Could This Watering Hole Attack Have Been Avoided?


Dan Ennis CEO


A recent article from caught our eye, being a perfect example of a watering hole attack that might have been avoided by using a fresh approach to Website security.

A Fortune 1000 company which prefers, for obvious reasons, to go unnamed, detected an attack targeting potential viewers of a technology start-up website that had recently been in the news. The Fortune 1000 firm is a customer of Bromium Labs, and both did yeoman’s work untangling the attack, which was referred to as “fairly sophisticated”. See Bromium Labs’ blog post on the incident here, and the SCMagazine article.

A watering hole attack occurs when attackers compromise a site that is likely to be of interest to targeted organizations. These organizations are then exposed to malware infections when visiting this site.

While publicly available details are limited—for example, we don’t know what layer the attack was focused on—we can safely assume that other strategies would have detected and blocked the attack.

One of the key pains of website security is the overwhelming amount of rules, alerts and logs that security admins are forced to process on a daily basis. This noise prevents security teams from focusing on the rules they do write, and alerts that are critical to the business are lost in the flood of information. Watering-hole attackers take advantage of this noise to sneak malware into whitelisted strings, and compromise websites.

Security strategies that focus on minimizing the attack surface and reducing the information flow are highly effective against watering hole attacks. For example: using well defined whitelists as opposed to blacklists means fewer rules to worry about. This allows security teams to focus on what’s important and identify watering hole attacks in advance.

Decoupled Web Architecture and Context Aware Protection are very effective ways to overcome such attacks. With Context-Aware Protection, the site is continuously scanned to understand and verify its functionality and structure. Based on this scan, the site is decoupled and served securely from the cloud. During these ongoing scans, any unusual structural and behavioral changes are immediately identified and reported to the customer’s security team. These red-flag changes caused by the attack will not be replicated to the cloud, which prevents the back end from being compromised.

An immediate benefit of this approach is ease of operation, while another is a dramatically reduced attack surface. Security operators have far fewer rules to worry about.  They are able to focus more effort on the rules they do write; and as a result, watering-hole attackers find it extremely difficult to sneak malware into a whitelisted string.

To summarize: While the approach presented by SCMagazine valid, it is interesting to note that non-traditional protection methods can be highly effective for detecting and disarming watering-hole attacks.