Chapter 24 Β· Flashcards

Watering Hole & Supply Chain Flashcards

Click each card to reveal the answer.

0 / 16 flipped
What is a watering hole attack?
Compromising a website frequented by targets, rather than attacking the targets directly. Named after predators who wait at a watering hole for prey rather than hunting. Victims visit a legitimate, trusted site and get infected without clicking anything suspicious β€” simply visiting the page is enough. Bypasses email filtering, security awareness training, and perimeter defenses entirely.
What is a drive-by download?
Malware that executes automatically when a browser renders a compromised webpage β€” no click, no download prompt, no user interaction beyond visiting the site required. Exploits browser or plugin vulnerabilities. The user sees the normal page content while the exploit fires silently in the background. Primary defense: aggressive browser and plugin patching. Browser isolation eliminates the risk by executing the browser in a remote container.
What is an exploit kit?
Automated toolkit that probes visiting browsers for known vulnerabilities and serves appropriate exploits based on the detected configuration. Fingerprints the visitor's browser, OS, and plugins; selects the highest-probability exploit for that specific setup; delivers payload automatically on success. Historical examples: Angler, RIG, Neutrino. Sold and rented on criminal forums, continuously updated as new browser vulnerabilities are discovered. Commodity tools that industrialized watering hole-style attacks.
What is malvertising?
Malicious code embedded in advertisements served through legitimate ad networks. Attackers either compromise an ad network or purchase ad space with malicious creative content. The ad renders on any site in the network's publisher inventory, delivering exploit code to visitors without the website owner's knowledge. Victims need only view the page β€” no interaction required. Ad blockers reduce exposure by preventing third-party ad JavaScript from loading. Even reputable, high-security sites can deliver malvertising through their ad networks.
What is Strategic Web Compromise (SWC)?
Deliberate compromise of a site frequented by a specific target community, as opposed to opportunistic mass exploitation. Used by nation-state APT groups against defense contractors, government agencies, dissident communities. Characterized by: intelligence-driven site selection based on target browsing habits; visitor fingerprinting to serve exploits only to targeted visitors (filtering by corporate IP range, browser profile) while showing clean content to everyone else. This makes the compromise invisible to security researchers and automated scanners.
What is island hopping?
Compromising a less-secure third party to pivot to the actual high-value target. The "island" is the intermediate organization β€” selected for its trusted network access to the primary target combined with weaker security. Classic example: 2013 Target breach β€” attackers compromised HVAC vendor Fazio Mechanical (the island), used Fazio's credentials to reach Target's vendor portal, pivoted through a segmentation failure to POS systems, stole 40M credit cards. The HVAC vendor had nothing the attackers wanted β€” Target did. Fazio was the stepping stone.
What was SolarWinds SUNBURST?
2020 supply chain attack by Russian SVR (APT29/Cozy Bear). Attacker injected SUNBURST backdoor into SolarWinds Orion IT monitoring software during the build process. Trojanized updates were digitally signed with SolarWinds' legitimate certificate and distributed to ~18,000 organizations including US Treasury, State, DHS, and FireEye. Malware dormant 12–14 days post-install; used legitimate Orion protocols for C2 to blend with normal traffic. Every security check passed β€” the compromise occurred upstream of all checks, in the build pipeline itself.
What was the XZ Utils backdoor?
2024 supply chain attack (CVE-2024-3094). Attacker "JiaT75" (Jia Tan) spent ~2.5 years building trust as a contributor to the xz compression library β€” submitting quality fixes, gaining maintainer access. Just before backdoored versions 5.6.0/5.6.1 would have shipped in stable Linux distributions, Microsoft engineer Andres Freund noticed SSH was ~500ms slower than expected on a benchmarking system. Investigation revealed a backdoor that would have allowed remote code execution via SSH on systemd-based Linux systems β€” potentially affecting hundreds of millions of servers. Demonstrated open-source social engineering as a supply chain attack vector.
What is an SBOM?
Software Bill of Materials β€” a machine-readable inventory of all software components, versions, and dependencies in an application or system. Enables organizations to immediately identify their exposure when a component CVE is published. Without SBOM: days/weeks of manual audit to determine if you use the affected component. With SBOM: seconds-long query. Required for software sold to US federal agencies under CISA guidance and Executive Order 14028. Analogy: the ingredient label on food β€” you know exactly what's in the product at what version.
What is SCA (Software Composition Analysis)?
Automated scanning of source code, build manifests, and binaries to identify known-vulnerable open-source components and dependencies. Runs continuously in CI/CD pipelines, flagging dependency CVEs as they are published. Complements SBOM: SCA generates and continuously validates the inventory; SBOM is the output format that documents it. Examples: Snyk, OWASP Dependency-Check, GitHub Dependabot, Black Duck. Catches vulnerable dependencies before they reach production.
What are reproducible builds?
A build process designed so any third party can independently verify that the distributed compiled binary matches the published source code exactly β€” byte for byte. If an attacker injects code into the build pipeline (as in SolarWinds), a reproducible build comparison would reveal a discrepancy between source and distributed binary. Provides independent verification that the distribution mechanism has not been tampered with. Complements code signing: signing proves who signed; reproducible builds prove the signed content matches the source.
What is Remote Browser Isolation (RBI)?
Technology that executes all web browsing in a remote isolated container β€” a cloud or on-premise VM. Only rendered pixel streams are transmitted to the user's screen; no web content executes locally. JavaScript, drive-by exploits, and any malware execute inside the disposable container, which is destroyed after the session ends and has no access to the corporate network. Even a fully successful drive-by download cannot reach the user's endpoint. Most technically robust defense against watering hole attacks.
What is third-party risk management?
Systematic assessment and ongoing monitoring of security risks introduced by vendors, suppliers, partners, and MSPs. Components: security posture assessment before granting access; contractual security requirements; network segmentation limiting vendor access to only required resources; mandatory MFA for vendor remote access; just-in-time provisioning rather than standing access; session logging and activity monitoring. Addresses the island-hopping threat vector by treating every third party with network access as a potential compromise pivot point.
What is a supply chain attack?
What is a supply chain attack?
Compromising the software, hardware, or services distribution mechanism rather than the target organization directly. The attacker inserts malice into a component β€” update package, open-source library, hardware device, managed service β€” that the target trusts and installs. One compromised upstream component can affect thousands of downstream organizations simultaneously. Defeats trust-based security models: "only use trusted software" is the attack vector when the trusted software's supply chain is compromised.
What is DNS filtering?
Blocking access to known malicious domains at the DNS resolution layer, before any TCP connection is established. Even after a successful drive-by download, the deployed malware must reach its command-and-control server β€” DNS filtering severs that communication for known C2 domains. Low-friction control: applies to all devices and applications using the filtered resolver. Examples: Cisco Umbrella, Cloudflare Gateway, Infoblox. Does not require per-device or per-browser configuration. Complements browser isolation and endpoint protection in layered watering hole defense.
What is browser fingerprinting (in the context of watering holes)?
Collecting browser and OS attributes β€” version, installed plugins, fonts, screen resolution, timezone, language settings, IP address β€” to profile each visiting user. In watering hole and SWC attacks, fingerprinting serves two purposes: (1) exploit targeting β€” serve the vulnerability exploit that matches the visitor's specific vulnerable configuration for maximum success rate; (2) victim filtering β€” in SWC, serve exploits only to visitors matching the target profile (corporate IP range, specific browser type) while showing clean content to everyone else, making the compromise invisible to security researchers.