Watering Holes in a CyberSecurity Emergency

Disclaimer: This content is the result of my having survived several emergencies of varying effect sizes. Most of these ideas are rules of thumb, and not canned answers. As in any emergency your best outcome will be if you keep calm, consider many options, and flow from plan to backup plan as required.

Recall that the internet is an un-mapped and un-mappable network. Nobody knows the configuration of the entire internet. Furthermore, the network is constantly in flux as local administrators address changing technology needs and changing security situations.

Due to this, an attacker, whether an individual or a political entity, must solve the incredibly difficult problem of locating the machines that it wishes to attack. These machines could be critical infrastructure machines. These machines may belong to particular targeted individuals. In any case, the attacker must first locate the target.

This suggests an immediate way to change or improve security, provided that the OS of your machine is secure enough. Get a new IP address. For dynamically obtained IP addresses, this can be done easily. For static IP addresses that are listed in DNS servers all over the world, this can be incredibly difficult. Oddly enough, this is what automatically happens with mobile computers as they move from network to network. This means that mobile computers are not necessarily less secure than fixed machines, only that the security situations are different.

Attackers get around this problem by making use of 'watering holes'. A watering hole is an old term for a body of water that livestock visit routinely. The usage of this term in cyberspace refers to a website or network that a user or computer visits routinely.

If an attacker wants to target a group of individuals, such as the employees of a particular company, then the attacker needs to find a vulnerable watering hole that the employees visit. If the company's security is strong at their office location, the attacker might find a coffee shop that is frequented by the employees.

Due to social network phenomena, employees are likely to socialize outside of work in an off-work location. Yet the security of these locations will also be pertinent to the security of the company, even if the company does not have direct responsibility for security at those locations.

If you are the administrator of a local network, the same applies for you. Is there a web site or network that many of your users access? The security, or lack thereof, of those locations will strongly influence your network security measures.


  1. Make a list of all the web sites that you routinely visit. These could constitute watering holes, if they come under attack by a dedicated attacker.
  2. Make a list of all the networks that your portable machines routinely attach to. These could constitute watering holes.
  3. If you are a network administrator, do you need to know the watering holes of your users? Or can you design a security set-up that will be safe enough regardless of what other watering holes your users access?
  4. If you are a manager responsible for security, can you positively influence the individuals responsible for security at the watering holes that your employees visit?
  5. If you are a user and trying to improve your security, are there any watering holes that you should cut out of your routine? Are there any places you visit that seem to disproportionately affect your security in a negative fashion?
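Steps 1 and 2 above ask for an inventory of the destinations that are visited routinely. The script below is an added example, not part of the original post, that builds that inventory from resolver log lines. The log format it parses (an ISO timestamp, a client address, and the queried name, separated by spaces) is an assumption chosen for the example, and the sample lines are constructed; a real deployment would adapt `LINE_RE` to its own resolver or proxy log format. A name is reported as a watering hole candidate when it is seen on at least `min_days` distinct days, and the client count shows how widely shared that destination is across the network.

```python
"""Routine-destination inventory from resolver log lines.

Added example (not from the original post). The log format is an
assumption: "<ISO timestamp> <client-ip> <queried-name>" per line.
"""
import re
from collections import defaultdict

# Assumed log layout: date+time, client address, queried name.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)$")

# Constructed sample log: a few days of traffic, one malformed line.
SAMPLE_LOG = [
    "2021-03-01T08:02:11 10.0.0.5 news.example.org",
    "2021-03-01T08:03:40 10.0.0.7 news.example.org",
    "2021-03-01T12:10:02 10.0.0.5 cdn.example-tracker.net",
    "2021-03-02T08:01:59 10.0.0.5 news.example.org",
    "2021-03-02T09:15:00 10.0.0.9 news.example.org",
    "2021-03-02T13:00:01 10.0.0.7 onetime.example.com",
    "2021-03-03T08:00:03 10.0.0.5 NEWS.example.org.",
    "2021-03-03T10:45:12 10.0.0.9 payroll.example-vendor.com",
    "2021-03-04T10:40:55 10.0.0.9 payroll.example-vendor.com",
    "2021-03-05T10:41:30 10.0.0.9 payroll.example-vendor.com",
    "this line is malformed and is skipped",
]


def parse_line(line):
    """Return (day, client, normalized name) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day, client, name = m.groups()
    # Normalize case and a trailing dot so the same host is counted once.
    return day, client, name.lower().rstrip(".")


def routine_destinations(lines, min_days=3, min_clients=1):
    """List (name, distinct_days, distinct_clients) for names seen on at
    least min_days days by at least min_clients clients, most routine first."""
    days = defaultdict(set)
    clients = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        day, client, name = parsed
        days[name].add(day)
        clients[name].add(client)
    candidates = [
        (name, len(days[name]), len(clients[name]))
        for name in days
        if len(days[name]) >= min_days and len(clients[name]) >= min_clients
    ]
    # Most days first, then most clients, then name for a stable order.
    candidates.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return candidates


if __name__ == "__main__":
    for name, ndays, nclients in routine_destinations(SAMPLE_LOG):
        print(f"{name}: seen on {ndays} days by {nclients} clients")
```

Raising `min_clients` narrows the list to destinations shared by many users, which is the case the post is concerned with: a site that a whole group visits routinely matters more to the network's security than one that a single user visits every day.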

© 2015-2021 Intrepid Net Computing. All rights reserved.