Security experts are using a tactic called malware sinkholing to analyze and control systems infected with malware. How does malware sinkholing work, and how can it help improve enterprise defenses against advanced threats?
Sinkholing is an evolution of honeypot technology and tools such as the LaBrea Tarpit. It works by taking control of a botnet's command-and-control infrastructure (C&C) or other malware communications, and by using those communications to gather data about how the malware works, disables the botnet -- and potentially even disables the malware on compromised endpoints.
Malware sinkholing can include identifying the external command-and-control server and taking control of it via a security exploit, which generally requires some sort of prior legal approval. Logs and connections can be analyzed to determine compromised systems, if and what kind of data was stolen, and the functionality of the C&C infrastructure. This can be done for internal hosts or potentially for external hosts that might be using your network or DNS.
Sinkholing can help boost enterprise defenses by improving detection of compromised endpoints. The improved detection will help reduce the time it takes for an enterprise to respond to an incident and identify the impact from the incident. This detection could be from outside your enterprise and could allow you to benefit from the work of other organizations in identifying indicators of compromise. This improved detection can also be added to an overall threat intelligence tool -- such as Cisco Advanced Malware Protection, FireEye Threat Intelligence or Threat Connect -- that is then used to feed the intelligence to other security tools in use.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get help developing a malware defense strategy
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading