You may be surprised to learn that a particular malware is responsible for data theft in over 20% of financial institutions and other verticals in 2019.
Watering hole attacks involve a web server that hosts files or applications where the website or files on the site become weaponized with malware.
While recent news cycles have shined a spotlight on ransomware and crimeware, malware is not a new concept. In fact, malware has been around for decades, and it is still an effective way for cybercriminals to wreak havoc.
Watering Hole Attacks in the Wild
Watering hole attacks are typically targeted attacks. An attacker will compromise a web server or web service and implant a malware-laden file, in hopes that their intended victim or victims will access it. Once the trap is set, the visitors to the website or service are infected, and often their devices are also compromised. When a device has become compromised, keyloggers, crimeware, and command-and-control (C2) connections can be leveraged to steal data or even control the device remotely.
How Can UBA Help Detect Watering Hole Attacks?
Splunk User Behavior Analytics (UBA) is able to monitor websites and cloud-based repositories such as Dropbox to look for examples of watering hole attacks. Splunk UBA can detect files uploaded to these environments from IP addresses outside of the corporate IP blocks, which users and devices were involved in the attack, and which device was responsible for uploading the weaponized content in the first place.
Splunk UBA leverages unsupervised machine learning in order to detect anomalies, and then automatically aggregates those anomalies into a threat. This threat is then sent to the Security Operations Center (SOC) to feed into Splunk Enterprise Security as a notable event for security analysts to review and remediate.
Since Splunk UBA works autonomously, without any human intervention for detecting these threats, the risk of missing these attacks is greatly reduced.
See It In Action
Check out this guided tour to learn how to:
- Secure against unknown threats through user and entity behavior analytics
- Harness the power of UBA to detect insider threats
- Accelerate threat hunting