Adversary-in-the-Middle

Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. [1] This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. [2]

An AiTM attack may allow an adversary to perform the following attacks:
Block Reporting Message, Spoof Reporting Message, Modify Parameter, Unauthorized Command Message

ID: T0830
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: None
Contributors: Conrad Layne - GE Digital
Version: 2.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1010 VPNFilter

The VPNFilter's ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. [3] [4]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0947 Audit

Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.

M0802 Communication Authenticity

Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.

M0942 Disable or Remove Feature or Program

Disable unnecessary legacy network protocols that may be used for AiTM if applicable.

M0931 Network Intrusion Prevention

Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.

M0930 Network Segmentation

Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.

M0810 Out-of-Band Communications Channel

Utilize out-of-band communication to validate the integrity of data from the primary channel.

M0813 Software Process and Device Authentication

To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.

M0814 Static Network Configuration

Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.

DS0029 Network Traffic Network Traffic Content

Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).

Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. For added context on adversary procedures and background see Adversary-in-the-Middle and applicable sub-techniques.

DS0009 Process Process Creation

Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events.

DS0019 Service Service Creation

Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.

DS0024 Windows Registry Windows Registry Key Modification

Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.

References