Computing devices connect to a variety of networks, are turned on most of the time, and automatically roam between various wireless networks and cell towers without user notification or interaction. This presents the potential opportunity for data to leak from these devices if the network connection from the device is compromised and encryption is not properly implemented. As more data goes mobile, attackers are finding more sophisticated ways to get access to it. Data in transit is increasingly becoming an enterprise risk, as employees tend to be careless about connecting to public Wi-Fi or installing proxies that can decrypt data. According to a recent report, 48% of organizations don't know if their mobile devices have connected to a malicious Wi-Fi, while 24% have confirmed such an exposure. Encrypted traffic mitigates many of the threats associated with connecting to the internet through untrusted access points or proxies, but does not solve all problems. This is in part because users are being trained to install configuration profiles (on iOS, for example) with root Certificate Authorities (CAs) as part of the connection process. For example, New York City is actually requiring users to do this for their new free Wi-Fi program “LinkNYC.” The most common scenario described by the media is that of an attacker sitting in the same coffee shop as you, capturing or modifying your data as it is sent out over the free Wi-Fi. These methods can allow an attacker to view encrypted enterprise data, such as corporate login credentials. As attacks on the network increase in sophistication and prevalence, organizations need to have visibility and protection into this emerging risk.
It would be desirable to be able to ensure that a computing device is configured according to a policy that prevents or reduces the threat of a Man in The Middle (MITM) attack. There is a need to be able to detect the possibility or actuality of a MITM attacker, and to respond with warnings to a computing device or user or enterprise console or administrator, or to block insecure communications. There is a need to prevent SSL downgrade attacks. There is a need to protect applications that do not properly validate certificates. There is a need to report instances of attempted MITM attacks to an enterprise console or security data store. There is a need to have policies that can protect applications that improperly validate certificates or certificate chains or related information; or policies to disallow the usage of inappropriate certificates or configuration profiles in a computing device's trusted certificate store for particular applications or destination hosts or services (DESTHOSTs). There is a need to prevent MITM attacks.
Threat Profiles
Active network man-in-the-middle attacks can take any of several forms. The following presents a summary of the problem space of threat profiles related to MITM attacks.
Hostile Network: an attacker sets up a hostile Access Point that mimics a network a user reasonably trusts, either through previous association, or common known usage. When a computing device attaches to the network, the AP has in-line agency to intercept and modify traffic at will.
ARP Man-in-the-middle: an attacker uses gratuitous Address Resolution Protocol (ARP) to advertise its own hardware address in place of a gateway, proxy, or host on the victim's connection path.
SSLBump: an attacker subverts Dynamic Host Configuration Protocol (DHCP), or uses a malicious application, configuration profile, or other attack vector to introduce a proxy under attacker control into the configuration of the victim's network stack.
SSLStrip: an attacker subverts un-encrypted connections made by the victim, rewriting URLs in plain text documents that would normally be specified as HTTPS (Hyper Text Transfer Protocol Secure) to use plaintext HTTP (Hyper Text Transfer Protocol).
Host Certificate Hijacking: an attacker introduces a malicious certificate under attacker control into the trusted certificate store of the victim device, allowing the attacker to masquerade as one or more hosts that the victim intends to communicate with securely. An enterprise uses essentially the same technique to perform what is called “SSL intercept” or “SSL Interception,” for the purpose of providing Data Loss Prevention (DLP) or other services. SSL intercept is a process to decipher and inspect the content of data being transmitted via Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and is possible because certificates can be created that are associated with a particular hostname, or common name, in SSL nomenclature. In Host Certificate Hijacking there is a certificate that is provisioned into the trusted certificate store of a device used by an employee of the enterprise. The malicious certificate in this instance chains up to the enterprise's certificate that is stored in the trusted certificate store of a device used by an employee of the enterprise.
TLS Protocol Downgrade: an attacker manipulates the negotiated connection to downgrade the protocol or negotiated cipher suites, and lower the security guarantees of the connection.
TLS Exploit: an attacker exploits a vulnerable client or server TLS implementation to compromise the security of the transport (e.g. heartbleed vulnerability in TLS).