AWS introduces Mithra advanced threat intelligence neural network
Thursday, August 15, 2024
Freeman Lightner
AWS introduces Mithra, an advanced threat intelligence neural network, to enhance cybersecurity. Developed by CJ Moses and his team, Mithra uses AI to rank domain trustworthiness, detecting and predicting malicious activities. This proactive tool strengthens data protection and organizational security worldwide.
In a recent blog post from AWS, Amazon Chief Information Security Officer CJ Moses detailed the robust threat intelligence capabilities that safeguard AWS customers. Through tools like Mithra and MadPot, AWS collects and analyzes vast data, identifying and neutralizing threats with unparalleled accuracy and speed. AWS's proactive approach to sharing high-fidelity threat intelligence enhances the security of organizations worldwide.
Amazon Web Services (AWS) employs advanced threat intelligence to safeguard data, leveraging its global reach and sophisticated tools to identify and counteract cyber threats. This intelligence is critical for protecting AWS customers' sensitive information and ensuring the resilience of their operations.
AWS introduces Mithra: How AWS tracks and mitigates major security threats
AWS's infrastructure is designed to detect and neutralize cyberattacks swiftly. With the largest public network footprint of any cloud provider, AWS has unparalleled visibility into internet activities in real time. This extensive reach enables AWS to gather vast amounts of data, analyze it quickly, and eliminate false positives. For instance, an employee working late might be flagged as an insider threat, but this is quickly rectified with accurate data analysis. The use of artificial intelligence (AI) and machine learning (ML) assists analysts in sifting through large datasets, enhancing the accuracy of threat detection.
Mithra: The neural network behind AWS's threat detection
AWS's Mithra is a massive internal neural network graph model that ranks the trustworthiness of domains. This tool helps identify malicious domains based on various metrics, ensuring that AWS can protect its customers from emerging threats. Mithra processes up to 200 trillion DNS requests per day in a single AWS Region and detects an average of 182,000 new malicious domains daily. By assigning reputation scores to these domains, Mithra enables AWS to respond to threats more quickly and accurately than if it relied on third-party feeds.
MadPot: Global honeypot network
MadPot, AWS's globally distributed network of honeypot threat sensors, plays a crucial role in threat detection. These sensors observe over 100 million potential threats daily, with approximately 500,000 classified as malicious. This network provides real-time findings that feed into Amazon GuardDuty, AWS's intelligent threat detection service, which protects millions of AWS accounts.
Proactive threat intelligence sharing
AWS actively shares its threat intelligence with customers and other organizations. When AWS detects potential compromises or vulnerabilities, it notifies affected parties, enabling them to take preventive measures. This proactive approach helps organizations mitigate risks before incidents occur. For instance, AWS notifies organizations if their systems are potentially compromised or if they have misconfigured systems vulnerable to exploits.
Real-world examples of AWS threat intelligence
- Food Service Industry Threat: AWS's MadPot sensors detected suspicious network traffic indicating data exfiltration from a large multinational food service organization's IP space to Eastern Europe. Although the organization's security team believed they had resolved the issue, AWS's real-time logs showed ongoing threats, prompting immediate action to stop the data theft.
- Ivanti Connect Secure VPN Vulnerabilities: AWS enhanced MadPot sensors to detect attempts to exploit zero-day vulnerabilities in Ivanti Connect Secure VPNs. This led to the identification of multiple active exploitation campaigns, which AWS then integrated into the GuardDuty CVE feed to help customers detect and stop these activities.
- Russian Cyber Threats: During Russia's invasion of Ukraine, AWS identified infrastructure used by Russian threat groups for phishing campaigns against Ukrainian government services. AWS's intelligence findings were used to protect AWS customers and were shared with the Ukrainian government. Additionally, AWS helped thwart potential supply chain disruptions targeting Western businesses opposed to Russia's actions.
Commitment to ongoing security efforts
AWS's threat intelligence capabilities are continually evolving to meet the ever-changing landscape of cyber threats. The company's commitment to sharing high-fidelity threat intelligence has significantly enhanced the security of its customers and other organizations. AWS plans to expand on these efforts in future posts, discussing additional tools and methodologies such as Sonaris and mean time to defend.
By leveraging its global network, advanced AI and ML technologies, and proactive intelligence sharing, AWS remains at the forefront of cybersecurity, protecting its customers from the most sophisticated and persistent threats. This robust approach ensures that AWS can provide a secure environment for organizations worldwide, enabling them to focus on their core business operations without the constant worry of cyber threats.