When dealing with the possibilities of Man-in-the-Middle scenarios found in the wild, how can ExtraHop expose or detect when these are occurring?
At a high level, the most common scenarios to be considered would be:
- SSL/SSH - TLS attacks or substitutions
- L3 MitM - route redirection and potentially DNS hijacking
- L2 MitM - ARP spoofing and MAC insertion
Any insights would be appreciated.
A MitM box uses trickery (DNS hijacking, MAC spoofing, etc.) to get in between client and server traffic. Depending on how it is doing its work, here are some things I'd expect to see:
- the machine is doing a lot of both SSL server and SSL client traffic; most machines do mostly just one or the other
- the machine is presenting SSL server certificates for domains you do not control, such as yahoo.com (either the victim is clicking through the security warnings, or the certificates are signed by a cert trusted by the victim; perhaps they accepted the malicious cert via phishing or other means)
- the amount of traffic in and out looks roughly the same by protocol
- it is acting as a DNS server, replying with its own IP address for multiple unrelated hosts (thus getting folks to send traffic to/through it)
These are some of the first things for which I’d look.
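The four indicators in the answer above, turned into detection logic over flow and DNS metadata. This is an added example written for this page; it is not code from the original thread or from ExtraHop. It assumes a record shape (client IP, server IP, certificate or SNI name, bytes each way; DNS responder, queried name, returned address) that a wire-data or flow tool would export, uses a constructed sample in which 10.0.0.5 is the relay, and treats 10.0.0.0/8 as the internal range, all of which are assumptions for the example.

```python
"""Heuristics for spotting a MitM relay from TLS flow and DNS metadata.

Added example, not from the original thread or from ExtraHop. Record
fields and the internal range are assumptions for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data. 10.0.0.5 is the suspect relay, 10.0.0.20 a normal
# client, 10.0.0.2 the legitimate resolver, 203.0.113.10 the real web server.
TLS_FLOWS = [
    # (client_ip, server_ip, cert/SNI name, bytes client->server, bytes server->client)
    ("10.0.0.20", "10.0.0.5", "www.yahoo.com", 4200, 91000),
    ("10.0.0.5", "203.0.113.10", "www.yahoo.com", 4100, 90500),
    ("10.0.0.20", "10.0.0.5", "mail.example.net", 1800, 30200),
    ("10.0.0.5", "203.0.113.10", "mail.example.net", 1750, 30000),
    ("10.0.0.20", "10.0.0.5", "intranet.corp.local", 900, 12000),
    ("10.0.0.20", "203.0.113.10", "cdn.example.org", 500, 250000),
]
DNS_ANSWERS = [
    # (responding server, queried name, returned A record)
    ("10.0.0.5", "www.yahoo.com", "10.0.0.5"),
    ("10.0.0.5", "mail.example.net", "10.0.0.5"),
    ("10.0.0.5", "login.example.com", "10.0.0.5"),
    ("10.0.0.2", "www.yahoo.com", "203.0.113.10"),
    ("10.0.0.2", "intranet.corp.local", "10.0.0.9"),
]
OWNED_DOMAINS = {"corp.local"}                       # names we legitimately serve
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed internal range


def tls_roles(flows):
    """Count TLS sessions in which each host acted as server and as client."""
    roles = defaultdict(lambda: {"server": 0, "client": 0})
    for client, server, _name, _c2s, _s2c in flows:
        roles[client]["client"] += 1
        roles[server]["server"] += 1
    return roles


def dual_role_hosts(flows, min_sessions=2):
    """Indicator 1: hosts that are both a TLS server and a TLS client."""
    return sorted(h for h, r in tls_roles(flows).items()
                  if r["server"] >= min_sessions and r["client"] >= min_sessions)


def _owned(name, owned):
    return any(name == d or name.endswith("." + d) for d in owned)


def foreign_cert_presenters(flows, owned=OWNED_DOMAINS, internal=INTERNAL_NET):
    """Indicator 2: internal servers presenting certs for names we do not control."""
    hits = defaultdict(set)
    for _client, server, name, _c2s, _s2c in flows:
        if ipaddress.ip_address(server) in internal and not _owned(name, owned):
            hits[server].add(name)
    return {h: sorted(n) for h, n in hits.items()}


def relay_ratio(flows):
    """Indicator 3: bytes sent / bytes received per host. A relay forwards what it
    gets, so its total in and out are close; a pure client or server is lopsided."""
    sent, recv = defaultdict(int), defaultdict(int)
    for client, server, _name, c2s, s2c in flows:
        sent[client] += c2s
        recv[client] += s2c
        sent[server] += s2c
        recv[server] += c2s
    return {h: sent[h] / recv[h] for h in sent if recv[h]}


def self_answering_resolvers(answers, min_names=2):
    """Indicator 4: DNS responders returning their own address for several names."""
    names = defaultdict(set)
    for server, qname, rdata in answers:
        if rdata == server:
            names[server].add(qname)
    return {s: sorted(n) for s, n in names.items() if len(n) >= min_names}


def mitm_candidates(flows=TLS_FLOWS, answers=DNS_ANSWERS, min_indicators=2):
    """Combine the indicators; a host needs at least min_indicators to be reported."""
    hits = defaultdict(list)
    for h in dual_role_hosts(flows):
        hits[h].append("dual TLS role")
    for h in foreign_cert_presenters(flows):
        hits[h].append("foreign certificates")
    for h, ratio in relay_ratio(flows).items():
        if 0.5 <= ratio <= 2.0:
            hits[h].append("symmetric byte volume")
    for h in self_answering_resolvers(answers):
        hits[h].append("self-answering DNS")
    return {h: inds for h, inds in hits.items() if len(inds) >= min_indicators}


if __name__ == "__main__":
    for host, indicators in mitm_candidates().items():
        print(host, "->", ", ".join(indicators))
```

Requiring two or more indicators matters because each one alone has a benign explanation: a corporate forward proxy or TLS-inspection appliance is a dual-role host that presents certificates for foreign names and relays symmetric traffic by design, and a split-horizon resolver legitimately answers with a local address for several names. Put such known appliances on an allow list before alerting, and treat the thresholds here (two sessions per role, a 0.5 to 2.0 byte ratio, two self-answered names) as starting points to tune against your own baseline.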