
Defending against watering hole attacks: Consider using a secure VM

Expert Nick Lewis analyzes the techniques employed by watering hole attacks and discusses how to use a secure VM to defend enterprises against them.

As more organizations are heavily filtering or limiting employee email and Internet access to prevent phishing and other Web-based attacks, attackers are identifying other ways to fool their victims into visiting malware-laden websites.


Case in point: The website of the Council on Foreign Relations (CFR) was recently compromised to serve an Internet Explorer (IE) zero-day exploit, but the CFR itself was not the ultimate target. Instead, the attackers used a watering hole attack to reach the enterprise users who visit the CFR's website. As attackers look for alternative ways to get at enterprises holding valuable information, watering hole attacks may prove to be an effective infiltration method.

In this tip, we'll discuss the methods watering hole attacks employ and how enterprises can utilize the security of virtual machines (VMs) to defend against them.

The watering hole technique

Watering hole attacks are a variant of pivot attacks, in which an attacker is able to pivot from one system (the initial victim) to another system (the intended target). These attacks focus on legitimate websites that employees from targeted organizations might visit. Due to widespread usage, these websites might also be whitelisted or preapproved in the targeted enterprises or in their various security tools.

The goal of a watering hole attack is to compromise users from the targeted organizations with malware, gaining a foothold into the enterprise's systems or network. Once the malware is installed, this access is used to attack the rest of the network. The watering hole method has reportedly been used in targeted espionage attacks, with zero-day vulnerabilities in Adobe Reader, the Java Runtime Environment (JRE), Flash and IE being used to install malware.

The watering hole attack method is somewhat uncommon, but attacking low-security targets to leverage access to high-security targets is a classic pattern of attackers and a problem for those in charge of defense. The low-security targets could be business partners, vendors with connections to enterprise networks or even the unsecured wireless network of a coffee shop near the target.

Watering hole attacks can also be carried out by attacking an ad network that the targeted website uses. This involves inserting malicious website advertisements, or malvertisements (either text or images), into the rotation of ads delivered to various websites.

Are secure VMs the answer?

Standard malware defenses are the starting point for defending against watering hole attacks of all varieties, but targeted enterprises can add further controls. Perhaps the most compelling option is a secure VM. Enterprises can run their Web browsers in virtual environments with limited connectivity to other production systems, or use tools such as the Invincea virtual containers to limit access to the local system. Compartmentalizing the tools used to reach untrusted content limits the risk that a compromised site infects the rest of the endpoint.

These virtual environments could be reserved for specific interactions with approved but untrusted systems, such as browsing sites that might be used in a watering hole attack, or extended into a full VM for all untrusted work, such as opening email attachments. The full VM could be a disposable one that is rebuilt from a clean image every time it is used, so malware would not persist between sessions.
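The following is an added example of the disposable-VM pattern described above; it is not code from the original article or from any product it mentions. It assumes a QEMU/KVM host with `qemu-img` and `qemu-system-x86_64` on the PATH and a pre-built, read-only "golden" browser image at a hypothetical path. Each session gets a fresh qcow2 overlay in a temporary directory that is destroyed when the VM exits, so anything a malicious site writes to the guest is gone by the next launch. The network stanza only keeps the guest off the production LAN as a bridged host would be; the host firewall rules that block RFC 1918 destinations for this process are an assumption noted in the comments, not something the script configures.

```python
"""Disposable browsing VM launcher (added example, not from the original
article). Assumed: qemu-img and qemu-system-x86_64 on PATH, and a read-only
golden image at BASE_IMAGE (hypothetical path)."""
import os
import shutil
import stat
import subprocess
import tempfile

BASE_IMAGE = "/var/lib/browservm/golden-browser.qcow2"  # hypothetical path


def base_image_is_immutable(path):
    """True when no write bit is set on the golden image.

    The per-session overlay only protects the base as long as nothing opens
    it read-write, so refuse to launch if an operator left it writable.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o222 == 0


def disposable_vm_commands(base_image, session_dir, memory_mb=2048):
    """Return (create_overlay_cmd, run_vm_cmd) for one throwaway session."""
    overlay = os.path.join(session_dir, "session.qcow2")
    create = [
        "qemu-img", "create", "-f", "qcow2",
        "-b", base_image, "-F", "qcow2", overlay,
    ]
    run = [
        "qemu-system-x86_64", "-enable-kvm",
        "-m", str(memory_mb),
        # The overlay is the only disk handed to the guest; the golden image
        # is never passed as a drive, so it cannot be modified from inside.
        "-drive", "file=%s,format=qcow2,if=virtio" % overlay,
        # -snapshot redirects writes to a temp file, so even the overlay stays
        # clean if the guest is killed mid-session.
        "-snapshot",
        # User-mode (slirp) NAT: Internet egress via the host, no bridge onto
        # the production LAN. Assumption: host firewall rules also block
        # RFC 1918 destinations for this process; slirp alone does not.
        "-netdev", "user,id=n0",
        "-device", "virtio-net-pci,netdev=n0",
        "-display", "gtk",
    ]
    return create, run


def run_disposable_session(base_image=BASE_IMAGE):
    """Create the overlay, run the VM, and always destroy the session dir."""
    if not base_image_is_immutable(base_image):
        raise RuntimeError("golden image %s must be read-only" % base_image)
    session_dir = tempfile.mkdtemp(prefix="browservm-")
    try:
        create, run = disposable_vm_commands(base_image, session_dir)
        subprocess.run(create, check=True)
        return subprocess.run(run).returncode
    finally:
        # Rebuild-on-next-use: nothing from this session survives.
        shutil.rmtree(session_dir, ignore_errors=True)


if __name__ == "__main__":
    raise SystemExit(run_disposable_session())
```

The immutability check is deliberate: a golden image that is writable by the launching user is one misconfigured `-drive` away from being silently poisoned, after which every "fresh" session would start already compromised.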


Once malware is running in a browser, remember that it can potentially access whatever the browser can access, even inside a virtual environment. If an infected VM visits an internal or external site, the malware can still capture passwords and sensitive data, or attack other systems from the virtual environment, so credentials for internal systems should not be used from a browsing VM. To reduce the attack surface further, enterprises can remove or disable the most commonly targeted software, including the JRE, Flash, Adobe Reader and IE, on at-risk systems.

Enterprises can keep their own websites from being used as conduits for these attacks by implementing processes to verify that the sites are malware-free. Some of the same techniques used to vet Web 2.0 widgets can be applied to checking an entire website for injected content. There are services that scan websites daily for potential malware, but with some Web content changing far more often than that, daily checks may not be enough. Google Inc. operates a service that checks websites for malware to protect its search engine users; Comodo Group Inc., GeoTrust Inc. and others offer similar services.
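As an added example (not part of the original article or of any scanning service it names), the following Python script does the kind of check a site operator can run against their own pages as often as they like: it lists every tag that loads code (script, iframe, object, embed), flags sources outside the origins the site is expected to use, flags hidden iframes, and fingerprints the embed list so that routine text edits do not alert while any new script or iframe does. The allowed-host set and the two sample pages are constructed for the example; 203.0.113.7 is from a documentation address range, not a real attacker host.

```python
"""Injected-content scanner for a site you operate (added example, not from
the original article). ALLOWED_HOSTS and both sample pages are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this hypothetical site is expected to load code from (assumption).
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

# Constructed sample pages: the second carries a typical watering-hole
# injection (a 1x1 hidden iframe plus a script pulled from an attacker host).
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
</head><body><p>Council agenda</p></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
</head><body><p>Council agenda</p>
<iframe src="http://203.0.113.7/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="//203.0.113.7/js/load.js"></script>
</body></html>"""

EMBED_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class EmbedCollector(HTMLParser):
    """Collects (tag, url, attrs) for every tag that loads code, plus a
    content hash for each inline <script> block (obfuscated injections are
    usually inline)."""

    def __init__(self):
        super().__init__()
        self.embeds = []
        self._inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr_name = EMBED_TAGS.get(tag)
        if attr_name is None:
            return
        url = attrs.get(attr_name)
        if url:
            self.embeds.append((tag, url, attrs))
        elif tag == "script":
            self._inline_script = True

    def handle_data(self, data):
        if self._inline_script and data.strip():
            digest = hashlib.sha256(data.encode()).hexdigest()[:16]
            self.embeds.append(("script", "inline:" + digest, {}))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False


def _host_of(url):
    """Host part of a src, or None for same-origin (relative) references."""
    if url.startswith("//"):  # protocol-relative, common in injected tags
        url = "http:" + url
    return urlparse(url).netloc.lower() or None


def _looks_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injections(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(tag, url, [reasons])] for every embed that should not be there."""
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.embeds:
        reasons = []
        host = _host_of(url)
        if host is not None and host not in allowed_hosts:
            reasons.append("unexpected origin")
        if tag == "iframe" and _looks_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, url, reasons))
    return findings


def embed_fingerprint(html):
    """Hash of the embed list alone: routine copy edits do not change it,
    any new script or iframe (external or inline) does. Store it per URL and
    compare on every crawl, which can run far more often than daily."""
    parser = EmbedCollector()
    parser.feed(html)
    digest = hashlib.sha256()
    for tag, url, _ in parser.embeds:
        digest.update(("%s %s\n" % (tag, url)).encode())
    return digest.hexdigest()


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, embed_fingerprint(page)[:12], find_injections(page))
```

Run it against the HTML your server actually returns to an anonymous visitor, not the files on disk: a compromised server, or a compromised third-party include, can serve different content to the public than what is in the Web root.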

RSA has also reported that stolen File Transfer Protocol (FTP) credentials have been used to post malicious content on compromised websites. Managing an enterprise website over FTP is high-risk because usernames and passwords cross the network unencrypted, where they can be captured and reused to post malicious content; an encrypted alternative such as SFTP removes that exposure. Enterprises could also serve content from a read-only file system, but that does not protect database-driven sites, sites running Web applications that allow posting of content, or content included from third parties. All of these options still require a hardened Web server, one where an exploit against the Web server cannot be used to attack the underlying operating system.


While the general information security risk posed by watering hole attacks is low, organizations must still be prepared, because such targeted attacks can be quite effective. To defend against the many attack methods that can be used to compromise workstations and gain footholds on networks, enterprises need to secure their endpoints and apply defense-in-depth principles. At the same time, organizations whose websites could serve as conduits for watering hole attacks should secure their Web presences.

About the author:

Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his master of science in information assurance from Norwich University in 2005, and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.

This was last published in March 2013
