By Phil Rodrigues, Head of Security, Asia-Pacific and Japan Commercial, Amazon Web Services (AWS)
As Generative AI and digital transformation initiatives continue among a hybrid workforce in the Asia-Pacific region, I am often asked by security professionals how threat intelligence is being gathered and used to help protect sensitive workloads in the cloud. They know that threat intelligence is critical to improving their security posture, but they seek a better understanding to help ensure this intelligence converts to actionable insights that lead to meaningful impact and real business value.
Using cloud scale to inform threat intelligence
Threat intelligence seeks to help successfully defend against cyberattacks that might otherwise be disruptive and costly. Every day across our cloud infrastructure, we detect and successfully thwart hundreds of confirmed cyberattacks with a global network of sensors and an associated set of disruption tools. The goal is to make it more difficult and expensive for cyberattacks to be carried out against our network and infrastructure. In doing so, we also help make the internet as a whole a safer place by working with other responsible providers to take action against threat actors operating within their infrastructure.
For example, some years ago, Amazon Web Services (AWS) created a collection of internal cybersecurity tools we call “MadPot,” which is made up of decoy sensors and disruption tools. These tools are today a key component of our threat intelligence strategy. MadPot decoy sensors mimic plausible workloads to attract potential threats, then learn their behaviour. This information is automatically ingested, correlated, and analysed to create actionable intelligence data about potentially harmful activity happening across the internet that we can see attempting to affect us. Using the intelligence data, we automatically neutralise the identified threats on our networks, swiftly generate automated outbound communications to providers whose infrastructure is being abused for malicious activities, and lastly, rapidly re-invest this knowledge through automated integration with our security services.
To give a sense of scale, here is how swiftly malicious actors work to exploit potential vulnerabilities and test a company’s infrastructure: within about 90 seconds of launching a new decoy, the sensor is “discovered” by probes scanning the internet. From there, it takes only three minutes on average before attempts are made to penetrate and exploit it. This is a very short amount of time, considering these workloads aren’t advertised or part of any system publicly associated with us. It demonstrates the eagerness and large volume of scanning taking place, and the high degree of automation that threat actors employ to find their next target.
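The two measurements described above (time from decoy launch to first probe, and to first exploit attempt) and the automated outbound notification step can be illustrated with a small defender-side analysis over decoy telemetry. This is an added example, not MadPot's own code or data format; the log lines, the event classes and the prefix-to-abuse-contact map are constructed stand-ins for what a real pipeline would get from sensor ingestion and a WHOIS/ASN lookup.

```python
from collections import defaultdict
from datetime import datetime

# Constructed decoy telemetry (hypothetical format): timestamp, source, event class, detail.
DECOY_LAUNCHED = datetime.fromisoformat("2024-03-01T10:00:00+00:00")
EVENTS = """\
2024-03-01T10:01:25+00:00 198.51.100.7 probe TCP SYN to port 22
2024-03-01T10:01:31+00:00 203.0.113.40 probe TCP SYN to port 80
2024-03-01T10:04:02+00:00 203.0.113.40 exploit_attempt HTTP POST /login with malformed body
2024-03-01T10:05:10+00:00 198.51.100.7 exploit_attempt SSH credential guessing
2024-03-01T10:06:00+00:00 192.0.2.9 probe TCP SYN to port 443
""".splitlines()

# Constructed mapping from source prefix to the provider's abuse contact.
# In practice this comes from WHOIS/ASN data; here it is an inline stand-in.
PROVIDERS = {
    "198.51.100.": "abuse@provider-a.example",
    "203.0.113.": "abuse@provider-b.example",
}


def parse(line):
    ts, src, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, kind, detail


def dwell_times(launched, lines):
    """Seconds from decoy launch to the first probe and to the first exploit attempt.

    Returns (seconds_to_first_probe, seconds_to_first_exploit); None if never seen.
    """
    first_seen = {}
    for ts, _, kind, _ in map(parse, lines):
        first_seen.setdefault(kind, (ts - launched).total_seconds())
    return first_seen.get("probe"), first_seen.get("exploit_attempt")


def abuse_notices(lines, providers):
    """Group exploit attempts by the provider responsible for the source address.

    Each group is the evidence bundle an automated outbound notification would carry.
    Sources that match no known provider are collected under "unknown" for manual review.
    """
    notices = defaultdict(list)
    for ts, src, kind, detail in map(parse, lines):
        if kind != "exploit_attempt":
            continue  # plain probes are recorded elsewhere; only abuse triggers a notice
        contact = next((c for prefix, c in providers.items() if src.startswith(prefix)), "unknown")
        notices[contact].append({"source": src, "seen": ts.isoformat(), "evidence": detail})
    return dict(notices)
```

With the constructed data the decoy is probed 85 seconds after launch and sees its first exploit attempt after 242 seconds, in line with the roughly 90-second and three-minute figures quoted above.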
Tackling Cyber Threats Globally
Here are two examples of how MadPot has helped protect organisations against malicious actors. In 2022, a MadPot decoy was mimicking a variety of services when a threat actor attempted to exploit what it thought was a vulnerability. This allowed MadPot to gather distinguishing information, which identified the threat group called Sandworm, and also the group’s attempt to compromise a customer. Using the intelligence, we alerted the customer, and the customer swiftly mitigated the vulnerability, preventing harm.
In another case in May this year, MadPot detected, downloaded, and analysed suspicious signals that identified a malware botnet conducting Distributed Denial of Service (DDoS) attacks to knock websites offline. Once identified, its network traffic was blocked on the AWS network to protect customers. MadPot also traced the command-and-control server and originating domain registrar, then used automation to send takedown notices to the affected companies without human intervention. Both the server hosts and the domain registrar were able to take down the abused systems within 72 hours. This eliminated the threat actors’ ability to distribute the DDoS malware and made it much more difficult for them to move their command-and-control infrastructure elsewhere.
Security is a Shared Responsibility
Turning global-scale threat intelligence into swift action is just one of the many steps that we take as part of our commitment to making security our top priority. As the digital economy grows, maintaining the security of the cloud and its infrastructure is foundational for innovative technologies such as edge computing and artificial intelligence.
It is imperative that organisations continue to embrace the shared responsibility model for security and work together with partners to better counter complex and mature cyberattacks. Threat intelligence is a cornerstone for businesses around the world to help protect intellectual property and enable new innovative solutions. When companies join together and share insights, it makes it more difficult for threat actors to succeed, and security as a whole improves.