Avoiding A Watering Hole Attack

It’s the water that brings them in. They stand around getting their fill. They sip quickly, nudge those close by for a little more. They stand together, band together.

And then, when they least expect it, the predator attacks. He lurks unseen, camouflaged from view. He watches for the perfect opportunity. And then feasts.

Nope, I’m not talking about the latest documentary on the nature channel. Instead, I’m talking about something that is very real in the business world.

A watering hole attack is a security exploit in which an attacker seeks out a specific group of end users by infecting websites the group is known to frequent. The goal is to create as many holes as possible within a particular area to provide ample opportunity for gaining access to the network they desire.

Watering hole attacks aren’t fringe websites where your employees shouldn’t be. Instead, watering hole attacks stem from legitimate, popular websites they not only frequent regularly, but you also encourage it.

The attacker profiles his targets, learning who they are, what functions they serve, what they have access to. Then they look at what websites they frequent. Their goal is to find weak sites where vulnerabilities exist. They want to easily slip in and out, injecting malicious JavaScript or HTML code that redirects the target to a separate site where malware resides. Then the compromised site simply sits and waits.

They typically choose well-known well-regarded websites that carry a lot of clout within an industry.

For example, The Council on Foreign Relations, a Washington DC based think tank that provides foreign affairs resources to government officials, journalists, and business and education leaders was hit by a watering hole attack and hosted malware for several days that it installed on unknowing visitors to the site.

 

In another instance, a Forbes ad server was hacked, and from there, visitors from government and bank networks were compromised and used to infect target networks.

While watering hole attacks aren’t the most common form of gaining access to information, they do pose a considerable threat when initiated because they are difficult to detect. They usually target organizations with valuable information and a lot to lose.

And training an employee is difficult at best. You can teach someone to recognize a phishing scam, but how do you teach an employee to identify if a legitimate website has been compromised?

Anticipate Updates

In most cases, the software and programs you use throughout your business announce when updates are coming. Watch for updates and make it mandatory that every department installs patches and upgrade systems immediately when they become available.

Monitor Traffic

If you understand what a normal day looks like, spikes in traffic will stand out. If your security solution inspects all network traffic, you can quickly see when oddities occur.

Analyze Behavior

Selecting a behavioral analysis software to add even more protection. It can detect when unusual user behavior occurs, such as a laptop sending confidential documents outside peak hours.

Watch Popular Websites

Sometimes the best way to stay safe is to watch what others are doing. What are the top sites your employees visit? What’s your relationship with their management and security team? While it’s not imperative to have friends on the inside, just visiting their sites and monitoring their traffic and news can help you stay on top of what’s happening on their sites. If you detect malware on a site, block traffic immediately and contact the owner.

Yes, watering hole attacks are just one more item for an IT department to watch for to ensure a data breach doesn’t occur. But by being aware of its occurrence, it gives you a better chance of finding threats early in the game.