Detecting Man in the Middle Attacks With Canary Requests

Presented at VB2016, Oct. 5, 2016, 2:30 p.m. (30 minutes)

Man-in-the-middle attacks are troublesome when maintaining security. An attacker in a man-in-the-middle position gains powerful levels of leverage, both increasing attack surface while decreasing the ability to defend against attacks. Some dismiss man-in-the-middle attacks as corner cases as they supposedly rarely occur, but how can one claim rarity without a detection method? Introducing MITM Canary, a cross-platform/device open source tool which utilizes remote servers serving static content to launch a battery of tests to detect a variety of man-in-the-middle attacks.

Many of the tests are simple. They download files they already know the contents of over insecure channels and verify the results. Other methods leverage existing techniques in secure communication methods to detect attackers. More specific cases emulate network activity from vulnerable software in order to detect attacks. There are even some local network checks allowing for further protection on commonly used networks.

By observing MITM attacks in an external application, we can enable protective measures, such as disabling network connectivity, alerting the user, or enabling a VPN if one is not already enabled.


  • Brian Wallace - Cylance
    Brian Wallace Brian Wallace is a security researcher at Cylance with experience in software engineering, reverse engineering, malware analysis, vulnerability research, machine learning, and more. As the primary researcher responsible for exposing the threat actor behind Operation Cleaver, he also has experience as a threat actor investigator. Brian additionally works on non-traditional methods to dissuade threat actors from their targets. He regularly builds tools to solve problems and automate solutions, which are commonly published as open source tools. One of these tools, bamfdetect, statically identifies botnet malware samples, and attempts to extract their configuration details from them, allowing for quick and clean identification of command and control servers.


Similar Presentations: