Putting a Watering Hole Tactic in Perspective
In nature, watering holes provide predators with the perfect location to hunt and stalk their prey. Animals congregate around the holes, while the predators lurk and wait for the perfect opportunity to launch an attack.
This same concept has been used by cyber attackers for years. Hackers identify websites that employees of a target business or industry visit frequently to lay a trap. Since these sites are viewed as ‘trusted’ from a security stand point, visitors are generally lulled into a sense of false security.
Case in point, Dennis Fisher of ThreatPost covered LightsOut, the latest example of the watering hole tactic designed to infiltrate energy companies, via a the website of a legal firm that catered to very large energy sector clients. Fisher reported that when users hit the website, they were redirected to a third-party site, which hosted the exploit kit. This kit performed a number of diagnostic tests on the user’s browser to see what sort of exploits should be delivered.
What is important here is not the attack itself, nor that malware evaded defenses (haven’t we heard that story enough already?). This attack is an example of a much bigger, advanced threat roadmap that every company needs to think through. You will be targeted and breached – either via water hole attack or some other sneaky means – however there is a critical point to focus on and defend: privileged accounts.
Let’s follow the pathway laid out in LightsOut. Once the attacker gained access to a device, the next move was to steal privileged or administrative credentials, as a means to elevate access privileges and execute the ‘real’ attack. It’s not clear if LightsOut was meant to exfiltrate data, cause damage to operational systems, or steal IP, however, what is clear is the watering hole was simply one of any number of ways to grab a foothold within targeted company defenses.
Cyber attackers must first steal and exploit privileged credentials before moving very far within an organization’s infrastructure and this is why they’re the number one target of all attacks.
Advanced attacks on energy companies continue to grow. This is why we’ve consistently urged our customers as well as other critical infrastructure-related companies, to build their security from the inside-out, locking down the privileged accounts that can stop advanced attacks before the real damage is done. After all, once malware is found, it can be removed. Once a privileged account has been compromised, your infrastructure might not be yours any longer.