The Value of Sinkholing: It’s In the Numbers

Alex Campanelli | January 19, 2018 | tag: BitSight

In 2014, BitSight acquired AnubisNetworks, a real-time threat data provider based in Portugal. The integration of AnubisNetworks extends BitSight’s position as the leading provider of cybersecurity ratings for organizations around the world because it fuels the compromised systems risk vectors in BitSight Security Ratings and gives BitSight unparalleled visibility into global threat activity. Anubis’ analytics technology was essential in extending the scope of BitSight’s solution, which provides daily, continuous security ratings on over 110,000 organizations worldwide.

One of the many things that makes Anubis’ research process stand out is its continuous monitoring of worldwide network traffic for the purpose of identifying potentially malicious communications. This monitoring covers multiple geographies, industries, and sectors, and uses automated methods that look for patterns and frequency in certain traffic, with a special focus on web traffic, DNS traffic and email traffic. In its research process alone, Anubis processes over 141K events per second, 12.2B events daily, and 4.4T events yearly.

One of the most impressive things about AnubisNetworks is that it operates the largest sinkholing infrastructure in the world. But what exactly does that mean? A sinkhole receives the communications that an infected machine (i.e. a machine infected with malware and part of a botnet) would otherwise send to its command and control (C&C) server. Rather than reaching its C&C server, the malware ends up communicating with one of our sinkholing servers, which records the contact but issues no commands.

When we say that Anubis has the largest sinkholing infrastructure in the world, this ties back to the purpose of sinkholing and its importance. Essentially, the primary goal of sinkholing is to collect telemetry on worldwide infections. To measure how large a sinkholing operation is, it is essential to understand how much coverage it has: the number of unique infections it observes, broken down by malware family and variant, as well as the affected geographies, industries, and sectors.
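As an added illustration (not BitSight’s or Anubis’ code), the following Python turns constructed sinkhole hit records into the coverage numbers described above: repeated beacons from one host are collapsed into unique (host, family) infections, which are then counted by family, country and day. The record format, domain names, family labels and IP addresses are all assumptions.

```python
from collections import Counter
from typing import Iterable, NamedTuple

# Constructed sample of sinkhole hit records, not real telemetry.
# Fields: UTC timestamp, source IP, sinkholed C&C domain, family label, country.
SAMPLE_HITS = """\
2018-01-18T09:12:01Z 198.51.100.23 cnc-a.example family-a PT
2018-01-18T09:12:07Z 198.51.100.23 cnc-a.example family-a PT
2018-01-18T10:40:55Z 203.0.113.8 cnc-a.example family-a US
2018-01-18T11:02:13Z 203.0.113.8 cnc-b.example family-b US
2018-01-18T23:59:59Z 192.0.2.77 cnc-b.example family-b DE
2018-01-19T00:00:03Z 192.0.2.77 cnc-b.example family-b DE
2018-01-19T08:15:30Z 198.51.100.23 cnc-a.example family-a PT
this line is malformed and is skipped
"""

class Hit(NamedTuple):
    day: str        # YYYY-MM-DD, taken from the timestamp
    src_ip: str
    domain: str
    family: str
    country: str

def parse_hits(text: str) -> list:
    """Parse one record per line; malformed lines are skipped, not fatal."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or "T" not in parts[0]:
            continue
        ts, src_ip, domain, family, country = parts
        hits.append(Hit(ts.split("T")[0], src_ip, domain, family, country))
    return hits

def unique_infections(hits: Iterable) -> set:
    """One infection = one (host, family) pair: repeated beacons from the
    same host collapse, while a host running two families counts twice."""
    return {(h.src_ip, h.family) for h in hits}

def coverage_by(hits: list, field: str) -> dict:
    """Unique infections grouped by a Hit field such as 'family' or 'country'."""
    seen = {(getattr(h, field), h.src_ip, h.family) for h in hits}
    return dict(Counter(key for key, _, _ in seen))

def daily_unique(hits: list) -> dict:
    """Unique infections per day, the series an operator trends over time."""
    return coverage_by(hits, "day")

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS)
    print(len(hits), "events ->", len(unique_infections(hits)), "unique infections")
    print(coverage_by(hits, "family"), coverage_by(hits, "country"), daily_unique(hits))
```

Note that the day boundary splits the 192.0.2.77 host into two daily counts even though it is a single infection over the whole window, which is why the overall unique count is reported separately from the daily series.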

While there are other similar operations in the security industry, Anubis’ approach stands out because their research process leverages vast amounts of real-time global internet traffic in order to preemptively detect and sinkhole emerging botnets. This approach is based on observations of potentially malicious network traffic patterns, and therefore is not dependent on the traditional malware analysis process (which is the method most commonly used by similar operations).

AnubisNetworks’ research process and sinkholing infrastructure cement BitSight — and its vast data ecosystem — as the best in the security ratings industry by helping users better understand the risk posed by their supply chain and to themselves.  

Listen to episode #4 of the BitSight Risk Review podcast to hear Joao Gouveia discuss Anubis’ sinkholing infrastructure. 

