Security experts are using a tactic called malware sinkholing to analyze and control systems infected with malware....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
How does malware sinkholing work, and how can it help improve enterprise defenses against advanced threats?
Sinkholing is an evolution of honeypot technology and tools such as the LaBrea Tarpit. It works by taking control of a botnet's command-and-control infrastructure (C&C) or other malware communications, and by using those communications to gather data about how the malware works, disables the botnet -- and potentially even disables the malware on compromised endpoints.
Malware sinkholing can include identifying the external command-and-control server and taking control of it via a security exploit, which generally requires some sort of prior legal approval. Logs and connections can be analyzed to determine compromised systems, if and what kind of data was stolen, and the functionality of the C&C infrastructure. This can be done for internal hosts or potentially for external hosts that might be using your network or DNS.
Sinkholing can help boost enterprise defenses by improving detection of compromised endpoints. The improved detection will help reduce the time it takes for an enterprise to respond to an incident and identify the impact from the incident. This detection could be from outside your enterprise and could allow you to benefit from the work of other organizations in identifying indicators of compromise. This improved detection can also be added to an overall threat intelligence tool -- such as Cisco Advanced Malware Protection, FireEye Threat Intelligence or Threat Connect -- that is then used to feed the intelligence to other security tools in use.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get help developing a malware defense strategy
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Rakos malware is attempting to build a botnet by attacking embedded Linux systems. Expert Nick Lewis explains how enterprises can prevent attacks on ...continue reading
The Switcher Trojan spreads to Android devices through the wireless router to which they are connected. Expert Nick Lewis explains how this attack is...continue reading
USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.