Watering hole attacks: Tracking services leave companies vulnerable

Harold Byun, senior director of product management, Skyhigh Networks

Targeted attacks against the enterprise represent an ongoing threat in today's computing environment, but the methods that attackers are using continue to evolve in terms of sophistication and sheer cleverness.  

One of the newer techniques concerns how attackers identify high-probability entry points into a targeted organization so they can deliver a malicious payload that establishes command-and-control.

A particularly novel tactic is the use of marketing and ad-tracking data. On the surface this traffic appears harmless, but an astute attacker can use the information to build a high-probability attack vector.

Here's how it works. Whenever a user browses the internet, marketing and ad-tracking services embedded in the pages they visit record their traffic patterns. Again, seemingly harmless, and most users have come to expect this level of monitoring. In a real-world example, who really cares if a user goes to an online store, the New York Times website or Yahoo?

Well, obviously the advertisers and marketers care. But what this really does is allow a third party to see what types of internet traffic you let out of your organization.

This effectively gives a potential adversary a map of your egress policy and exposes your organization's external attack surface: essentially which windows you've left cracked open or ajar on your house. The method goes a step further, because the same data also shows the attacker which sites get the heaviest use from your organization.

This gives the attacker a map of which sites to target for infiltration, so they can lay a trap (the watering hole) on one of them and wait for a user from the targeted organization to visit. The probability of success is significantly higher because traffic to that site is already permitted by your egress policy and has been observed going there via the tracking mechanisms.

Once this discovery is complete, attackers can strategically place malware on an identified site, compromise the next visiting user's machine and work toward a full breach of the organization from there. Obviously, the solution is not to shut down internet browsing, but as malicious attacks continue to grow in complexity and scope, it is imperative that organizations take some key steps to counteract the latest techniques.

As a first step, organizations should get visibility into the tracking exposure described above and evaluate the tracking services themselves for risk: which third-party trackers their users' browsers talk to, how many users reach each one, and from which sites. By doing this, companies can assess how much of their egress map is externally visible and how much of it is fed to questionable tracking services.

Building on this visibility, companies should also look for traffic to known botnet and command-and-control networks to identify potential attack points or hosts that have already been compromised. Lastly, tracking data payloads in and out of the organization, together with advanced malware detection and heuristics, can help protect against both inbound malware execution and data exfiltration.
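The two steps above, gaining visibility into tracker exposure and checking egress against a known command-and-control list, can be started from ordinary web proxy logs. The following is an added example written for this page, not code from the article's author or from Skyhigh Networks. It assumes a simplified, constructed log format (epoch, client IP, destination host, referring host, bytes) and constructed tracker and C2 domain lists; in practice you would map your proxy's real fields and feed the lists from a tracker database and a threat-intelligence feed. It reports what each tracker could reconstruct about your egress (which first-party sites, how many internal clients) alongside the attacker's-eye egress map and any requests to C2 domains.

```python
"""Egress-visibility triage over web proxy logs.

Added example (not from the original article or Skyhigh Networks).  It
summarises which third-party tracking services observe the organisation's
browsing, which first-party sites they can infer are permitted and popular,
and which requests went to a known command-and-control list.  The log
format, both domain lists and the log lines are all constructed for the
example.
"""
from collections import defaultdict

# Constructed proxy log lines: "<epoch> <client_ip> <host> <referer_host> <bytes>".
# A "-" referer marks a top-level page load rather than an embedded resource.
SAMPLE_LOG = """\
1414000001 10.1.4.22 www.example-news.test - 54021
1414000002 10.1.4.22 pixel.adtrack.test www.example-news.test 43
1414000003 10.1.4.22 metrics.stats.test www.example-news.test 1200
1414000010 10.1.4.57 www.example-news.test - 53990
1414000011 10.1.4.57 pixel.adtrack.test www.example-news.test 43
1414000020 10.1.4.90 shop.example-store.test - 88100
1414000021 10.1.4.90 pixel.adtrack.test shop.example-store.test 43
1414000030 10.1.4.57 cdn.known-c2.test shop.example-store.test 2
1414000031 10.1.4.13 beacon.known-c2.test - 256
"""

# Constructed lists; in practice feed these from a tracker database and a
# threat-intelligence feed rather than hard-coding them.
TRACKER_DOMAINS = {"adtrack.test", "stats.test"}
C2_DOMAINS = {"known-c2.test"}


def parse_log(text):
    """Parse the constructed log format into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, referer, nbytes = line.split()
        records.append({
            "ts": int(ts),
            "client": client,
            "host": host.lower(),
            "referer": None if referer == "-" else referer.lower(),
            "bytes": int(nbytes),
        })
    return records


def in_domain_set(host, domains):
    """True if host equals a listed domain or is a subdomain of one (label-safe)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def egress_map(records):
    """Distinct internal clients per first-party site (top-level loads only).

    This is the view an attacker reconstructs from tracker data: which sites
    your egress policy allows, and which are used by the most people.
    """
    clients = defaultdict(set)
    for r in records:
        if r["referer"] is None:
            clients[r["host"]].add(r["client"])
    return {host: len(c) for host, c in clients.items()}


def tracker_exposure(records, tracker_domains):
    """What each tracker family has observed: {tracker: (sorted sites, n_clients)}."""
    sites = defaultdict(set)
    clients = defaultdict(set)
    for r in records:
        for d in tracker_domains:
            if in_domain_set(r["host"], {d}):
                clients[d].add(r["client"])
                if r["referer"]:
                    sites[d].add(r["referer"])
    return {d: (sorted(sites[d]), len(clients[d])) for d in clients}


def c2_hits(records, c2_domains):
    """Requests whose destination is on the C2 list, whatever the referer."""
    return [r for r in records if in_domain_set(r["host"], c2_domains)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Egress map (site -> distinct clients):", egress_map(recs))
    for tracker, (sites, n) in tracker_exposure(recs, TRACKER_DOMAINS).items():
        print(f"{tracker}: sees {n} client(s) browsing {sites}")
    for hit in c2_hits(recs, C2_DOMAINS):
        print(f"C2 hit: {hit['client']} -> {hit['host']} at {hit['ts']}")
```

Matching is done on domain suffixes with a leading dot so that `notb.test` does not match a listed `b.test`. Note that the last C2 request has no referer at all: a direct beacon from an internal host is exactly the "already compromised" case the second step is meant to surface, and it shows up here even though the host never appeared in any tracker's view.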

In today's world, where information is truly king, it is critical to understand how data and usage tracking can be leveraged beyond business intelligence and optimization and can, in fact, be used against your organization to get on the inside. The frenzy around "intelligence" has led to an environment where a user no longer even needs to click on anything in their browser for your network to be discovered: automated tracking services kick in as soon as your users venture out onto the internet and load a page. Given this, it would seem prudent to know who is tracking your users, and how much.
