Title: Protect your enterprise users from watering hole attacks
Protect your enterprise users from watering hole attacks
Never trust a threat level meter that puts a watering hole attack and a drive-by attack under the same risk rating. No matter how much it seems to play out like its indiscriminate cousin, the drive-by attack, a watering hole attack is absolutely targeted. What's worse, these are the kinds of attacks that use intelligence gathering and reconnaissance missions to gain strategic information about key individuals in an organization. Like phishing, watering hole attacks are generally used by hackers who are after much more than just your users' credentials: your intellectual property and access to sensitive computer systems.
But the latter can be much more effective. To understand how, we need to look at the reasons why hackers (often state-sponsored) are increasingly choosing it as their weapon of choice.

Effective

Perhaps because users are getting smarter about emails, hackers are now trying to get malware into the enterprise using the same strategy that dominant animals use to catch their prey: lying in wait by a favorite watering hole, in this case a trusted, highly frequented website. Though targeted, a phishing attack is like sending a rotten fish to someone and hoping they will have it for dinner. The danger is real but not certain. A watering hole attack, on the other hand, compares to poisoning their water supply. It is only a matter of time. Every senior executive targeted in the Forbes site compromise in 2015 had only to load the website in their browser. All that the Chinese cyber crime group did was exploit CVE-2015-2502, found in IE 7 through 11, and one other vulnerability in Adobe Flash Player.
Information gathering is relatively simple

A basic automated scan can give hackers enough information on zero-day vulnerabilities in, say, a web application regularly used by your graphic design team. Which would you choose: a Google search for vulnerable versions of web servers to infect, or spending days of reconnaissance on social networks and forums to build complex profiles of people and the systems they use? However, in some cases, attackers may simultaneously run phishing campaigns.

Stealthy
These attacks are known to use an exploit framework specifically designed for reconnaissance activities, such as Scanbox, uncovered by AlienVault Labs in an attack on industrial systems. These tools can sniff out a wealth of system information about the visitors to an infected site (including URLs visited, active services and security tools used) and feed it to a remote C&C server. With the use of covert software enumeration, malicious JavaScript injection or keylogging, the attacker collects all the information he needs to plan attack vectors that deceive the victim's defenses, or leverage the absence of any. And then, all that is left to do is inject malware on the compromised site and wait for the victim.

Stopping a watering hole attack in its tracks

Watering hole campaigns targeting your users can be quite tricky to detect because the attack is carried out within an allowed session and it doesn't leave trails in the system logs. It is even harder to train employees to dodge it than in the case of phishing. So what will do the trick?

An Intrusion Detection System with intensive correlation

The most logical way to stop waterholing from getting the best of your web-facing endpoint users is to enable concurrent tracking of malware infiltration. Complementing endpoint web filtering data sources with a host-based threat monitoring system seems to be the most effective way of achieving this. An ideal solution is one that is equipped with constantly updated correlation directives and cross-correlation rules (knowledge-based or signature-based) that can be customized for specific needs, as well as anomaly-based threat detection capability to identify new variants of malicious files that show abnormal behavior when assessed against baselines fixed by you.
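The cross-correlation described above, worked through in code: a page load recorded by the endpoint web filter is tied to what the host monitor sees on the same machine in the following minutes, with one knowledge-based directive (an executable launched from a user temp directory), one anomaly check (an outbound connection to a destination outside a baseline the defender fixed) and one weighting rule (a download fetched from a bare IP address). This is an added example and not code from the page or from any product it mentions; the two log formats, the hostnames, users, URLs, addresses, the five-minute window and the baseline are all constructed for illustration.

```python
"""Cross-correlating endpoint web-filter events with host-monitor events to
flag a possible watering hole infection.  Added example, not code from the
page or from any product it mentions; the log formats, field names,
hostnames, URLs, addresses and the baseline are all constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed web-filter log: time host user url action
WEB_FILTER_LOG = """
2015-09-14T09:01:12 WS-042 alice https://design-forum.example.net/threads/1234 ALLOW
2015-09-14T09:01:13 WS-042 alice https://design-forum.example.net/js/stats.js ALLOW
2015-09-14T09:03:40 WS-017 bob https://intranet.example.com/home ALLOW
2015-09-14T09:04:02 WS-042 alice http://203.0.113.25/update.bin ALLOW
"""

# Constructed host-monitor log: time host event detail
HOST_LOG = """
2015-09-14T09:04:05 WS-042 PROCESS_START C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
2015-09-14T09:04:30 WS-042 NET_CONNECT 198.51.100.77:443
2015-09-14T09:05:00 WS-017 NET_CONNECT 192.0.2.10:443
2015-09-14T09:10:00 WS-017 PROCESS_START C:\\Program Files\\Office\\winword.exe
"""

# Baseline fixed by the defender: outbound destinations seen in normal operation
BASELINE_DESTINATIONS = {"192.0.2.10", "192.0.2.11"}
# How long after a page load a host-side event is still attributed to that visit
WINDOW = timedelta(minutes=5)
# Knowledge-based directive: executables launched from a user temp directory
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_web_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, user, url, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "url": url, "action": action})
    return events


def parse_host_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def is_bare_ip(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def correlate(web_events, host_events, baseline, window=WINDOW):
    """One alert per host when, within `window` after an allowed page load,
    at least two of these fire: a process start from a temp directory
    (signature-style directive), an outbound connection to a destination not
    in the baseline (anomaly check), or the visit itself fetched from a bare IP."""
    visits = defaultdict(list)
    for w in web_events:
        if w["action"] == "ALLOW":
            visits[w["host"]].append(w)
    alerts = {}
    for h in host_events:
        indicator = None
        if h["kind"] == "PROCESS_START" and TEMP_PATH.search(h["detail"]):
            indicator = "process started from user temp directory: " + h["detail"]
        elif h["kind"] == "NET_CONNECT":
            dest = h["detail"].rsplit(":", 1)[0]
            if dest not in baseline:
                indicator = "outbound connection outside baseline: " + dest
        if indicator is None:
            continue
        # Only page loads on the same host shortly before the event count
        preceding = [w for w in visits[h["host"]]
                     if h["time"] - window <= w["time"] <= h["time"]]
        if not preceding:
            continue
        alert = alerts.setdefault(h["host"], {"host": h["host"], "users": set(),
                                              "urls": [], "indicators": []})
        alert["indicators"].append(indicator)
        for w in preceding:
            alert["users"].add(w["user"])
            if w["url"] not in alert["urls"]:
                alert["urls"].append(w["url"])
            bare = "download from bare IP address: " + w["url"]
            if is_bare_ip(urlparse(w["url"]).hostname or "") and bare not in alert["indicators"]:
                alert["indicators"].append(bare)
    return [a for a in alerts.values() if len(a["indicators"]) >= 2]


def run_sample():
    return correlate(parse_web_log(WEB_FILTER_LOG), parse_host_log(HOST_LOG),
                     BASELINE_DESTINATIONS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["host"], sorted(alert["users"]))
        for ind in alert["indicators"]:
            print("  -", ind)
```

On the constructed input, WS-042 produces a single alert carrying three indicators and the three URLs loaded just before the events, while WS-017, whose only outbound connection goes to a baseline destination and whose process start is a normal application path, stays silent. Requiring two independent indicators is what keeps a lone temp-directory launch or a single new destination from paging anyone; the threshold, the window and the baseline are the knobs the text refers to as customization for specific needs.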
Log management gives you a major advantage when it comes to preventing malicious outbound traffic in data exfiltration attempts. Stopping self-updating malware from connecting to an external command and control unit is crucial, and can only be done effectively when intrusions are closely watched and contained. There isn't an easy way to sort through a list of events to find those that really matter, unless you have an automated alerting system in place that analyzes raw logs and preserves them for audit trails. It is equally important to ensure, with the use of digital signatures, that stored logs are not tampered with.

Every organization needs a unique set of strategies to keep cyber attacks at bay. We are helping them take conscious steps with the 24/7 Managed Security Suite. Ask us anything: engage_at_alephtavtech.com

Our services include Ethical Hacking, Managed Security Services, Application Security, Network Security, Security Testing, Enterprise Security, Security for IoT, SCADA Security, Digital Forensics
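The log management paragraph above asks for two things from an alerting system: that it preserves alert records for audit trails, and that tampering with the stored records is detectable. The following added example (not code from the page or from any product it mentions) shows the mechanism in its simplest form: each record carries a keyed HMAC over its own content chained to the previous record's tag, so an edited, deleted or reordered record breaks the chain, and storing the final tag somewhere the log writer cannot reach exposes truncation. An HMAC chain stands in here for the digital signatures the text mentions; a production deployment would sign that anchored tail with an asymmetric key held by a separate party. The key, the alert events and the three tampering scenarios are all constructed.

```python
"""Tamper-evident audit log for alert records: every record carries an HMAC
over its content chained to the previous record's tag, so editing, deleting
or reordering a stored record is caught at verification, and anchoring the
last tag off-box catches truncation.  Added example, not code from the page
or from any product it mentions; the key and events are constructed."""
import copy
import hashlib
import hmac
import json

# Constructed key: in practice it lives in an HSM or secrets store, never beside the logs
AUDIT_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = b"\x00" * 32


def _serialize(event):
    # Canonical encoding so the same event always yields the same bytes
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, payload, key):
    return hmac.new(key, prev_tag + payload, hashlib.sha256).hexdigest()


def append_record(log, event, key=AUDIT_KEY):
    """Append `event` to `log`, chaining its tag to the previous record's tag."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"seq": len(log), "event": event,
                "tag": _tag(prev, _serialize(event), key)})
    return log


def verify_log(log, key=AUDIT_KEY, expected_tail=None):
    """Return (True, None) if the chain is intact, else (False, index):
    the index of the first bad record, or len(log) if records are missing
    at the end (only detectable when `expected_tail` was stored elsewhere)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or not hmac.compare_digest(
                rec["tag"], _tag(prev, _serialize(rec["event"]), key)):
            return False, i
        prev = bytes.fromhex(rec["tag"])
    if expected_tail is not None and prev.hex() != expected_tail:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed alert records such as an automated alerting system would persist."""
    log = []
    for ev in (
        {"time": "2015-09-14T09:04:05", "host": "WS-042",
         "alert": "process started from user temp directory"},
        {"time": "2015-09-14T09:04:30", "host": "WS-042",
         "alert": "outbound connection outside baseline", "dest": "198.51.100.77"},
        {"time": "2015-09-14T09:06:00", "host": "WS-042",
         "alert": "host isolated by responder"},
    ):
        append_record(log, ev)
    return log


def demo():
    """Verify an intact log, then three kinds of after-the-fact tampering."""
    log = build_sample_log()
    anchor = log[-1]["tag"]          # stored off-box, e.g. with the SIEM or a notary
    results = {"intact": verify_log(log, expected_tail=anchor)}
    edited = copy.deepcopy(log)      # the beacon destination is rewritten to look benign
    edited[1]["event"]["dest"] = "192.0.2.10"
    results["edited"] = verify_log(edited, expected_tail=anchor)
    deleted = copy.deepcopy(log)     # the beacon record is removed and the rest renumbered
    del deleted[1]
    deleted[1]["seq"] = 1
    results["deleted"] = verify_log(deleted, expected_tail=anchor)
    truncated = copy.deepcopy(log[:1])  # everything after the first record is dropped
    results["truncated"] = verify_log(truncated, expected_tail=anchor)
    return results


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:10s} intact={ok} first_bad_record={bad}")
```

The intact log verifies cleanly, and each tampered copy fails at record 1: the edited record no longer matches its tag, the record pulled forward after a deletion was chained to a tag that is no longer its predecessor, and the truncated log only fails because the anchored tail disagrees with what remains. That last case is the design point: a chain alone cannot tell a short log from a shortened one, so the final tag (or a signature over it) has to live where the host that writes the logs cannot rewrite it.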