Saturday, September 7, 2024
HomeAWSMadPot: AWS Honeypot to Disrupt Threat Actors

MadPot: AWS Honeypot to Disrupt Threat Actors

Published on

In the realm of cybersecurity, the battle against threat actors never stops. With its vast cloud infrastructure, Amazon Web Services (AWS) is at the forefront of this ongoing struggle. 

AWS employs a global network of sensors and advanced disruption tools daily to detect and thwart hundreds of cyberattacks. 

These relentless efforts remain largely unseen but play a pivotal role in safeguarding AWS’s network, infrastructure, and customers. 

- Advertisement - EHA

Beyond protecting its own ecosystem, AWS collaborates with responsible providers to combat threat actors operating within their infrastructure, contributing to a safer internet as a whole.

Global-Scale Threat Intelligence with AWS Cloud:

AWS boasts the largest public network footprint of any cloud provider, granting it unparalleled real-time insight into internet activities. 

Leveraging this scale, AWS Principal Security Engineer Nima Sharifi Mehr pioneered innovative approaches to gather threat intelligence. 

The result was MadPot, an internal suite of tools designed for two primary purposes: detecting and monitoring threats and disrupting harmful activities when possible. 

MadPot has evolved into a sophisticated system of monitoring sensors and automated response capabilities.

MadPot: Mimicking Real Systems at Scale:

MadPot, resembling honeypots, deceives threat actors by appearing as a vast array of plausible innocent targets. 

This approach attracts threat actors, whose behavior is then observed and acted upon. 

MadPot sensors monitor over 100 million potential threat interactions daily, with around 500,000 classified as malicious. 

This wealth of threat intelligence is analyzed to provide actionable insights about potential harmful activity across the internet. 

Automated responses protect AWS’s network from identified threats, and relevant information is shared with companies whose infrastructure is used for malicious activities.

Swift Action and Disruption:

Internet probes detect it within approximately 90 seconds of deploying a new MadPot sensor. In just three minutes on average, attempts to penetrate and exploit it occur. 

MadPot then analyzes telemetry, code, network connections, and other threat actor behavior data points. 

High-confidence findings trigger disruptive actions, such as disconnecting threat actors from AWS networks. 

Additionally, threat data is shared with customers through Amazon GuardDuty, allowing their own tooling and automation to respond effectively.

Collaborating with the Security Community:

AWS actively collaborates with the security community, sharing threat intelligence findings. In the first quarter of 2023 alone:

– 5.5 billion signals from internet threat sensors and 1.5 billion signals from active network probes were used in anti-botnet security efforts.

– Over 1.3 million outbound botnet-driven DDoS attacks were stopped.

– Security intelligence findings were shared with hosting providers and domain registrars, including nearly a thousand botnet Command and Control (C2) hosts.

– 230,000 Layer 7/HTTP(S) DDoS attacks were traced back and disrupted.

Effectiveness in Action: Botnets, Sandworm, and Volt Typhoon:

MadPot has proven its effectiveness in identifying and mitigating threats across various infrastructure types. It has successfully disrupted DDoS botnets, aided in identifying and mitigating the Sandworm threat group, and contributed to dismantling state-sponsored threat actor Volt Typhoon.

The relentless efforts of AWS’s MadPot system demonstrate its commitment to securing the cloud and making the internet a safer place for all.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...