What is a Watering Hole Attack?
The terminology of online security threats continues to change, and the creative naming can be both ambiguous and explanatory. The most recent concern is the watering hole attack, an increasing risk as personal devices and cloud services come into wider use.
Quickly evolving internet attacks find creative ways to plant malicious code and malware on a computer or network. The one constant across these attacks is the goal: to gain access to specific information, such as IP, customer information, and financial data. Older and more well-known attacks came in the form of poorly worded emails enticing the user to click a link or download a file. Attacker techniques then evolved into more complicated spear phishing aimed at specific individuals. In a “watering hole” attack, malicious code is inserted into a site the targets visit frequently. Since it is too difficult to get malware onto major sites, attackers need to know which smaller, less secure sites (the watering holes) your employees visit.
Attackers can learn which sites are visited and how often, and which sites the network firewall allows. All of this can be identified with tracking services, which silently capture the necessary information without users ever being aware that their online activity is being followed. Vulnerable sites include smaller businesses and blogs that lack strict security. When a user visits the compromised site, the malicious code redirects the browser to a different site so the user’s machine can be assessed for vulnerabilities. Nothing is downloaded or clicked; this drive-by download technique places a piece of code in the background, and when that code runs, the computer is assessed for vulnerabilities. Tracking services are a key part of what makes watering hole attacks effective.
Prevention of these malicious attacks requires more than just employee awareness. The following steps work best when used together.
- Disable website tracking. Browser security settings can be adjusted to decrease cookie storage.
- Timely software updating. Maintain the latest software patches and system updates.
- Vulnerability shielding. “Virtual patches” assume that a definable network path will be taken to exploit a vulnerability. Scanning suspicious traffic and identifying deviations from typical protocol behaviour can be useful in preventing exploits.
- Network traffic detection. Traffic generated by communicating malware follows a consistent pattern. Detecting these communications can prevent an attack from escalating further.
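The two network-side signals described above (a browser being redirected from a frequently visited site to an unfamiliar host, and the regular, consistent traffic of malware calling home afterwards) can both be found in ordinary web proxy logs. The script below is an added illustration, not code from the original article or from any product; the log lines, host names, client addresses and thresholds (`min_requests`, `max_cv`) are constructed for the example. It follows referrer chains from a list of known frequently visited sites to hosts that have never been seen in the baseline, and separately flags (client, host) pairs whose requests arrive at near-constant intervals.

```python
"""Spot watering-hole indicators in web proxy logs (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, client, destination host, method, referrer.
# A user of 10.0.0.5 visits a trade blog, is bounced through a third-party
# "stat collector" to an unknown host, and that host is then contacted every
# five minutes. The 10.0.0.7 lines are ordinary browsing for contrast.
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.0.0.5 industry-blog.example GET -
2024-03-04T09:00:01 10.0.0.5 cdn-assets.example GET industry-blog.example
2024-03-04T09:00:02 10.0.0.5 stat-collector.example GET industry-blog.example
2024-03-04T09:00:02 10.0.0.5 x9f2.example GET stat-collector.example
2024-03-04T09:05:02 10.0.0.5 x9f2.example POST -
2024-03-04T09:10:02 10.0.0.5 x9f2.example POST -
2024-03-04T09:15:02 10.0.0.5 x9f2.example POST -
2024-03-04T09:20:02 10.0.0.5 x9f2.example POST -
2024-03-04T09:03:00 10.0.0.7 industry-blog.example GET -
2024-03-04T09:30:00 10.0.0.7 news.example GET -
2024-03-04T11:00:00 10.0.0.7 news.example GET -
"""

# Hosts seen in earlier, known-good traffic (assumed baseline for this example).
BASELINE_HOSTS = {"industry-blog.example", "cdn-assets.example", "news.example"}
# Sites the organisation's users visit often: the candidate watering holes.
FREQUENT_SITES = {"industry-blog.example"}


def parse(log_text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, client, host, method, referrer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": host,
            "method": method,
            "referrer": None if referrer == "-" else referrer,
        })
    return events


def find_new_third_parties(events, baseline_hosts, frequent_sites):
    """Hosts outside the baseline reached via a referrer chain that starts at a
    frequently visited site. Returns sorted (new_host, origin_site) pairs."""
    flagged = {}  # new host -> frequently visited site the chain started from
    for e in events:  # log order, so a chain's earlier hops are seen first
        ref = e["referrer"]
        if ref is None or e["host"] in baseline_hosts:
            continue
        if ref in frequent_sites or ref in flagged:
            flagged[e["host"]] = flagged.get(ref, ref)
    return sorted(flagged.items())


def find_beacons(events, min_requests=4, max_cv=0.2):
    """(client, host, interval_seconds) for pairs whose requests are spaced at
    near-constant intervals, measured by the coefficient of variation of the
    gaps between requests."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((client, host, round(avg)))
    return beacons


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for host, origin in find_new_third_parties(evts, BASELINE_HOSTS, FREQUENT_SITES):
        print(f"new host {host} reached from frequently visited site {origin}")
    for client, host, interval in find_beacons(evts):
        print(f"{client} contacts {host} every ~{interval}s")
```

On the sample, the referrer-chain rule flags both `stat-collector.example` and `x9f2.example` as new hosts reached from the blog, and the interval rule independently flags the 300-second beacon from `10.0.0.5`. The two rules complement each other: the redirect is visible only at the moment of compromise, while the beacon keeps reappearing for as long as the malware runs, which is why the article's advice to detect the communications rather than only the initial download is the more durable control. In production, the baseline and frequent-site lists would be built from historical proxy data rather than hard-coded.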
Become aware of the activity happening on your business network. Consider documenting previous targeted attacks within the company to spot possible correlations and insights; these are needed to create an effective action and recovery plan.