Man in the Middle

From attackics
Revision as of 23:19, 5 January 2020 by (username removed)
Man in the Middle
ID: T830
Tactic: Execution
Data Sources: Network device logs, Netflow/Enclave netflow, Packet capture
External Contributors: Conrad Layne - GE Digital
Asset: Control Server, Field Controller/RTU/PLC/IED, Human-Machine Interface


Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks.[1] This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most common are Address Resolution Protocol (ARP) poisoning and the use of a proxy.[2]

A MITM attack may allow an adversary to perform the following attacks:

Block Reporting Message, Modify Parameter, Unauthorized Command Message, Spoof Reporting Message

Procedure Examples

  • HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.[3]
  • Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. Stuxnet effectively creates a man-in-the-middle attack between the input and output signals and the control logic.


Mitigations

  • Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.[4]
  • Special care should be taken to ensure that passwords used with encrypted protocols are not the same as those used with non-encrypted protocols. Password lockout policies can be enforced, but take care to balance this with operational needs, since stressful situations may result in a few failed login attempts.[4]
  • Implementing challenge/response authentication eliminates the discovery and replay risk that traditional password exchange carries.[4]
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.[4]
  • Unauthorized and suspicious media should be avoided and kept away from systems and the network.[4]
  • Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.[4]
  • VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.[4]
  • Depending on how it is deployed, an Intrusion Detection System (IDS) might be able to detect or help with the detection of a MITM attack.[4]
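The description above names ARP poisoning as one of the most common ways to establish a MITM position, and the last mitigation notes that an IDS may detect it from network data. The following added example (written for this page, not code from MITRE or any IDS product) shows the minimal detection logic such a sensor applies to the "Packet capture" data source: it parses raw Ethernet/ARP frames and raises an alert when an ARP reply arrives that no host asked for, or when an IP address that was already mapped to one MAC is suddenly claimed by a different MAC. The capture is constructed inline; the device roles, addresses and MACs are placeholders chosen for the demonstration.

```python
"""Flag ARP replies that look like cache poisoning in a captured frame stream.

Added example for the ATT&CK for ICS T830 page. The frames, addresses and
device roles below are constructed for the demonstration, not real captures.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = b"\xff" * 6
ETH_FMT = "!6s6sH"          # dst MAC, src MAC, ethertype
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP frame (used only to construct the sample capture)."""
    dst = BROADCAST if oper == ARP_REQUEST else target_mac
    eth = struct.pack(ETH_FMT, dst, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (oper, sha, spa, tha, tpa) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return oper, sha, spa, tha, tpa


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def detect_arp_anomalies(frames):
    """Return a list of (alert_type, ip, mac) tuples.

    unsolicited_reply: an ARP reply for which no request was outstanding.
    mac_conflict: an IP already learned with one MAC is now claimed by another.
    """
    learned = defaultdict(set)   # ip -> set of MACs that have claimed it
    pending = set()              # IPs asked for in a request, not yet answered
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sha, spa, _tha, tpa = parsed
        if oper == ARP_REQUEST:
            pending.add(fmt_ip(tpa))
            continue
        if oper != ARP_REPLY:
            continue
        ip, mac = fmt_ip(spa), fmt_mac(sha)
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(("unsolicited_reply", ip, mac))
        if learned[ip] and mac not in learned[ip]:
            alerts.append(("mac_conflict", ip, mac))
        learned[ip].add(mac)
    return alerts


# Constructed sample capture: an HMI resolves a PLC, the PLC answers, then a
# third MAC pushes unsolicited replies claiming both addresses.
PLC_MAC = bytes.fromhex("001122334455")
HMI_MAC = bytes.fromhex("66778899aabb")
ROGUE_MAC = bytes.fromhex("ccddeeff0011")
PLC_IP = bytes([10, 0, 0, 10])
HMI_IP = bytes([10, 0, 0, 20])

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HMI_MAC, HMI_IP, b"\x00" * 6, PLC_IP),  # HMI asks for PLC
    build_arp(ARP_REPLY, PLC_MAC, PLC_IP, HMI_MAC, HMI_IP),        # legitimate answer
    build_arp(ARP_REPLY, ROGUE_MAC, PLC_IP, HMI_MAC, HMI_IP),      # rogue claims PLC IP
    build_arp(ARP_REPLY, ROGUE_MAC, HMI_IP, PLC_MAC, PLC_IP),      # rogue claims HMI IP
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_FRAMES):
        print(alert)
```

On the sample capture the legitimate reply is silently consumed, while each rogue reply produces an unsolicited_reply alert and the one that overwrites an already-learned mapping also produces a mac_conflict. A production sensor would add what this sketch omits: a timeout on outstanding requests, an allow-list of hosts that legitimately send gratuitous ARP (redundant controllers, failover addresses), and a learned baseline of IP-to-MAC pairs so that the first conflict is judged against known-good state rather than against whatever frame happened to arrive first.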