What Is An On-Path Attack and How Does It Work?
- By Steven
- Published: Apr 05, 2024
- Last Updated: Apr 08, 2024
Suppose someone left their home, got in their car, and drove to the grocery store. Much like data packets that travel over Internet highways, the car will use various pathways to reach its destination; however, once the car gets to the store, a question remains: what happened between the generating point and the destination? If nothing happened, the driver (our data) traveled safely and without incident. On the other hand, what if a new person climbs out of the car, having gotten in at some point between the origin and destination? Moreover, what if this new person is malicious—a car hijacker who happens to need a lift to the same store (although his goal probably isn’t milk and bread)?
On-path attacks in cybersecurity work much the same way, except that the car is a data packet and the malicious passenger is a threat actor. They are a growing concern in today’s digital landscape, because an attacker can intercept or replace data packets without being detected. An on-path attack is a significant cybersecurity threat that affects individuals, communities, corporations, and the wider Internet. This article reviews what on-path attacks are, their fundamental aspects, how criminals execute them, and who the most likely targets are.
What Is an On-Path Attack?
Put succinctly, an on-path attack is a cybersecurity event in which a threat actor intercepts data in transit, before it reaches its destination. Once they hold the packet, they may view, copy, alter, or spoof it as they like; when the packet then arrives at its final location, there may be no indication that it was ever intercepted. These attacks have a set of associated tools and techniques, from packet sniffing and data manipulation to session hijacking, network takeovers, and stealthy malware infections.
On-path attacks are not a noisy form of hacking the way brute force can be. Instead, the threat actor’s goal usually serves a broader motive. For example, an actor may position themselves between two data gateways, watching for particular packets; those packets may hold sensitive information, such as consumer data, network traffic details, or anything else they can leverage. Beyond what is already in the packet, the actor may insert discreet malware for later use or scrape up any “leftover” data from the devices’ interactions. Either way, once a bad actor has a discreet vantage point from which to view and interact with the data path, they can be challenging, if not impossible, to discover and expel.
By their nature, on-path attacks are challenging for cybersecurity defenses. The actor sits between two points, often between vital network gateways, which lets them evade most detection (which usually happens at those gateways). Devices that have interacted before are at particular risk because they already trust each other; that familiarity makes it hard to spot a bad actor who has inserted themselves into the exchange. The specifics of an on-path assault depend on the attack’s mechanics and the assailant’s ultimate goals.
The Mechanics of On-Path Attacks
On-path attackers are particularly prevalent on public connections, including free Wi-Fi (like that of your favorite coffee shop) and plain Hypertext Transfer Protocol (HTTP) connections. Wi-Fi can be secured in many ways; however, an on-path attacker can manipulate a vulnerable connection, especially one with no password or a weak one. The possibility of an on-path attacker is a primary reason experts advise consumers not to use sensitive apps over unsecured connections. When Wi-Fi is not secured, an on-path attacker can execute their schemes using various techniques adapted to avoid detection and harvest data.
- Some assailants use active or passive packet sniffing. When multiple devices share a network, a “switch” directs each packet to its intended recipient. In an active sniffing attack, a malicious actor floods the switch with bogus traffic so that it stops delivering packets selectively, then searches the legitimate traffic it can now see for useful information. Passive sniffing, by contrast, can hide on almost any connection, since it simply observes data as it passes without generating traffic of its own. Active sniffing is far easier to detect because it requires the attacker to make themselves known.
- Other attackers manipulate the Address Resolution Protocol (ARP), a technique called ARP poisoning; this on-path vector lets an actor redirect traffic within a network and modify it in transit. It requires the attacker to be on the same local IP subnet as the devices. Because the devices already recognize each other, a recipient will accept a spoofed address mapping without verifying that it really came from the device it claims, and the poisoned entry then remains stored in the recipient’s ARP cache.
- A malicious actor may launch a session hijacking scheme. These attacks involve taking over a device’s “session” token, the credential that ties it to a particular web server. A threat actor might hijack a session in two primary ways: by sniffing and copying the session token to access the server, or by predicting the token after sniffing enough samples to learn its format. Such attacks allow unauthorized access to otherwise secure web servers.
- An assailant may exploit network vulnerabilities to further their plot. Networks have many potential weaknesses, from misconfigured permissions to outdated or unpatched software. The older the network, the more likely that modern tooling can breach it and take its data. Weak passwords, single-factor authentication, incomplete firewalls, removable media, and missing data backups all contribute to these exploitable vulnerabilities.
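The ARP poisoning item above describes the defender’s problem: a host accepts a spoofed mapping and keeps it in its ARP cache. The following is an added example, not code from the original article or from any tool it names, of the check a network monitor (in the spirit of arpwatch) performs against that. It learns which MAC answers for each IP, alerts when a later reply contradicts a learned binding (escalating when the gateway is the IP being re-bound), and reports any MAC that has claimed more than one IP. The gateway address, MAC values and ARP replies are constructed sample data.

```python
# Added example (not from the original article): a minimal ARP-reply monitor.
# All replies below are constructed sample data, not captured traffic.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ArpReply:
    ip: str   # sender protocol address: the IP this reply answers for
    mac: str  # sender hardware address claimed for that IP


@dataclass
class ArpMonitor:
    gateway_ip: str
    bindings: Dict[str, str] = field(default_factory=dict)     # ip -> first MAC seen
    claims: Dict[str, Set[str]] = field(default_factory=dict)  # mac -> every IP it claimed
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Record one ARP reply; return an alert string if it contradicts what we learned."""
        self.claims.setdefault(reply.mac, set()).add(reply.ip)
        known = self.bindings.get(reply.ip)
        if known is None:
            self.bindings[reply.ip] = reply.mac  # first time we see this IP
            return None
        if known == reply.mac:
            return None                           # consistent with the learned binding
        # The binding changed. A reply re-binding the gateway is the classic
        # "sit between the hosts and the router" pattern, so it gets top severity.
        severity = "HIGH" if reply.ip == self.gateway_ip else "MEDIUM"
        alert = f"{severity}: {reply.ip} was {known}, now claimed by {reply.mac}"
        self.alerts.append(alert)
        # Keep the original binding so a flood of spoofed replies cannot
        # "train" the monitor into accepting the new MAC.
        return alert

    def multi_ip_macs(self) -> Dict[str, Set[str]]:
        """MACs that answered for more than one IP (one host posing as several)."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}


# Constructed sample: a gateway, two hosts, then one host's MAC answering
# for the gateway and for the other host, then the real gateway again.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("192.168.1.10", "aa:aa:aa:aa:aa:10"),
    ArpReply("192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:20"),   # gateway re-bound -> HIGH
    ArpReply("192.168.1.10", "aa:aa:aa:aa:aa:20"),  # host re-bound -> MEDIUM
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # matches learned binding, no alert
]


def run_monitor(replies=SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
    """Feed replies through the monitor and return (alerts, multi_ip_macs)."""
    mon = ArpMonitor(gateway_ip=gateway_ip)
    for r in replies:
        mon.observe(r)
    return mon.alerts, mon.multi_ip_macs()


if __name__ == "__main__":
    alerts, suspects = run_monitor()
    for a in alerts:
        print(a)
    for mac, ips in suspects.items():
        print(f"{mac} answered for {len(ips)} IPs: {sorted(ips)}")
```

The design choice worth noting is that the monitor never overwrites a learned binding on conflict; a real host that legitimately changes its network card will keep raising alerts until an operator confirms the change, which is the safer failure mode on a subnet where poisoning is a concern.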
Real-World Scenarios and Case Studies
On-path attacks have always been a threat in our digital world. They let malicious actors gather or access information without attracting attention, which makes them dangerous to the public. That said, on-path techniques are also used as a tool by reputable agencies, and they have figured in a number of historical cybersecurity incidents.
- The most notable of these incidents may be from 2013, when the NSA used an on-path attack to impersonate Google. The operation used a fake security token that allowed the NSA to pose as Google, bypassing browser security checks and intercepting data. The NSA never commented on the event, which significantly contributed to the public’s misgivings about the agency.
- In December 2013, Nokia admitted that it was decrypting its devices’ HTTPS traffic. The company initially justified the practice as necessary for faster page loading and a better user experience; however, decrypting and relaying the data also exposed it to threat actors. The public did not overlook that threat, and it significantly contributed to the eventual downfall of the communications giant.
- Another significant incident came in 2017, when Equifax discovered that its applications were using plain HTTP. The bureau immediately pulled its mobile applications from the public, but the swift response was met with annoyance. Had a threat actor accessed the application, they could have manipulated users into revealing private data, from financial accounts to personal identifiers.
Tools and Methods Used by On-Path Attackers
On-path assailants, like attackers of many other kinds, have a vast array of tools and software to choose from. Some are sold as SaaS, where a buyer can purchase everything needed to spy on a network path, while other tools are more specialized, requiring skilled operators or dark-web access to obtain. The most common tools used by on-path attackers include:
- Cain & Abel: a powerful password recovery tool for Windows operating systems
- SSLsplit: a tool meant for attacking SSL/TLS-encrypted connections
- Metasploit: a penetration testing framework that tests for vulnerabilities
- Nessus: a network scanning tool used to identify potential targets and their vulnerabilities
When it comes down to it, the tools an on-path attacker uses depend on their skills and their target’s defenses. Tools like Nessus allow threat actors to scan networks for possible targets and vulnerabilities; however, the real work begins once they’ve decided on a target.
After obtaining access to a pathway, they have various options, from lateral movement within the network to complex data exfiltration. However, the tools they use (even if they build a tool from scratch to manipulate a specific environment) usually come with some indicators—and if a cybersecurity expert can identify these threats, they can detect an on-path attacker before they sniff out vital information.
Detection and Indicators of On-Path Attacks
There are many ways to detect an on-path attacker, although each environment (and each attack) has its own aspects to consider. Most often, attackers are discovered after significant changes in network data, unusual behaviors, or unexpected changes to the system. Some of the most common indicators of an on-path attacker include:
- Unusual network traffic, most commonly discovered by network monitoring tools. Spikes and anomalies in this data may suggest an unauthorized actor is perusing the environment.
- Packet abnormalities or packet loss, most commonly diagnosed by deep packet inspection tools. An increased packet loss rate could indicate an on-path attacker intercepting the packets.
- Strange or abnormal user behavior, most commonly detected through behavioral analytics, log analysis, or unauthorized access attempts. If a basic user account accesses restricted areas, a threat actor may have taken over that profile.
Upon detecting a threat, an employee or official can launch an “incident response” plan. These plans are highly nuanced and contain a comprehensive list of the information needed during a cyber assault. Incident response frameworks lay out many essential elements of an organization’s reactive defenses, including:
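Two of the indicators above, a traffic spike from one source and an ordinary account reaching restricted areas, are easy to turn into concrete log checks. The block below is an added example, not code from the original article: it parses a simple access-log format, flags any source whose request count is far above the median of the other sources, and flags non-admin accounts that touch protected paths. The log format, the restricted-path prefixes, and every log line are constructed for the illustration.

```python
# Added example (not from the original article): two on-path indicators as
# checks over access-log lines. Format, prefixes and lines are constructed.
import re
from collections import Counter
from statistics import median
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Assumed layout of the protected area of the application.
RESTRICTED_PREFIXES = ("/admin", "/internal")

# Constructed sample log: three ordinary sources, one admin, one source
# (10.0.0.99) issuing twelve requests, and one user-role account on /admin.
SAMPLE_LOG = """\
2024-04-05T10:00:01Z src=10.0.0.5 user=alice role=user path=/home status=200
2024-04-05T10:00:02Z src=10.0.0.6 user=bob role=user path=/reports status=200
2024-04-05T10:00:03Z src=10.0.0.5 user=alice role=user path=/reports status=200
2024-04-05T10:00:04Z src=10.0.0.7 user=carol role=admin path=/admin/users status=200
2024-04-05T10:00:05Z src=10.0.0.6 user=bob role=user path=/home status=200
2024-04-05T10:00:06Z src=10.0.0.7 user=carol role=admin path=/admin/audit status=200
2024-04-05T10:00:07Z src=10.0.0.6 user=bob role=user path=/admin/users status=200
""" + "".join(
    f"2024-04-05T10:00:{10 + i:02d}Z src=10.0.0.99 user=dave role=user "
    f"path=/search?q={i} status=200\n"
    for i in range(12)
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse lines into dicts, skipping anything that does not match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_rate_spikes(records: List[Dict[str, str]], factor: float = 3.0) -> Dict[str, int]:
    """Sources whose request count exceeds `factor` times the median per-source count."""
    counts = Counter(r["src"] for r in records)
    if len(counts) < 2:
        return {}  # no peer group to compare against
    baseline = median(counts.values())
    return {src: n for src, n in counts.items() if n > factor * baseline}


def find_restricted_access(records: List[Dict[str, str]],
                           admin_roles=("admin",)) -> List[Dict[str, str]]:
    """Non-admin accounts that reached a restricted path (possible account takeover)."""
    return [r for r in records
            if r["role"] not in admin_roles and r["path"].startswith(RESTRICTED_PREFIXES)]


def analyze(text: str = SAMPLE_LOG):
    """Run both checks and return (spikes, restricted_hits)."""
    records = parse_log(text)
    return find_rate_spikes(records), find_restricted_access(records)


if __name__ == "__main__":
    spikes, hits = analyze()
    for src, n in spikes.items():
        print(f"rate spike: {src} made {n} requests")
    for r in hits:
        print(f"restricted access: user={r['user']} role={r['role']} path={r['path']}")
```

The median-based baseline is deliberately crude; in production the comparison would be against that source’s own history over a rolling window, but the shape of the check, a per-source count judged against a peer baseline plus a role-versus-path rule, is the same.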
- Communications lists, which may include stakeholders, professionals, or regulators
- Detection of the threat, using the methods above or another manner
- Containment of the threat, most commonly isolating the impacted systems
- Analysis of the event, usually an analysis of the scope, impact, and methods used
- Exposure of the threat, removing the actor and their malicious tools
- Recovery from the event, which allows operations to normalize
- Post-event reviews, allowing professionals to identify lessons learned
- Follow-up documentation, a comprehensive history of the changes made to the document following any system updates or threat events
Preventive Measures and Best Practices
Preventing an on-path attack starts with basic cybersecurity hygiene. For example, many on-path attacks are preventable by implementing HTTPS (the secure version of the protocol Equifax struggled with in 2017) and end-to-end encryption (E2EE), which encrypts data the moment a device generates it and keeps it encrypted until it reaches the intended recipient. Secure protocols and network security controls can likewise mitigate many threats before they ever gain access to an IT environment. Some of the most popular mitigations include:
- Password-protected virtual private networks (VPNs): these create an encrypted tunnel through which data can travel safely (don’t give out the password).
- Secure Shell (SSH): provides encrypted remote access and file transfer within a network, protecting traffic between devices and servers.
- Network segmentation: network design should divide the operating network into segments with different security levels; this limits a threat actor’s ability to move laterally through the environment.
- Strong access controls: access controls are highly valuable in stopping threats before they succeed. These include multi-factor authentication and role-based access control.
- Regular security audits: when scheduled, these may include routine network and environment patch management, security awareness training, and comprehensive network review (performed by employees or outside experts).
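The session hijacking vector described earlier (sniffing or predicting a session token) and the HTTPS advice in this section meet in how a web application issues and checks its session cookie. The following is an added example, not code from the original article, of a small server-side session store that applies those controls: tokens drawn from the operating system’s cryptographic random generator so there is no format to learn or sequence to extrapolate, cookie attributes that keep the token off plaintext HTTP and away from scripts, outright rejection of a session presented over plain HTTP, an idle timeout so a copied token has a short life, and rotation at login to defeat session fixation. The cookie name, idle timeout, user names and controllable clock are assumptions for the illustration.

```python
# Added example (not from the original article): session handling hardened
# against token sniffing and prediction. Cookie name and timeout are assumed.
import hmac
import secrets
import time
from typing import Dict, Optional

COOKIE_NAME = "sid"      # assumed cookie name
IDLE_TIMEOUT = 15 * 60   # assumed policy: seconds of inactivity before a session dies


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}  # token -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: unpredictable, no structure
        # for a sniffer to "learn" from a handful of observed tokens.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    @staticmethod
    def set_cookie_header(token: str) -> str:
        # Secure: the browser only sends it over HTTPS, so a plaintext-HTTP
        # on-path observer never sees it. HttpOnly: page scripts cannot read it.
        # SameSite=Strict: never attached to cross-site requests.
        return f"{COOKIE_NAME}={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def _lookup(self, token: str) -> Optional[str]:
        # Constant-time comparison so lookup timing does not reveal how many
        # leading characters of a guessed token matched a real one.
        for stored in self._sessions:
            if hmac.compare_digest(stored, token):
                return stored
        return None

    def validate(self, scheme: str, token: Optional[str]) -> Optional[str]:
        """Return the user for a valid session, or None. Plain HTTP is always rejected."""
        if scheme != "https" or not token:
            return None
        key = self._lookup(token)
        if key is None:
            return None
        sess = self._sessions[key]
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]  # expired: a copied token is only useful briefly
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user and invalidate the old one
        (done at login and on privilege change to defeat session fixation)."""
        key = self._lookup(token)
        if key is None:
            return None
        user = self._sessions.pop(key)["user"]
        return self.create(user)


def demo() -> dict:
    """Walk through the controls with a constructed, controllable clock."""
    clock = [1_700_000_000.0]  # constructed epoch time
    store = SessionStore(clock=lambda: clock[0])
    tok = store.create("alice")
    results = {
        "cookie": store.set_cookie_header(tok),
        "https_ok": store.validate("https", tok),      # "alice"
        "http_rejected": store.validate("http", tok),  # None: never over plaintext
    }
    new = store.rotate(tok)
    results["new_token"] = new
    results["old_after_rotate"] = store.validate("https", tok)  # None
    results["new_ok"] = store.validate("https", new)            # "alice"
    clock[0] += IDLE_TIMEOUT + 1                                # idle past the limit
    results["expired"] = store.validate("https", new)           # None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `Secure` attribute is the piece that ties back to HTTPS: even if a user’s browser is tricked onto a plain-HTTP version of the site, the cookie is never transmitted, so an on-path observer on the coffee-shop Wi-Fi has nothing to copy.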
On-path attacks are part of our digital world, but that doesn’t mean the public should suffer for them. An on-path attack can happen to any organization at any time, and those without a clear understanding of them can easily fall victim to invisible threats. Vigilance and proactive measures are the best defenses an organization, consumer, or agency has to avoid these incidents.
Want to know more about the threats we all face online? Check out our other blogs to learn about side-channel attacks, social engineering, incident response plans, breaches, fraud, scams, and more.