Security experts are using a tactic called malware sinkholing to analyze and control systems infected with malware....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
How does malware sinkholing work, and how can it help improve enterprise defenses against advanced threats?
Sinkholing is an evolution of honeypot technology and tools such as the LaBrea Tarpit. It works by taking control of a botnet's command-and-control infrastructure (C&C) or other malware communications, and by using those communications to gather data about how the malware works, disables the botnet -- and potentially even disables the malware on compromised endpoints.
Malware sinkholing can include identifying the external command-and-control server and taking control of it via a security exploit, which generally requires some sort of prior legal approval. Logs and connections can be analyzed to determine compromised systems, if and what kind of data was stolen, and the functionality of the C&C infrastructure. This can be done for internal hosts or potentially for external hosts that might be using your network or DNS.
Sinkholing can help boost enterprise defenses by improving detection of compromised endpoints. The improved detection will help reduce the time it takes for an enterprise to respond to an incident and identify the impact from the incident. This detection could be from outside your enterprise and could allow you to benefit from the work of other organizations in identifying indicators of compromise. This improved detection can also be added to an overall threat intelligence tool -- such as Cisco Advanced Malware Protection, FireEye Threat Intelligence or Threat Connect -- that is then used to feed the intelligence to other security tools in use.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get help developing a malware defense strategy
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
A Gmail phishing attack brought users to fake login pages designed to look like Google's. Expert Nick Lewis explains how users can prevent similar ...continue reading
A HummingBad malware variant, HummingWhale, was discovered being spread through 20 apps on the Google Play Store. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.