Of all of the methods used by hackers, one of the most common and perhaps least understood, is the watering hole attack.
The name of this hacking technique describes the practice: Predators stalk places frequented by prey, and when the time is right they pounce. The digital version of a watering hole attack doesn’t target an organization or individual directly. Instead, hackers infect a website or another online resource used by the target organization or individuals who work there and then wait till someone compromises themselves.
One of the most famous examples of a watering hole attack was the 2015 hack of Forbes.com. Chinese threat actors compromised the website’s “Thought of the Day” popup with a form of malware that exploited two vulnerabilities in the Internet Explorer web browser and the Adobe Flash plugin. The target wasn’t Forbes.com itself or its millions of daily users, but rather key figures in the defense and financial sectors who were likely to be regular visitors to the site.
Details about the results are vague, and with good reason: hackers seeking to exfiltrate data seldom advertise what they manage to acquire. The two cybersecurity firms that investigated the “Thought of the Day” hack didn’t name their clients. Any data compromised went unreported.
Why Watering Hole Attacks Are Effective
This method works because it goes around a target organization’s defenses rather than straight at them. Companies can spend massive amounts of time and money on securing their networks and resources, but they can’t do anything about lax cybersecurity on websites and apps commonly used by their employees.
By identifying an easier, less secure target where an organization’s employees will likely visit and infecting them with malware, a hacker needs only to exercise patience. Access to a targeted organization’s network, data, and resources is only a click away.
Watering hole attacks are harder to detect as well. Security software and trained IT teams can usually detect an attempt to gain access to a network from an outside source in real time, but networks are significantly more vulnerable to a compromised device that is known and trusted within their network.
Protecting Against Watering Hole Attacks
While watering hole attacks are usually carried out by sophisticated hacking collectives, they tend to rely on many of the same vulnerabilities exploited by more common methods: Devices that run outdated and unpatched software, human error and poorly secured networks.
Organizations should invest in robust cybersecurity training for all employees from the mailroom to the board room. Recognizing potentially suspicious websites and emails is crucial to the battle against hackers. Implementing a zero-trust architecture to mitigate unnecessary risks is another way to protect an organization.
At a minimum, employees should be regularly reminded to keep their devices and software updated, and to install and maintain reliable security software. Humans are fallible, but they are also trainable and they are the best protection against this threat.
