<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Threat actors never stand still and neither do we. Our Security, Intelligence, and Research team just boosted the number of sinkhole indicators in ThreatSTOP’s threat intelligence by <span><strong>over sixty-six percent</strong></span>. Both IP and domain targets for Sinkholes now enjoy deeper, broader coverage across every ThreatSTOP platform — DNS Defense Cloud, DNS Defense, and IP Defense. The result is clearer visibility into compromise, faster containment, and stronger protection for every device that relies on your network.</p> <!--more--><p>&nbsp;</p> <hr> <p>&nbsp;</p> <h4><strong>What exactly is a sinkhole?</strong></h4> <p>A <i>sinkhole</i> is an IP address or domain name that security researchers or law-enforcement agencies have created or sometimes requisitioned from criminals. Instead of resolving to a live command-and-control server, the traffic lands in a controlled environment where bad behavior is safely observed or null-routed.</p> <p>When an endpoint on your network reaches out to a sinkhole, it is waving a red flag: “I was or <i>still am</i> infected.” Catching that traffic lets you:</p> <ul> <li> <p>Identify compromised hosts before data theft or ransomware detonation.</p> </li> <li> <p>Map out lateral movement or botnet scale.</p> </li> <li> <p>Confirm remediation actually worked when the queries disappear.</p> </li> </ul> <h4><strong>Why sinkhole alerts matter</strong></h4> <ul> <li> <p><span><strong>Early warning</strong></span> – Malware often phones home minutes after execution. An immediate block and alert keeps the threat from escalating.</p> </li> <li> <p><span><strong>Silent infections</strong></span> – Many commodity trojans, loaders, or adware kits talk to sinkholes long after an original takedown. 
They lurk quietly until they fetch a fresh payload.</p> </li> <li> <p><span><strong>Compliance and incident response</strong></span> – Demonstrating that you detect and act on beaconing traffic satisfies auditors and accelerates post-incident forensics.</p> </li> </ul> <p>&nbsp;</p> <h4><strong>How ThreatSTOP turns sinkhole intelligence into active protection</strong></h4> <p>&nbsp;</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>Product</strong></p> </th> <th> <p><strong>What it does</strong></p> </th> <th> <p><strong>Sinkhole advantage</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="/dns-defense-cloud" rel="noopener" target="_blank"><strong>DNS Defense Cloud</strong></a></p> </td> <td> <p>Routes your resolvers to ThreatSTOP’s cloud DNS platform.</p> </td> <td> <p>Blocks outbound DNS lookups to sinkhole domains in real time, returning safe NXDOMAIN responses and logging the event for instant alerting.</p> </td> </tr> <tr> <td> <p><a href="/solutions/threatstop-dns-firewall-overview" rel="noopener" target="_blank"><strong>DNS Defense</strong></a></p> </td> <td> <p>Runs ThreatSTOP intelligence on your own recursive servers.</p> </td> <td> <p>Keeps sensitive internal DNS traffic on-prem while applying the same sinkhole dataset, protecting even disconnected sites.</p> </td> </tr> <tr> <td> <p><a href="/solutions/ip-firewall-protection" rel="noopener" target="_blank"><strong>IP Defense</strong></a></p> </td> <td> <p>Delivers authoritative block lists to routers, firewalls, web application firewalls, and more.</p> </td> <td> <p>Stops direct IP connections to sinkholes over any protocol, turning every enforcement point into a proactive shield.</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p>Behind the scenes, our Security, Intelligence, and Research team analyzes global telemetry, takedown notices, and law-enforcement feeds to curate 
sinkhole indicators alongside protections for command and control, invalid traffic, peer-to-peer abuse, data exfiltration, phishing, SPAM, DDoS activity, and more. Updates flow automatically to every customer, so today’s two-thirds expansion is already working on your behalf.</p> <p>The two targets you'll want to verify in your policy are:</p> <ul> <li><strong>TS Curated - Sinkholes - IPs</strong></li> <li><strong>TS Curated - Sinkholes - Domains</strong></li> </ul> <p><span>Both are included in the <span style="font-weight: bold;">Command and Control Bundle</span>, so customers using that bundle don't have to do anything to receive the new detections. Our platform has already taken care of that for you.</span></p> <p>&nbsp;</p> <hr> <p>&nbsp;</p> <h4><strong>Ready to see the difference?</strong></h4> <p>For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our <a href="/threatstop-platform" rel="noopener" target="_blank">product page</a>. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. 
Get started with a <a href="https://admin.threatstop.com/register?hsLang=en" rel="noopener" target="_blank">Demo today</a>!</p> <p><strong>Connect with Customers, Disconnect from Risks</strong></p> <p>&nbsp;</p> <hr> <p>&nbsp;</p> <h3><strong>MITRE ATT&amp;CK Coverage Matrix</strong></h3> <p>&nbsp;</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>ATT&amp;CK ID</strong></p> </th> <th> <p><strong>Tactic</strong></p> </th> <th> <p><strong>Technique</strong></p> </th> <th> <p><strong>Why it matters</strong></p> </th> <th> <p><strong>ThreatSTOP Protection</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>T1071.004</p> </td> <td> <p>Command and Control</p> </td> <td> <p><i>Exfiltration over DNS</i></p> </td> <td> <p>Malware uses DNS queries for beaconing or data transfer.</p> </td> <td> <p>DNS Defense Cloud and DNS Defense block sinkhole domains, log attempts, and alert operators.</p> </td> </tr> <tr> <td> <p>T1090.002</p> </td> <td> <p>Command and Control</p> </td> <td> <p><i>External Proxy</i></p> </td> <td> <p>Bots proxy traffic through sinkhole IPs that once served C2.</p> </td> <td> <p>IP Defense distributes IP block lists to firewalls and routers, cutting the path.</p> </td> </tr> <tr> <td> <p>T1041</p> </td> <td> <p>Exfiltration</p> </td> <td> <p><i>Exfiltration over C2 Channel</i></p> </td> <td> <p>Infected hosts attempt to send stolen data to former C2 addresses that are now sinkholes.</p> </td> <td> <p>All three products block the traffic, preventing data loss and generating high-fidelity alerts.</p> </td> </tr> <tr> <td> <p>T0858</p> </td> <td> <p>Discovery</p> </td> <td> <p><i>Remote System Discovery</i></p> </td> <td> <p>Compromised systems look for peers via DNS queries that reveal lateral movement attempts.</p> </td> <td> <p>Protective DNS policies deny the lookups, exposing the reconnaissance for response teams.</p> </td> </tr> <tr> <td> 
<p>T1568.003</p> </td> <td> <p>Command and Control</p> </td> <td> <p><i>Domain Generation Algorithms</i></p> </td> <td> <p>DGAs sometimes resolve to sinkholed domains after takedown.</p> </td> <td> <p>Continuous updates identify new sinkhole domains generated by DGAs, ensuring blocks stay current.</p> </td> </tr> </tbody> </table></span>
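<p>The detection workflow from the sinkhole sections above (a lookup or connection to a sinkhole marks the host as compromised, and the queries disappearing confirms remediation), as an added Python example that is not ThreatSTOP code. The indicator values, log lines, host addresses and cleanup times are constructed, and the one-hour quiet window before declaring a host remediated is an assumption.</p>

```python
# Added example, not ThreatSTOP code: flag sinkhole hits per host and confirm remediation.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed stand-ins for the "Sinkholes - Domains"/"Sinkholes - IPs" targets, plus
# constructed log lines ("timestamp src_ip kind target") and per-host cleanup times.
SINKHOLE_DOMAINS = {"sinkhole.example.net", "takedown.example.org"}
SINKHOLE_IPS = {"192.0.2.10", "198.51.100.7"}
LOG_LINES = """\
2024-06-01T09:00:05 10.1.1.25 dns sinkhole.example.net
2024-06-01T09:10:07 10.1.1.25 dns sinkhole.example.net
2024-06-01T09:11:00 10.1.1.40 dns www.example.com
2024-06-01T09:20:09 10.1.1.25 dns SINKHOLE.EXAMPLE.NET.
2024-06-01T09:30:11 10.1.1.31 ip 198.51.100.7
2024-06-01T11:00:00 10.1.1.31 ip 198.51.100.7
"""
CLEANUP_TIMES = {"10.1.1.25": datetime(2024, 6, 1, 9, 30), "10.1.1.31": datetime(2024, 6, 1, 10)}
NOW = datetime(2024, 6, 1, 12)

def sinkhole_hits(lines):
    """Return {src_ip: [timestamps]} for every lookup or connection to a sinkhole."""
    hits = defaultdict(list)
    for line in lines.splitlines():
        ts, src, kind, target = line.split()
        t = target.rstrip(".").lower()  # normalise trailing dot and case of FQDNs
        if (kind == "dns" and t in SINKHOLE_DOMAINS) or (kind == "ip" and t in SINKHOLE_IPS):
            hits[src].append(datetime.fromisoformat(ts))
    return dict(hits)

def beacon_interval(times):
    """Median seconds between hits; a steady interval points to an automated implant."""
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2] if gaps else None

def remediation_status(hits, remediated_at, now, quiet_for=timedelta(hours=1)):
    """'infected' if never cleaned or still beaconing after cleanup, 'remediated' once quiet for quiet_for, else 'pending'."""
    status = {}
    for src, times in hits.items():
        cleaned = remediated_at.get(src)
        if cleaned is None or any(t > cleaned for t in times):
            status[src] = "infected"
        elif now - cleaned >= quiet_for:
            status[src] = "remediated"
        else:
            status[src] = "pending"
    return status

if __name__ == "__main__":
    hits = sinkhole_hits(LOG_LINES)
    for src, state in remediation_status(hits, CLEANUP_TIMES, NOW).items():
        print(f"{src}: {len(hits[src])} hits, beacon {beacon_interval(hits[src])}s -> {state}")
```

<p>Running the block prints each flagged host with its hit count, median beacon interval and status; the benign lookup from 10.1.1.40 never appears because it matches neither indicator set.</p>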