
How can malware sinkholing improve advanced threat defense?

Learn how malware sinkholing is helping security experts analyze infected devices and even disable malware in compromised endpoints.

Security experts are using a tactic called malware sinkholing to analyze and control systems infected with malware. How does malware sinkholing work, and how can it help improve enterprise defenses against advanced threats?

Sinkholing is an evolution of honeypot technology and of tools such as the LaBrea Tarpit. It works by taking control of a botnet's command-and-control (C&C) infrastructure, or of some other channel the malware uses to communicate, so that infected machines talk to a server the defender controls. Those communications can then be used to gather data about how the malware works, to disable the botnet and, potentially, to disable the malware on compromised endpoints.

Malware sinkholing can include identifying the external command-and-control server and taking control of it, whether by exploiting it, seizing it or, more commonly, by taking over its domain name or having the DNS records for that name redirected to a server the defender runs. Any of these generally requires some sort of prior legal approval, such as a court order or a registrar's cooperation. Once infected hosts are connecting to the sinkhole, its logs and connections can be analyzed to determine which systems are compromised, whether data was stolen and what kind, and how the C&C infrastructure functioned. The same idea works inside the enterprise: configuring your own DNS resolvers to answer queries for known-malicious domains with the address of an internal sinkhole host identifies infected internal systems, and an externally operated sinkhole can reveal infected hosts on other networks that use your network or DNS.

Sinkholing can help boost enterprise defenses by improving detection of compromised endpoints: a host that connects to the sinkhole has, by definition, tried to reach the malware's C&C. The improved detection reduces the time it takes an enterprise to respond to an incident and to identify its impact. The detection may also come from outside your enterprise, since organizations that sinkhole a botnet typically share lists of the infected addresses that connected, letting you benefit from their work in identifying indicators of compromise. These indicators can be added to an overall threat intelligence tool -- such as Cisco Advanced Malware Protection, FireEye Threat Intelligence or ThreatConnect -- that then feeds the intelligence to the other security tools in use.
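The log analysis described above, turning sinkhole connections into a list of compromised internal hosts and indicators a threat intelligence platform could ingest, as an added example that is not code from the original article or from any of the products it names. It assumes you operate, or receive logs from, an HTTP sinkhole whose access log records the requested Host header; the sample log lines, the sinkholed domains, the malware family names and the internal address ranges are all constructed for the example and correspond to no real botnet.

```python
"""Find compromised internal hosts in sinkhole access logs and emit IOCs."""
import ipaddress
import json
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed: domains whose DNS has been redirected to our sinkhole, mapped to the
# (made-up) malware family that uses each one.
SINKHOLED_DOMAINS = {
    "update-cdn.example.net": "ExampleBot",
    "stats.example-metrics.org": "ExampleStealer",
}

# Assumed: the enterprise's internal address space.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: combined log format with the Host header appended.
SAMPLE_LOG = """\
10.20.30.40 - - [12/Nov/2015:08:01:13 +0000] "GET /gate.php?id=WS-1122&os=win7 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "update-cdn.example.net"
10.20.30.40 - - [12/Nov/2015:08:06:14 +0000] "GET /gate.php?id=WS-1122&os=win7 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "update-cdn.example.net"
10.20.31.7 - - [12/Nov/2015:08:07:02 +0000] "POST /upload.php?id=LT-0457&file=passwords.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0" "stats.example-metrics.org"
203.0.113.9 - - [12/Nov/2015:08:09:30 +0000] "GET /gate.php?id=EXT-9 HTTP/1.1" 200 12 "-" "curl/7.43" "update-cdn.example.net"
10.20.30.40 - - [12/Nov/2015:08:11:15 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot" "www.example.com"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_internal(ip_str):
    """True if the address falls inside one of the assumed internal networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Return {src_ip: summary} for internal hosts that beaconed to a sinkholed domain."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in SINKHOLED_DOMAINS:
            continue  # scanners, unrelated virtual hosts, unparsable lines
        if not is_internal(rec["src"]):
            continue  # external victims belong to someone else's incident queue
        qs = parse_qs(urlsplit(rec["path"]).query)
        entry = hosts.setdefault(rec["src"], {
            "family": SINKHOLED_DOMAINS[rec["host"]],
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "beacons": 0, "bot_ids": set(), "possible_exfil": [],
        })
        entry["beacons"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["bot_ids"].update(qs.get("id", []))
        # A POST carrying a file name is the closest thing the sinkhole sees to
        # evidence of data theft, so it goes into the incident record.
        if rec["method"] == "POST" and "file" in qs:
            entry["possible_exfil"].extend(qs["file"])
    return hosts


def to_indicators(hosts):
    """Flatten the summaries into a JSON-serialisable IOC list, sorted by address."""
    return [{
        "type": "internal-host", "value": ip, "malware": e["family"],
        "first_seen": e["first_seen"].isoformat(),
        "last_seen": e["last_seen"].isoformat(),
        "beacons": e["beacons"], "bot_ids": sorted(e["bot_ids"]),
        "possible_exfil": e["possible_exfil"],
    } for ip, e in sorted(hosts.items())]


if __name__ == "__main__":
    print(json.dumps(to_indicators(analyse(SAMPLE_LOG)), indent=2))
```

Run against the constructed log, it reports two infected internal hosts, flags the POST of `passwords.txt` as possible exfiltration, and drops both the external client and the unrelated `www.example.com` request; the external address is exactly what you would hand to the network's owner or a sharing group rather than act on yourself.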


This was last published in November 2015
