Incident Response, TDR

Watering hole attacks: Tracking services leave companies vulnerable

Targeted attacks against the enterprise represent an ongoing threat in today's computing environment, but the methods that attackers are using continue to evolve in terms of sophistication and sheer cleverness.  

One of the newer methods is how attackers are identifying high probability entry points to get into a targeted organization and deliver a malicious payload that enables command-and-control.  

A particularly unique tactic is the use of marketing and ad tracking information. While on the surface, this type of traffic may appear to be seemingly harmless, an astute hacker can leverage the information to enable a high probability attack vector.  

Here's how it works. Whenever a user surfs the internet, tracking methods by marketing and ad tracking services identify traffic patterns. Again, seemingly harmless, and most users have come to expect this level of monitoring in today's world.  In a real world example, who really cares if a user goes to an online store, the New York Times website, or Yahoo. 

Well, obviously the advertisers and marketers care. But what this is really doing is allowing a third party to see what types of internet traffic you let out of your organization.  

This is effectively giving a potential adversary a mapping of what your egress policies are as an organization, and it is exposing the external attack surface for your organization – essentially which windows you've left cracked open or ajar on your house. The method goes a step further in that it also shows the attacker which sites are actually getting higher use from the organization.

This gives the attacker a map of which sites to target for infiltration, so they can lay a trap and wait for a user to come to those sites from the targeted organization. The probability of success is significantly higher given that traffic is allowed to the site and has been observed going there via the tracking mechanisms.  

Once this discovery is complete, attackers can strategically place malware and enable a full breach of an organization when a user returns to one of the identified sites. Obviously, the solution here is not to shut down browsing of the internet, but as malicious attacks continue to grow in complexity and scope, it is imperative that organizations take some key steps to counteract the latest techniques. 

As a first step, organizations should get better visibility into the discovery tracking exposure described above and evaluate the tracking services themselves for risk. By doing this, companies can better assess how much egress mapping is externally visible across their end-users and how much is fed to questionable tracking services. 

Building on this visibility, companies should also look for traffic to known botnet and “command-and-control” networks to identify potential attack points or areas that have already been compromised. Lastly, implementing methods to track data payloads in and out of the organization along with advanced malware detection and heuristics can protect against both inbound malware execution and data exfiltration.

In today's world where information is truly king, it is critical to understand how data and usage tracking can be leveraged beyond business intelligence and optimization and can, in fact, be used against your organization to get on the inside. The frenzy around “intelligence” has led to an environment where the user no longer even needs to click on anything in their browser to have your network discovered – automated tracking services kick into gear as soon as your users venture out onto the internet and visit a site. Given this, it would seem prudent to know who and how much tracking is going on.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.