Detecting Man in the Middle Attacks With Canary Requests

Wednesday 5 October 14:30 - 15:00, Green room

Brian Wallace (Cylance)

Man-in-the-middle attacks are troublesome when maintaining security. An attacker in a man-in-the-middle position gains powerful levels of leverage, both increasing attack surface while decreasing the ability to defend against attacks. Some dismiss man-in-the-middle attacks as corner cases as they supposedly rarely occur, but how can one claim rarity without a detection method? Introducing MITM Canary, a cross-platform/device open source tool which utilizes remote servers serving static content to launch a battery of tests to detect a variety of man-in-the-middle attacks.

Many of the tests are simple. They download files they already know the contents of over insecure channels and verify the results. Other methods leverage existing techniques in secure communication methods to detect attackers. More specific cases emulate network activity from vulnerable software in order to detect attacks. There are even some local network checks allowing for further protection on commonly used networks.

By observing MITM attacks in an external application, we can enable protective measures, such as disabling network connectivity, alerting the user, or enabling a VPN if one is not already enabled.

Click here for more details about the conference.


Brian Wallace

Brian Wallace is a security researcher at Cylance with experience in software engineering, reverse engineering, malware analysis, vulnerability research, machine learning, and more. As the primary researcher responsible for exposing the threat actor behind Operation Cleaver, he also has experience as a threat actor investigator. Brian additionally works on non-traditional methods to dissuade threat actors from their targets. He regularly builds tools to solve problems and automate solutions, which are commonly published as open source tools. One of these tools, bamfdetect, statically identifies botnet malware samples, and attempts to extract their configuration details from them, allowing for quick and clean identification of command and control servers.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.