Watering hole Attack – Detect the Undetectable
STRICTLY PRIVATE & CONFIDENTIAL © 2015

Watering hole attacks detect the undetectable

Feb 23, 2017

Transcript
Page 1: Watering hole attacks detect the undetectable

Watering hole Attack – Detect the Undetectable

Page 2: Watering hole attacks detect the undetectable


What is a watering hole?

In the real world, a water hole is a source of water where many animals gather to quench their thirst. This makes a water hole an ideal spot for a hunter.

The cyber world equivalent is an attacker leveraging a trusted website which is frequented by potential victims.

Page 3: Watering hole attacks detect the undetectable


The attack

It is an indirect, 2-step attack where the attacker first compromises a trusted resource (typically by exploiting some vulnerability) and injects a piece of malicious code on the system.

When a potential victim visits the resource, the malicious code infects their system.

Page 4: Watering hole attacks detect the undetectable


Can be used for?

Infecting the victims with malicious code to achieve an end goal like:

Ransomware

Data exfiltration

Adware

Page 5: Watering hole attacks detect the undetectable


Challenges

Indirect attack

Difficult to detect

Exploits the ‘trust’ placed in the resources which are commonly frequented (can be social networking sites, forums, sport scores etc.)

Might bypass security measures

Aimed at more than one victim

Can even prove effective against victims resistant to spear phishing

Page 6: Watering hole attacks detect the undetectable


Story

Attacker canvasses the victims (a company, a community, a government agency etc.) to identify potential trusted resources

Compromises the trusted resource and places malicious code

Waits for victims to visit the ‘watering hole’, i.e. the trusted resource

Victim visits the compromised resource

Victim gets infected by malicious code

The malicious code could be an exploit kit, malware or ransomware

Page 7: Watering hole attacks detect the undetectable


Additional details

Can target sections which have less-stringent security to bypass controls

Ex. – target common users and infect them to gain entry to the internal network, then leverage that foothold to gain access to more critical resources

Page 8: Watering hole attacks detect the undetectable


What we do?

A heuristic model comprising data science and machine learning

Monitors and profiles user activity

Multiple parameters considered, like:

Type of connection

Number of connections

Size of data transferred

Format of data etc.

Based on this profiling the platform is able to detect whether a potential watering hole attack occurred in the network.

Page 9: Watering hole attacks detect the undetectable


Additional details

The model is designed to identify the “behavior” of a watering hole. Due to this we have seen outcomes where multiple people downloaded the Chrome browser update in the same time frame. This output is not a false positive, because the ‘trust’ that was breached could be the resource that hosts Chrome updates, and the alert can only be ignored after proper validation.
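The profiling approach described on the two preceding slides (baseline each user's connections, then look for a resource that several users fetch for the first time within the same short time frame, and hand the result to an analyst for validation rather than auto-dismissing it) can be illustrated with a small detector. The code below is an added example written for this page; it is not Paladion's platform or any code from the deck. The proxy log layout, the field names, the hosts and user names, the 15-minute window and the three-user threshold are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy records (hypothetical; not data from the deck).
# Fields: timestamp user host path method bytes content_type
SAMPLE_LOG = """\
2017-02-20T09:01:00 alice news.example.org /index.html GET 18400 text/html
2017-02-20T09:03:00 bob news.example.org /index.html GET 18390 text/html
2017-02-20T09:10:00 carol forum.example.net /topics GET 22100 text/html
2017-02-20T11:45:00 dave news.example.org /sports GET 15000 text/html
2017-02-21T09:02:00 alice forum.example.net /topics GET 22050 text/html
2017-02-21T09:05:00 carol news.example.org /index.html GET 18410 text/html
2017-02-21T10:00:00 erin intranet.example.com /wiki GET 9000 text/html
2017-02-22T09:00:00 alice news.example.org /index.html GET 18420 text/html
2017-02-22T09:00:30 alice cdn.example-files.net /assets/loader.exe GET 512000 application/octet-stream
2017-02-22T09:04:00 bob news.example.org /index.html GET 18420 text/html
2017-02-22T09:04:20 bob cdn.example-files.net /assets/loader.exe GET 512000 application/octet-stream
2017-02-22T09:09:00 carol news.example.org /index.html GET 18420 text/html
2017-02-22T09:09:15 carol cdn.example-files.net /assets/loader.exe GET 512000 application/octet-stream
2017-02-22T09:11:00 dave news.example.org /sports GET 15100 text/html
2017-02-22T09:11:40 dave cdn.example-files.net /assets/loader.exe GET 512000 application/octet-stream
2017-02-22T10:40:00 erin dl.vendor.example /browser_update.exe GET 4800000 application/octet-stream
"""

BASELINE_END = datetime(2017, 2, 22)   # assumed split: profile everything before this day
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}  # "format of data"


def parse_log(text):
    """Parse the whitespace-separated proxy records into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, path, method, size, ctype = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                        "path": path, "method": method, "bytes": int(size), "ctype": ctype})
    return sorted(records, key=lambda r: r["ts"])


def build_profiles(records, baseline_end=BASELINE_END):
    """Per-user baseline: hosts visited, number of connections, bytes transferred."""
    profiles = defaultdict(lambda: {"hosts": set(), "connections": 0, "bytes": 0})
    for r in records:
        if r["ts"] < baseline_end:
            p = profiles[r["user"]]
            p["hosts"].add(r["host"])
            p["connections"] += 1
            p["bytes"] += r["bytes"]
    return profiles


def detect_watering_hole(records, profiles, baseline_end=BASELINE_END,
                         window=timedelta(minutes=15), min_users=3):
    """Report a resource that several users fetch for the first time inside one short window.

    A record is 'novel' when its host is absent from that user's baseline profile
    (a user with no baseline at all therefore has every connection treated as novel).
    Novel records are grouped per (host, path); if some sliding window of `window`
    length holds >= min_users distinct users, the resource is reported for validation.
    """
    novel = defaultdict(list)
    for r in records:
        if r["ts"] >= baseline_end and r["host"] not in profiles[r["user"]]["hosts"]:
            novel[(r["host"], r["path"])].append(r)

    alerts = []
    for (host, path), events in novel.items():
        best = set()
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            binary = any(e["ctype"] in BINARY_TYPES for e in events)
            alerts.append({
                "resource": f"{host}{path}",
                "users": sorted(best),
                "first_seen": events[0]["ts"].isoformat(),
                "total_bytes": sum(e["bytes"] for e in events),
                "severity": "high" if binary else "medium",
                # The deck's caveat: the flagged resource may turn out to be a legitimate
                # update host, but the alert is closed only after an analyst validates it.
                "status": "needs validation",
            })
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_watering_hole(recs, build_profiles(recs)):
        print(alert)
```

On the constructed log, the four users who all fetch `cdn.example-files.net/assets/loader.exe` within eleven minutes of each other, from a host none of them had visited during the baseline, produce one high-severity alert tagged "needs validation"; erin's single download from `dl.vendor.example` is novel for her but stays below the three-user threshold, so it is not reported. Whether the flagged host is a compromised site or a legitimate update server is exactly the question the deck leaves to validation, which is why the detector labels the finding instead of suppressing it.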

Page 10: Watering hole attacks detect the undetectable


Detection of Watering Hole attack

Page 11: Watering hole attacks detect the undetectable

© 2015 PALADION NETWORKS PRIVATE LIMITED | WWW.PALADION.NET | CONFIDENTIAL