The Watering Hole: Is it Safe to Drink?

Posted by on May 7, 2013

How many times have you been told you have a vulnerability that you just don’t understand  its relevancy?  Cross-Site scripting comes to mind for many people.   Sure, they get the fact that you can execute script in the user’s browser, but often times they really don’t fully understand the impact.  Of course, we determine that impact through risk analysis.  What is the true impact and how much risk does it pose to the affected parties?

Over the years, I have heard numerous companies and previous employers state that no one would attack them because they are too small or that they didn’t have anything that the attackers would want.  I have always disagreed with this statement or theory.  Maybe you are a company that doesn’t contain financial data, or health information.  Maybe you don’t deal with sensitive information at all.  So what is the risk? 

We have to start thinking about more than just the type of data that we hold.  We have to look at the bigger picture.  Who are our clients or users?  Who do we do business with that may have something of interest to an attacker.  Of of the big concerns that have been directed toward these smaller companies is the idea of pivoting.   If I wanted to attack a major bank, would it make sense to attack the bank directly?  Very large banks usually have bigger budgets and theoretically would have stronger security controls in place.  That could be a lot of work to get through that entry point.   But what about that small company, that has a smaller budget, and probably (not always) fewer security controls that does business with that big bank?   Is there an opportunity to compromise the small company and pivot into the larger bank through a B2B channel they have set up?   This is certainly a possibility.

Something newer we are seeing is this idea of a Watering Hole attack.  This focuses more on the “WHO” visits your site.  The idea behind a watering hole attack is that it is a targeted drive by malware type of attack.  Rather than put a malicious payload on a site that EVERYONE accesses, why not target a site that the victim you are tracking frequents.  Think of this as similar to the difference between phishing and spear phishing.  In a phishing attack we send out the attack email in mass, but in spear phishing, we are much more refined in who receives the message.   The same goes for this watering hole attack.

As always, we are witnessing the evolution of these attacks.   Migrating from a broad spreading mechanism to a more targeted one has a lot of benefits.  One is that your specific target is more likely to fall prey.  Two, there is less chance of the attack getting noticed if fewer users actually see it.  We have seen other situations where the attackers have actually built their delivery mechanism to not deliver to know security professionals or researchers based on their IP address to avoid getting noticed as quickly. 

The watering hole is just another example of why security does matter to every website, no matter what your content may be.  Even if the attack isn’t against our servers, but against our users, that can have a serious effect on our businesses.   The next time you hear someone say that they are too small or don’t have any data that attackers may want, think about the watering hole concept and see if you are still a nobody in this world.


Comments are closed.