T0830 Adversary-in-the-Middle
Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. [2] This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. Once an AiTM position is established, the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. [1]
An AiTM attack may allow an adversary to perform the following attacks:
Block Reporting Message, Spoof Reporting Message, Modify Parameter, Unauthorized Command Message
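The ARP-poisoning variant mentioned above leaves a visible trace: an IP address that was answered for by one MAC address is suddenly answered for by another, and the attacking MAC ends up answering for several hosts at once. The following monitor is an added example written for this page, not code from MITRE ATT&CK or any referenced vendor. It assumes the defender has a feed of observed ARP replies (here a constructed sample) and an optional table of pinned bindings for critical hosts such as the gateway, in the spirit of the Static Network Configuration mitigation listed further down.

```python
"""Flag ARP replies that rebind a known IP to a new MAC (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    """One observed ARP reply: the sender claims sender_ip lives at sender_mac."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # pinned: bindings the defender declares authoritative (e.g. the gateway) - assumption
    pinned: dict = field(default_factory=dict)
    # learned: IP -> MAC as most recently seen on the wire
    learned: dict = field(default_factory=dict)

    def observe(self, reply: ArpReply) -> list:
        """Return a list of alert strings raised by this single reply."""
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        expected = self.pinned.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(f"pinned binding violated: {ip} claimed by {mac}, expected {expected.lower()}")

        prev = self.learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"binding changed: {ip} moved from {prev} to {mac}")
        self.learned[ip] = mac

        # A single MAC answering for several IPs is what an intercepting host looks like
        # when it impersonates both ends of a conversation (heuristic: routers with
        # multiple addresses will also trip this, so pair it with the checks above).
        claimed = {i for i, m in self.learned.items() if m == mac}
        if len(claimed) > 1:
            alerts.append(f"{mac} now answers for {sorted(claimed)}")
        return alerts


def scan(replies, pinned):
    """Run every reply through a fresh monitor; returns (reply_index, message) tuples."""
    monitor = ArpMonitor(pinned=dict(pinned))
    alerts = []
    for i, reply in enumerate(replies):
        alerts.extend((i, msg) for msg in monitor.observe(reply))
    return alerts


# Constructed sample: the gateway (.1) is pinned; a third host later claims both .1 and .10.
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # genuine gateway
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:10"),  # genuine workstation
    ArpReply("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway address rebound to a new MAC
    ArpReply("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC now also claims the workstation
]

if __name__ == "__main__":
    for index, message in scan(SAMPLE_REPLIES, PINNED):
        print(f"reply #{index}: {message}")
```

The first two replies produce nothing; the third raises both a pinned-binding violation and a binding-change alert, and the fourth raises a binding change plus the multi-IP heuristic, which together are the pattern of a host inserting itself between the gateway and a workstation.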
| Item | Value |
|---|---|
ID | T0830 |
Sub-techniques | |
Tactics | TA0100 |
Platforms | Control Server, Field Controller/RTU/PLC/IED, Human-Machine Interface |
Version | 2.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1010 | VPNFilter | VPNFilter's ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. [4] [3] |
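The VPNFilter procedure above is a NAT-table REDIRECT rule, which is something a defender can audit directly on a device. The following checker is an added example written for this page, not part of ATT&CK or the cited VPNFilter reports; it parses `iptables-save` style output (the sample below is constructed, not captured from real malware) and flags rules in the nat table that redirect or DNAT well-known service ports. The watched-port set is an assumption and should be adjusted to the protocols in use on the network.

```python
"""Audit iptables-save output for nat-table rules that divert traffic (added example)."""
import re

# Constructed sample resembling what a compromised router's iptables-save might show.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Ports whose diversion on a router or gateway deserves a look (assumption):
# 80 HTTP, 443 HTTPS, 502 Modbus/TCP.
WATCHED_PORTS = {80, 443, 502}

# Matches "-A <chain> ... --dport <n> ... -j REDIRECT|DNAT [--to-ports x | --to-destination y]"
REDIRECT_RE = re.compile(
    r"-A\s+(?P<chain>\S+).*?--dport\s+(?P<dport>\d+).*?-j\s+(?P<target>REDIRECT|DNAT)"
    r"(?:\s+--to-(?:ports|destination)\s+(?P<to>\S+))?"
)


def find_traffic_redirects(rules_text: str, watched_ports=WATCHED_PORTS) -> list:
    """Return one finding dict per nat-table rule that diverts a watched destination port."""
    findings = []
    table = None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # iptables-save table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat":                # only the nat table can rewrite destinations
            continue
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in watched_ports:
            findings.append({
                "chain": m.group("chain"),
                "dport": dport,
                "target": m.group("target"),
                "to": m.group("to"),
                "rule": line,
            })
    return findings


if __name__ == "__main__":
    for f in find_traffic_redirects(SAMPLE_RULES):
        print(f"{f['chain']}: port {f['dport']} -> {f['target']} {f['to']}   ({f['rule']})")
```

Run against the sample, the port-80 REDIRECT to local port 8888 and the port-443 DNAT are reported, while the ordinary filter-table ACCEPT rule is ignored. On a real device the input would come from `iptables-save` run on the host, and a finding should be compared against the device's known configuration rather than treated as proof of compromise on its own.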
Mitigations
| ID | Mitigation | Description |
|---|---|---|
M0947 | Audit | Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions. |
M0802 | Communication Authenticity | Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures. |
M0942 | Disable or Remove Feature or Program | Disable unnecessary legacy network protocols that may be used for AiTM if applicable. |
M0931 | Network Intrusion Prevention | Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. |
M0930 | Network Segmentation | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
M0810 | Out-of-Band Communications Channel | Utilize out-of-band communication to validate the integrity of data from the primary channel. |
M0813 | Software Process and Device Authentication | To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM. |
| M0814 | Static Network Configuration | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
DS0015 | Application Log | Application Log Content |
DS0029 | Network Traffic | Network Traffic Content |
DS0009 | Process | Process Creation |
DS0019 | Service | Service Creation |
DS0024 | Windows Registry | Windows Registry Key Modification |
References
1. Bonnie Zhu, Anthony Joseph, Shankar Sastry. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. Retrieved 2018/01/12.
2. Gabriel Sanchez. (2017, October). Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark. Retrieved 2020/01/05.
3. Carl Hurd. (2019, March 26). VPNFilter Deep Dive. Retrieved 2019/03/28.
4. William Largent. (2018, June 06). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved 2019/03/28.