Wednesday, July 16, 2014

Watering Hole Attacks

Internet criminals are becoming increasingly sneaky in their attacks on businesses, and the latest scheme for going after companies is known as the Watering Hole Attack. This strategy is not meant to target one specific company, but rather a specific industry, a specific group of victims, or the weakest link in the security chain.
Attackers can now infect a trusted and commonly used resource that potential victims will eventually visit. It is an avenue of attack that bypasses the stronger security controls by instead infecting users' machines, which then have access to the target network. An example of this sort of attack happened last year, when mobile developers from companies such as Apple, Facebook and Twitter were compromised after visiting the popular iPhoneDevSDK forum, which had been infected with a Java zero-day. The key component of these attacks is the initial compromise of a trusted third-party entity, which then leads to the compromise of the larger target.
Another example is the attack on the UK energy sector using the LightsOut Exploit Kit (EK). The EK was injected into the website of Thirty Nine Essex Street LLP, a UK law firm with an energy law practice. Anyone who visited the infected website was silently probed to establish a fingerprint of the client machine. If the victim was running a browser or plugin that the EK could exploit, such as Internet Explorer, Java or Adobe Reader, the appropriate payload was delivered. A Remote Access Trojan was then installed, giving the attackers complete control over the victim's machine.
IC3 is currently working on better solutions to protect businesses from this kind of breach, but the main step all businesses can take to protect themselves is to treat all third-party traffic as untrustworthy until proven otherwise. Attackers are also leveraging legitimate resources as a catalyst for attacks, including influencing search engine results, posting to popular social networks and hosting malware on trusted file-sharing sites. Businesses therefore need to have security checks on all third-party sites.
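As an added example (not from the original post), here is a small defender-side check in the spirit of "security checks on all third-party sites": it parses a fetched page and flags script, iframe, embed or object sources loaded from hosts outside an allowlist, which is how an injected exploit-kit loader on an otherwise trusted site typically shows up. The sample HTML and every domain in it are constructed placeholders.

```python
# Added example: flag external script/iframe/embed/object sources on a page
# whose host is not on the site owner's allowlist. Not the original post's code.
from html.parser import HTMLParser
from urllib.parse import urlparse


class SourceCollector(HTMLParser):
    """Collect the src/data URLs of tags that can pull in active content."""
    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)          # HTMLParser lowercases tag names
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.sources.append(value)


def unexpected_sources(html, allowed_hosts):
    """Return active-content sources whose host is not allowlisted.

    Relative URLs (same origin, no host) are treated as expected. A host is
    allowed if it equals an allowlisted host or is a subdomain of one.
    Protocol-relative URLs (//host/path) are parsed like absolute ones.
    """
    parser = SourceCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is None:
            continue                       # same-origin reference, keep
        host = host.lower()
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            flagged.append(src)
    return flagged


# Constructed sample: a firm's page with one injected 1x1 iframe loader
# pointing at a placeholder exploit-kit landing host.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-lawfirm.test/lib.js"></script>
</head><body>
<iframe src="http://ek-landing.invalid/probe.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(unexpected_sources(SAMPLE_HTML, {"example-lawfirm.test"}))
```

Run it against a saved copy of each third-party page on a schedule and alert on any new entry in the flagged list; a first-seen external host is the signal worth a human look.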
Visibility is another challenge for enterprises with multiple offices and many security products from different vendors, and it gets worse as employees become more mobile and use personal devices for work. This gives attackers more ways to reach a business through a third-party device. Visibility is also a challenge as websites move to Secure Sockets Layer (SSL), the standard security technology for establishing an encrypted link between a web server and a browser, by default in order to protect end users' privacy. SSL can benefit attackers because it hides their attack from security solutions that do not sit inline or cannot inspect traffic inside an encrypted tunnel. Attackers are well aware that you cannot protect against what you cannot see, so they take advantage of SSL; enterprises must therefore find ways to inspect traffic even when it is SSL-encrypted, regardless of device or location.
Enterprises should also seek additional layers of advanced threat protection, since attackers will not reuse past tactics but will bring previously unseen exploits and techniques. Behavioral analysis is more likely to detect zero-day threats.
This type of attack has been linked to criminal enterprises and nation states alike. It is a more effective means of bypassing enterprise security controls while selectively targeting a broader audience. To protect themselves, enterprises should therefore fully inspect all traffic.

To read the full article, click here.
