will attempt to perform certain actions using the victim account as soon as credentials are received. This automation often attempts to set up persistent access by registering new MFA devices, or to cover its tracks by deleting the malicious email the user clicked and setting up inbox rules to hide any further malicious emails that are sent. When these detections identify a true positive, the security team must reset credentials, remove new MFA devices, and revoke sessions. Unlike traditional phishing, resetting credentials alone is insufficient: the user’s existing sessions must be terminated.

It’s also important to consider where (and how) logins occur. If a login is detected from a country where the business has no presence, there’s a good chance something suspicious is going on—and even if it isn’t an AiTM attack, it’s probably worth taking a closer look. Similarly, a login from a non-compliant device or untrusted IP space should set off security alarms and may indicate that an illicit login has occurred. Organizations need solutions that can automatically monitor these warning signs and alert them in real-time, rather than rely on IT and security teams to notice them when combing through logs after an incident. 
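The two paragraphs above describe a detection approach: attribute post-authentication actions (MFA device registration, inbox rules, message deletion) to the login that preceded them, and weigh the login’s own context (country, device compliance). The following is an added example, not code from the article or from Expel, that runs that logic over a constructed audit-event sample; the field names, the expected-country set and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity/mail audit events (sample data, not a real log; field names simplified).
EVENTS = [
    {"ts": "2023-12-01T09:00:05Z", "user": "alice", "op": "UserLoggedIn", "country": "US", "compliant": True},
    {"ts": "2023-12-01T09:03:10Z", "user": "alice", "op": "UserLoggedIn", "country": "NG", "compliant": False},
    {"ts": "2023-12-01T09:03:40Z", "user": "alice", "op": "MfaDeviceRegistered", "country": "NG", "compliant": False},
    {"ts": "2023-12-01T09:04:02Z", "user": "alice", "op": "InboxRuleCreated", "country": "NG", "compliant": False},
    {"ts": "2023-12-01T09:04:15Z", "user": "alice", "op": "MessageHardDeleted", "country": "NG", "compliant": False},
    {"ts": "2023-12-01T11:20:00Z", "user": "bob", "op": "UserLoggedIn", "country": "US", "compliant": True},
    {"ts": "2023-12-02T08:00:00Z", "user": "bob", "op": "MfaDeviceRegistered", "country": "US", "compliant": True},
]
EXPECTED_COUNTRIES = {"US", "CA"}  # assumption: countries where the business has a presence
POST_AUTH_OPS = {"MfaDeviceRegistered", "InboxRuleCreated", "MessageHardDeleted"}
WINDOW = timedelta(minutes=10)     # AiTM automation acts within minutes of the login
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def login_risk(ev):
    """Context signals on the login itself: where it came from and from what device."""
    reasons = []
    if ev["country"] not in EXPECTED_COUNTRIES:
        reasons.append("login from unexpected country " + ev["country"])
    if not ev["compliant"]:
        reasons.append("login from non-compliant device")
    return reasons

def detect_aitm(events, window=WINDOW):
    """Attribute each post-auth action to the user's most recent login; alert when the
    login itself is risky or is followed by persistence/cover-up actions within the window."""
    alerts, last_login = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "UserLoggedIn":
            last_login[ev["user"]] = ev
            if login_risk(ev):
                alerts[(ev["user"], ev["ts"])] = {"user": ev["user"], "login_ts": ev["ts"], "reasons": login_risk(ev)}
        elif ev["op"] in POST_AUTH_OPS:
            login = last_login.get(ev["user"])
            if login and parse_ts(ev["ts"]) - parse_ts(login["ts"]) <= window:
                alert = alerts.setdefault((login["user"], login["ts"]), {"user": login["user"], "login_ts": login["ts"], "reasons": login_risk(login)})
                alert["reasons"].append("post-auth automation: " + ev["op"])
    return list(alerts.values())

def containment_actions(alert):
    """Response for a true positive; session revocation is the step traditional phishing playbooks miss."""
    actions = ["reset credentials", "revoke all active sessions"]
    if any(r.endswith("MfaDeviceRegistered") for r in alert["reasons"]):
        actions.append("remove newly registered MFA devices")
    return actions
```

Bob’s routine MFA enrollment a day after his login falls outside the window and is not flagged, while Alice’s second login is flagged on its own context and then enriched with the three automated follow-up actions.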

Only some organizations have the resources or security expertise needed to implement these solutions, and some may instead partner with outside experts to monitor for and report signs of AiTM and other difficult-to-detect attacks. Many organizations now use managed phishing services that can identify credential-harvesting emails or provide warnings of known phishing campaigns. Not only does this give security teams some much-needed support, but it also allows organizations to keep their employees updated on the most current phishing tactics. That means they can be better trained on what to watch for, reducing their likelihood of clicking a suspicious link and unwittingly falling prey to an AiTM attack. 

MFA Is Effective, but It Can Be Improved

It’s important to note that MFA is still one of the most effective ways to keep your organization safe from today’s attackers. While AiTM attacks are a worrying development, organizations must be wary of throwing the baby out with the bathwater. Just because a security solution isn’t perfect doesn’t mean it should be abandoned—if it did, you’d quickly have no solutions left. MFA is still highly effective in defending against attacks, which vastly outnumber AiTM incidents.

That said, MFA can be improved by incorporating modern authentication methods: certificate-based authentication using Fast IDentity Online 2 (FIDO2) security keys has proven highly effective in stopping AiTM attacks. FIDO2 keys use public key cryptography, and each credential is bound to the legitimate website it was registered for, so it cannot be used on a phishing website even if the user is tricked into trying. Implementing FIDO2 has its challenges, but because these keys are almost entirely immune to phishing attempts, implementing FIDO2-based authentication should be a priority for organizations. Even if they cannot be implemented for the whole organization and every service, consider implementing them for high-risk user roles and sensitive resources.
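To show why the origin binding described above defeats a proxied login, here is an added example (not from the article, and not a real WebAuthn library) that simulates the relying-party checks a FIDO2/WebAuthn server performs on an assertion: the browser, not the page, fills in the origin and derives the RP ID from the page’s domain, so an assertion produced on a proxy page fails verification at the real site. The RP ID `login.example.com`, the allowed origin, the challenge value and the proxy domain are placeholders; the cryptographic signature check that follows these steps in a real verifier is omitted.

```python
import hashlib
import json

# Assumed relying party (RP) identity; placeholder values, not from the article.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def rp_id_hash(rp_id):
    """authenticatorData begins with SHA-256 of the RP ID the browser passed to the authenticator."""
    return hashlib.sha256(rp_id.encode()).digest()

def browser_assertion(page_origin, challenge):
    """Simulate what a browser hands back for a page at page_origin. The browser, not the
    page's JavaScript, fills in origin and derives the RP ID from the page's effective
    domain, so a proxy page cannot claim the real RP's identity (simplified model)."""
    effective_domain = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = rp_id_hash(effective_domain) + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash + flags + counter
    return client_data, auth_data

def verify_assertion(client_data, auth_data, expected_challenge):
    """RP-side checks from the WebAuthn assertion procedure. The signature check over
    authData || SHA-256(clientDataJSON) is omitted here; it would run after these."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"

CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real RP generates this randomly per ceremony

def legitimate_login():
    return verify_assertion(*browser_assertion("https://login.example.com", CHALLENGE), CHALLENGE)

def proxied_login():
    """AiTM: the proxy relays the real challenge, but the victim's browser is on the proxy's origin."""
    return verify_assertion(*browser_assertion("https://login-example.attacker-proxy.test", CHALLENGE), CHALLENGE)
```

The proxy can relay the password, the OTP and even the server’s challenge, but it cannot make the victim’s browser produce an assertion that names the real origin, which is exactly the property an OTP lacks.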

Don’t Wait for AiTM Attackers to Come to You

It can be tricky to confirm whether an organization has been the victim of an AiTM attack—it often involves investigating endpoint detection and response (EDR), network, and cloud logs to trace a breach back to its origin point. But the truth is, organizations shouldn’t wait until they have confirmation of AiTM activity to act. Organizations that want to protect themselves from this increasingly popular tactic should take proactive, preventative steps to limit the potential damage an AiTM attacker can do within their environments. By implementing FIDO2 authentication, building detections from known attacker behavior, monitoring for suspicious logins, and working with phishing experts to improve their detection and training capabilities, organizations can put themselves in the best position to stand up to this emerging threat.

Aaron Walton

Threat Intelligence Analyst, Expel

Aaron Walton is a Threat Intel Analyst at Expel. In this role, he monitors threat actor trends and behaviors to support Expel’s operations. He recommends following @ExpelSecurity on X (formerly Twitter) for articles published by him or his team.