Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens (Steal Application Access Token) and session cookies (Steal Web Session Cookie).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) Downgrade Attacks can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)
Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in Transmitted Data Manipulation. Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to Impair Defenses and/or in support of a Network Denial of Service.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. Ensure that all traffic is encrypted appropriately to mitigate, or at least alleviate, the scope of AiTM activity. Network appliances and security software can be used to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged for AiTM conditions.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides for appropriately segmented and segregated cloud environments. Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.
References
|
| I&S-09 | Network Defense | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.
References
|
| I&S-07 | Migration to Cloud Environments | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides for the use of secure and encrypted communication
channels when migrating to cloud environments. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Ensuring that all wireless traffic is encrypted appropriately can safeguard data and mitigate adversary-in-the-middle activities such as information collection.
References
|
| CEK-03 | Data Encryption | mitigates | T1557 | Adversary-in-the-Middle |
Comments
This control provides cryptographic protection for data-in-transit within the cloud environment. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. Ensuring that all wireless traffic is encrypted appropriately can safeguard data and mitigate adversary-in-the-middle activities such as information collection.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1557.002 | ARP Cache Poisoning | 2 |