Exclusive Tips: Hardening your Active Directory with Advanced Strategies

Close this search box.

Sinkholes: How to Use Deception Technology to Serve as an Intelligent Sinkhole

Table of Contents

A sinkhole is a system used by security teams to fight, block, and collect information about adversaries infiltrated the organization. It is also used by security researchers to collect information about botnets activities and the adversaries’ PPTs.

Most common to security professionals is a DNS sinkhole[1]. This provides the prevention of malicious and unwanted activity occurring between organization computers system and the Internet. This blog focuses on how deception technology can serve as an intelligent sinkhole.

Deception technology can assist in collecting information about the adversaries’ goals of already infected assets inside the organization and how they tried to reach those goals.

Deception collects vital intel on attackers

Organizations use Threat Intelligence to block the communication of attackers that infiltrated the organization with Command and Control (C&C) servers on the Internet. Such blocking can be done using a FW, IPS, and other security gateways based on TI. Blocking prevents the operations of the adversaries when they try to connect with C&C or when they try to access assets that they should not be accessing. However, by “just” blocking the attackers, the defenders cannot learn about the adversaries’ goals, PPTs, etc. For example, what protocols the attackers are using, what they are looking for, which tools they use, etc. Using deception, the defenders can gather all this information and more.

The method of using deception as an intelligent sinkhole

Using deception technology as an intelligent sinkhole relies on rerouting the suspicious traffic and the unidentified traffic to a Decoy Server. This can be done through the organization’s DNS server, the FW or the IPS. The traffic that will be directed to the Decoy Server might include any ports or protocols the adversary is using to carry the attacks or to connect with the C&C server. The Decoy Server itself is configured to have relevant ports open and, with applications running on these ports, capable of interacting with the adversary. It should include HTTP(S) application, FTP application, database servers, DNS server and more. A Concurrently local services like shared folders and RDP should be configured.

The decoys services can be on the same IP address or running on different IP addresses (by using the DNS server on the Decoy Server itself). This configuration should follow the configuration used by the organization.

DNS Decoy

When a DNS is used to redirect the adversaries’ traffic to the decoy server, the DNS decoy should be configured on the Decoy Server. The organization’s DNS server should then forward the DNS request to the decoy DNS server which returns the IP addresses of the decoys. You can have multiple decoys running on multiple IP addresses. Each can run multiple services and the decoy DNS can round robin among these decoy servers. Security teams also have the option to use the decoys as part of their incident response strategy. You can feed attackers with false information leading them in the wrong direction.

When an attacker interacts with one of the decoys, the interactions can progress for quite a while. For example, when the attacker connects to an FTP server, he goes through the login process, then traverses the file system of the decoy, and writes or reads a file.

Forensic information collected in the Decoy Server

Deception technology can collect all the activities of the attacker with the decoy system. It can then present it in a graphical manner, allowing the security team to inspect all activities. At the same time, a PCAP file for these activities can be captured. If the deception solution is integrated with other systems that are inspecting traffic (e.g., Network Detection & Response), then the entire traffic of the infected asset can be captured in a PCAP file.

Note that when Fidelis Deception is integrated with EDR tool, the decoy can inform the EDR about the activities taking place with the decoy. Then, the EDR can start tracing the process and the activities of the adversary communicating with the decoy.


To summarize, using deception as an intelligent sinkhole in the organization is easy to configure and yield a lot of information about the adversaries’ activities. You can gather intelligence and information about the goals of the attacker and learn how to detect and prevent the current and future attacks.



Picture of Doron Kolton
Doron Kolton

Doron held executive and management roles in cyber security and software development for over 25 years. He serves now as the CTO for the Deception at Fidelis Security. Doron founded TopSpin Security in 2013 building an enhanced architecture providing accurate detection with minimal overhead; he was the CEO of TopSpin Security until the company was acquired by Fidelis Security. Previously he served as Vice President of Products and Engineering at Breach Security acquired by Trustwave defining and developing advanced Web Application Firewall. Before that he had several roles in Motorola Semiconductor Israel including leading the software development for the company.

Share this post

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.