What is a Watering Hole Attack?

How are watering hole attacks carried out, and how can they be prevented?

Unlike many forms of web-based attacks, these attacks are personalized for the group of users they are designed to attract. The name ‘watering hole’ comes from the way predators in the wild wait near watering holes for a chance to attack their prey.

How hackers carry out watering hole attacks

Setting up a watering hole attack takes a lot of planning on the cybercriminal’s part:

  1. The attacker identifies the group of end-users they wish to target, and observes the group’s online behavior, finding the websites visited often.
  2. The attacker now selects a website, and identifies its security vulnerabilities. These vulnerabilities are used to create and inject an exploit to compromise the site, often using HTML or JavaScript code.
  3. To increase the chances of the attack working, hackers sometimes pair the malicious website with other forms of social engineering, targeting the same end users, such as sending highly specific, personalized emails with links to certain pages on the compromised website, or engaging in other forms of online communication that will encourage interaction with the site.
  4. Once an end user has visited the infected site, the attack is often carried out through a drive-by download – in which a script triggers a silent malware download, compromising the user’s device without their knowledge.


Learn About Remote Browser Isolation


Preventing watering hole attacks

As these attacks are targeted, they are often very difficult to detect. They have been specifically for the targeted end users, often using very sophisticated social engineering techniques that can fool end users who are usually very careful when browsing the web. There are a number of different steps that can be taken to maximize protection against watering hole attacks:

Educate end users

The first crucial step is to make sure all end users are aware of watering hole attacks, and the fact that hackers infect legitimate websites to perform these attacks. Train users to recognize the signs of malicious emails, and to think twice before clicking on any links, even if it seems like they are from a genuine source.

Encourage users to discuss any potential security issues that come up with their colleagues. For example, if multiple people on the same team receive a similar email, directing them to a particular site, this could signal a potential attack attempt. Of course, such information should be brought straight to the security team, who can work on preventing an attack from taking place, or watch out for signs of an existing breach.

Keep all software up-to-date

Many traditional security solutions, such as anti-virus software and firewalls, rely on a database of signatures to detect malware and other threats. These databases are updated frequently to ensure protection against the latest threats. Make sure to run these updates promptly.

Also, any other software that connects to the Internet should be kept up-to-date. This is especially important for web browsers and browser extensions, as these are usually the channels through which malware from the web infects a user’s device. Often, malicious code relies on vulnerabilities in the user’s web browser or a web-based app to trigger a malware download. Browser vendors often release security patches that resolve these vulnerabilities, minimizing the chances of successful malware infection. Make sure these patches are installed as soon as they are released.

Use a multi-layer cybersecurity strategy

While traditional software, like firewalls and antivirus, protect against many known threats, sometimes a watering hole attack can use a previously unknown zero day threat. These threats can bypass detection.

To ensure security in the face of an unknown threat, another layer of security is required. For example, remote browser isolation (RBI) can be used to ensure no code, malicious or otherwise, is ever run on the end-user’s device, thus preventing a watering hole attack from being effective. When an RBI solution is used, all web content is executed in a virtual container in the cloud. The end-user interacts via their usual browser with safe rendering data, just as they would with the actual web content – only no active content from the website ever reaches their browser. When a browsing session is over, the virtual container is destroyed along with any code inside it, malicious or otherwise.

Use web application isolation to protect websites

To prevent your website from being exploited in a watering hole attack, use web application isolation. Web application isolation uses RBI to cloak web-exposed attack surfaces, such as web application code or exposed APIs. All active code belonging to the application is run in a virtual container.

Hackers who try to explore – and exploit – the source code of a website or application would see only source code related to the web isolation solution. They therefore could not find an entry point for breaching the web site.

Read these related blog posts

Moving to a Zero Trust isolation-based security approach is faster and easier than you think.

Get a 1:1 Demo