AiTM Attacks | Cyber Security Training & Best Practice – Technologist

Businesses in every industry need to address the growing threat posed by Adversary-in-the-Middle (AiTM) attacks. While various phishing platforms grab headlines, AiTM is currently the most talked-about concern because it makes multi-factor authentication (MFA) less reliable: by stealing the authenticated session token and replaying it, an attacker gets past MFA without ever answering the prompt themselves.

Why is this an issue for Companies?

AiTM attacks intercept authentication tokens through well-crafted phishing pages that mimic legitimate login portals. The phishing page sits between the victim and the real portal, relays the credentials and MFA prompt, and captures the session token issued once the login succeeds. With that token, attackers can gain unauthorised access to systems without needing the original credentials or a fresh MFA prompt. Because the victim's own MFA approval is what produced the token, this method compromises MFA-protected accounts and creates significant risk for organisations.

To mitigate the impact of AiTM attacks, organisations should implement a multi-layered approach:

User Awareness Training

Human error remains one of the most significant vulnerabilities in any security strategy. Regular and comprehensive user awareness training can empower employees to recognise phishing attempts, scrutinise unusual login prompts, and report suspicious activity. Educating users on the signs of phishing can dramatically reduce the success rate of these attacks.

Phishing-Resistant MFA Solutions

Though MFA is a critical defence, certain types, like SMS or app-based codes, can be relayed through an AiTM phishing page just like the password. Organisations can dramatically increase protection by transitioning to hardware-based security options, such as YubiKeys. These devices bind the login response to the genuine site's address, so a lookalike phishing page cannot complete the sign-in, which makes them difficult for an attacker to bypass even while sitting in the middle of the login.

Leveraging Security Monitoring and Response Capabilities

Taking full advantage of available security monitoring and response tools is crucial, particularly for detecting suspicious activity such as unexpected logins or token replays (the same session appearing from a new location or device shortly after a legitimate sign-in). Although Microsoft 365 does offer advanced monitoring, these features are often included only in higher-tier licences, so the additional cost needs to be factored into your budget. For help understanding which tools to use and what is recommended, speak to your MSP or cyber security expert. For companies operating without premium licences, third-party monitoring solutions or managed services can offer additional layers of protection.

Geo-Blocking and IP Allowlisting

Though not a foolproof method, geo-blocking is effective at blocking bots and can help mitigate the initial phishing attempts made by cyber criminals. By restricting access to known or trusted regions and networks, organisations add a helpful barrier that prevents certain types of malicious traffic, including replayed tokens presented from unexpected locations, from reaching user accounts.

Token Lifespan Management

Reducing the lifespan of authentication tokens is another way to limit the window of opportunity for attackers to exploit stolen credentials. However, this must be balanced with user experience, as shortening token validity may lead to more frequent authentication requests, which could frustrate users. Organisations should assess risk tolerance and user environment to find the right balance.
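As an added example tying the monitoring and token-lifespan sections together (this is not code from the original post or from any vendor), the script below runs two simple checks over constructed sign-in events: a session token presented from a different IP address or country than the login that satisfied MFA, which is a replay indicator, and a token still being accepted beyond a configured lifetime. The JSON-lines log format and its field names are assumptions for the example, not a real product's schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Each line is one use of a
# session token; "mfa": true marks the interactive login that completed MFA.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "session": "S1", "ip": "203.0.113.10", "country": "GB", "mfa": true}
{"ts": "2024-05-01T08:05:00Z", "user": "alice", "session": "S1", "ip": "203.0.113.10", "country": "GB", "mfa": false}
{"ts": "2024-05-01T08:09:00Z", "user": "alice", "session": "S1", "ip": "198.51.100.7", "country": "DE", "mfa": false}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "session": "S2", "ip": "203.0.113.22", "country": "GB", "mfa": true}
{"ts": "2024-05-02T10:30:00Z", "user": "bob", "session": "S2", "ip": "203.0.113.22", "country": "GB", "mfa": false}
"""

def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_token_anomalies(events, max_lifetime_hours=12):
    """Return (session, user, reason) tuples for suspicious token uses.

    Replay heuristic: the token is presented from a different IP or country than
    the login that satisfied MFA. Lifetime heuristic: the token is still accepted
    more than max_lifetime_hours after that login. Mobile and VPN users change IP
    legitimately, so in practice tune on country/ASN and combine with other signals.
    """
    max_lifetime = timedelta(hours=max_lifetime_hours)
    origin = {}  # session id -> the event that completed MFA
    findings = []
    for e in events:
        sid = e["session"]
        if e["mfa"]:
            origin[sid] = e
            continue
        first = origin.get(sid)
        if first is None:
            findings.append((sid, e["user"], "token used with no MFA login on record"))
            continue
        if e["ip"] != first["ip"] or e["country"] != first["country"]:
            findings.append((sid, e["user"], f"token reused from {e['ip']} ({e['country']}), MFA done from {first['ip']} ({first['country']})"))
        if e["ts"] - first["ts"] > max_lifetime:
            findings.append((sid, e["user"], f"token still accepted {e['ts'] - first['ts']} after MFA login"))
    return findings

if __name__ == "__main__":
    for finding in find_token_anomalies(parse_events(SAMPLE_LOG)):
        print(*finding)
```

Run against the sample, it reports alice's S1 token reused from a second IP in another country, and bob's S2 token still accepted more than a day after his MFA login.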

How to defend against this Cyber Threat

AiTM attacks are a sophisticated method for evading traditional cyber security measures, but they aren’t insurmountable. Businesses can significantly enhance their security posture by implementing robust, multi-layered defences.
