A watering hole attack is an indirect attack on a victim. Rather than directly attacking the victim’s network, the attacker attacks a web site that the victim’s employees are likely to visit. Then the attacker attacks the victim’s network, via its own workstations, from that web site. A former colleague asked me how you protect against watering hole attacks, and I thought this was a good exercise. So here are some strategies for watering hole attack prevention.
Don’t expect much from your antivirus
If you listen to your antivirus companies, they’ll have you believe they have you protected. Rule #1 is to not expect much from your antivirus when it comes to watering hole attack prevention. Normally, by the time your antivirus sees the attack, it’s too late and it’s not in a position to protect you. The best you can expect is for antivirus alerts to help you find your workstations that sustained an attack.
Antivirus has its uses, and it’s illegal, or at least a breach of contract, not to run it on your corporate PCs. But unless you’re running Cylance, don’t expect it to give you much protection against watering hole attacks. I’m not certain Cylance will protect you either, but it’s the one antivirus product out there right now that might be able to. If I’m defending a network, I’ll take the product that might help over all the others I know won’t.
Filter web content
A good first line of defense is web content filtering, such as Bluecoat or Websense (now Forcepoint). When you limit Internet traffic to a list of sites that the industry has generally agreed are business critical, you really reduce the number of potential watering holes someone can attack from.
Don’t get me wrong. I think being draconian about personal Web use will come back and bite you. But there’s a difference between allowing employees to access banking and bill-paying sites and allowing everything. You do have to find a balance. Most organizations that have been filtering for a few years are probably pretty close to the right balance.
Contrary to reputation, blocking access just to gambling sites and other sites that HR doesn’t approve of isn’t enough. Church web sites are actually more likely to harbor malware than the Web’s red-light district. So, when in doubt, I would encourage you to block a little bit more, rather than a little bit less.
Keep your patches up to date
Use up to date web browsers and keep plugins like Adobe Flash up to date. It works wonders with blocking watering hole attacks. Every attempted watering hole attack I’ve ever seen tried to use a bug that was at least six months old. So if you try to apply all the new patches every month and you have any degree of success, these types of attacks will tend to fail.
The more successful you are at getting your patches deployed, the less likely you are to fall victim to a watering hole attack. If your software is up to date, you force the attacker to use a zero-day exploit. Zero-days are more expensive and frequently less reliable. Once you raise the stakes to that level, chances are the attacker will move on to someone else.
Run an up-to-date operating system
Windows 10 has better security features in it than Windows 7 did. Windows 7, of course, was a big improvement over Windows XP. From a security standpoint, it doesn’t pay to wait until Windows 7’s end of life to start deploying Windows 10.
Unfortunately, even in 2017, being on at least Windows 7 isn’t a given, so I give credit to anyone who’s at least at that level. But still, the sooner you can get on Windows 10, the better.
Whitelist risky web content
I learned the hard way that blocking Flash outright doesn’t go well. But I also found that a surprisingly small number of business-oriented web sites use Flash. At my prior employer, we found about 300.
So look through your proxy server logs. Export anything with an SWF extension. Delete things that obviously aren’t business related. Now you have a list, and I’ll bet you it’s no more than a few hundred domains. Block SWF files from everything but those few hundred domains, and you’ll find most watering hole attacks will fail. The reason for this is because if the site hadn’t been serving up Flash content, you’ll block it if it suddenly starts serving up malicious Flash content.
Use an anti-exploit technology
Putting an anti-exploit technology such as EMET or Malwarebytes Anti-Exploit in place provides extra protection when your goal is watering hole attack prevention. I like the Malwarebytes product because it has an interface to centrally administer it, and it can log to your syslog server for analysis. EMET logs are harder to pull and you administer it through Group Policy.
The idea with anti-exploit technologies is to intercept bad behavior and crash the application before the bad code can run. They aren’t foolproof and they can be bypassed, but they increase the complexity of the attack and they’re cheap. EMET is free, and the Malwarebytes solution was rather affordable the last time I priced it.
If your patching is up to date and the attacker gets through your web filters with an unpatchable zero-day exploit, one of these tools is the cheapest defense against it.
A better solution for watering hole attack prevention that’s harder to bypass is a micro-virtualization solution like Bromium. Bromium doesn’t come cheap and you need relatively high-end hardware to run it. But the idea with Bromium is to run each of your browser tabs in a mini virtual machine that goes away when you close the tab. So if an attacker infects it, the infection is isolated to that VM, and it goes away when you close the tab.
Due to the expense, I would urge you to get the rest of your house in order before bringing in Bromium. But once you have a good security program, Bromium is one of those things you can bring in to take it to the next level.
The last word in watering hole attack prevention
An awful lot depends on your attacker. An opportunistic attacker who’s only looking for someone vulnerable and doesn’t care if it’s you or someone else is easy to deter. Just be more secure than average. On the other hand, if a nation-state is after you, the nation-state will find its way in. Nation-states’ records of keeping other nation-states out is inconsistent at best.
And sometimes nation-states are interested in industry verticals. There’s no shortage of rumors that Russia is interested in electrical utility companies, or at least wants us to think it is. That probably won’t surprise very many people. But here’s another rumor. China is interested in health care companies. Why? I heard that as they adopt a Western lifestyle, the Chinese are developing some of our health problems and want to know how to treat them.
So even if you’re not in the business of building tanks or fighter jets, there may be nation-states interested in getting into your network. Keeping them out won’t be easy.
That means there are no absolute guarantees, but there’s a surprising amount that you can do when it comes to watering hole attack prevention.
If you have more ideas on how to defend against watering hole attacks, or experience with specific products, I’d love to hear about it. Feel free to leave a comment.