The Value of Sinkholing: It’s In the Numbers

The Value of Sinkholing: It’s In the Numbers

In 2014, Bitsight acquired AnubisNetworks, a real-time data threat provider based in Portugal. The integration of AnubisNetworks extends Bitsight’s position as the leading provider of cybersecurity ratings for organizations around the world because it fuels Bitsight Security Ratings’ compromised systems risk vectors and gives Bitsight unparalleled visibility into global threat activity. Anubis’ powerful analytics technology was essential in adding to the scope of Bitsight’s solution that provides daily, continuous security ratings on over 110,000 organizations worldwide.

One of the many things that makes Anubis’ research process stand out is their continuous monitoring of worldwide network traffic for the purpose of identifying potentially malicious communications. This covers multiple geographies, industries, and sectors, and uses automated methods that look for patterns and frequency among certain traffic. This continuous monitoring places a special focus on web traffic, DNS traffic and email traffic. In their research process alone, Anubis processes over 141K events per second, 12.2 B events daily, and 4.4T events yearly.

One of the most impressive things about AnubisNetworks is that they have the largest sinkholing infrastructure in the world. But what exactly does that mean? A sinkhole receives communications from an infected machine (i.e. a machine infected with malware and part of a botnet) to the command and control (C&C) server. Rather than the malware connecting to its C&C server, the malware will actually communicate with one of our sinkholing servers.

When we say that Anubis has the largest sinkholing infrastructure in the world, this ties back to the purpose of sinkholing and its importance. Essentially, the primary goal of sinkholing is to collect telemetry on worldwide infections. To measure how large a sinkholing operation is, it is essential to understand how much coverage it has (i.e. number of unique infections that are different from all the families and their variants, as well as the affected geographies, industries, and sectors).

While there are other similar operations in the security industry, Anubis’ approach stands out because their research process leverages vast amounts of real-time global internet traffic in order to preemptively detect and sinkhole emerging botnets. This approach is based on observations of potentially malicious network traffic patterns, and therefore is not dependent on the traditional malware analysis process (which is the method most commonly used by similar operations).

AnubisNetworks’ research process and sinkholing infrastructure cement Bitsight — and its vast data ecosystem — as the best in the security ratings industry by helping users better understand the risk posed by their supply chain and to themselves.