AWS Pulls Back the Curtain on 'MadPot,' Its Internal Security Intelligence Tech

For over a decade now, Amazon has been trawling the Internet for botnets -- and neutralizing them -- using a complex system of honeypots and analysis tools under the umbrella project "MadPot."        

Last week, Amazon publicly shared some details about the previously little-known tooling, which has become a central piece of the company's cybersecurity efforts and regularly contributes to the improvement of Amazon Web Services (AWS) security products like GuardDuty, Shield and Web Application Firewall. 

MadPot was the brainchild of Nima Sharifi Mehr, an AWS principal security engineer, in the "late 2010s." Its aim was twofold, according to Amazon: "[F]irst, discover and monitor threat activities and second, disrupt harmful activities whenever possible to protect AWS customers and others."

To gather intelligence on security threats, MadPot first lures attackers to Amazon's expansive network of honeypots, whose sensors "observe more than 100 million potential threat interactions and probes every day around the world, with approximately 500,000 of those observed activities advancing to the point where they can be classified as malicious." 

When a malicious attack is identified, MadPot analyzes the bot's behavior and develops a profile of the attack that it can then use to protect users of its AWS cloud, update the aforementioned AWS security products, as well as share with other organizations so they can take their own protective measures. 

Any detected malware gets launched in a sandboxed environment, where MadPot gathers even more intelligence. It then "acts to disrupt threats whenever possible, such as disconnecting a threat actor's resources from the AWS network. Or, it could entail preparing that information to be shared with the wider community, such as a computer emergency response team (CERT), internet service provider (ISP), a domain registrar, or government agency so that they can help disrupt the identified threat."

So far this year, MadPot has helped Amazon identify and mitigate attacks from nation-state groups Volt Typhoon and Sandworm, as well as over 1 million distributed denial-of-service botnets.

Said MadPot creator Sharifi Mehr, the project is now "the main source for gathering threat intelligence and malware samples across Amazon."

More information about MadPot can be viewed in this YouTube video from this summer's AWS re:Inforce event.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.


Subscribe on YouTube