Security experts are using a tactic called malware sinkholing to analyze and control systems infected with malware....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
How does malware sinkholing work, and how can it help improve enterprise defenses against advanced threats?
Sinkholing is an evolution of honeypot technology and tools such as the LaBrea Tarpit. It works by taking control of a botnet's command-and-control infrastructure (C&C) or other malware communications, and by using those communications to gather data about how the malware works, disables the botnet -- and potentially even disables the malware on compromised endpoints.
Malware sinkholing can include identifying the external command-and-control server and taking control of it via a security exploit, which generally requires some sort of prior legal approval. Logs and connections can be analyzed to determine compromised systems, if and what kind of data was stolen, and the functionality of the C&C infrastructure. This can be done for internal hosts or potentially for external hosts that might be using your network or DNS.
Sinkholing can help boost enterprise defenses by improving detection of compromised endpoints. The improved detection will help reduce the time it takes for an enterprise to respond to an incident and identify the impact from the incident. This detection could be from outside your enterprise and could allow you to benefit from the work of other organizations in identifying indicators of compromise. This improved detection can also be added to an overall threat intelligence tool -- such as Cisco Advanced Malware Protection, FireEye Threat Intelligence or Threat Connect -- that is then used to feed the intelligence to other security tools in use.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get help developing a malware defense strategy
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.