A man-in-the-middle (MITM) attack is an incredibly dangerous type of cyber attack in which a hacker infiltrates a private network by setting up a rogue access point that impersonates a legitimate one and harvests the login credentials of devices that connect to it.
According to IBM’s X-Force Threat Intelligence Index, 35% of exploitation activity involves man-in-the-middle attacks. MITM attacks are particularly severe for small to medium-sized companies: 6 in 10 businesses declare bankruptcy within as little as 6 months of a cyber attack, because they lose revenue opportunities once they are no longer trusted.
MITM attacks are difficult to catch in progress, and most victims only realize what happened after the attacker is long gone with their private data. The best defense is to prevent MITM attacks, and other attacks, from ever occurring in the first place by fortifying your network. In this article, we’ve broken down several prevention strategies, categorizing them as ‘Good’, ‘Better’, and ‘Best’. If you want to learn more, we also have another article with more information on MITM attacks.
Enabling 802.1x Authentication
Devices that attempt to connect to a LAN or WLAN need to be authenticated before they are given access to the network. 802.1x authentication is a widely used method of authenticating devices because of its strong security measures. 802.1x uses a RADIUS server to authenticate and authorize devices requesting access. The RADIUS server is integrated with the network’s directory services, so it knows which devices to approve and which to deny. You can think of the RADIUS server as the security guard of the network.
However, 802.1x can be difficult to set up when configuration is left to end users. Important configuration settings might be missed if an end user has to configure their own device, leaving an opening for hackers to launch a MITM attack. Procuring, setting up, and configuring a RADIUS server is no trivial task either. With Cloud RADIUS it’s a lot easier, but historically this was a large barrier to enabling 802.1x authentication.
There are three well-known 802.1x protocols: EAP-TLS, EAP-TTLS/PAP, and PEAP-MSCHAPv2. EAP-TTLS/PAP and PEAP-MSCHAPv2 are both credential-based protocols, so they rely on passwords to authenticate devices. Credential-based protocols can leave much of the configuration work to the end user, and if they are configured incorrectly (which happens very often) they put your network at high risk of credential theft.
EAP-TTLS/PAP is particularly vulnerable to MITM attacks because network data is transmitted in cleartext and isn’t encrypted in the slightest. All a hacker needs to do is pose as an approved AP and the data is delivered to them unencrypted.
PEAP-MSCHAPv2 is a common protocol in Microsoft environments, since Microsoft created it. However, there is a well-known vulnerability in PEAP-MSCHAPv2’s encryption that can be exploited: a hacker can capture data packets through a MITM attack, and this weakness allows the hacker to decrypt the captured data.
EAP-TLS is the most secure 802.1x protocol because it is the only one based on certificates, which prevents credentials from being sent over the air at all. Certificates are themselves encrypted, rendering them useless to anyone outside the network; they can only be decrypted by approved users with the correct keys. SecureW2’s Managed PKI services come with software that lets every device be configured for EAP-TLS authentication, by allowing end users to easily self-service their devices for certificates and 802.1x authentication.
A Wireless Intrusion Prevention System (WIPS) is designed to prevent MITM attacks: it analyzes all access points in range and alerts the network when it finds a rogue access point. If WIPS detects a rogue AP on the network, it will prevent that SSID from being broadcast, stopping MITM attacks from happening on your campus. However, we only put WIPS in the ‘Good’ section because it doesn’t prevent anyone from stealing credentials: hackers could easily set up their rogue AP in a car in the parking lot or in a nearby cafe and harvest credentials from there. PCI standards recommend using WIPS because it provides other functions besides security; WIPS is good at pinpointing deficient access points and can monitor network performance.
Three Ways to Deploy WIPS
- Time Slicing: the WIPS alternates between two tasks, monitoring for rogue access points and providing admins with Wi-Fi traffic reports.
- Integrated WIPS: a sensor integrated into the WIPS routinely scans radio frequencies looking for rogue access points.
- WIPS Overlay: a large-scale version of Integrated WIPS, with multiple sensors placed around the building to monitor network traffic. The sensors transmit their data to a centralized server where admins can view the logs. This is the most expensive way to deploy WIPS because of the infrastructure costs.
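To make the detection half of a WIPS concrete, here is an added example (written for this article, not SecureW2’s or any vendor’s WIPS code). It compares a constructed set of beacons seen by a sensor against a constructed inventory of authorized access points and flags three situations: an unknown BSSID broadcasting a protected SSID (an evil-twin candidate), a lookalike SSID that differs only in case or punctuation, and an authorized BSSID advertising a different SSID or security mode than it should. All BSSIDs, SSIDs and scan records are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScanRecord:
    """One beacon as reported by a sensor (constructed format, not a vendor's)."""
    bssid: str
    ssid: str
    channel: int
    security: str  # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"


# Constructed inventory of the APs the organization actually operates:
# BSSID -> (SSID, security). A real WIPS pulls this from the WLAN controller.
AUTHORIZED_APS: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", "WPA2-EAP"),
    "aa:bb:cc:00:00:02": ("CorpWiFi", "WPA2-EAP"),
}
# SSIDs that only the organization should ever broadcast.
PROTECTED_SSIDS = {"CorpWiFi"}


def normalize_ssid(ssid: str) -> str:
    """Lower-case and strip punctuation so 'Corp-WiFi' and 'corp wifi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def detect_rogues(scan: List[ScanRecord],
                  authorized: Dict[str, Tuple[str, str]] = AUTHORIZED_APS,
                  protected=PROTECTED_SSIDS) -> List[str]:
    """Classify each beacon; returns human-readable alerts in scan order."""
    alerts: List[str] = []
    protected_norm = {normalize_ssid(s): s for s in protected}
    for rec in scan:
        bssid = rec.bssid.lower()
        if bssid in authorized:
            # Known radio: make sure it still advertises what the inventory says.
            exp_ssid, exp_sec = authorized[bssid]
            if rec.ssid != exp_ssid or rec.security != exp_sec:
                alerts.append(f"{bssid}: authorized BSSID advertising "
                              f"{rec.ssid}/{rec.security}, expected {exp_ssid}/{exp_sec}")
            continue
        # Unknown radio: is it impersonating one of our SSIDs?
        if rec.ssid in protected:
            alerts.append(f"{bssid}: evil-twin candidate, unknown BSSID broadcasting "
                          f"protected SSID '{rec.ssid}' ({rec.security}) on channel {rec.channel}")
        elif normalize_ssid(rec.ssid) in protected_norm:
            alerts.append(f"{bssid}: lookalike SSID '{rec.ssid}' resembles protected "
                          f"'{protected_norm[normalize_ssid(rec.ssid)]}'")
        # Anything else is an unrelated neighbour and is left alone.
    return alerts


# Constructed scan results for the example run.
SAMPLE_SCAN = [
    ScanRecord("aa:bb:cc:00:00:01", "CorpWiFi", 36, "WPA2-EAP"),   # legitimate AP
    ScanRecord("aa:bb:cc:00:00:02", "CorpWiFi", 1, "OPEN"),        # our BSSID, wrong profile
    ScanRecord("de:ad:be:ef:00:01", "CorpWiFi", 6, "WPA2-EAP"),    # unknown BSSID, exact SSID
    ScanRecord("de:ad:be:ef:00:02", "Corp-WiFi", 11, "OPEN"),      # lookalike SSID
    ScanRecord("12:34:56:78:9a:bc", "CafeGuest", 11, "OPEN"),      # unrelated neighbour
]

if __name__ == "__main__":
    for alert in detect_rogues(SAMPLE_SCAN):
        print(alert)
```

The inventory lookup is keyed on BSSID, which an attacker can copy, so a clone that reproduces the SSID, security mode and BSSID of a real AP passes this check. That is the limitation the paragraph above points at: a WIPS can raise an alert and suppress a rogue SSID on campus, but it cannot stop a device that was never configured to validate the server from handing its credentials to an AP outside the sensors’ range.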
Replacing Credentials with Digital Certificates
A major factor in the success of MITM attacks is the failure of passwords. The fatal flaw of passwords is the human element: passwords can be stolen, lost, and shared. This makes it difficult for IT admins to clearly identify who is on their networks.
Digital certificates eliminate the human-element drawback that plagues passwords. A certificate stays on the device it was issued to and cannot be shared. Using certificates in a secure manner is the surefire way to protect the network. Simple, right? If you stop sending credentials over the air and authenticate with certificates instead, you eliminate all potential for MITM attacks.
Enterprises can create their own trusted Certificate Authority (CA) that will only authorize and issue certificates for users and devices the enterprise trusts. When a device asks for network access, its credentials are securely transmitted to the CA so it can verify that the device holds a signed certificate and grant network permissions. Admins can further configure specialized certificates for specific devices based on network policy, such as issuing a certificate to a college student’s device for 4 years or granting executives special network access.
In order to deploy certificates, enterprises need to implement a Public Key Infrastructure (PKI). There are two main options: on-premise PKI and managed cloud PKI.
On-premise PKI is time-consuming, labor-intensive, and expensive. It can take months to implement and requires a team of trained professionals on staff.
A managed cloud PKI service can be integrated seamlessly with your current infrastructure. SecureW2’s Managed PKI is a turnkey solution with set-and-forget technology that eases the workload for IT admins and doesn’t require a team to manage.
Passpoint and Wi-Fi Hotspots
Passpoint is an incredibly convenient Wi-Fi technology that allows users to securely and automatically connect to Wi-Fi hotspots. With Passpoint, end users are securely and automatically authenticated to Wi-Fi hotspots as they travel through airports, hotels, restaurants, and so on.
Hotspots are hotbeds for MITM attacks because end users who manually configure their devices might accidentally connect to a rogue access point and become victims. Passpoint solves this by tying a unique ID to the SSID. Hackers commonly target hotspots by setting up rogue APs with a spoofed SSID to trick devices into sending them credentials. Passpoint prevents this because the hacker’s SSID doesn’t carry the unique ID, so devices will not connect to it.
For Passpoint to be implemented correctly, devices need to be configured with the unique ID of the SSID, and the owner of the hotspots needs an Online Sign-Up (OSU) server. SecureW2 provides OSU servers as well as the onboarding clients required to configure devices for Passpoint. Our PKI services also integrate Passpoint with digital certificates to give the most secure form of device authentication, and they ensure that devices aren’t misconfigured, since devices must go through the onboarding clients to obtain their certificate. Passpoint is still being rolled out carefully, but there’s a lot to look forward to, and SecureW2 is one of the few places that can provide a turnkey solution for implementing Passpoint technology.
Pairing Certificates with 802.1x Onboarding Technology
While certificates on their own provide quality security for a network, equipping every network device with a certificate can be a difficult task, and it is a common reason enterprises avoided deploying certificates in the past.
Pairing certificates with onboarding software ensures that devices can enroll for and install certificates easily, and that each device is configured for 802.1x network authentication using that certificate. Onboarding software makes a secure connection a two-way street: server certificate validation equips the server with a certificate, so when a device requests network access it verifies that it is talking to the approved network server and not to a rogue access point, which is a key component of MITM attacks.
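The EAP comparison earlier in this article and the server certificate validation point in the paragraph above both come down to a handful of supplicant settings that onboarding software sets for the user. As an added example (not SecureW2’s code or any real onboarding client), the Python below audits wpa_supplicant-style network blocks for the weaknesses discussed: no trusted CA for the RADIUS server certificate, a trusted CA without a server-name match, a password-based inner method such as TTLS/PAP, and an EAP-TLS profile missing its client certificate. The option names are real wpa_supplicant ones; the sample config text, identities and file paths are constructed for the example.

```python
import re
from typing import Dict, List

# Real wpa_supplicant option names that control whether the client validates
# the RADIUS server's certificate, and whether it pins the server's name.
SERVER_VALIDATION_KEYS = ("ca_cert", "ca_path")
NAME_PINNING_KEYS = ("domain_suffix_match", "domain_match",
                     "altsubject_match", "subject_match")

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$')


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Split a wpa_supplicant-style config into one key/value dict per
    network={...} block. Comments and non key=value lines are ignored."""
    networks: List[Dict[str, str]] = []
    for body in BLOCK_RE.findall(conf):
        fields: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0]        # drop trailing comments
            match = KV_RE.match(line)
            if match:
                fields[match.group(1)] = match.group(2).strip()
        networks.append(fields)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return the MITM-relevant weaknesses of one 802.1x network block."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", "").upper():
        return findings                          # not an 802.1x network
    ssid = net.get("ssid", "<no ssid>")
    eap = net.get("eap", "").upper()
    phase2 = net.get("phase2", "").upper()
    validates_server = any(k in net for k in SERVER_VALIDATION_KEYS)
    pins_name = any(k in net for k in NAME_PINNING_KEYS)

    # Without a trusted CA the supplicant accepts any server certificate, so a
    # rogue AP running its own RADIUS server terminates the tunnel and receives
    # whatever the inner method sends.
    if not validates_server:
        findings.append(f"{ssid}: no ca_cert/ca_path, any server certificate "
                        "(including a rogue AP's) is accepted")
    elif not pins_name:
        findings.append(f"{ssid}: ca_cert set but no domain_suffix_match, "
                        "any certificate issued by that CA is accepted")
    # Credential-based inner methods still send a password; PAP sends it as cleartext.
    if eap == "TTLS" and "AUTH=PAP" in phase2:
        findings.append(f"{ssid}: EAP-TTLS/PAP delivers the password in cleartext "
                        "to whichever server terminates the tunnel")
    elif eap == "PEAP" and "MSCHAPV2" in phase2:
        findings.append(f"{ssid}: PEAP-MSCHAPv2 still relies on a password; "
                        "prefer certificate-based EAP-TLS")
    # EAP-TLS needs a client certificate and key or it cannot authenticate at all.
    if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
        findings.append(f"{ssid}: eap=TLS without client_cert/private_key")
    return findings


def audit_config(conf: str) -> List[List[str]]:
    """Audit every network block; returns one findings list per block, in order."""
    return [audit_network(net) for net in parse_networks(conf)]


# Constructed sample config (not a real deployment): the first block is a
# typical hand-configured TTLS/PAP profile, the second an EAP-TLS profile that
# validates and pins the RADIUS server.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="hunter2"          # stored password, sent via PAP
    phase2="auth=PAP"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    domain_suffix_match="radius.corp.example"
}
"""

if __name__ == "__main__":
    for index, findings in enumerate(audit_config(SAMPLE_CONF)):
        print(f"network block {index}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the hand-configured block produces two findings (no trusted CA, cleartext PAP password) and the EAP-TLS block produces none, which is exactly the difference between a device a user configured from a web guide and one an onboarding client configured with a certificate and server validation.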
Integrating onboarding software can also streamline the device onboarding process for Bring Your Own Device (BYOD) users. End users with BYODs can use SecureW2’s JoinNow Suite, and after entering their login credentials once they will be granted network access every time they log on.
Onboarding software lets admins create configuration profiles that allow devices to automatically enroll for an approved certificate and access the network. End users can download these profiles and be granted network access in a matter of minutes. All the end user needs to do is click a few buttons and they are enrolled for a certificate and 802.1x Wi-Fi, with no need to search for long-winded guidelines on the organization’s website.
SecureW2’s JoinNow onboarding technology is set-and-forget, so end users only need to log in once and remain approved until the certificate is revoked or expires. An easy-to-use landing page auto-detects their operating system and launches a dissolvable client where they can enter their credentials and get their device configured. With onboarding software, manual configuration is not necessary, which eliminates the risk of device misconfiguration and thus prevents MITM attacks from infiltrating the network.
Organizations with managed devices can use SCEP/WSTEP gateway APIs to auto-enroll every managed device for a certificate. Admins can push payloads through their MDM (Jamf, G-Suite, Intune) or GPO (for AD domain-joined devices) and enable every managed device to automatically enroll for and install a certificate on its own. The entire process of certificate enrollment and connecting to the network can be automated with SecureW2’s Gateway APIs.
Penetration testing is a valuable practice that can expose vulnerabilities in network security. Admins can then go back to those vulnerabilities and fix them to prevent future exploitation.
Admins can pentest with different types of MITM attacks, including ARP spoofing and DNS poisoning. Here are a couple of links to help admins carry out their own pentesting.
Deploying Certificates with SecureW2 Prevents MITM Attacks
Man-in-the-middle attacks can be severe for any organization, especially one that uses credential-based authentication protocols. Many SMBs aren’t prepared to handle the aftermath of a cyber attack and end up going bankrupt because of the lost revenue.
The best way to beat a MITM attack, and really any cyber attack, is prevention. We’ve covered several ways to prevent cyber attacks, including certificates, onboarding software, WIPS, pentesting, and more.
SecureW2’s managed PKI solution provides the highest level of efficiency and security for your organization. The certificate solution is designed to equip any network device with a certificate through a process anyone can complete. Because we eliminate passwords from the authentication process, the risk of MITM attacks and others drops off dramatically. Find out if your organization could benefit from the certificate solutions SecureW2 provides at an affordable price.