watering hole attacks detect the undetectable
TRANSCRIPT
STRICTLY PRIVATE & CONFIDENTIAL © 2015
Watering hole Attack – Detect the Undetectable
What is a watering hole? In the real world, a water hole is a source of water where many animals gather to quench their thirst. This makes a water hole an ideal spot for a hunter.
The cyber-world equivalent is an attacker leveraging a trusted website which is frequented by potential victims.
The attack: It is an indirect, 2-step attack where the attacker first compromises a trusted resource (typically by exploiting some vulnerability) and injects a piece of malicious code on the system.
When a potential victim visits the resource, the malicious code infects their system.
What can it be used for? Infecting the victims with malicious code to achieve an end goal such as:
Ransomware
Data exfiltration
Adware
Challenges
Indirect attack
Difficult to detect
Exploits the ‘trust’ placed in the resources which are commonly frequented (can be social networking sites, forums, sport scores etc.)
Might bypass security measures
Aimed at more than one victim
Can even prove effective against victims resistant to spear phishing
Story
Attacker canvases the victims (a company, a community, government agency etc.) to identify potential trusted resources
Compromises the trusted resource and places malicious code
Waits for victims to visit the ‘watering hole’, i.e. the trusted resource
Victim visits the compromised resource
Victim gets infected by malicious code
The malicious code could be an exploit kit or malware or ransomware
Additional details: Can target sections which have less stringent security in order to bypass controls. Example: target common users and infect them to gain entry to the internal network, then leverage that foothold to gain access to more critical resources.
What do we do? A heuristic model comprising data science and machine learning. It monitors and profiles user activity. Multiple parameters are considered, such as:
Type of connection
Number of connections
Size of data transferred
Format of data etc.
Based on this profiling, the platform is able to detect whether a potential watering hole attack occurred in the network.
Additional details: The model is designed to identify the “behavior” of a watering hole. Because of this, we have seen outcomes where multiple people downloaded the Chrome browser update in the same time frame. This output is not a false positive, because the ‘trust’ that was breached could be the resource that hosts Chrome updates, and it can only be ignored after proper validation.
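A simplified version of the profiling idea from the two slides above (distinct users, destination, data format and size within a time window), written as an added example for this transcript; it is not Paladion's model, and the proxy log lines and hosts are constructed. It reproduces the "several users fetch the same binary from one host in a short time frame" outcome, which, as the slide says, an analyst still has to validate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: timestamp, user, destination host, content type, bytes.
# Hosts are hypothetical (.test); no real data.
SAMPLE_LOG = """\
2015-06-01T09:00:05 alice dl.example-updates.test application/x-msdownload 48213000
2015-06-01T09:01:12 bob dl.example-updates.test application/x-msdownload 48213000
2015-06-01T09:02:40 carol dl.example-updates.test application/x-msdownload 48213000
2015-06-01T09:03:01 dave dl.example-updates.test application/x-msdownload 48213000
2015-06-01T09:10:00 alice news.example.test text/html 18233
2015-06-01T10:30:00 bob forum.example.test text/html 9021
2015-06-01T11:05:00 erin forum.example.test application/octet-stream 3120
2015-06-01T15:00:00 frank forum.example.test application/octet-stream 3120
"""

# Content types treated as payload-like downloads (the "format of data" parameter).
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream",
                 "application/java-archive", "application/zip"}

def parse_log(text):
    """Parse the whitespace-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, ctype, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "ctype": ctype, "bytes": int(size)})
    return events

def find_watering_holes(events, window=timedelta(minutes=15), min_users=3):
    """Flag hosts from which at least min_users distinct users pulled payload-like
    content inside one time window. Returns {host: sorted list of users}."""
    by_host = defaultdict(list)
    for e in events:
        if e["ctype"] in PAYLOAD_TYPES:
            by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct users whose download falls within [start, start + window].
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts[host] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    for host, users in find_watering_holes(parse_log(SAMPLE_LOG)).items():
        print(f"possible watering hole: {host} -> {len(users)} users {users}")
```

With the default 15-minute window only the update host is flagged; the two forum downloads are hours apart, so the same heuristic stays quiet unless the window is widened.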
Detection of Watering Hole attack
© 2015 Paladion Networks Private Limited | www.paladion.net | Confidential