A layered approach based on a combination of checks and balances, along with various key technologies, is the most comprehensive method of preventing so-called watering hole malware attacks.
South African ICT managed cyber security provider and specialist Ukuvuma Security Solutions says watering hole attacks – a targeted attack utilising legitimate Web sites to infect victims with malware – reflect the level of sophistication that now epitomises cyber-threats and cybercrime.
“It’s called a watering hole due to the fact that the attacker has done extensive intelligence gathering and research on the target, and knows that the target frequently visits certain legitimate websites. The attacker compromises the websites and only alters it by hiding malware on the website to infect the target when they visit the compromised websites,” explains Andrew Chester, Security Officer at Ukuvuma Solutions.
“The websites don’t look or act any differently once compromised, the malware is cleverly hidden within the website and invisible to the target, or any other users.”
An attack is performed to infect a device with malware, or malicious software, in order to gain control. “The attacker can control and perform any action on the targets computer including, but not limited to, stealing information/data and/or utilising the computer as a zombie, as part of a larger botnet to perform any action which the attacker wants,” Chester continues.
As a specialist in ICT security, including security solution development and application, Ukuvuma Security points out that these attacks, while not industry specific, are usually perpetrated with the intention to compromise numerous computers at once and quickly, then use these as a botnet for financial gain.
Chester says reasons include corporate/ industrial espionage, black-market financial gain (botnets and the selling of botnets) to front additional attacks or simply to acquire information.
Malware, as the basis of this attack technique, is distributed quickly and simultaneously to achieve the objective. As Chester explains, phishing emails is also one of the most common and effective ways of targeting and infecting victims.
“Phishing emails are intelligently constructed malicious emails which trick a victim to either click on a malicious web link, or open a malicious attachment or file – once this is done, the malware infects the victim’s computer. If a watering hole attack can be seen as a targeted web attack, then a spear-phishing email is a targeted malicious email attack where the victim is specifically identified and targeted, and ‘phished’.”
He adds that an organisation can implement in-line threat detection, controls and prevention, which can consist of software solutions which can intelligently detect if a website has been compromised and prevent the end-user from being compromised by blocking their access to the websites, or watering-holes.
There are several of these solutions available, from in-line web inspection, to anomaly detection and application firewalls, amongst others.
“We utilise technologies such as reputation analysis, anomaly detection, integrity analysis and in-line real-time and out-of-band inspection, application firewalling, cloud-based intelligence and user education (amongst others) to ensure that these common attacks are prevented,” Chester says.
The Company endorses a layered approach and defensive technique, built on user education and a strong awareness foundation, to help businesses keep up with evolving malicious techniques and threats.