Watering Hole Attack
Updated: Jul 8, 2018
A “watering hole attack” is one of many techniques used by cyber criminals to breach an organization’s online information system. Network security administrators should understand how watering hole attacks work, and how to guard against them.
Watering hole attacks are neither new or common, but they continually resurface and can cause extensive damage. Earlier this year, according to an article by Reuters, hackers from North Korea used watering hole attacks to infiltrate financial institutions in Poland, Mexico, the U.K, and the United States.
The phrase watering hole attack comes from predators in the natural world who lurk near watering holes, waiting for their desired prey. In a network watering hole attack, cyber criminals set traps in websites that their target victims are known to frequent. Often the booby-trapped websites are smaller, niche sites that tend to have limited security. These sites can include business partner sites or small websites that provide specific products, services, or information to the target company or industry. When visited, the compromised website infects the target end-users computer or device with keyloggers, ransomware, and other types of malware.
How a Watering Hole Attack Works
A watering hole attack is a carefully designed and executed assault, and typically includes the following phases:
The attacker initially profiles its targets to learn which websites they frequently visit.
The attacker then probes those frequently visited websites, identifying any that have weaknesses and vulnerabilities.
When the target user’s browser connects to the malicious site, code running on the website interacts with the victim’s browser and probes the victim’s PC or device for unpatched and vulnerable applications or operating systems.
If vulnerabilities are found on the victim’s device, the malicious website installs malware on the victim’s machine.
Once infected, the malware on the user’s device, depending on the type of malicious code involved, will attempt to undertake a variety of malicious activities. It may scramble the user’s data and request a ransom to recover it, or capture IDs, passwords and payment card data as it’s entered by the user. Alternatively, the malware may steal data from the victim’s employer or perform a host of other malicious activities.
Watering Hole Attacks Pose Significant Threats to Network Security
While watering hole attacks are not necessarily common, they do pose a significant threat because they are difficult to detect. Infected websites are generally trusted entities and individuals and organizations may not fully scrutinize them. In some instances, they belong to business partners that don’t have strong security procedures in place. That increases the risk for any organization or individual that interacts with them.
Another problem with watering hole attacks is the difficulty in training employees to avoid infected sites. Organizations can train employees how to recognize and avoid most phishing emails, but there is no way for a user to identify a compromised website without the assistance of a tool specifically designed to do just that.
Fortunately, there are technical solutions available that don’t depend on end users.
Protection from Watering Hole Attacks
There are several things an organization can do to protect themselves from watering hole attacks. To begin with, every company should enforce or at least encourage compliance with the following:
Keep all commonly used software and operating systems patched and updated to the latest versions
Ensure firewalls and other security products are properly configured
Inspect all popular websites that employees visit and routinely inspect these sites for malware
Immediately block traffic to all compromised sites and notify the site owner
Inspect your own websites, even internal sites to make sure they are malware free
To the extent practical and available, configure browsers or other tools to use website reputation services to notify users of known, bad websites
Educate your employees, especially those with access to critical data and infrastructure, about watering hole attacks
Network Security Monitoring is Essential
In addition to the above basic steps, to prevent sophisticated watering hole attacks organizations must deploy advanced network security monitoring tools.
Sophisticated watering hole attacks use previously unseen exploits and tactics commonly referred to as zero-day threats. Because traditional signature-based controls rely on past knowledge of the threat, they do not effectively detect sophisticated watering hole and other attacks. It is therefore imperative that organizations deploy additional layers of advanced threat protection such as network security monitoring and behavioral analysis. These technologies, as reported by infosecurity-magazine.com have a far greater likelihood of detecting so-called zero-day threats.
While watering hole attacks have different payloads and objectives, the malware these attacks use virtually all communicate with command and control servers (C&C). By implementing network security monitoring tools specifically designed to detect these malicious communications, organizations can detect an attack early on and prevent it from escalating. Likewise, by performing deep-content inspection of suspicious website pages or code, advanced malware detection technologies can identify malicious behaviors before they cause additional damage.
Summary – Treat All Third-Party Traffic as Untrusted Until Verified
Watering hole attacks are an effective way for cyber criminals to bypass typical enterprise security controls and target a specific audience. As such, they aren’t likely to go away anytime soon. Network security administrators need to anticipate their presence and take appropriate countermeasures.
If there’s a key takeaway for protection from watering hole attacks it’s that organizations must treat all third-party traffic as untrusted until otherwise verified. It doesn’t matter if the content comes from an obscure partner site or a popular and well-known site, it all needs verification.
That verification is best done by a multi-pronged defense strategy that includes advanced network security monitoring and deep content inspection.
To know more about this attack watch this video: