In short, if the last handful of years were about spearphishing attacks, the next few will be about “Strategic Web Compromises.”
SWCs function completely differently from spearphishing attacks.
Spearphishing is essentially an email that looks like it comes from a legit source — a coworker, an Internet company, or a friendly professional. Inside the email is either a link or an attachment.
That attachment/link is often titled something hyper-relevant — like “2014 W2,” or, in the case of a bunch of diplomats attending a G20 in Paris, “Naked Pics Of Nicholas Sarkozy’s Wife.”
An SWC — what IT pros call a “watering hole” attack — is a much more passive attempt at getting malware onto the target computer.
Justin Seitz, senior security researcher at Immunity Inc., equated it to dumping sugar into the underground tanks at the gas stations your target most loves to patronize.
Just like spearphishing attacks, SWCs require the adversary to know their target well. But instead of emailing the targets — heading to the parking lot and trying to dump it right into their car — hackers place the malware on a website they know the target is likely to visit.
“Car drivers inherently trust that the gas stations are providing good fuel to them, and don’t think twice about filling up,” he concluded.
But the analogy isn’t quite the same, Seitz noted, because a lot of these compromised sites offer subscription PDF downloads or other services that “regular Internet users” are unlikely to frequent.
In the report, Crowdstrike details the advantages to this type of attack:
– Now that it has been thoroughly reported on in the media, employees at these companies are less likely to click on malicious/suspicious links or attachments.
– Increasingly agile email filters block spearphishing attempts.
– Spearphishing leaves more of a trace, so attribution to the attacker is much easier. SWCs don’t leave as many “marks on the tools” that would identify the makers.
Google Chairman Eric Schmidt said at Davos that he suspects 85% of all industry cyber espionage emanates from China. Crowdstrike details an increasing amount of Russian attempts to hack energy companies.
Crowdstrike also predicts that SWCs will become increasingly popular in the next year, which raises the question: is there anything companies can do to protect themselves?
“Short answer? No,” says Seitz. “Stay up to date with your patches and signatures. If they are using Zero Day attacks [previously unseen, unpatched software exploits], then neither will help you unfortunately. This is also why more and more tooling is not looking at prevention, rather, they are looking at detecting a successful compromise as early as possible. The compromise still occurs however.”
The game has officially become how quickly a Chief Technology or Chief Information Officer can detect that his network has been breached.