Protect your enterprise users from watering hole attacks

Never trust a threat-level meter that puts a watering hole attack and a drive-by download under the same risk rating. However much it resembles its indiscriminate cousin, the drive-by attack, a watering hole attack is targeted. Worse, it is the kind of attack that is preceded by reconnaissance and intelligence gathering to identify key individuals in an organization and the websites they habitually visit.

Like phishing, watering hole attacks are used by attackers who are after far more than your users' credentials: intellectual property and access to sensitive computer systems. But the watering hole can be much more effective than phishing. To understand why, we need to look at the reasons attackers (often state-sponsored) are increasingly choosing it as their weapon of choice.



Perhaps because users are getting smarter about email, attackers now bring malware into the enterprise the way predators catch their prey: by lying in wait at a favourite watering hole, in this case a trusted, highly-frequented website. A targeted phishing email is like sending someone a rotten fish and hoping they will have it for dinner; the danger is real but not certain. A watering hole attack is like poisoning their water supply; it is only a matter of time. In the Forbes.com compromise disclosed in early 2015, the targeted visitors (staff of defense and financial-services firms) had only to load the site in their browser. The China-based group behind it chained an Adobe Flash Player zero-day (CVE-2015-0313) with an Internet Explorer ASLR bypass (CVE-2015-0071), served through the site's "Thought of the Day" interstitial.

Information gathering is relatively simple

A basic automated scan gives attackers enough information about known, unpatched vulnerabilities in, say, a web application your graphic design team uses every day. Given the choice between a quick search for vulnerable versions of web servers to infect and days of reconnaissance on social networks and forums to build complex profiles of people and the systems they use, the scan wins. Even so, attackers sometimes run phishing campaigns alongside the watering hole.


These attacks are known to use exploit frameworks built specifically for reconnaissance, such as ScanBox, which AlienVault Labs uncovered in 2014 on the compromised website of an industrial-sector company. Injected into the site as JavaScript, such a tool fingerprints every visitor (operating system, browser and language, installed plugins such as Flash, Java and Adobe Reader, and which security tools are present) and feeds the results to a remote command-and-control (C&C) server; ScanBox also shipped a keylogger plugin. Through covert software enumeration, injected JavaScript and keylogging, the attacker collects everything needed to choose an exploit that slips past the victim's defenses, or takes advantage of the absence of one. All that is left is to place the exploit and malware on the compromised site and wait for the victim.

Stopping a watering-hole attack in its tracks

Watering hole campaigns targeting your users can be tricky to detect because the compromise happens inside an allowed browsing session to a trusted site: the proxy sees a normal visit, and the exploit runs inside the browser process, so the early stages leave little trace in the usual system logs. Training employees to dodge it is even harder than with phishing, because the site really is the one they meant to visit. So what does work?

An Intrusion Detection System with intensive correlation – The most practical way to stop waterholing from getting the best of your web-facing endpoint users is to track malware infiltration concurrently across data sources: complement endpoint web-filtering and proxy data with a host-based threat monitoring system, so that a suspicious download and the process activity it triggers can be matched up. An ideal solution carries continually updated correlation directives and cross-correlation rules (knowledge-based or signature-based) that can be customized for your needs, plus anomaly-based detection that identifies new variants of malicious files by behaviour assessed against baselines you fix yourself.
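The cross-correlation described above, as an added example that is not part of the original article or of any Aleph Tav product: a first rule flags active content (script or Flash) pulled from outside a trusted site's first-party domains while the user is on that site, and a second rule escalates it when the host-based log shows the browser spawning a child process on the same machine within five minutes. The proxy and endpoint log lines, the trusted-site allowlist, hostnames and the five-minute window are all constructed for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed "directive" data: for each trusted site, the domains that legitimately
# serve its active content. A SIEM would ship and update these; here they are
# hand-written for the example.
FIRST_PARTY = {
    "www.example-news.test": {"www.example-news.test", "cdn.example-news.test"},
}
ACTIVE_TYPES = {"application/javascript", "application/x-shockwave-flash",
                "application/java-archive"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
WINDOW = timedelta(minutes=5)

# Constructed web-proxy log: time host referer url content-type ("-" = no referer).
PROXY_LOG = """\
2015-02-10T09:01:02 WS-101 - https://www.example-news.test/ text/html
2015-02-10T09:01:03 WS-101 https://www.example-news.test/ https://cdn.example-news.test/app.js application/javascript
2015-02-10T09:01:04 WS-101 https://www.example-news.test/ http://stats-collector.test/j.js application/javascript
2015-02-10T09:01:06 WS-101 https://www.example-news.test/ http://stats-collector.test/p?k=abc text/plain
2015-02-10T09:01:40 WS-101 https://www.example-news.test/ http://stats-collector.test/x.swf application/x-shockwave-flash
2015-02-10T09:15:00 WS-202 - https://www.example-news.test/ text/html
2015-02-10T09:15:01 WS-202 https://www.example-news.test/ https://cdn.example-news.test/app.js application/javascript
"""

# Constructed host-based process-creation log: time host parent child.
ENDPOINT_LOG = """\
2015-02-10T09:01:45 WS-101 iexplore.exe cmd.exe
2015-02-10T09:20:00 WS-202 explorer.exe notepad.exe
"""


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        ts, host, referer, url, ctype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "referer": referer, "url": url, "ctype": ctype})
    return events


def parse_endpoint(text):
    events = []
    for line in text.splitlines():
        ts, host, parent, child = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "child": child})
    return events


def third_party_active_content(proxy_events):
    """Rule 1: active content served from outside a trusted site's first-party
    set while the user is on that site. Keyed by (host, serving domain); the
    earliest hit is kept so one injected include yields one alert."""
    hits = {}
    for ev in proxy_events:
        if ev["referer"] == "-" or ev["ctype"] not in ACTIVE_TYPES:
            continue
        site = urlparse(ev["referer"]).hostname
        src = urlparse(ev["url"]).hostname
        if site in FIRST_PARTY and src not in FIRST_PARTY[site]:
            hits.setdefault((ev["host"], src),
                            {"site": site, "ts": ev["ts"], "ctype": ev["ctype"]})
    return hits


def correlate(proxy_events, endpoint_events):
    """Rule 2 (cross-correlation): escalate a rule-1 hit when, within WINDOW,
    a browser on the same host spawns a child process (the exploit landed)."""
    alerts = []
    for (host, src), hit in third_party_active_content(proxy_events).items():
        alert = {"host": host, "level": "medium",
                 "reason": f"{hit['ctype']} from {src} while on {hit['site']}"}
        for pe in endpoint_events:
            if (pe["host"] == host and pe["parent"] in BROWSERS
                    and hit["ts"] <= pe["ts"] <= hit["ts"] + WINDOW):
                delay = int((pe["ts"] - hit["ts"]).total_seconds())
                alert["level"] = "high"
                alert["reason"] += f"; {pe['parent']} spawned {pe['child']} {delay}s later"
                break
        alerts.append(alert)
    return alerts


def run():
    return correlate(parse_proxy(PROXY_LOG), parse_endpoint(ENDPOINT_LOG))


if __name__ == "__main__":
    for a in run():
        print(a["level"].upper(), a["host"], a["reason"])
```

On the constructed input, WS-202 loads only first-party script and produces nothing; WS-101 pulls a script and a Flash object from stats-collector.test and, 41 seconds later, its browser launches cmd.exe, which lifts the alert from medium to high. Neither source alone is convincing: third-party includes are common on real sites, and a browser spawning a process is rare but legitimate, so the correlation is what gives the alert its weight.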

Log management gives you a major advantage when it comes to stopping malicious outbound traffic, whether that is data exfiltration or self-updating malware reaching out to its external command and control server. Cutting that channel is crucial and can only be done effectively when intrusions are closely watched and contained. There is no easy way to sort through a raw event list for the entries that really matter unless you have an automated alerting system that analyzes the logs and preserves them as an audit trail. It is equally important to ensure, with digital signatures or another tamper-evident mechanism, that stored logs cannot be altered after the fact.
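Two of the points above, as an added example that is not part of the original article or of any Aleph Tav product: a beacon detector that finds hosts contacting an external address at suspiciously regular intervals (a malware check-in runs on a timer; real browsing is bursty), and a tamper-evident log store that chains each record to the hash of the previous one and authenticates the chain head. The outbound-connection log lines, addresses and thresholds are constructed for the example, and the HMAC seal stands in for the asymmetric digital signature a production system would produce with a key held outside the log server.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (firewall or proxy): time src dst:port bytes.
OUTBOUND_LOG = """\
2015-02-10T10:00:00 WS-101 203.0.113.7:443 512
2015-02-10T10:01:01 WS-101 203.0.113.7:443 498
2015-02-10T10:02:00 WS-101 203.0.113.7:443 530
2015-02-10T10:02:59 WS-101 203.0.113.7:443 515
2015-02-10T10:04:00 WS-101 203.0.113.7:443 502
2015-02-10T10:05:01 WS-101 203.0.113.7:443 520
2015-02-10T10:00:12 WS-202 198.51.100.20:443 14200
2015-02-10T10:00:15 WS-202 198.51.100.20:443 38877
2015-02-10T10:03:41 WS-202 198.51.100.20:443 2210
2015-02-10T10:17:05 WS-202 198.51.100.20:443 92000
2015-02-10T10:29:52 WS-202 198.51.100.20:443 1100
2015-02-10T10:31:00 WS-202 198.51.100.20:443 640
"""


def find_beacons(log_text, min_hits=5, max_cv=0.15):
    """Flag (src, dst) pairs contacted at near-regular intervals: the gaps
    between connections have a small coefficient of variation (thresholds assumed)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _size = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    beacons = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst,
                            "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return beacons


def seal_log(lines, key):
    """Tamper-evident storage: chain every line to the hash of the one before
    it and authenticate the chain head with a keyed MAC (stand-in for a signature)."""
    prev = b"\x00" * 32
    records = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        records.append((line, prev.hex()))
    seal = hmac.new(key, prev, "sha256").hexdigest()
    return records, seal


def verify_log(records, seal, key):
    """Recompute the chain. An edited, removed or reordered line breaks it, and
    recomputing the stored hashes without the key still fails the seal check."""
    prev = b"\x00" * 32
    for line, stored in records:
        prev = hashlib.sha256(prev + line.encode()).digest()
        if prev.hex() != stored:
            return False
    return hmac.compare_digest(hmac.new(key, prev, "sha256").hexdigest(), seal)


def demo():
    key = b"example-key-kept-off-the-log-server"  # assumed; a real deployment uses a managed secret
    records, seal = seal_log(OUTBOUND_LOG.splitlines(), key)
    intact = verify_log(records, seal, key)
    # An intruder who has cleaned up after himself removes the beacon records.
    scrubbed = [r for r in records if "203.0.113.7" not in r[0]]
    return intact, verify_log(scrubbed, seal, key)


if __name__ == "__main__":
    for b in find_beacons(OUTBOUND_LOG):
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['period_s']}s (cv={b['cv']})")
    print("log intact:", demo()[0], "after scrubbing:", demo()[1])
```

WS-101 reaches 203.0.113.7:443 every 60 seconds with one or two seconds of jitter and is flagged; WS-202's traffic to 198.51.100.20 is ordinary bursty browsing and is not. The seal check passes on the stored log and fails once the beacon lines are scrubbed, which is exactly the case an audit trail exists for: the evidence of the C&C channel survives the intruder's attempt to erase it.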


Every organization needs a unique set of strategies to keep cyber attacks at bay.

We are helping them take conscious steps with the 24×7 Managed Security Suite.

Ask us anything–
