A watering hole attack is a type of cyberattack in which the attacker targets a website or online service that is known to be frequented by the victim’s target audience. The attacker then compromises the website or service and injects malicious code into it. When the victim visits the website or uses the service, they are infected with malware.
Watering hole attacks are a more sophisticated type of attack than phishing attacks. They are also more difficult to defend against, as the victim is not actively tricked into clicking on a malicious link.
The skill of attack: How watering hole attacks work
There are two broad categories for watering hole attacks.
Opportunistic watering hole
In one case, there is the opportunistic watering hole attack. In the opportunistic case, the attacker has discovered a vulnerable web site, compromises the web site, and waits for any victim to happen by.
An opportunistic watering hole attack typically follows these steps:
- The attacker identifies a website or service that can be compromised.
- The attacker compromises the website or service and injects malicious code into it.
- Any victim visits the website or uses the service.
- The malicious code is executed and the victim is infected with malware.
Targeted watering hole
In a different attack, the watering hole is known to be used by a specific targeted victim. This is a more sophisticated attack against a known specific target.
A targeted watering hole attack typically follows these steps:
- The attacker enumerates websites and online services that are known to be frequented by the targeted victim.
- The attacker enumerates vulnerabilities on the websites and online services.
- The attacker compromises the websites or services and injects malicious code into them.
- The victim visits the website or uses the service. In order to evade detection, the attacker may include exemption code to prevent the malware from running on any targets other than the identified target.
- The malicious code is executed and the victim is infected with malware.
The malware can then be used to gain access to the victim’s computer or network, or to steal data.
How to defend against watering hole attacks
There are a number of ways to defend against watering hole attacks, including:
- Educating users: Educating user is almost always included as the “go to” solution for all things cyber. Novice defenders believe that “ISO Layer 8” is the easiest attack modal to compromise — and this is true, that the user is the easiest operating system to attack. That said, watering holes are a unique technique in that the end user often has to use the watering hole in their normal course of business. That being the case, how can users be educated to avoid watering holes if these watering holes are otherwise “trusted sites”? The answer is, the end user can’t be taught that basic tenant of “avoid untrusted sites”. Instead, the user needs to be made aware of anomalies that might occur when visiting otherwise known trusted sites, a much more complicated endeavor, although one that must be explored.
- Maintain updated systems: Updates and patches must be maintained on the enterprise systems. Maintaining updated and patched software reduces the opportunity for exploits to successfully land on the enterprise.
- URL filtering: Use URL filtering software that tests the URL destination for malware before it loads into a potential victim’s browser.
- Continuous website monitoring: Organizations should monitor websites that are frequented by their employees or customers for signs of compromise. This can be done using web application firewalls or other security tools. When compromise is identified, block access to the web site and proactively contact the web provider.
- Using security software: Security software can help to detect and block malicious code. Security software should be kept up to date with the latest virus definitions.
- Using intrusion detection systems: Intrusion detection systems (IDSs) can help to detect malicious activity on a network. IDSs should be configured to detect watering hole attacks.
Conclusion
Watering hole attacks are a serious threat to organizations and individuals. By taking steps to educate users, use security software, monitor websites, and use intrusion detection systems, organizations can help to protect themselves from these attacks.