AiTM Attack Prevention Strategies: A Challenger’s Perspective

Written by
Carla Nadin

July 10, 2023


The rising prevalence of AiTM (Adversary in the Middle) threats in 2023 requires innovative and reliable cybersecurity countermeasures. In this blog we contrast two distinct AiTM mitigation strategies: one from the well-established market leader, Microsoft, and one from us, based on a first-principles approach of addressing the root cause and preventing AiTM altogether. Our research covers the strengths and weaknesses of each strategy and evaluates their impact on the wider cybersecurity landscape, providing insights for decision-makers tasked with strengthening AiTM threat prevention capabilities.

Key findings:

- Microsoft provides a robust solution for detection but does not prevent.
- The Microsoft solution involves layers of licences, which can add complexity and can quickly become expensive per user per year.
- AuthN by IDEE presents a proactive approach that focuses on prevention with one simple solution.

Microsoft's Approach: Comprehensive but Costly

Microsoft's AiTM mitigation strategy is a multi-tiered approach, integrating numerous controls, alerts, and detection systems available in the Premium licensing plans such as Business Premium or E5. It is a convenient way to acquire a comprehensive tooling kit from one source.

The flagship of Microsoft's solution is risk-based Conditional Access, a capable way of adding controls and policies post-authentication. Microsoft Defender and the alerts generated by Identity Protection complement it with elaborate alerts, datasets, and dashboards.

However, while these tools are efficient at identifying potential AiTM threats, they do not inherently prevent them, and they may even block valid users because of false-positive alerts.

Furthermore, in most cases the Conditional Access Policy, upon blocking a suspicious login, requires completion of MFA to grant access. The effectiveness of the Conditional Access Policy is therefore closely tied to the reliability of the MFA method it relies upon to authorize access.

Here, we demonstrate how it is possible to bypass Microsoft's MFA method in just a few minutes in an Adversary in the Middle (AiTM) attack.

Moreover, the suggestion to exclude some admin accounts from the Conditional Access Policy potentially raises security issues, and the defensive measures do not extend to other enterprise services that are not managed under Azure AD.

Microsoft's recommended architecture comes at a price, with a significant step up between regular subscriptions and premium subscriptions, and these additional layers create a complex environment that could also affect service or outsourcing spend.

Microsoft's MFA: A Weak Link

Microsoft's MFA solution, Microsoft Authenticator, has significant weaknesses that make it prone to AiTM attacks. The main drawback is its inherent reliance on phishable authentication factors during the crucial stages of registration, adding a new device, authentication, and recovery, which makes the solution highly susceptible to AiTM threats.

Moreover, even the phishing-resistant protocols like FIDO2 and WebAuthn depend on Microsoft Authenticator during critical stages of their operation. The problem is not the use of FIDO2 and WebAuthn per se, but their dependence on phishable factors at registration, when adding a new device, and at recovery. These weak links can be exploited by attackers, thus undermining the security that protocols like FIDO2 and WebAuthn were designed to provide.
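To make the distinction above concrete, here is an added example (not code from IDEE or Microsoft) of the relying-party checks that give WebAuthn its phishing resistance. The browser fills in the `origin` field of `clientDataJSON` from the page the user actually loaded, and the authenticator signs `authenticatorData || SHA-256(clientDataJSON)`, so a response obtained through a relay at a lookalike domain carries the relay's origin and is rejected before any credential is trusted. The relying-party origin, the lookalike domain and all sample data are constructed for the example. Note that nothing here checks how the credential was registered or recovered: if that stage was bootstrapped with a phishable factor, this check only protects a key that was never the user's to begin with, which is the weak link the paragraph describes.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Relying-party origin (assumed value for this example).
RP_ORIGIN = "https://login.example.com"


def new_challenge() -> str:
    """Fresh per-ceremony challenge, base64url without padding as WebAuthn uses."""
    return secrets.token_urlsafe(32)


def verify_client_data(client_data_json: bytes, expected_challenge: str,
                       expected_type: str = "webauthn.get") -> Tuple[bool, str]:
    """Checks the relying party makes on clientDataJSON before looking at the
    signature: ceremony type, challenge freshness and, decisively for AiTM, origin."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != expected_type:
        return False, "unexpected ceremony type %r" % data.get("type")
    got = str(data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, expected_challenge.encode()):
        return False, "challenge mismatch (stale or replayed response)"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin %r is not the relying party origin" % data.get("origin")
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON).
    Because the origin lives inside clientDataJSON, a relay cannot rewrite it
    without invalidating the signature."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def build_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the browser's serialisation. In a real browser the
    origin field is set by the browser from the page's origin; page script cannot
    choose it."""
    return json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three constructed responses: genuine, relayed via a lookalike origin, stale."""
    challenge = new_challenge()
    genuine = build_client_data(RP_ORIGIN, challenge)
    # Constructed lookalike origin: a proxy in the middle only ever obtains a
    # response stamped with the origin the victim's browser actually loaded.
    relayed = build_client_data("https://login-example.com", challenge)
    # Response to some other challenge: rejected before origin is even considered.
    stale = build_client_data(RP_ORIGIN, new_challenge())
    return {
        "genuine": verify_client_data(genuine, challenge),
        "relayed": verify_client_data(relayed, challenge),
        "stale": verify_client_data(stale, challenge),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8s} accepted={ok} ({reason})")
```

Running the block prints one line per constructed response; only the genuine one is accepted. In a real deployment the origin comparison is followed by verifying the signature over `signed_payload(...)` with the public key stored at registration, which is why the trustworthiness of that registration step matters as much as the check itself.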

Why not simply focus on prevention from the outset?

AuthN by IDEE's Approach: Transitive Trust & Beyond

In the realm of AiTM attack prevention, AuthN by IDEE charts a different course from Microsoft's strategy. Its approach prioritizes pre-emptive AiTM attack prevention, removing the need for additional detective tools. This focus significantly reduces the administrative overhead traditionally associated with managing tools like Microsoft 365 Defender, Conditional Access Policy, and Identity Protection.

Moreover, AuthN's approach introduces a key differentiating factor: the concept of transitive trust during registration and adding a device. Instead of relying on potentially vulnerable, phishable authentication factors, AuthN establishes a transitive trust model between the user and the device during registration. This trust extends to the process of adding new devices, effectively fortifying these critical stages against AiTM attacks.

By ensuring this continuous, reliable trust chain, AuthN mitigates the inherent vulnerabilities of MFA and circumvents the limitations of Conditional Access Policies. The result is a strategy that is immune to potential internal threats and guarantees robust authentication through the entire identity lifecycle: from registration, to adding a new device, to authentication and recovery. In doing so, it provides an additional layer of protection against the manipulation of access permissions by internal malicious actors, such as those exploited by ransomware groups like Lapsus$.

Thus, AuthN by IDEE presents a forward-thinking, comprehensive solution to AiTM attack prevention, effectively addressing the vulnerabilities in the traditional approaches and redefining the standards for cybersecurity.

In Conclusion

While Microsoft's guidelines provide a robust foundation for AiTM defense, they come with inherent challenges that could undermine the effectiveness of an organization's cybersecurity strategy. They also carry a significant price tag per user per month, since many products are bundled together.

In contrast, AuthN provides a superior, comprehensive approach to cybersecurity. Rather than merely detecting potential threats, AuthN adopts a proactive stance, preventing credential phishing entirely, thereby eliminating the possibility of AiTM attacks altogether.

In addition, AuthN enhances an organization’s cybersecurity posture by improving security while preserving simplicity. With AuthN, organizations can bolster their security defences swiftly, unlike more complex systems that require extensive setup and maintenance.

In summary, AuthN not only delivers superior protection against AiTM attacks but does so with unrivalled speed and simplicity. Its proactive, preventive approach, combined with easy implementation, makes AuthN a significant disruptor in the cybersecurity landscape.
