Investigating and Appealing Sinkhole Findings

Erin Conry

Bitsight observes most Botnet Infections, Spam Propagation, Potentially Exploited and Insecure Systems findings through sinkholing. To maximize accuracy, Bitsight only logs an event when:

- A complete TCP three-way handshake is established with the sinkhole.
- The communication matches specific malware patterns.

Requiring a complete handshake prevents false positives from spoofing (packets with forged source IPs): a sender that forges its source address never receives the SYN-ACK and so cannot complete the handshake.

I can't find the event in my logs.

Review your current logging configuration. Your systems must be configured to capture malicious activity at the time these events occur.

Resources and recommendations:

- Policy and planning guides: NIST SP 800-61 (incident handling) and NIST SP 800-92 (log management).
- Operational guidance from the MITRE ATT&CK framework: the Command and Control tactic (TA0011) and its Application Layer Protocol technique (T1071).
- Centralize logging from platforms that can observe the traffic pattern Bitsight identifies, such as (but not limited to) firewalls, proxies/secure web gateways, DNS and EDR.

Leveraging Forensics for Investigations

The Forensics tool offers deeper insight into these events. Because Bitsight detects the traffic at your public NAT IP, it cannot see into your internal network. You must correlate Bitsight's timestamps with your own logs (firewall NAT or session logs, proxy, DNS, EDR) to identify the specific compromised device. Once the internal device is identified, specific remediation guidance is available in the finding's Details section.

The following Forensics fields can be used to correlate with your organization's internal logs:

- Occurrence Last Seen: The last time the event was seen.
- Occurrence First Seen: The first time the event was seen.
- Representative Event Timestamp: The time at which the event was observed.
- GeoIP Location: Country where the IP address involved in this event resides.
- Source Port: A compromised device was observed sending traffic from this port. Because Bitsight observes the connection at your public NAT IP, this is the post-NAT source port where your egress device performs port translation; correlate it against the firewall's NAT or session table rather than the internal host's own ephemeral port.
- Destination Port: A compromised device was observed connecting to this port.
- Server Name: A device was observed connecting to this server, which is a known command and control, sinkhole, or adware host.
- Destination IP: Do not block this IP. This formerly malicious IP/domain has been acquired by Bitsight (or a partner) and now reports suspicious connections as part of a sinkhole. Remediate the infected device rather than blocking the sinkhole address.
- Observation Count: Number of times the event was observed in a 24-hour period (midnight UTC to midnight UTC).
- Detection Mechanism: The method used to detect the infection. For example, a botnet infection can be detected by a sinkhole that receives the bot's connection in place of the command and control server, and spam propagation can be discovered by analyzing email headers.
- Request Method: The HTTP request method the infected device used to communicate with the command and control server (e.g. POST, GET).
- User Agent: Malware can use the User-Agent HTTP header to transmit information about itself or the compromised system to the command and control server. Search for this exact string in proxy and web gateway logs; a User-Agent that no legitimate browser or software on your estate sends is often the quickest path to the host.

I want to appeal a finding.

While Bitsight maintains high confidence in these findings because of the safeguards above, you may initiate an appeal if internal log correlation does not reveal the communication. Both customers and Access Request recipients are covered by mutual confidentiality provisions, so redacted screenshots are acceptable in an appeal.

To begin the process, open a ticket with Bitsight Support and provide the following details from your systems:

- Date of observation.
- Type of observation.
- Your reason for contesting the result.
- Steps you have taken to troubleshoot the event.
- Screenshots of logs or other dashboards (rather than spreadsheets or text files) that illustrate the troubleshooting process, contextualized with the timestamp of the finding.
- Framework and setup of your current logging system.

Acceptable logging information includes:

- Screenshot(s) from logging systems or your malware testing environment.
- Dates and times.
- Source and destination ports.
- Source and destination IPs.
- Complementary written documentation about how your organization's systems handle the traffic in question and why you believe it does not merit inclusion.

Detailed context is vital. As an external observer, Bitsight cannot account for internal tool configurations or filters that might obscure the validated detection (for example, a log retention window shorter than the time since the observation, or a rule that drops the session before it is logged). Any additional context you can provide will help.

Availability of Packet Captures (PCAPs)

Bitsight prioritizes retaining packet capture (PCAP) files to provide granular transparency into sinkholed traffic. They can serve as critical forensic evidence, enabling security teams to conduct network-level investigations and independently validate a finding by inspecting the completed handshake and the request that matched the malware pattern.

PCAPs are not guaranteed for any event, and the guidelines are subject to change. When available, a PCAP is most often attached to the event in the product; if it is not present there, contact the Support Team to see whether they can pull it for the event.

Frequently Asked Questions

Q: The connection was terminated by our firewall once it was seen as malicious. Why are we penalized for this if no data was transferred?
A: Any data transfer or connection with the sinkhole is a valid finding. Even if the connection is terminated once it is recognized as malicious, the device still completed a handshake with a sinkhole, which is not expected behavior for a healthy system. The firewall log of that terminated session is also exactly the record you need to identify the infected host.

Q: We remediated the finding. What happens to my rating?
A: These findings are observed passively, so the finding must complete its lifetime before it stops affecting your rating.

Q: Will Bitsight remove the finding while an appeal investigation is in progress?
A: No.
Findings under appeal continue to impact your rating until proven otherwise.

Q: What happens to my rating if an appeal succeeds?
A: Once an appeal succeeds, the rating impact is removed; monitor your rating for the update.

Q: What risk vectors are associated with sinkholing?
A: Botnet Infections, Spam Propagation, Potentially Exploited and Insecure Systems.
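The correlation step described under Leveraging Forensics for Investigations, and the point made in the first FAQ that a session your firewall reset is still the record you need, as an added worked example. This is not Bitsight tooling or code from this article: the key=value session log format, every IP address, port and timestamp, the 5-minute clock-skew window and the assumption that the finding's Source Port is the post-NAT port are all constructed for illustration.

```python
"""Correlate a Bitsight sinkhole finding with internal firewall NAT/session logs.

Added example, not Bitsight's own tooling. The key=value log format, every
IP address, port and timestamp, and the 5-minute window are constructed for
illustration; adapt the parser to your firewall's real export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Finding:
    """The Forensics fields used for correlation (all times are UTC)."""
    representative_event_timestamp: datetime
    public_ip: str        # your NAT IP as seen by Bitsight
    source_port: int      # assumed to be the post-NAT source port
    destination_ip: str   # the sinkhole address (do not block it)
    destination_port: int


@dataclass
class NatRecord:
    """One firewall session log entry with pre- and post-NAT tuples."""
    timestamp: datetime
    internal_ip: str
    internal_port: int
    nat_ip: str
    nat_port: int
    dest_ip: str
    dest_port: int
    action: str           # e.g. allow, reset, deny


# Constructed sample log. The second line is a session the firewall reset
# after the handshake completed; it is still a valid sinkhole observation.
SAMPLE_NAT_LOG = """\
ts=2024-03-11T09:14:02Z src=10.20.4.17:51512 nat=203.0.113.5:41233 dst=198.51.100.23:443 action=allow
ts=2024-03-11T09:14:05Z src=10.20.4.88:60011 nat=203.0.113.5:41234 dst=198.51.100.23:443 action=reset
ts=2024-03-11T09:14:07Z src=10.20.7.2:44120 nat=203.0.113.5:41235 dst=192.0.2.10:80 action=allow
ts=2024-03-11T11:30:00Z src=10.20.4.88:60120 nat=203.0.113.5:41234 dst=198.51.100.23:443 action=allow
"""


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-11T09:14:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_finding(ts: str, public_ip: str, source_port: int,
                 destination_ip: str, destination_port: int) -> Finding:
    """Build a Finding from the values copied out of the Forensics view."""
    return Finding(parse_timestamp(ts), public_ip, source_port,
                   destination_ip, destination_port)


def _split_endpoint(value: str) -> Tuple[str, int]:
    ip, port = value.rsplit(":", 1)
    return ip, int(port)


def parse_nat_log(text: str) -> List[NatRecord]:
    """Parse key=value session lines into NatRecord objects."""
    records: List[NatRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        src_ip, src_port = _split_endpoint(kv["src"])
        nat_ip, nat_port = _split_endpoint(kv["nat"])
        dst_ip, dst_port = _split_endpoint(kv["dst"])
        records.append(NatRecord(parse_timestamp(kv["ts"]), src_ip, src_port,
                                 nat_ip, nat_port, dst_ip, dst_port,
                                 kv.get("action", "unknown")))
    return records


def correlate(finding: Finding, records: List[NatRecord],
              window_minutes: int = 5) -> List[NatRecord]:
    """Return session records whose post-NAT 4-tuple matches the finding.

    The time window absorbs clock skew between Bitsight's observation and
    your logging pipeline; widen it if your log sources are not NTP-synced.
    Matching on the NAT port is what disambiguates hosts behind one public IP.
    """
    window = timedelta(minutes=window_minutes)
    t = finding.representative_event_timestamp
    return [r for r in records
            if t - window <= r.timestamp <= t + window
            and r.nat_ip == finding.public_ip
            and r.nat_port == finding.source_port
            and r.dest_ip == finding.destination_ip
            and r.dest_port == finding.destination_port]


def identify_internal_host(finding: Finding, records: List[NatRecord],
                           window_minutes: int = 5) -> Optional[Tuple[str, str]]:
    """Return (internal IP, firewall action) for the matching session, or None."""
    matches = correlate(finding, records, window_minutes)
    if not matches:
        return None
    # A reset or denied session still identifies the host: the device made
    # the connection, which is exactly what the finding reports.
    return matches[0].internal_ip, matches[0].action


if __name__ == "__main__":
    finding = make_finding("2024-03-11T09:14:05Z", "203.0.113.5", 41234,
                           "198.51.100.23", 443)
    print(identify_internal_host(finding, parse_nat_log(SAMPLE_NAT_LOG)))
```

Running the module with the constructed data resolves the finding to 10.20.4.88 with action `reset`: the firewall tore the session down, but the host behind the NAT still made the connection, and that host is what you remediate. The same 4-tuple appears again two hours later from a different internal port, which is why the time window matters when several sessions reuse a NAT port.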