Man in the Middle

From attackics
Jump to navigation Jump to search
Man in the Middle
ID T0830
Tactic Execution
Data Sources Network device logs, Netflow/Enclave netflow, Packet capture
External Contributors Conrad Layne - GE Digital
Asset Control Server, Field Controller/RTU/PLC/IED, Human-Machine Interface


Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks.1 This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy.2

A MITM attack may allow an adversary to perform the following attacks:

Block Reporting Message, Spoof Reporting Message, Modify Parameter, Unauthorized Command Message

Procedure Examples

  • HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.3
  • Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. STUXNET effectively creates a man in the middle attack with the input and output signals and control logic.


  • Communication Authenticity - Communication authenticity will ensure that any messages tampered with through MITM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various MITM procedures.
  • Software Process and Device Authentication - To protect against MITM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from MITM.
  • Static Network Configuration - Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.
  • Network Intrusion Prevention - Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.
  • Network Segmentation - Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of MiTM activity.
  • Filter Network Traffic - Use network appliances and host-based security software to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged for MiTM.