Thursday, April 18, 2024

MadPot: AWS Honeypot to Disrupt Threat Actors

In the realm of cybersecurity, the battle against threat actors never stops. With its vast cloud infrastructure, Amazon Web Services (AWS) is at the forefront of this ongoing struggle. 

AWS employs a global network of sensors and advanced disruption tools daily to detect and thwart hundreds of cyberattacks. 

These relentless efforts remain largely unseen but play a pivotal role in safeguarding AWS’s network, infrastructure, and customers. 

Beyond protecting its own ecosystem, AWS collaborates with responsible providers to combat threat actors operating within their infrastructure, contributing to a safer internet as a whole.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Global-Scale Threat Intelligence with AWS Cloud:

AWS boasts the largest public network footprint of any cloud provider, granting it unparalleled real-time insight into internet activities. 

Leveraging this scale, AWS Principal Security Engineer Nima Sharifi Mehr pioneered innovative approaches to gather threat intelligence. 

The result was MadPot, an internal suite of tools designed for two primary purposes: detecting and monitoring threats and disrupting harmful activities when possible. 

MadPot has evolved into a sophisticated system of monitoring sensors and automated response capabilities.

MadPot: Mimicking Real Systems at Scale:

MadPot, resembling honeypots, deceives threat actors by appearing as a vast array of plausible innocent targets. 

This approach attracts threat actors, whose behavior is then observed and acted upon. 

MadPot sensors monitor over 100 million potential threat interactions daily, with around 500,000 classified as malicious. 

This wealth of threat intelligence is analyzed to provide actionable insights about potential harmful activity across the internet. 

Automated responses protect AWS’s network from identified threats, and relevant information is shared with companies whose infrastructure is used for malicious activities.

Swift Action and Disruption:

Internet probes detect it within approximately 90 seconds of deploying a new MadPot sensor. In just three minutes on average, attempts to penetrate and exploit it occur. 

MadPot then analyzes telemetry, code, network connections, and other threat actor behavior data points. 

High-confidence findings trigger disruptive actions, such as disconnecting threat actors from AWS networks. 

Additionally, threat data is shared with customers through Amazon GuardDuty, allowing their own tooling and automation to respond effectively.

Collaborating with the Security Community:

AWS actively collaborates with the security community, sharing threat intelligence findings. In the first quarter of 2023 alone:

– 5.5 billion signals from internet threat sensors and 1.5 billion signals from active network probes were used in anti-botnet security efforts.

– Over 1.3 million outbound botnet-driven DDoS attacks were stopped.

– Security intelligence findings were shared with hosting providers and domain registrars, including nearly a thousand botnet Command and Control (C2) hosts.

– 230,000 Layer 7/HTTP(S) DDoS attacks were traced back and disrupted.

Effectiveness in Action: Botnets, Sandworm, and Volt Typhoon:

MadPot has proven its effectiveness in identifying and mitigating threats across various infrastructure types. It has successfully disrupted DDoS botnets, aided in identifying and mitigating the Sandworm threat group, and contributed to dismantling state-sponsored threat actor Volt Typhoon.

The relentless efforts of AWS’s MadPot system demonstrate its commitment to securing the cloud and making the internet a safer place for all.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles