In this episode, Joao Gouveia, CTO of Anubis Networks (a BitSight company), calls in to the show to discuss Anubis’ sinkholing infrastructure. Listen now to learn more about sinkholes, what makes Anubis’ sinkholing infrastructure the largest in the world, and why this matters to the industry at large.
Alex: Welcome to the BitSight Risk Review. During each episode, we'll be discussing current events and technology in the security and risk space. Thanks for tuning in, and let's get started.
Hi everyone. Welcome back to the BitSight Risk Review. I'm your host, Alex Campanelli. Today I have João Gouveia, CTO of AnubisNetworks, which is a BitSight company, calling in from Lisbon, Portugal to talk about Anubis's sinkholing infrastructure and its importance to threat intelligence and the security ratings market. João, thanks for dialing in all the way from Lisbon.
João: Hi Alex, thanks for having me.
Alex: So let's start at the beginning here. BitSight acquired AnubisNetworks, which is based out of Portugal, in 2014. And we've talked a little bit about this acquisition in a previous episode, but you've been with Anubis since day one. And now as their CTO, you do a lot of technical work with your sinkholing infrastructure. Can you describe what a sinkhole is for those who may not know?
João: Sure. So basically this goes to how a botnet normally operates. A botnet is essentially a group of infected machines that is controlled by a person or a group of persons for all sorts of different purposes. And sinkholing is basically a technique where we, as security researchers, essentially take over this botnet's command-and-control infrastructure in order to intercept and block communications from those infected devices, in a way that those devices, instead of communicating with their real command-and-control infrastructure, will basically be talking to our own platform, where we are able to log and identify exactly, for example, which devices and companies are infected, and what kind of malware families we are observing.
Alex: Great. And AnubisNetworks is regarded as having one of the largest sinkholing infrastructures in the world. What exactly does that mean and how is it being measured?
João: So if we go back to the purpose of why we do sinkholing and why anyone that does the same kind of operations does it. Basically, the primary goal is to simply collect telemetry of worldwide infections. So the proper way to measure how large a sinkholing operation is is essentially by understanding how much coverage it has in terms of, for example, the number of unique infections across the different families and their variants, as well as what the affected geographies, industries, and sectors are. In order to properly compare, for example, what we do in this area with other similar operations, what we did was take an approach where we essentially monitored each different operation from an unbiased external perspective, where we looked at things such as how many communications were observed over a period of time, including network flows and DNS requests, and an understanding of how many families are covered based on active command-and-control domains. So this was basically a way to compare different operations, one against the other, from an unbiased external perspective, so that we understand exactly where we stand.
Alex: So can you explain how we measure traffic with DNS resolutions, and why this is important or why it's relevant?
João: Sure. So an infected device that uses a hostname as a command and control will basically try to reach out to this hostname at a given frequency. In order to do that, it will use DNS to resolve that hostname into an IP address. This is basically, fundamentally, how the internet works, right? If you go to your browser and type a hostname, your computer will trigger a DNS resolution so that it tries to understand what the IP address of that hostname is. With botnets and malware, it's exactly the same thing. So by observing those DNS resolutions towards the several sinkholing operations, we can then compare how much traffic each operation is likely receiving.
Alex: So how does Anubis measure up to others in the industry?
João: So on the key indicators that we care about, or that we consider relevant for sinkhole infrastructure, which are basically those that I mentioned before, related essentially to volume and variety, like for example communications, active malware families, and the DNS requests that result from those communications, the Anubis operation really stands out very clearly as the largest sinkholing operation currently active.
Alex: So how does the data acquired from the sinkholing infrastructure impact the security ratings product that BitSight pioneered?
João: So basically, the BitSight data science team did a thorough analysis around how compromised systems, including obviously infections collected by the sinkhole infrastructure, relate to actual data breaches. The result of that work was that there was a very clear correlation between those infections and those indicators and actual data breaches. So essentially what this means is that those indicators related to compromised systems are extremely relevant for the purpose of calculating the security ratings. Those ratings can then be used by companies to identify risks in their own infrastructure or their third-party networks, which then obviously turns into actionable information for risk mitigation. Consider that nowadays 60 percent of the rating comes from compromised system data. Like I said, not only sinkholing, but other vectors as well. As a result of this work by our data science team, what we can say is that there is a clear correlation between compromised systems and data breaches, and that is why it plays a very big role in the calculation of the rating for BitSight products.
Alex: How are sinkholing activities evolving? How do you evolve to keep up with threat actors and criminals in today's age?
João: So first of all, it's important to mention that ultimately what we're doing is collecting telemetry and indicators around compromised systems, and sinkholing is just one tool to do that. So we don't just do sinkholing, we also do other things, like for example bots, crawlers, and whatever methods we need to develop to try to get this telemetry. Sinkholing is probably one of the oldest methods that there is to do this kind of work, and it is still pretty effective, and the reason why it is effective is because the groups that are behind these kinds of botnets and malware operations still employ their traditional command-and-control infrastructure to build their malware, or their networks, or their operations. And the reason why they do that is because it's still very much cost-effective for them to do. In terms of their infrastructure, there would be more complex ways to do it. But normally they still stick with the simple command-and-control structure, because that's really just the most cost-effective nowadays. What we are seeing is that things are evolving, as you mentioned, and there is a lot more complexity in the new things that we have been observing over time. Some time ago, there would be, let's just say, people just trying to make some money on things like malware and making Trojans, but nowadays what we're seeing is a fair amount of complexity, and this complexity is being driven by very organized criminal groups that are doing this kind of work. This means that they operate pretty much as a company, and their work is getting more and more complex, and that translates for us into a bigger investment on our side in how to keep track of the new things and evolve as well as they do.
Alex: Well, that looks like all the time that we've got. João, I want to thank you for speaking with me.
João: Thanks Alex.
Alex: Thanks everyone for listening to today's episode and we'll see you next time on the BitSight Risk Review.
Thanks for tuning into the BitSight Risk Review. Head over to www.bitsighttech.com for more episodes and other great security ratings content. Feel free to connect with us on Twitter, Facebook and LinkedIn. We'll see you next time.