Amazon Web Services (AWS) has developed a neural network graph model to upgrade its ability to detect malicious domains within its infrastructure. This system, known as Mithra, utilizes a neural network containing 3.5 billion nodes and 48 billion edges, improving AWS’s threat proficiencies. Mithra employs algorithms to analyze data, providing AWS with a reputation scoring system designed to identify malicious domains. AWS Chief Information Security Officer (CISO) CJ Moses explained that the system processes up to 200 trillion DNS requests per day in a single AWS Region, identifying an average of 182,000 new malicious domains daily. With reputation scores to the domains queried within AWS, Mithra reduces their dependancy on third-party threat detection services, yielding faster and more accurate threat intelligence. The system can predict malicious domains up to 36 months before they appear on third-party threat intelligence feeds.
Integrating Mithra with AWS Security Services
Mithra’s function’s expand to AWS security services like GuardDuty, which uses the high-confidence list of previously unknown malicious domains generated by Mithra to protect AWS customers. This integration allows GuardDuty to block malicious domains and alert users to potential threats, improving security. Mithra’s reputation scores can also be used by third-party threat feeds to reduce false positives and provide AWS security analysts with additional context during security investigations. This strategy is aimed at protecting AWS and its customers from the newest threats. Alongside Mithra, AWS utilizes an internal threat intelligence decoy system called ‘MadPot’. Madpot was developed by AWS software engineer Nima Sharifi Mehr, as a network of monitoring sensors and automated response capabilities. The system traps malicious actors, monitors their movements, and generates protection data for AWS security products. MadPot has been productive in detecting and thwarting advanced persistent threats (APTs) from nation-state actors like Volt Typhoon and Sandworm. MadPot By analyzses millions of potential threats daily, providing AWS with high-fidelity threat intelligence that improves its security posture.
The Scale and Speed of AWS Threat Intelligence
AWS’s global infrastructure allows it to gather and analyze large volumes of raw data in real-time, boosting the effectiveness of its threat intelligence. With this level of insight into internet activities, AWS can identify and respond to cyberattacks in a timely manner, protecting its customers’ sensitive data. AWS’s threat intelligence program is designed to detect, analyze, and mitigate various types of malicious activities. By utilizing artificial intelligence (AI) and machine learning (ML), AWS processes data, reducing false positives and providing insights to security analysts. AWS uses its threat intelligence to protect its own infrastructure, also sharing important information with customers and other organizations. This approach helps organizations assess their risk, implement necessary mitigations, and prevent potential disruptions. For example, AWS notifies organizations if their systems are potentially compromised or if they are running misconfigured systems vulnerable to exploits. These notifications often include recommendations for actions such as reviewing security logs, blocking specific domains, implementing mitigations, and conducting forensic investigations. This reaches non-customer organizations too, promoting a safer internet by sharing threat intelligence that can prevent further exploitation.
Real-World Applications of AWS Threat Intelligence
AWS’s threat intelligence has been fundamental in several high-profile cases. MadPot sensors detected unusual network traffic indicating potential data exfiltration from a large multinational food service organization to Eastern Europe. AWS alerted the organization, helping them address and stop the threat. AWS also identified active exploitation campaigns targeting vulnerable Ivanti Connect Secure VPNs using information from MadPot sensors. This intelligence was integrated into GuardDuty, allowing customers to stop the exploitation. During the Russia-Ukraine conflict, AWS identified infrastructure used by Russian threat groups for phishing campaigns against Ukrainian government services. The findings were integrated into GuardDuty and shared with the Ukrainian government, helping to protect against cyber threats.
AWS continues to improve its threat intelligence capabilities, ensuring the security of its global infrastructure and the sensitive data of its customers.
Photo credits: gguy, AdobeStock.com
