Detecting Malware and Watering Hole Attacks with Splunk UBA

You may be surprised to learn that a single piece of malware was responsible for data theft at over 20% of financial institutions and organizations in other verticals in 2019.

Watering hole attacks involve a web server that hosts files or applications, where the website itself or the files it serves are weaponized with malware.

While recent news cycles have shined a spotlight on ransomware and crimeware, malware is not a new concept. In fact, malware has been around for decades, and it is still an effective way for cybercriminals to wreak havoc.

Watering Hole Attacks in the Wild

Watering hole attacks are typically targeted attacks. An attacker will compromise a web server or web service and implant a malware-laden file, in hopes that their intended victim or victims will access it. Once the trap is set, the visitors to the website or service are infected, and often their devices are also compromised. When a device has become compromised, keyloggers, crimeware, and command-and-control (C2) connections can be leveraged to steal data or even control the device remotely.

How Can UBA Help Detect Watering Hole Attacks?

Splunk User Behavior Analytics (UBA) can monitor websites and cloud-based repositories such as Dropbox for signs of watering hole attacks. Splunk UBA can detect files uploaded to these environments from IP addresses outside the corporate IP blocks, identify which users and devices were involved in the attack, and trace which device uploaded the weaponized content in the first place.


Splunk UBA leverages unsupervised machine learning to detect anomalies, and then automatically aggregates those anomalies into a threat. The threat is then sent to the Security Operations Center (SOC), where it feeds into Splunk Enterprise Security as a notable event for security analysts to review and remediate.
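To make the two steps above concrete (flagging uploads from outside the corporate IP blocks, then aggregating the related anomalies into one threat that names the uploading device and the affected users and devices), here is an added illustration in Python. It is not Splunk UBA code and does not use its models; the audit events, IP ranges, user names and device names are all constructed for the example.

```python
import ipaddress

# Constructed audit events from a shared cloud file repository (sample data, not real logs).
# Fields: ts (ISO 8601 UTC), action, user, device, src_ip, path
SAMPLE_EVENTS = [
    {"ts": "2019-05-01T08:02:11Z", "action": "upload",   "user": "ext-contractor",
     "device": "unknown-host", "src_ip": "203.0.113.45", "path": "/shared/Q2_report.pdf"},
    {"ts": "2019-05-01T09:15:02Z", "action": "download", "user": "alice",
     "device": "LT-ALICE", "src_ip": "10.20.3.7", "path": "/shared/Q2_report.pdf"},
    {"ts": "2019-05-01T09:40:45Z", "action": "download", "user": "bob",
     "device": "LT-BOB", "src_ip": "10.20.3.9", "path": "/shared/Q2_report.pdf"},
    {"ts": "2019-05-01T10:05:00Z", "action": "upload",   "user": "carol",
     "device": "LT-CAROL", "src_ip": "10.20.4.12", "path": "/shared/notes.txt"},
    {"ts": "2019-05-01T10:30:00Z", "action": "download", "user": "dave",
     "device": "LT-DAVE", "src_ip": "10.20.4.20", "path": "/shared/notes.txt"},
]

# Assumed corporate address space (placeholder ranges for the example).
CORPORATE_BLOCKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.0.2.0/24")]


def is_corporate(ip: str) -> bool:
    """True if the source address falls inside one of the corporate IP blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_BLOCKS)


def find_external_uploads(events):
    """Anomaly: a file placed in the repository from an address outside the corporate blocks."""
    return [e for e in events if e["action"] == "upload" and not is_corporate(e["src_ip"])]


def build_threats(events):
    """Aggregate each external-upload anomaly with every later download of the same file
    into a single threat record naming the uploader and all affected users and devices."""
    threats = []
    for upload in find_external_uploads(events):
        victims = [e for e in events
                   if e["action"] == "download"
                   and e["path"] == upload["path"]
                   and e["ts"] > upload["ts"]]  # ISO 8601 strings sort chronologically
        threats.append({
            "file": upload["path"],
            "uploaded_by": upload["user"],
            "upload_device": upload["device"],
            "upload_ip": upload["src_ip"],
            "affected_users": sorted({e["user"] for e in victims}),
            "affected_devices": sorted({e["device"] for e in victims}),
            "anomaly_count": 1 + len(victims),  # the upload plus each exposure
        })
    return threats
```

Running `build_threats(SAMPLE_EVENTS)` yields one threat for `/shared/Q2_report.pdf`, uploaded from 203.0.113.45 and later fetched by alice and bob; carol's internal upload raises nothing.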

Because Splunk UBA detects these threats autonomously, without human intervention, the risk of missing such an attack is greatly reduced.

See It In Action

Check out this guided tour to learn how to:

  • Secure against unknown threats through user and entity behavior analytics
  • Harness the power of UBA to detect insider threats
  • Accelerate threat hunting

Dan has worked in the security field as a Sales Engineer and Security Specialist for over 20 years. Dan specializes in the SIEM, UBA, and SOAR product suite for Splunk, but has previously worked for companies specializing in PKI, SSL VPNs, Mobile Device Management, and Mobile VPNs. Dan spent over six years working with the DoD and Intelligence Community on a variety of satellite, cellular, and WiMax initiatives for soldiers on the battlefield. Dan has been at Splunk for 5 years, and currently supports the Public Sector SLED team as a Staff Security Specialist.