Wednesday, April 2, 2025
HomeAWSMadPot: AWS Honeypot to Disrupt Threat Actors

MadPot: AWS Honeypot to Disrupt Threat Actors

Published on

SIEM as a Service

Follow Us on Google News

In the realm of cybersecurity, the battle against threat actors never stops. With its vast cloud infrastructure, Amazon Web Services (AWS) is at the forefront of this ongoing struggle. 

AWS employs a global network of sensors and advanced disruption tools daily to detect and thwart hundreds of cyberattacks. 

These relentless efforts remain largely unseen but play a pivotal role in safeguarding AWS’s network, infrastructure, and customers. 

Beyond protecting its own ecosystem, AWS collaborates with responsible providers to combat threat actors operating within their infrastructure, contributing to a safer internet as a whole.

Global-Scale Threat Intelligence with AWS Cloud:

AWS boasts the largest public network footprint of any cloud provider, granting it unparalleled real-time insight into internet activities. 

Leveraging this scale, AWS Principal Security Engineer Nima Sharifi Mehr pioneered innovative approaches to gather threat intelligence. 

The result was MadPot, an internal suite of tools designed for two primary purposes: detecting and monitoring threats and disrupting harmful activities when possible. 

MadPot has evolved into a sophisticated system of monitoring sensors and automated response capabilities.

MadPot: Mimicking Real Systems at Scale:

MadPot, resembling honeypots, deceives threat actors by appearing as a vast array of plausible innocent targets. 

This approach attracts threat actors, whose behavior is then observed and acted upon. 

MadPot sensors monitor over 100 million potential threat interactions daily, with around 500,000 classified as malicious. 

This wealth of threat intelligence is analyzed to provide actionable insights about potential harmful activity across the internet. 

Automated responses protect AWS’s network from identified threats, and relevant information is shared with companies whose infrastructure is used for malicious activities.

Swift Action and Disruption:

Internet probes detect it within approximately 90 seconds of deploying a new MadPot sensor. In just three minutes on average, attempts to penetrate and exploit it occur. 

MadPot then analyzes telemetry, code, network connections, and other threat actor behavior data points. 

High-confidence findings trigger disruptive actions, such as disconnecting threat actors from AWS networks. 

Additionally, threat data is shared with customers through Amazon GuardDuty, allowing their own tooling and automation to respond effectively.

Collaborating with the Security Community:

AWS actively collaborates with the security community, sharing threat intelligence findings. In the first quarter of 2023 alone:

– 5.5 billion signals from internet threat sensors and 1.5 billion signals from active network probes were used in anti-botnet security efforts.

– Over 1.3 million outbound botnet-driven DDoS attacks were stopped.

– Security intelligence findings were shared with hosting providers and domain registrars, including nearly a thousand botnet Command and Control (C2) hosts.

– 230,000 Layer 7/HTTP(S) DDoS attacks were traced back and disrupted.

Effectiveness in Action: Botnets, Sandworm, and Volt Typhoon:

MadPot has proven its effectiveness in identifying and mitigating threats across various infrastructure types. It has successfully disrupted DDoS botnets, aided in identifying and mitigating the Sandworm threat group, and contributed to dismantling state-sponsored threat actor Volt Typhoon.

The relentless efforts of AWS’s MadPot system demonstrate its commitment to securing the cloud and making the internet a safer place for all.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Hijack Telegram Accounts via Default Voicemail Passwords

The Israeli Internet Association has issued a public warning about a surge in cyberattacks...

Gootloader Malware Spreads via Google Ads with Weaponized Documents

The notorious Gootloader malware has resurfaced with a new campaign that combines old tactics...

Google Introduces End-to-End Encryption for Gmail Business Users

Google has unveiled end-to-end encryption (E2EE) capabilities for Gmail enterprise users, simplifying encrypted email...

New Outlaw Linux Malware Using SSH brute-forcing To Maintain Botnet Activities for long Time

A persistent Linux malware known as "Outlaw" has been identified leveraging unsophisticated yet effective...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Hijack Telegram Accounts via Default Voicemail Passwords

The Israeli Internet Association has issued a public warning about a surge in cyberattacks...

Gootloader Malware Spreads via Google Ads with Weaponized Documents

The notorious Gootloader malware has resurfaced with a new campaign that combines old tactics...

Google Introduces End-to-End Encryption for Gmail Business Users

Google has unveiled end-to-end encryption (E2EE) capabilities for Gmail enterprise users, simplifying encrypted email...