Highlights:

  • Mark Ryland, Director of the Office of the CISO at AWS, says MadPot has grown into a sophisticated system of monitoring sensors and automated response capabilities.
  • MadPot helped uncover Volt Typhoon, an alleged state-sponsored threat actor believed to be of Chinese origin that was publicly disclosed in May 2023.

Amazon Web Services Inc. recently disclosed details of a previously undisclosed internal tool set called "MadPot" that the company uses to identify and thwart thousands of cyberattacks.

MadPot, which has its roots in the late 2010s, draws its intelligence from a large number of sensors placed throughout the AWS infrastructure. It continuously monitors and assesses potential threat interactions to protect the integrity of the AWS network and of its customers. The service was designed to do two things: identify and track threat activity, and, wherever possible, stop harmful activity in order to protect AWS customers and the wider internet.

Mark Ryland, Director of the Office of the CISO at AWS, says MadPot has grown into a sophisticated system of monitoring sensors and automated response capabilities. The sensors reportedly observe more than 100 million potential threat interactions and probes each day, of which about 500,000 progress far enough to be labeled as malicious.

MadPot ingests, correlates, and analyzes this threat intelligence data to produce actionable insight into potentially harmful online activity. The service also includes response capabilities that automatically defend the AWS network against threats and generate outbound notifications to other organizations whose infrastructure is being abused by criminals.
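The article describes the pipeline only at a high level: sensors record interactions, the interactions are correlated per source, a small fraction is labeled malicious, and the operators whose infrastructure is being abused are notified. The following is an added, deliberately small illustration of that shape, written for this page; it is not MadPot code and makes no claim about how AWS implements any step. Everything in it is assumed: the JSON-lines event format and its `kind` values, the labeling thresholds (`HOSTILE_KINDS`, `LOGIN_ATTEMPT_THRESHOLD`), and the `NETBLOCK_OWNERS` table that stands in for a real WHOIS or BGP lookup. The sample events are constructed and use RFC 5737 documentation address ranges.

```python
"""Toy honeypot-sensor correlator: parse events, profile each source,
label it, and group the malicious ones into per-operator abuse reports.
Added illustration for this article; not AWS or MadPot code."""
import ipaddress
import json
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (JSON lines); addresses are documentation ranges.
SAMPLE_EVENTS = """\
{"ts": "2023-09-20T10:00:01Z", "sensor": "sensor-a", "src": "203.0.113.10", "kind": "probe", "detail": "tcp/22"}
{"ts": "2023-09-20T10:00:02Z", "sensor": "sensor-a", "src": "203.0.113.10", "kind": "probe", "detail": "tcp/23"}
{"ts": "2023-09-20T10:00:05Z", "sensor": "sensor-b", "src": "203.0.113.10", "kind": "login_attempt", "detail": "ssh root:root"}
{"ts": "2023-09-20T10:00:06Z", "sensor": "sensor-b", "src": "203.0.113.10", "kind": "login_attempt", "detail": "ssh root:admin"}
{"ts": "2023-09-20T10:00:07Z", "sensor": "sensor-b", "src": "203.0.113.10", "kind": "login_attempt", "detail": "ssh admin:admin"}
{"ts": "2023-09-20T10:01:00Z", "sensor": "sensor-a", "src": "198.51.100.7", "kind": "probe", "detail": "tcp/443"}
{"ts": "2023-09-20T10:02:00Z", "sensor": "sensor-c", "src": "192.0.2.55", "kind": "probe", "detail": "tcp/8080"}
{"ts": "2023-09-20T10:02:01Z", "sensor": "sensor-c", "src": "192.0.2.55", "kind": "exploit_attempt", "detail": "http /cgi-bin command injection"}
{"ts": "2023-09-20T10:03:00Z", "sensor": "sensor-a", "src": "198.51.100.9", "kind": "probe", "detail": "tcp/445"}
{"ts": "2023-09-20T10:03:01Z", "sensor": "sensor-b", "src": "198.51.100.9", "kind": "probe", "detail": "tcp/445"}
{"ts": "2023-09-20T10:03:02Z", "sensor": "sensor-c", "src": "198.51.100.9", "kind": "probe", "detail": "tcp/445"}
"""

# Hypothetical netblock-to-operator table standing in for a WHOIS/BGP lookup.
NETBLOCK_OWNERS = {
    "203.0.113.0/24": "hosting-example-a",
    "198.51.100.0/24": "hosting-example-b",
    "192.0.2.0/24": "hosting-example-c",
}

# Assumed labeling rules: any of these kinds is hostile on its own; repeated
# logins past the threshold count as brute forcing. Plain scans do not qualify.
HOSTILE_KINDS = {"exploit_attempt", "malware_download"}
LOGIN_ATTEMPT_THRESHOLD = 3


@dataclass
class SourceProfile:
    src: str
    sensors: set = field(default_factory=set)
    kinds: Counter = field(default_factory=Counter)
    first_seen: str = ""
    last_seen: str = ""


def parse_events(text):
    """Parse JSON-lines sensor events, rejecting malformed records early."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if not {"ts", "sensor", "src", "kind"} <= ev.keys():
            raise ValueError(f"event missing required fields: {line}")
        ipaddress.ip_address(ev["src"])  # raises on a malformed address
        events.append(ev)
    return events


def correlate(events):
    """Fold events into one profile per source address, in time order."""
    profiles = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = profiles.setdefault(ev["src"], SourceProfile(ev["src"]))
        p.sensors.add(ev["sensor"])
        p.kinds[ev["kind"]] += 1
        p.first_seen = p.first_seen or ev["ts"]
        p.last_seen = ev["ts"]
    return profiles


def classify(p):
    """Label a profile; only 'malicious' triggers a notification."""
    if p.kinds.keys() & HOSTILE_KINDS:
        return "malicious"
    if p.kinds["login_attempt"] >= LOGIN_ATTEMPT_THRESHOLD:
        return "malicious"
    if len(p.sensors) >= 3:
        return "scanner"  # seen across many sensors, but probing only
    return "background"


def owner_of(ip, table=NETBLOCK_OWNERS):
    """Longest-prefix-free lookup is fine here: the table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in table.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None


def abuse_reports(profiles, table=NETBLOCK_OWNERS):
    """Group malicious sources by the operator responsible for their netblock."""
    reports = defaultdict(list)
    for p in profiles.values():
        if classify(p) != "malicious":
            continue
        reports[owner_of(p.src, table) or "unknown"].append({
            "src": p.src, "first_seen": p.first_seen, "last_seen": p.last_seen,
            "activity": dict(p.kinds), "sensors": sorted(p.sensors),
        })
    return dict(reports)


if __name__ == "__main__":
    profiles = correlate(parse_events(SAMPLE_EVENTS))
    for p in profiles.values():
        print(p.src, classify(p), dict(p.kinds))
    print(json.dumps(abuse_reports(profiles), indent=2))
```

The point of the example is the funnel: every interaction is recorded, but only a source that crosses an explicit behavioural line (an exploit attempt, or repeated credential guessing) is labeled and reported, which is the same distinction the article draws between the 100 million daily interactions and the roughly 500,000 that are labeled malicious. In a real deployment the thresholds would be tuned per protocol, the owner lookup would query WHOIS or routing data, and the report would go out through each operator's abuse contact rather than being printed.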

A tool is only as good as its results, and the results AWS reports for MadPot are substantial. Ryland says MadPot has been essential in locating and neutralizing a wide range of cyber threats.

In one case, MadPot discovered and analyzed a distributed denial-of-service botnet that used a particular domain for command and control. The company said it mapped out the threat, identified the IP addresses of the servers involved, and worked with the relevant hosting providers to neutralize it quickly. MadPot also detected activity by the Sandworm threat group, enabling prompt mitigation.

Another success for MadPot was its role in uncovering Volt Typhoon, a threat actor purportedly backed by the Chinese government that was publicly disclosed in May 2023. MadPot's investigation identified distinct signatures linked to the group's activity, supporting the US government's cybersecurity advisory efforts.

In the first quarter of this year, MadPot analyzed 5.5 billion signals from its internet threat sensors and a further 1.5 billion signals from AWS active network probes. It thwarted 1.3 million bot-driven distributed denial-of-service (DDoS) attacks in that period. MadPot's data also identified nearly 1,000 botnet command-and-control hosts, which AWS shared with the relevant hosting providers and domain registrars.