Election Security Spotlight — Adversary in the Middle Attack
What It Is
An Adversary in the Middle (AiTM) attack occurs when a cyber threat actor (CTA) inserts themselves into the communication between two or more network devices or parties, such as a user and a web application. The victim believes they are securely communicating with the web application or another user. However, the communication actually goes to (or through) the CTA before being sent to the victim's intended destination, enabling the CTA to monitor, steal, and/or modify the information being communicated. A few examples of AiTM attacks include Wi-Fi eavesdropping, email hijacking, DNS spoofing, and IP spoofing.
Why It Matters
AiTM attacks pose a threat because they enable CTAs to steal and/or manipulate transmitted information (e.g., login credentials or credit card information) in real time. Further, the parties who believe they are communicating directly have no indication that their communication has been intercepted. Consider the negative ramifications that could occur in your elections organization if an employee falls victim to an AiTM attack. These include the following:
- Your credentials to log in to your voter registration system are stolen. A CTA now has access to sensitive personal information for voters in your jurisdiction.
- You are a victim of email hijacking. Voters frequently email in absentee applications and other documents. In the event of an AiTM attack, you may never receive those documents, as a CTA might steal them or change the information in the documents before you receive them. Alternatively, the CTA could compromise your email user account and distribute inaccurate or inappropriate communications to your colleagues and voters.
What You Can Do
Mitigating risk is a reasonable approach to combatting potential AiTM attacks. Here are a few recommendations:
- Endpoint protection. You can use endpoint protection to prevent cyber attacks and malware from spreading on devices. The Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) offers a no-cost Endpoint Detection and Response (EDR) solution, which provides device-level protection by blocking malicious activity and stopping an attack.
- Network Intrusion Detection System (NIDS). An NIDS, like Albert Network Monitoring and Management, can help you identify AiTM attacks by monitoring and analyzing network traffic for unusual patterns and behaviors. When it detects potential AiTM attacks, an NIDS can generate alerts notifying you of an attack so you can respond accordingly.
- Avoid phishing emails. Be cautious of emails from unknown sources. Also, avoid clicking on links in emails, as they may direct you to a malicious website. Go to the source directly instead. And don't forget to avoid opening email attachments from unknown sources, as they may contain malware that could infect your computer or steal your personal information.
- Use multi-factor authentication (MFA). This measure provides an additional layer of security, as it requires more than just entering a password.
- Use a Virtual Private Network (VPN). You should always avoid connections to unsecured public Wi-Fi networks or hotspots. If you must use an unsecured network or hotspot, ensure that you are using a VPN. A VPN encrypts data that is being transferred (e.g., login credentials and credit card information) so that anyone who does intercept it cannot read it.
- Provide training. Implement cybersecurity awareness training for all employees to educate them and protect your organization’s data.
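To make the NIDS recommendation above concrete, here is an added example (not code from the EI-ISAC, Albert, or the original spotlight) of the kind of check a network monitor applies to DNS traffic to surface the DNS spoofing variant of AiTM described under "What It Is". It assumes a small, constructed set of DNS response records in the shape a sensor might log them, and an assumed list of the resolvers the network is configured to trust. Two indicators are checked: a response that arrives from a host that is not one of the configured resolvers, and a single query that receives two different answers (a forged reply racing the real one).

```python
"""Toy network-monitor check for DNS spoofing indicators (added example)."""
from collections import defaultdict
from typing import Dict, List

# Resolvers this network is configured to use (assumed values for the example).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Constructed sample of DNS response records, as a NIDS sensor might log them.
# Hostnames and addresses are placeholders, not real election systems.
SAMPLE_RESPONSES: List[Dict] = [
    {"txid": 0x1A2B, "qname": "vr.example.gov", "answer": "203.0.113.10", "src": "10.0.0.53"},
    {"txid": 0x1A2C, "qname": "mail.example.gov", "answer": "203.0.113.25", "src": "10.0.0.53"},
    # Same transaction answered twice with different addresses: one reply is forged.
    {"txid": 0x1A2D, "qname": "vr.example.gov", "answer": "198.51.100.7", "src": "10.0.0.53"},
    {"txid": 0x1A2D, "qname": "vr.example.gov", "answer": "203.0.113.10", "src": "10.0.0.53"},
    # Reply from a host on the LAN that is not one of our resolvers.
    {"txid": 0x1A2E, "qname": "mail.example.gov", "answer": "198.51.100.9", "src": "192.168.1.77"},
]


def find_dns_spoofing_indicators(responses: List[Dict]) -> List[str]:
    """Return one alert string per suspicious DNS response.

    Indicator 1: the responder address is not a configured resolver.
    Indicator 2: the same (transaction id, name) pair received more than one
    distinct answer, which is the signature of a forged reply racing the
    legitimate one.
    """
    alerts: List[str] = []
    answers_seen = defaultdict(set)  # (txid, qname) -> set of answers observed
    for r in responses:
        if r["src"] not in TRUSTED_RESOLVERS:
            alerts.append(
                f"untrusted responder {r['src']} answered {r['qname']} with {r['answer']}"
            )
        key = (r["txid"], r["qname"])
        answers_seen[key].add(r["answer"])
        if len(answers_seen[key]) > 1:
            alerts.append(
                f"conflicting answers for {r['qname']} txid {r['txid']:#06x}: "
                f"{sorted(answers_seen[key])}"
            )
    return alerts


if __name__ == "__main__":
    for alert in find_dns_spoofing_indicators(SAMPLE_RESPONSES):
        print("ALERT:", alert)
```

A real sensor would apply the same two checks to live packets and add context such as the time window and the client that sent the query; what matters for responders is that each alert names the affected host and the reason, so the on-call staff can decide whether to quarantine the suspect machine or rotate the credentials used on the affected site.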
Please contact us at [email protected] if you have any questions.