Targeted attacks in general come with an intent to spy on confidential/sensitive business information such as financial information, proprietary product information and so on. Typically, a highly targeted attack like spear-phishing is targeted at an individual or an organization via emails that contain maliciously crafted executables.
Of late, we hear a lot about “waterholing” attacks which are becoming a preferred form of attack mainly because waterhole attacks are less-labor intensive. They do not socially engineer you into visiting a compromised site, rather they just need a compromised website in your area of interest (a waterhole), and they wait for you to fall prey in normal course of things.
How does the attack happen?
It is not a completely new-kind of attack and may be classified as a new APT-style of attack. Once there is a visitor to the waterhole, they are mostly likely to be redirected to a number of infected sites and thereby attempting to exploit the Microsoft XML Core Services or a Java exploit. In the case of the attack being successful, there are high chances that the visitor, the visitor would be infected with a version of Gh0st RAT. One of the key reasons for the attack being more successful is that most victims choose to visit a site driven by personal interest and in most cases there are no security precautions taken. RSA coined the term “water holing” after the infamous VOHO attack campaign that happened in July 2013.
Waterhole attacks expected to be on the rise
Based on several security reports, it is seen that the number of waterhole attacks has been continuously increasing over the last two years and is expected to increase further in 2014. To be really effective in network defence, and not just from a post-attack forensic analysis standpoint, you need to make sure that the security event data are analysed and correlated in real time. This means that you need to capture threats in real time, correlate them in-memory and respond to the attacks in a timely manner. It is ideal to start monitoring your logs for activities across your servers, firewalls and endpoints.
Organization need to more vigilant and ensure that measures are taken to identify malicious activities on your network. You also need a risk mitigation plan that automates the response the moment an anomaly is identified. You can opt for an SIEM tool that uses automated responses to respond to critical security events, and shuts down threats immediately.
Some key built-in responses that you might need for sure are:
- Send incident alerts, emails, pop-up messages, or SNMP traps
- Add or remove users from groups
- Block an IP address
- Kill processes by ID or name
Stay proactive, stay secure!!