Diving Deeper into Man-in-the-Middle and Brute Force Attacks

There is no shortage of ways for attackers to try to compromise an organization’s IT environment or an individual’s computer. From cross-site scripting to social engineering, the tactics of today’s attackers will sound familiar to cybersecurity researchers and victims alike. However, the most effective cyberattacks are often not the most sophisticated, as capturing low-hanging fruit does not require that threat actors use the sharpest tools in their toolbox.

Today, we will discuss two of those not-so-sharp tools: brute force and man-in-the-middle (MiTM) attacks. Both techniques have a long history in cybersecurity, so let’s dive deeper into each and look at how your organization can defend against them.

Brute Force Attacks—and Their Cousins

Brute force attacks are used to crack encryption or passwords, with automated tools and botnets running every candidate password against a targeted system or service until the correct username and password combination is found. Depending on how complex the password is and how large the character set is, performing this type of attack can be time-consuming and require extensive computing resources. For this reason, automating the attacks is important, and there are several tools for penetration testers and cybercriminals alike to choose from.

A dictionary attack is a very common brute force methodology, in which the threat actor works through a list of likely passwords in an attempt to find one that works. These attacks are effective because people often use common passwords (e.g. “1,2,3,4” or “password”) and ordinary words that can be found in a dictionary—hence the attack’s name.

Another variant of brute force attack is what is known as a password spray, in which a single password is tested against a large number of usernames. This is done in part to avoid the account lockouts that can be triggered when a single account has multiple failed login attempts in a short period of time. In all three cases, the stronger the password, the harder it is for the attacker to crack.

Besides compromising everything from Internet of Things (IoT) devices to online accounts, brute force attacks can also place a burden on targeted websites due to the spike in traffic caused by repeated login requests. That same spike in traffic, however, can make these attacks easier to detect. One step a website owner can take is to use CAPTCHAs and two-factor authentication, both of which require human interaction to complete the login process. In addition, as mentioned above, website owners can limit the number of failed login attempts that can occur before an account is temporarily locked. This will slow down botnets endlessly trying different combinations, and it can be applied not only to online accounts but to systems throughout your environment.
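The two detection rules described above, a per-account failed-attempt lockout and a per-source check that catches password sprays the lockout alone would miss, run over a constructed authentication log. This is an added example, not code from the article; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). Format: "<ISO time> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-05-01T10:01:00 FAIL user=bob src=198.51.100.7
2024-05-01T10:01:10 FAIL user=carol src=198.51.100.7
2024-05-01T10:01:20 FAIL user=dave src=198.51.100.7
2024-05-01T10:01:30 FAIL user=erin src=198.51.100.7
2024-05-01T10:30:00 FAIL user=bob src=192.0.2.9
2024-05-01T10:31:00 OK user=bob src=192.0.2.9
"""

def parse(log_text):
    """Yield (timestamp, failed, user, src) tuples from the constructed log format."""
    for line in log_text.splitlines():
        ts, result, user_kv, src_kv = line.split()
        yield (datetime.fromisoformat(ts), result == "FAIL",
               user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect(events, window=timedelta(minutes=5), per_account=5, spray_users=4):
    """Return (locked_accounts, spraying_sources).
    per_account: failures on ONE account inside `window` -> temporary lockout (classic brute force).
    spray_users: DISTINCT accounts failing from ONE source inside `window` -> password spray,
    which a per-account lockout never trips because each account fails only once."""
    acct_fails = defaultdict(deque)          # user -> recent failure timestamps
    src_fails = defaultdict(dict)            # src  -> {user: last failure timestamp}
    locked, spraying = set(), set()
    for ts, failed, user, src in events:
        if not failed:
            continue
        q = acct_fails[user]
        q.append(ts)
        while ts - q[0] > window:            # drop failures that fell out of the window
            q.popleft()
        if len(q) >= per_account:
            locked.add(user)
        seen = src_fails[src]
        seen[user] = ts
        for u in [u for u, t in seen.items() if ts - t > window]:
            del seen[u]
        if len(seen) >= spray_users:
            spraying.add(src)
    return locked, spraying
```

Raising `spray_users` to 5 makes the second source fall below the threshold, which is exactly the gap an attacker spraying slowly across many accounts relies on; tune the window and thresholds to your own login volume.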

Man-in-the-Middle Attacks

Similar to brute force attacks, MiTM attacks have a long history in cybersecurity. In a MiTM attack, the threat actor positions themselves in the middle of the communication between two parties, which allows them to eavesdrop on and relay traffic. These attacks take many forms, including:

  • DNS spoofing: Domain Name System (DNS) spoofing occurs when a DNS server’s records are altered to redirect traffic to a website controlled by the attacker. This is commonly achieved through cache poisoning attacks.
  • Wi-Fi MiTM: In these attacks, a threat actor establishes a Wi-Fi access point with a name that sounds similar to a legitimate one in the hopes of duping victims into connecting to their network. If the victim does so, the attacker will be able to eavesdrop on all their online communications and potentially steal logins and other information.
  • ARP poisoning: This attack occurs when a threat actor sends spoofed Address Resolution Protocol (ARP) messages on a network and alters the target’s ARP cache. The goal of this attack is to modify the Media Access Control (MAC) address of the targeted system, such as a default gateway, to an address controlled by the attacker, enabling the threat actor to intercept traffic on the local area network.
  • SSL stripping: This takes place when a MiTM threat actor intercepts the SSL/TLS negotiation between the victim and a target, establishing a secure connection with the target while communicating with the victim in plaintext. This allows the threat actor to read data that would otherwise have been encrypted.

As is the case with brute force attacks, there are automated tools available that can be used to launch these attacks. Once an attacker is able to intercept traffic, they can sniff and inject packets, as well as engage in actions such as session hijacking.

Unlike brute force attacks, MiTM attacks can be invisible to the user. Protecting against these attacks starts with authentication and cryptography. Network protocols like Transport Layer Security (TLS) and HTTP Secure (HTTPS) add a layer of security that can sometimes mitigate spoofing attacks. In addition, implementing encryption on Wi-Fi access points prevents unauthorized users from joining the network merely because of their physical proximity to it. As for ARP poisoning, organizations should consider software that enables anti-ARP-spoofing features, which can thwart malicious ARP messages. One of the easiest and most effective MiTM mitigations is using a secure VPN service on untrusted networks. VPNs encapsulate and encrypt all network data to a trusted third-party system, where the data can be “unwrapped” and sent across the internet as normal, preventing the possibility of MiTM on the local network being used.
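The ARP poisoning described above leaves two signatures an anti-ARP-spoofing monitor can look for: the gateway IP suddenly answering with a different MAC, and one MAC answering for several IPs at once. The following is an added example of such a monitor run over a constructed sequence of ARP replies, not code from the article or from any product; the addresses and the pinned binding are assumptions.

```python
from collections import defaultdict

# Constructed sequence of ARP replies observed on one segment (not from the article): (sender IP, sender MAC)
OBSERVED_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # default gateway answering with its real MAC
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.21", "aa:bb:cc:00:00:21"),
    ("192.168.1.1",  "aa:bb:cc:00:00:21"),   # gateway IP now answered by host .21's MAC
    ("192.168.1.20", "aa:bb:cc:00:00:21"),   # and so is host .20: the classic poisoning pattern
]

# Pinned IP->MAC bindings for hosts that must never change (assumed to be maintained by the defender)
STATIC_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

def check_arp(replies, static_bindings, max_ips_per_mac=1):
    """Return alert strings for two poisoning indicators:
    1. a reply whose MAC differs from the pinned binding, or from the first MAC learned for that IP;
    2. one MAC answering for more than `max_ips_per_mac` IPs (a poisoner claims the gateway
       AND its victims so that both directions of traffic flow through it)."""
    learned = dict(static_bindings)      # ip -> MAC we trust for it
    ips_by_mac = defaultdict(set)        # mac -> every IP it has answered for
    flagged_macs, alerts = set(), []
    for ip, mac in replies:
        known = learned.setdefault(ip, mac)
        if known != mac:
            origin = "pinned" if ip in static_bindings else "first-learned"
            alerts.append(f"ip {ip}: {origin} MAC {known} but reply from {mac}")
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"mac {mac} answers for {sorted(ips_by_mac[mac])}")
    return alerts
```

Routers or hosts that legitimately hold several addresses (secondary IPs, redundancy protocols) will trip the second check, so raise `max_ips_per_mac` or pin their bindings rather than ignoring the alert.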

Through penetration testing, your organization can determine if it is vulnerable to either of these types of attacks. Be proactive; catching vulnerabilities before attackers do will help keep customers, systems, and data safe, and avoid the reputational damage that follows a successful attack.
