Watering Hole Attacks: Stages, Examples, Risk Factors & Defense Mechanisms

We already know that cybercriminals exploit the weakest link in your IT networks. The best defense against these exploits comes down to safeguarding the most vulnerable entry points.

But what if the weakest link in your cybersecurity defense lies beyond your IT network itself? You can set up impenetrable defense systems for your enterprise IT network, but that doesn’t stop cybercriminals from compromising a secondary target that just so happens to be a frequently used gateway entry point to your network.

This is precisely what a watering hole attack does. Let’s take a look!

How watering hole attacks work

Watering hole attacks are any attacks that identify an external, trusted but vulnerable service frequently accessed by users of a given organization. Bad actors exploit these vulnerabilities to deliver a malicious payload to the organization’s network. This technique can look just like a zero-day attack, exploiting an unknown or unpublicized vulnerability.

Let’s illustrate. This is what a Watering Hole looks like: you have your own IT network that you can fully control and protect against network intrusions and exploits.

Next, there’s an IT service, an app, a tool, a website or technology that is frequently used by your employees. These services may be integrated with your network or interact directly with your employees, accessing data and communicating a variety of legitimate traffic requests.

These services are controlled by a third party and are, of course, vulnerable to cyberattacks. By exploiting those vulnerabilities, attackers can turn these third-party services into a “watering hole” that delivers a malicious payload to your organization.

Stages in watering hole attacks

The watering hole attack includes the following stages:

  1. Gathering intelligence
  2. Analyzing the intel
  3. Preparing the attack
  4. Executing the attack

Intelligence gathering

The attack is targeted in a certain sense: the idea is that users belonging to a particular organization or industry vertical are likely to visit a target service frequently. The idea behind choosing a frequently visited site as a target is to launch an Advanced Persistent Threat (APT) that would eventually help the adversaries bypass your network security systems.


Once the target service is identified and compromised, the attackers obtain intelligence into:

  • User behavior
  • The network response to traffic requests

Multiple tools and techniques may be used to identify and exploit vulnerabilities in the target service.

Attack preparation

At this stage, the chosen attack is launched on the target service. Common attacks here include SQL injections, cross-site scripting (XSS) and zero-day exploitation.

Attack execution

When the watering hole is ready to launch the attack on the target network of the organization, the malware payload is delivered first from the compromised service to the user and then to the IT network of the organization. At this stage, the malware may propagate and gain more intel into network behavior, as in any APT attack.
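Seen from the defender's side, the delivery path described above (compromised trusted site, then user, then network) appears in web proxy logs as a familiar site suddenly referring browsers to a host it never used before. The following is an added example, not part of the original article; the log format, field order, content types and domains are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy records: (day, user, referer, requested URL, content type).
BASELINE_LOGS = [
    (1, "alice", "https://industry-news.example/", "https://cdn.industry-news.example/app.js", "application/javascript"),
    (1, "bob", "https://industry-news.example/", "https://fonts.static.example/a.woff2", "font/woff2"),
    (2, "alice", "https://industry-news.example/forum", "https://cdn.industry-news.example/app.js", "application/javascript"),
]
TODAY_LOGS = [
    (3, "alice", "https://industry-news.example/", "https://cdn.industry-news.example/app.js", "application/javascript"),
    (3, "bob", "https://industry-news.example/", "https://update-check.invalid/loader.js", "application/javascript"),
    (3, "carol", "https://industry-news.example/", "https://update-check.invalid/setup.bin", "application/octet-stream"),
]

# Content types treated as binary downloads in this example (an assumption).
RISKY_TYPES = {"application/octet-stream", "application/x-msdownload"}

def host(url):
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlparse(url).hostname or "").lower()

def build_baseline(logs):
    """Map each referring site to the set of hosts it normally makes browsers load."""
    seen = defaultdict(set)
    for _day, _user, referer, url, _ctype in logs:
        seen[host(referer)].add(host(url))
    return seen

def find_new_referrals(baseline, logs, trusted_sites):
    """Flag loads where a trusted site refers users to a host absent from its baseline."""
    alerts = {}
    for _day, user, referer, url, ctype in logs:
        site, dest = host(referer), host(url)
        if site not in trusted_sites or dest == site or dest in baseline.get(site, set()):
            continue
        entry = alerts.setdefault((site, dest), {"users": set(), "risky_download": False})
        entry["users"].add(user)
        entry["risky_download"] |= ctype in RISKY_TYPES
    return alerts
```

A new third-party host is not proof of compromise, since sites change CDNs and ad providers; the alert is a prompt to inspect what that host served and to which users.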

Watering holes use open windows instead of doors

Many organizations build multiple layers of security around their IT networks. The deceptive nature of watering hole attacks, however, makes clever use of recent trends in the enterprise IT landscape, like Bring Your Own Device (BYOD) and remote working models.

During the Analysis phase of the attack, adversaries gain insight into repetitive user behavior. They use the predictability and common behavioral patterns of the victims, combined with vulnerabilities in the watering hole service, to deliver the malware payload across secure enterprise IT networks.

Examples of watering hole attacks

Here are a few notable examples:

  • In 2013, the U.S. Department of Labor website was attacked to gain intel into users accessing nuclear-related content on the website.
  • In 2016, Polish banks discovered malware that originated from the Financial Supervision Authority servers. 
  • In 2017, the popular NotPetya ransomware attack that wiped data from major public institutions, energy companies and banks used the watering hole attack through a Ukrainian accounting software website, MeDoc.

These are all high-profile attacks, successfully executed not by compromising the target IT networks themselves, but by compromising a different website or service frequently accessed by the users of those networks. This threat vector highlights a pressing reality: while security teams are only responsible for, and able to secure, their own IT networks, there can always be a secondary target that acts as a hidden gateway into those networks.

Protecting against third-party risk

To defend against this threat, business organizations must reevaluate their support for third-party services and network access mechanisms facing risks of watering hole attacks.

Since remote working models and BYOD are here to stay, organizations can establish policies to better control and govern remote access to their own data and services. An important strategy in this regard is to rely on advanced Identity and Access Management (IAM) models that provide granular access controls over all data and resources shared to remote devices.

For instance, the Attribute Based Access Control (ABAC) can be designed to evaluate every request based on dynamic environment parameters and attributes. Instead of using fixed predefined rules, the ABAC model can be trained to identify patterns of anomalous behavior, such that any deviation from a predictable user behavior and traffic request can be identified as a potential network intrusion.

Since watering hole attacks rely precisely on repetitive user behavior to deliver APT and malware payloads to your network, the ABAC model is well suited to prevent such attacks.
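A minimal sketch of the kind of ABAC decision described above, combining environment attributes with deviation from a user's usual behavior. This is an added example, not part of the original article; the attribute names, the three outcomes and the thresholds are assumptions, and a fixed constructed baseline stands in for a trained behavioral model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    device_managed: bool       # environment attribute: corporate-managed vs. BYOD
    device_patched: bool
    network: str               # "corp", "vpn" or "public"
    hour: int                  # local hour of the request, 0-23
    resource_sensitivity: str  # "low", "medium" or "high"
    action: str

# Hypothetical per-user baseline learned from past activity (constructed values).
BASELINE = {
    "alice": {"hours": range(8, 19), "networks": {"corp", "vpn"}, "actions": {"read", "write"}},
}

def anomaly_score(req, baseline):
    """Count how many attributes deviate from the user's usual behavior."""
    profile = baseline.get(req.user)
    if profile is None:
        return 3  # no baseline for this user: treat as maximally unusual
    return sum([
        req.hour not in profile["hours"],
        req.network not in profile["networks"],
        req.action not in profile["actions"],
    ])

def decide(req, baseline=BASELINE):
    """Return 'permit', 'step_up' (re-authenticate) or 'deny' for one request."""
    score = anomaly_score(req, baseline)
    if not req.device_patched:
        return "deny"  # unpatched devices never get access
    if req.resource_sensitivity == "high":
        if not req.device_managed or req.network == "public":
            return "deny"  # high-sensitivity data stays off BYOD and public networks
        return "permit" if score == 0 else "step_up"
    if score >= 2:
        return "deny"
    return "step_up" if score == 1 or not req.device_managed else "permit"
```

Every request is evaluated on its current attributes, so a device that picked up a payload from a compromised third-party site and then behaves unusually loses access without any change to static role assignments.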

This posting does not necessarily represent Splunk's position, strategies or opinion.

Posted by Muhammad Raza

Muhammad Raza is a technology writer who specializes in cybersecurity, software development and machine learning and AI.