The secret? A little-known project called MadPot. Launched in the late 2010s, the effort used AWS’s scale as a leading cloud services provider to lure would-be attackers into phony digital targets so that their methods could be studied and countered.
Since its rollout, the technology has become a key component in Amazon’s constantly evolving cybersecurity strategy and has paid significant dividends for companies, governments, and the internet.
Last May, for example, when a nation-state-sponsored hacking group called Volt Typhoon allegedly planted spyware across U.S. critical infrastructure, MadPot provided intelligence that enabled Amazon to learn more about the threat and how it might affect customers. Amazon was then able to alert affected customers and provide valuable intelligence to federal agencies investigating the perpetrators.
Similarly, Sandworm, a hacking group tied to Russia, attempted to exploit a vulnerability in what it thought was a security appliance but was actually a MadPot decoy. Using insights from MadPot, Amazon was able to capture the group’s IP addresses and other distinguishing signatures, discover that a customer was in the group’s crosshairs, and alert that customer to the threat in time to avert harm.
How MadPot works
MadPot does all of this by combining threat intelligence gathered from network sensors with threat disruption carried out through Amazon Web Services (AWS) network controls and cooperation with other internet operators.
The threat intelligence piece is supported by tens of thousands of threat sensors monitoring more than 100 million daily attempts to connect with the company’s digital decoys, generally known as “honeypots.” All the data gathered through those interactions feeds into Amazon’s broader understanding of the threat landscape and the way in which it fortifies its cloud infrastructure.
The threat disruption system taps a combination of data analytics methods and intelligence extraction techniques, such as network probes, to convert MadPot data into insights that its automation, and its IT security personnel when human judgment is required, can use to neutralize threats. Results sometimes also produce updates to security services such as Amazon GuardDuty, AWS Shield, and AWS Web Application Firewall (WAF), and inform exploit vulnerability intelligence in Amazon Inspector. MadPot also frequently sends automatic requests to internet hosting providers asking them to block or remove any of their customers found to be involved in malicious activity.
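As an added illustration of the sensor-to-disposition flow described above (this is not Amazon’s code; MadPot’s internals are not public), the snippet below aggregates constructed decoy events per source, separates mass scanning that automation can block from a targeted exploit attempt against a decoy appliance that goes to an analyst, and builds the indicator set a hosting provider would need in a takedown request. Field names, thresholds, and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample sensor events (not real MadPot data). Field names are
# assumptions: each event is one connection a decoy accepted and logged.
SENSOR_EVENTS = [
    {"src": "198.51.100.7", "sensor": "decoy-ssh-01", "port": 22, "kind": "scan"},
    {"src": "198.51.100.7", "sensor": "decoy-ssh-02", "port": 22, "kind": "scan"},
    {"src": "198.51.100.7", "sensor": "decoy-web-01", "port": 80, "kind": "scan"},
    {"src": "198.51.100.7", "sensor": "decoy-web-02", "port": 443, "kind": "scan"},
    {"src": "198.51.100.7", "sensor": "decoy-fw-01", "port": 8443, "kind": "scan"},
    {"src": "203.0.113.9", "sensor": "decoy-fw-01", "port": 8443, "kind": "exploit_attempt"},
    {"src": "192.0.2.44", "sensor": "decoy-web-01", "port": 80, "kind": "scan"},
]

def profile_sources(events):
    """Aggregate events per source address into a simple signature."""
    profiles = defaultdict(lambda: {"hits": 0, "sensors": set(), "ports": set(), "kinds": set()})
    for e in events:
        p = profiles[e["src"]]
        p["hits"] += 1
        p["sensors"].add(e["sensor"])
        p["ports"].add(e["port"])
        p["kinds"].add(e["kind"])
    return dict(profiles)

def triage(profile, min_hits=5, min_sensors=3):
    """Disposition for one source: automation handles obvious mass scanning
    across many decoys; a targeted exploit attempt against a decoy appliance
    is escalated for human judgment. Thresholds are assumed values."""
    if "exploit_attempt" in profile["kinds"]:
        return "human-review"
    if profile["hits"] >= min_hits and len(profile["sensors"]) >= min_sensors:
        return "auto-block"
    return "observe"

def abuse_report(src, profile):
    """Indicators a hosting provider would need in order to act on a report."""
    return {
        "source": src,
        "decoys_contacted": sorted(profile["sensors"]),
        "ports": sorted(profile["ports"]),
        "attempts": profile["hits"],
    }

def run(events):
    """Return {src: disposition} plus the reports for auto-blocked sources."""
    profiles = profile_sources(events)
    dispositions = {src: triage(p) for src, p in profiles.items()}
    reports = [abuse_report(s, profiles[s]) for s, d in dispositions.items() if d == "auto-block"]
    return dispositions, reports
```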
“We basically make the whole internet a safer place to operate by running this system,” said Mark Ryland, director for Amazon Security. “MadPot’s detection and disruption capabilities give us a powerful one-two punch to alert customers of potential threats and often stop cybercriminals in their tracks.”
Safeguarding the entire internet
MadPot was the brainchild of one individual at AWS, Principal Security Engineer Nima Sharifi Mehr. As the story goes, with global data breaches spinning out of control, he started looking for novel approaches to gathering intelligence to counter threats and began testing the digital decoy idea. Within just a few months, Amazon security researchers were successfully finding, studying, and stopping thousands of digital threats that might have affected its customers.
Today, MadPot is a pillar of Amazon’s cybersecurity strategy with teams across the company using it to protect customers and partners around the world while raising the bar for cybersecurity globally.
“It’s become the main source for gathering threat intelligence and malware samples across Amazon,” Sharifi Mehr said. “Deploying it across our huge global infrastructure enables us to push the limits of what’s possible to protect our systems and the hundreds of millions of customers who rely on us to help keep them secure.”