BitSight Security Research

The Value of Sinkholing: It’s In the Numbers

Alex Campanelli | January 19, 2018

In 2014, BitSight acquired AnubisNetworks, a real-time threat data provider based in Portugal. Integrating AnubisNetworks extended BitSight's position as a leading provider of cybersecurity ratings because its data feeds the compromised systems risk vectors in BitSight Security Ratings and gives BitSight broad visibility into global threat activity. Anubis' analytics technology was essential in widening the scope of a solution that now provides daily, continuous security ratings on over 110,000 organizations worldwide.

One of the things that makes Anubis' research process stand out is its continuous monitoring of worldwide network traffic to identify potentially malicious communications. The monitoring spans multiple geographies, industries, and sectors, and relies on automated methods that look for patterns and frequency in traffic, with a particular focus on web, DNS and email traffic. This research pipeline alone processes over 141K events per second, about 12.2 billion events per day and roughly 4.4 trillion events per year.

One of the most impressive things about AnubisNetworks is that it operates the largest sinkholing infrastructure in the world. But what exactly does that mean? A sinkhole is a server that receives the traffic an infected machine (a machine infected with malware and enrolled in a botnet) intended for its command and control (C&C) server. Because the domain name or address the malware uses has been redirected, for example by registering an expired or seized C&C domain and pointing it at the sinkhole, the malware never reaches its real C&C server and instead communicates with one of our sinkholing servers, which log the connection attempt rather than issuing commands.

When we say that Anubis has the largest sinkholing infrastructure in the world, this ties back to the purpose of sinkholing and why it matters. The primary goal of sinkholing is to collect telemetry on worldwide infections. The size of a sinkholing operation is therefore measured by its coverage: the number of unique infected hosts it observes across all malware families and their variants, and the range of geographies, industries, and sectors those hosts fall into. Raw hit counts are a poor proxy, since a single infected host may beacon to the sinkhole many times a day.
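The coverage measurement described above, as an added example that is not BitSight or AnubisNetworks code: it takes sinkhole hit records (the CSV layout, the family names and the sample rows are all constructed for this illustration) and reduces repeated beacons from the same host to unique infections, then breaks those down by family, country and sector. The choice of (family, source IP, UTC day) as the host identity is an assumption made here, not something the post specifies.

```python
"""Aggregate sinkhole hit telemetry into unique-infection counts.

Added example, not BitSight/AnubisNetworks code. The log format and the
malware family names are hypothetical; the records below are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of sinkhole hits. Each row is one connection that an
# infected host attempted to make to a C&C domain that now resolves to a
# sinkhole. IPs are taken from RFC 5737 documentation ranges.
SAMPLE_HITS = """\
timestamp,src_ip,country,sector,sinkholed_domain,family
2018-01-15T10:00:01Z,198.51.100.7,PT,finance,c2-a.example,famA
2018-01-15T10:00:05Z,198.51.100.7,PT,finance,c2-a.example,famA
2018-01-15T11:30:00Z,203.0.113.9,US,healthcare,c2-a.example,famA
2018-01-15T12:00:00Z,203.0.113.9,US,healthcare,c2-b.example,famB
2018-01-15T12:00:00Z,203.0.113.9,US,healthcare,c2-b.example,famB-v2
2018-01-16T09:00:00Z,198.51.100.7,PT,finance,c2-a.example,famA
2018-01-16T09:10:00Z,192.0.2.44,DE,education,c2-b.example,famB
"""

REQUIRED = {"timestamp", "src_ip", "country", "sector", "sinkholed_domain", "family"}


def infection_key(hit):
    """Identity of one infected host (assumption: family + source IP + UTC day).

    One public IP can hide many hosts behind NAT, and DHCP reassigns IPs, so
    this undercounts NATed networks and recounts a host whose IP changes.
    Resetting per day keeps the count from drifting with DHCP churn.
    """
    day = datetime.strptime(hit["timestamp"], "%Y-%m-%dT%H:%M:%SZ").date()
    return (hit["family"], hit["src_ip"], day.isoformat())


def parse_hits(text):
    """Parse CSV sinkhole logs into dicts, dropping rows with missing fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if REQUIRED.issubset(row) and all(row[k] for k in REQUIRED):
            rows.append(row)
    return rows


def unique_infections(hits):
    """Collapse repeated beacons: map each infection key to its first hit."""
    seen = {}
    for hit in hits:
        seen.setdefault(infection_key(hit), hit)
    return seen


def coverage_summary(hits):
    """Coverage as the text defines it: unique infections by family, country, sector."""
    infections = unique_infections(hits)
    summary = {
        "hits": len(hits),
        "total": len(infections),
        "by_family": Counter(),
        "by_country": Counter(),
        "by_sector": Counter(),
    }
    for hit in infections.values():
        summary["by_family"][hit["family"]] += 1
        summary["by_country"][hit["country"]] += 1
        summary["by_sector"][hit["sector"]] += 1
    return summary


if __name__ == "__main__":
    s = coverage_summary(parse_hits(SAMPLE_HITS))
    print(f"{s['hits']} hits -> {s['total']} unique infections")
    for dim in ("by_family", "by_country", "by_sector"):
        print(dim, dict(s[dim]))
```

On the constructed sample, seven hits collapse to six unique infections: the two beacons from 198.51.100.7 on 2018-01-15 are one infection, while the same IP on the next day is counted again. Note that famB and famB-v2 are counted as separate infections on the same host, which is what the text means by coverage across families and their variants; an operator who wants per-host counts regardless of family would drop the family from the key.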

While there are other similar operations in the security industry, Anubis' approach stands out because its research process leverages vast amounts of real-time global internet traffic to detect and sinkhole emerging botnets preemptively. Because it is driven by observed network traffic patterns, it does not depend on the traditional malware analysis process (reverse engineering a sample to extract its C&C domains), which is the method most similar operations rely on.

AnubisNetworks’ research process and sinkholing infrastructure cement BitSight — and its vast data ecosystem — as the best in the security ratings industry by helping users better understand the risk posed by their supply chain and to themselves.  

Listen to episode #4 of the BitSight Risk Review podcast to hear Joao Gouveia discuss Anubis’ sinkholing infrastructure. 

