
7 October 2024

Man-in-the-Middle (MITM) attacks belong to a lesser-known family of attacks directed at both companies and end users, with the primary goal of stealing sensitive information. In essence, an attacker uses deception techniques to intercept the communication between two or more devices. As a result, users end up connecting through a compromised path, and the criminal can read all the information flowing between the two endpoints.
These attacks target both individual users and companies of all sizes. The objectives vary, but they mainly focus on stealing access credentials or personal information, spying on individuals, or altering data in transit.
The phases of a Man-in-the-Middle (MITM) attack

MITM attacks consist of different phases:
1.- INTERCEPTION
This phase covers how the attacker manages to place themselves ‘in the middle’ of the connection. To achieve this, they use techniques such as:
- ARP Spoofing (Address Resolution Protocol Spoofing): This involves sending falsified ARP messages on a local network to associate the attacker’s MAC address with the IP address of another device (such as the gateway). This causes traffic intended for the original device to be redirected to the attacker, allowing them to intercept and modify the data.
- DNS Spoofing (Domain Name System Spoofing): Corrupted information is inserted into the cache of a DNS server by manipulating its responses. As a result, the victim’s DNS queries are resolved to IP addresses controlled by the attacker instead of the legitimate ones, redirecting web traffic and allowing access to sensitive information.
- IP Spoofing (Internet Protocol Spoofing): In this case, the attacker falsifies the source IP address of data packets. This can be used to impersonate a trusted machine within a network, allowing the attacker to send and receive data that appears to be legitimate.
- HTTPS Spoofing: A website is created that looks identical to a legitimate site and uses fake or compromised SSL/TLS certificates to deceive users into believing they are on a secure connection. This can be particularly effective when combined with other types of spoofing, such as DNS spoofing.
2.- DECRYPTION (optional)
If the intercepted communication is encrypted, the attacker must decrypt it to access its content. Some techniques include:
- SSL Stripping: The attacker downgrades an HTTPS connection to HTTP, causing the information to be transmitted in plaintext.
- SSL/TLS Attacks: Exploiting vulnerabilities in encryption protocols to decrypt the communication.
3.- MONITORING
Communication can be monitored, obtaining sensitive information such as login credentials, personal data, credit card numbers, etc. This phase can be passive (simply listening) or active (modifying the information in transit).
4.- MANIPULATION (optional)
In some cases, the cybercriminal not only listens to the communication but also modifies it. This can include:
- Data Insertion: Adding malicious content, such as links to phishing websites or malware.
- Data Alteration: Changing the content of messages to deceive one of the parties (for example, altering the recipient of a bank transfer).
- Data Blocking: Preventing certain messages from reaching their destination, affecting communication.
5.- CLOSURE
The attack can be concluded by ending the intercepted session, erasing traces of the intrusion, or even launching another type of attack using the information obtained.
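As a defender-side illustration of the ARP spoofing technique from the interception phase, here is an added example (not from the original article or from Cosmikal) of a small monitor that learns IP-to-MAC bindings from ARP replies and raises an alert when an IP address, above all the gateway, suddenly answers from a different MAC. The `ArpReply` records, addresses and `scan` helper are constructed sample data and assumed names; on a real network the replies would come from a packet capture.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire (only the fields the check needs)."""
    sender_ip: str
    sender_mac: str

@dataclass
class ArpSpoofMonitor:
    """Learns IP-to-MAC bindings from ARP replies and flags any that flip."""
    gateway_ip: str
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> first MAC seen
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Record the reply; return an alert if it conflicts with a learned binding."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac  # first-seen binding wins and is never overwritten
            return None
        if known == mac:
            return None
        # Same IP, different MAC: DHCP churn or a NIC swap can cause this too, so
        # an analyst still triages, but a gateway flip is treated as critical.
        level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
        alert = f"{level}: {ip} moved from {known} to {mac}"
        owners = [i for i, m in self.bindings.items() if m == mac and i != ip]
        if owners:  # the new MAC already answers for another IP: one host, two addresses
            alert += f" (MAC already owns {', '.join(owners)})"
        self.alerts.append(alert)
        return alert

# Constructed sample traffic: a clean gateway and client, then one reply in
# which the client's MAC claims the gateway address.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "02:00:00:00:00:01"),
    ArpReply("192.168.1.20", "02:00:00:00:00:20"),
    ArpReply("192.168.1.1", "02:00:00:00:00:01"),  # normal refresh, no alert
    ArpReply("192.168.1.1", "02:00:00:00:00:20"),  # gateway now "at" the client's MAC
]

def scan(replies=SAMPLE_REPLIES, gateway_ip="192.168.1.1") -> List[str]:
    """Run every reply through a fresh monitor and return the alerts raised."""
    monitor = ArpSpoofMonitor(gateway_ip)
    for reply in replies:
        monitor.observe(reply)
    return monitor.alerts
```

Detection of this kind complements, but does not replace, controls that block the poisoning itself, such as static ARP entries for the gateway or Dynamic ARP Inspection on managed switches.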
Cosmikal Endurance: Shield Against MITM Attacks
There are numerous preventive measures we can implement to avoid becoming victims of a MITM attack. It is essential to keep in mind that, in general, these network connections are infiltrated through deception of, or carelessness by, individuals. When attacks are directed at companies, employees represent the easiest entry point, making them the perfect target. Although raising awareness among individuals is crucial to make them the first line of defense, it is often not enough on its own to ensure the company’s protection.
At this point, Cosmikal Endurance is the perfect ally to ensure protection against any attempt at a MITM attack. It is a privileged access manager that secures the organization’s assets by providing a hardened desktop, protecting access to those assets, and enforcing strict management of access credentials.
Furthermore, the network segment where the assets are located is only accessible through Cosmikal Endurance, thereby preventing MITM attacks.
Thus, Cosmikal Endurance allows for centralized management of remote access to all organizational resources and is also key to complying with various mandatory European regulations, such as NIS2 and GDPR, among others.