Stopping AiTM attacks: The defenses that actually work after authentication succeeds
Summary
Adversary-in-the-middle (AiTM) phishing bypasses traditional authentication by intercepting session tokens in real time after a user has successfully authenticated. Current defenses mostly focus on strengthening the authentication step itself, but attackers now target the session tokens directly, which are often treated as inherently trustworthy once issued. This article discusses controls that mitigate AiTM attacks by focusing on session security after authentication.
IFF Assessment
AiTM attacks represent an evolving threat that bypasses conventional security measures, making it harder for defenders to protect against them.
Defender Context
Defenders need to move beyond just strengthening authentication methods and implement controls that focus on the security of session tokens. This includes binding sessions to managed and compliant devices and implementing continuous verification mechanisms to detect anomalies in session behavior.
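The two controls named above, device-bound sessions and continuous verification, as an added illustration that is not from the article. It assumes the relying party receives a device identifier and a compliance flag (here plain values) from device attestation or MDM and can re-check them on every request.

```python
# Added example (not from the article): bind a session to the device that
# authenticated and re-verify that binding on every request.
from dataclasses import dataclass
import hashlib

@dataclass
class Session:
    user: str
    device_id: str   # assumed to come from device attestation/MDM at sign-in
    ua_hash: str     # hash of the User-Agent seen at sign-in
    ip: str          # client address at sign-in
    revoked: bool = False

def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]

def issue_session(user, device_id, user_agent, ip, compliant):
    """Issue a token only to a compliant device and record its binding."""
    if not compliant:
        return None
    return Session(user, device_id, _ua_hash(user_agent), ip)

def verify_request(session, device_id, user_agent, ip, compliant):
    """Continuous verification: returns (allowed, reason) for one request."""
    if session.revoked:
        return False, "session revoked"
    if device_id != session.device_id:
        session.revoked = True      # token presented from a different device
        return False, "device mismatch: token used off the bound device"
    if not compliant:
        session.revoked = True      # bound device no longer meets policy
        return False, "device fell out of compliance"
    if _ua_hash(user_agent) != session.ua_hash:
        session.revoked = True      # client software changed mid-session
        return False, "user-agent changed within session"
    if ip != session.ip:
        return True, "ip changed (allowed, log for review)"
    return True, "ok"

# Constructed sample events (device_id, user_agent, ip, compliant): a normal
# session, then the same token presented from an unmanaged host.
EVENTS = [
    ("dev-managed-01", "Edge/120", "203.0.113.5", True),
    ("dev-managed-01", "Edge/120", "203.0.113.9", True),    # roaming, allowed
    ("dev-unknown-77", "curl/8.4", "198.51.100.2", False),  # replayed token
    ("dev-managed-01", "Edge/120", "203.0.113.5", True),    # original client, now cut off
]
```

Once the binding check fails, the session is revoked for everyone holding the token, so the legitimate user is forced back through authentication rather than sharing a live session with the attacker.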