We already know that cybercriminals exploit the weakest link in your IT networks. The best defense against these exploits comes down to safeguarding the most vulnerable entry points.
But what if the weakest link in your cybersecurity defense lies beyond your IT network itself? You can set up impenetrable defense systems for your enterprise IT network, but that doesn’t stop cybercriminals from compromising a secondary target that just so happens to be a frequently used gateway entry point to your network.
This is precisely what a watering hole attack does. Let’s take a look!
Watering hole attacks are any attacks that identify an external, trusted but vulnerable service frequently accessed by users of a given organization. Bad actors exploit these vulnerabilities to deliver a malicious payload to the organization’s network. This technique can look just like a zero-day attack, exploiting an unknown or unpublicized vulnerability.
Let’s illustrate. This is what a Watering Hole looks like: you have your own IT network that you can fully control and protect against network intrusions and exploits.
Next, there’s an IT service, an app, a tool, a website or technology that is frequently used by your employees. These services may be integrated with your network or interact directly with your employees, accessing data and communicating a variety of legitimate traffic requests.
These services are controlled by a third party, which of course are vulnerable to cyberattacks. By exploiting the vulnerabilities, these third-party services can act as a “watering hole” to deliver a malicious payload to your organization.
The watering hole attack includes the following stages:
The attack is targeted in a certain sense: the idea is that users belonging to a particular organization or industry vertical are likely to visit a target service frequently. The idea behind choosing a frequently visited site as a target is to launch an Advanced Persistent Threat (APT) that would eventually help the adversaries bypass your network security systems.
Once the target service is identified and compromised, the attackers obtain intelligence into:
Multiple tools and techniques may be used to identify and exploit vulnerabilities in the target service.
At this stage, the chosen attack is launched on the target service. Common attacks here include SQL injections, cross-site scripting (XSS) and zero-day exploitation.
When the watering hole is ready to launch the attack on the target network of the organization, the malware payload is delivered first from the compromised service to the user and then to the IT network of the organization. At this stage, the malware may propagate and gain more intel into network behavior as any APT attack.
Many organizations build multiple layers of security around their IT networks. The deceptive nature of watering hole attacks, however, make clever use of recent trends in the enterprise IT landscape — like Bring Your Own Device (BYOD) and remote working models.
During the Analysis phase of the attack, adversaries gain information into repetitive user behavior. They use the predictability and common behavioral patterns of the victims, combined with vulnerabilities in the watering hole service, to deliver the malware payload across secure enterprise IT networks.
Here are a few notable examples:
These are all high-profile attacks, successfully executed not by compromising target IT networks itself, but by a different website or service frequently accessed by the users of those networks. This threat vector highlights a pressing reality: while security teams are only responsible and able to secure their own IT networks, there can always be a secondary target that can act as a hidden gateway into your own secure networks.
To defend against this threat, business organizations must reevaluate their support for third-party services and network access mechanisms facing risks of watering hole attacks.
Since remote working models and BYOD are here to stay, organizations can establish policies to better control and govern remote access to their own data and services. An important strategy in this regard, is to rely on advanced Identity and Access Management (IAM) models that provide granular access controls over all data and resources shared to remote devices.
For instance, the Attribute Based Access Control (ABAC) can be designed to evaluate every request based on dynamic environment parameters and attributes. Instead of using fixed predefined rules, the ABAC model can be trained to identify patterns of anomalous behavior, such that any deviation from a predictable user behavior and traffic request can be identified as a potential network intrusion.
Since watering hole attacks precisely use repetitive user behavior to deliver ATP and malware payload to your network, the ABAC model is well suited to prevent such attacks.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.