A “watering hole attack” is one of many techniques used by cybercriminals to breach an organization’s online information system. Network security administrators should understand how watering hole attacks work, and how to guard against them.
Watering hole attacks are neither new nor common, but they continually resurface and can cause extensive damage. Earlier this year, according to an article by Reuters, hackers from North Korea used watering hole attacks to infiltrate financial institutions in Poland, Mexico, the U.K., and the United States.
The phrase "watering hole attack" comes from predators in the natural world that lurk near watering holes, waiting for their desired prey. In a network watering hole attack, cybercriminals set traps in websites that their target victims are known to frequent. Often the booby-trapped websites are smaller, niche sites that tend to have limited security. These sites can include business partner sites or small websites that provide specific products, services, or information to the target company or industry. When visited, the compromised website infects the target end user's computer or device with keyloggers, ransomware, and other types of malware.
How a Watering Hole Attack Works
A watering hole attack is a carefully designed and executed assault, and typically includes the following phases:
Watering Hole Attacks Pose Significant Threats to Network Security
While watering hole attacks are not necessarily common, they do pose a significant threat because they are difficult to detect. Infected websites are generally trusted entities, and individuals and organizations may not fully scrutinize them. In some instances, they belong to business partners that don't have strong security procedures in place. That increases the risk for any organization or individual that interacts with them.
Another problem with watering hole attacks is the difficulty in training employees to avoid infected sites. Organizations can train employees how to recognize and avoid most phishing emails, but there is no way for a user to identify a compromised website without the assistance of a tool specifically designed to do just that.
Fortunately, there are technical solutions available that don’t depend on end users.
Protection from Watering Hole Attacks
There are several things an organization can do to protect itself from watering hole attacks. To begin with, every company should enforce, or at least encourage, compliance with the following:
Sophisticated watering hole attacks use previously unseen exploits and tactics, commonly referred to as zero-day threats. Because traditional signature-based controls rely on past knowledge of the threat, they do not effectively detect sophisticated watering hole and other attacks. It is therefore imperative that organizations deploy additional layers of advanced threat protection such as network security monitoring and behavioral analysis. These technologies, as reported by infosecurity-magazine.com, have a far greater likelihood of detecting so-called zero-day threats.
While watering hole attacks have different payloads and objectives, the malware these attacks use almost always communicates with command and control (C&C) servers. By implementing network security monitoring tools specifically designed to detect these malicious communications, organizations can detect an attack early on and prevent it from escalating. Likewise, by performing deep-content inspection of suspicious website pages or code, advanced malware detection technologies can identify malicious behaviors before they cause additional damage.
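The two paragraphs above argue for behavioral detection of C&C traffic rather than signature matching. The following is an added example, not part of the original article or of any product it mentions: a small Python detector that reads proxy log lines and flags "beaconing", the regular, same-sized check-ins that implanted malware typically makes to its C&C server. The log lines, the hostnames (including `c2-placeholder.example`) and the thresholds are all constructed for the example; the log format (timestamp, client, destination host, bytes) is an assumption, not a real product's format.

```python
"""Behavioral beacon detection over constructed proxy log lines.

No signatures are used: a (client, destination) pair is flagged when its
connection intervals are nearly constant and its byte counts barely vary,
which is how periodic C&C check-ins look in egress logs regardless of
which malware family produced them.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, client IP, destination host, bytes.
# c2-placeholder.example is a made-up host standing in for a C&C server.
SAMPLE_LOG = """\
2017-03-01T09:00:02 10.0.0.12 news.example.org 5120
2017-03-01T09:00:05 10.0.0.12 cdn.example.net 8800
2017-03-01T09:01:00 10.0.0.12 c2-placeholder.example 310
2017-03-01T09:02:00 10.0.0.12 c2-placeholder.example 312
2017-03-01T09:03:00 10.0.0.12 c2-placeholder.example 309
2017-03-01T09:03:30 10.0.0.12 mail.example.com 2048
2017-03-01T09:04:00 10.0.0.12 c2-placeholder.example 311
2017-03-01T09:05:00 10.0.0.12 c2-placeholder.example 310
2017-03-01T09:05:41 10.0.0.12 news.example.org 7300
2017-03-01T09:06:00 10.0.0.12 c2-placeholder.example 308
"""


def parse_log(text):
    """Group (timestamp, bytes) records by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        events[(client, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A coefficient of variation near 0 means the connections are evenly
    spaced. Returns None when there are too few events to judge.
    """
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv


def find_beacons(text, min_events=4, max_cv=0.2, max_size_spread=0.1):
    """Flag destination pairs whose timing and size look like periodic check-ins."""
    alerts = []
    for (client, host), recs in parse_log(text).items():
        if len(recs) < min_events:
            continue
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        interval, cv = beacon_score(times)
        # Relative spread of request sizes; real browsing varies far more.
        size_spread = (max(sizes) - min(sizes)) / mean(sizes)
        if cv <= max_cv and size_spread <= max_size_spread:
            alerts.append({
                "client": client,
                "host": host,
                "count": len(recs),
                "interval_s": interval,
                "cv": cv,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print("possible beacon: {client} -> {host} every {interval_s:.0f}s "
              "({count} events, cv={cv:.2f})".format(**alert))
```

Run against the constructed log, the only pair flagged is `10.0.0.12 -> c2-placeholder.example`, six connections exactly 60 seconds apart; the ordinary browsing to the news, CDN and mail hosts is too irregular or too infrequent to trip the thresholds. In practice the thresholds need tuning per environment: malware that adds jitter to its sleep interval raises the coefficient of variation, so `max_cv` is traded off against false positives from legitimate polling (mail clients, update checkers), which is why such alerts are best enriched with destination reputation and process context rather than acted on alone.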
Summary: Treat All Third-Party Traffic as Untrusted Until Verified
Watering hole attacks are an effective way for cybercriminals to bypass typical enterprise security controls and target a specific audience. As such, they aren’t likely to go away anytime soon. Network security administrators need to anticipate their presence and take appropriate countermeasures.
If there’s a key takeaway for protection from watering hole attacks it’s that organizations must treat all third-party traffic as untrusted until otherwise verified. It doesn’t matter if the content comes from an obscure partner site or a popular and well-known site, it all needs verification.
That verification is best done by a multi-pronged defense strategy that includes advanced network security monitoring and deep content inspection.
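As an added illustration of the deep content inspection the summary recommends (not code from the original article or any vendor it cites), the Python below inspects a fetched third-party page before it is trusted, listing the scripts, frames and objects it loads and flagging two classic drive-by indicators: resources pulled from a host that is neither the page's own origin nor on an allowlist, and frames sized or styled to be invisible. The page HTML, the partner and CDN hostnames, the allowlist and the `injected-placeholder.example` host are all constructed for the example.

```python
"""Inspect third-party page content for off-origin and hidden resource loads.

Constructed example: a partner site's page with one injected script loader
and one hidden iframe, the kind of additions a compromised site picks up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, as a proxy or sandbox would see it after fetch.
SAMPLE_HTML = """\
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//injected-placeholder.example/loader.js"></script>
</head><body>
<iframe src="https://partner.example/widget" width="300" height="200"></iframe>
<iframe src="https://partner.example/track" width="0" height="0" style="display:none"></iframe>
</body></html>
"""
PAGE_URL = "https://partner.example/news"
ALLOWLIST = {"cdn.example.net"}  # hosts this partner is known to load from


def is_hidden(attrs):
    """True for elements styled invisible or sized to 0/1 pixels."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and value.strip().rstrip("px") in ("0", "1"):
            return True
    return False


class ResourceCollector(HTMLParser):
    """Collect (tag, url, hidden) for every element that loads active content."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("data") if tag == "object" else attrs.get("src")
        if tag in ("script", "iframe", "embed", "object") and src:
            self.resources.append((tag, src, is_hidden(attrs)))


def inspect_page(html, page_url, allowlist):
    """Return findings for resources that are off-origin or hidden."""
    page_host = urlparse(page_url).hostname
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, src, hidden in parser.resources:
        # Relative URLs have no hostname; protocol-relative "//host/..." does.
        host = urlparse(src).hostname
        off_origin = host is not None and host != page_host and host not in allowlist
        if off_origin or hidden:
            findings.append({
                "tag": tag,
                "src": src,
                "host": host or page_host,
                "off_origin": off_origin,
                "hidden": hidden,
            })
    return findings


if __name__ == "__main__":
    for f in inspect_page(SAMPLE_HTML, PAGE_URL, ALLOWLIST):
        reasons = [r for r, flag in (("off-origin", f["off_origin"]),
                                     ("hidden", f["hidden"])) if flag]
        print("{tag} {src} from {host}: {why}".format(why=", ".join(reasons), **f))
```

On the constructed page this reports the protocol-relative loader from `injected-placeholder.example` (off-origin) and the zero-sized, `display:none` tracking iframe (hidden), while the first-party script, the allowlisted CDN library and the visible widget pass. Such findings are a reason to quarantine or sandbox the page, not a verdict on their own: a legitimate site can embed hidden frames, so the check is most useful as a diff against a known-good baseline of what that partner site normally loads.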