six

I work at a small-to-medium business. Most of my coworkers were born in the 1960s and do not have a background in computer science. I have a background in computer science, but I specialize in artificial intelligence, as opposed to information security.

To address this, my supervisor wants me to prepare reports on a number of topics, including Man-in-the-Middle (MitM) attacks.

I have a good idea what an MitM attack is, how it works, and how to prevent it, but not on how to report it. My supervisor wants me to explain to my coworkers how to report it to IT, and what IT will do about it.

The thing is that my research goes into the details of MitM attacks, how they work, and how to prevent them, but there seems to be nothing on how to report it. I think it is because the hackers behind these attacks are practically invisible. How do you report something that you cannot even see?

To put this another way, if my workplace was experiencing an MitM attack, what are the signs so that I can report it? Furthermore, what can IT do to get rid of it? I notice that there is a lot of information on preventing it, but not on curing it.

–  Micheal Gignac
three
  • five
    Generic "man in the middle" is a pretty broad topic. There are man in the middle attacks on protected connections which might be visible to the end user, like MITM on TLS causing certificate errors. But MITM on unprotected connections is not even visible. So you would first need to narrow down what you are even talking about. Commented Jun 21 at 5:41
  • nine
    "My supervisor wants me to explain to my coworkers how to report it to IT, and what IT will do about it." Why doesn't IT explain that? Is IT actually prepared to receive reports and to act on them? Commented Jun 21 at 13:21
  • @SteffenUllrich I think that alone is a really good argument for requiring all TLS for all traffic regardless of origin or destination. Explaining why that could be the main thrust of a report on MitM attacks/risks. Commented Jun 21 at 15:33

2 Answers

eighteen

MitM is a great topic for awareness. But as you say, it is difficult to detect.

In short, "how to report" is simple: any anomaly that appears to impact security should be reported. You are not going to feasibly train people how to analyse the hallmarks of mitm. If they run across something specific, then follow the general rule. Don't try to codify this.

seven
  • ten
    @user1067003 that's only an indication of one type of one category of mitm ... and even so, cert errors are not all mitm problems. Trying to teach non-techs to interpret cert errors is not a good use of time or training.
    –  schroeder
    Commented Jun 21 at 10:45
  • seven
    You do not need to teach the users to interpret SSL errors, but to stop using the service when the error shows up and to report it. Commented Jun 21 at 12:00
  • three
    @user1067003 It is a sign but often in a work environment, the MitM attack you detect this way is being executed by the company. That is, it's common to set up proxies and install custom CA certs on user workstations. Sometimes applications don't use the OS truststore and users encounter SSL errors about self-signed certificates. It looks just like an MitM because it basically is one, but it usually isn't a security issue. Commented Jun 21 at 15:22
  • three
    @user1067003: In order to get SSL certificate errors on MITM you would have to use SSL in the first place. MITM could address lots of unencrypted traffic: plain HTTP, DNS, mail (forcing plain by a MITM by removing advertised STARTTLS), ... Commented Jun 21 at 16:09
  • three
    @user1067003, I ran an MITM attack on a VoIP phone for a few weeks to try and troubleshoot an error producing frequent dropped calls, and the only sign of the MITM attack was an increase in reliability -- I only got one dropped call in the entire period.
    –  Mark
    Commented Jun 21 at 20:25
zero

Work with IT

Talk to your IT department since they’re the experts and they presumably have ultimate authority at your company over security matters. See if they’ll either help you prepare materials or, even better, partner with you (e.g. be a guest speaker as part of your talk). You shouldn’t have to reinvent the wheel here and since you’re telling your coworkers how to report security concerns, you should involve the department they’ll be reporting those concerns to.

Note: if another department heads up security, then work with that department.

–  bob
