Inside AWS’s Secret Security Arsenal for Security and Cloud
As an advanced partner of AWS, TC2 leverages AWS’s cutting-edge security arsenal.
In today’s cloud-driven landscape, maintaining a security posture is more important than ever. AWS is at the forefront of cloud security innovation, deploying internal tools like Sonaris, Mithra, and MadPot to enhance threat detection and response capabilities. Sonaris integrates with various AWS services, such as AWS Shield, VPC, and S3, to provide real-time threat intelligence and defense. Mithra, an advanced neural network model, plays a role in assessing domain trustworthiness, processing trillions of DNS requests daily to predict and detect malicious domains before they surface on third-party feeds. Meanwhile, MadPot complements these tools by employing honeypot techniques to gather high-fidelity signals about potential threats. This post delves into how Sonaris, Mithra, and MadPot collaborate to strengthen AWS’s security infrastructure and enhance the security of services that AWS customers rely on.
Strengthening Cloud Data Security with AWS’s Internal Tools
Sonaris
Sonaris is an internal AWS security tool designed to integrate with and enhance the protection of various AWS services. Although AWS does not publicly disclose all details regarding Sonaris’s integration across its infrastructure, the following services are known to benefit from its capabilities:
AWS Shield: Sonaris improves AWS Shield’s ability to detect and mitigate DDoS attacks by providing real-time threat intelligence.
AWS WAF (Web Application Firewall): Sonaris’s threat detection capabilities are integrated with AWS WAF to enhance its protection of web applications against common exploits.
AWS Identity and Access Management (IAM): While not explicitly stated, Sonaris likely contributes to IAM’s ability to detect and prevent unauthorized access attempts.
AWS CloudTrail: Sonaris may integrate with CloudTrail to provide enhanced threat detection based on API activity logs.
Amazon GuardDuty: Although not directly built on Sonaris, GuardDuty likely benefits from the threat intelligence gathered by Sonaris to improve its threat detection capabilities.
It’s important to recognize that Sonaris operates at a foundational level within AWS’s infrastructure, so its benefits likely extend to numerous other AWS services indirectly by bolstering the overall security posture of the AWS environment. The precise extent of Sonaris’s integration across AWS services is not publicly detailed for security reasons.
Beyond its technical integrations, Sonaris may also help organizations align with compliance standards. For example, in industries such as healthcare and finance, where regulations like HIPAA or PCI DSS demand strict monitoring, the intelligence Sonaris provides can support AWS services like AWS Shield in reinforcing cloud data security. This allows businesses to better meet regulatory obligations while keeping sensitive workloads safe.
In practical scenarios, Sonaris could reduce noise in incident detection, meaning IT teams receive fewer false alarms and more accurate alerts. For example, an enterprise might benefit from faster remediation during a DDoS campaign, or a startup could see improved protection against unauthorized logins without adding more staff. This efficiency, combined with cloud managed services, creates an ecosystem where monitoring and defense work hand in hand.
MadPot
MadPot is another internal security tool developed by AWS, designed to complement and enhance AWS’s threat detection and prevention capabilities. MadPot serves as a honeypot system used to detect and analyse potential security threats targeting AWS infrastructure and services. It emulates various AWS services and customer accounts to attract and monitor malicious activities, allowing AWS to gather high-fidelity signals about potential threats. By simulating vulnerable targets, MadPot helps AWS gather valuable information about attacker techniques, tools, and patterns, improving AWS’s overall security posture.
Proactive Defense: Insights gained from MadPot allow AWS to proactively update and strengthen its security measures against emerging threats.
Scale: Like other AWS security tools, MadPot operates globally, helping to protect AWS’s infrastructure.
Continuous Learning: As a honeypot system, MadPot continuously learns about new attack vectors and evolving threat landscapes, enabling AWS to stay ahead of potential security risks.
Non-Public Tool: Like Sonaris, MadPot is an internal AWS tool and is not directly available to AWS customers as a service. Instead, its benefits are realized through enhanced security across AWS services.
MadPot illustrates AWS’s multi-layered approach to security, combining proactive threat intelligence gathering with defense mechanisms to protect its cloud infrastructure and customers. By employing tools like MadPot and Sonaris together, AWS aims to create a more comprehensive and adaptive security ecosystem.
Honeypot strategies such as those employed by MadPot have been used in cybersecurity research for decades, but AWS applies them at a global scale. This means attackers from anywhere in the world can be studied in real time, giving AWS broad visibility into evolving threats. For example, insights gathered through MadPot may later inform defenses in AWS Shield, strengthening protection for all customers.
Customers don’t interact with MadPot directly, but the benefits can still be seen. A retailer preparing for a holiday sales event, for instance, may experience stronger DDoS protection thanks to data MadPot has collected on attack patterns. Similarly, a financial institution could gain from more resilient defenses against sophisticated fraud attempts, because AWS analysts have already studied similar attacks in MadPot’s simulated environments.
Mithra
Mithra is a sophisticated internal neural network graph model developed by AWS to enhance its threat intelligence capabilities. Named after the mythological rising sun, Mithra is an integral part of AWS’s security infrastructure, ranking domain trustworthiness to safeguard customers from potential threats.
Scale and Structure: Mithra is a graph model comprising approximately 3.5 billion nodes and 48 billion edges, allowing it to process and analyse vast amounts of data related to domain reputation.
Functionality: Mithra’s primary function is to assign reputation scores to domain names queried within AWS, analysing up to 200 trillion DNS requests daily in a single AWS Region. On average, Mithra detects about 182,000 new malicious domains each day.
Threat Detection: Mithra identifies malicious domains with fewer false positives compared to traditional methods, capable of predicting malicious domains before they appear on third-party threat intelligence feeds.
Integration with AWS Services: Mithra’s high-confidence list of previously unknown malicious domain names is utilized in services like Amazon GuardDuty to enhance customer protection and reduce false positives in services relying on third-party threat feeds.
Security Investigations: AWS security analysts can leverage Mithra’s scores for additional context during security investigations.
Autonomous Operation: By developing Mithra, AWS has reduced its dependence on third-party sources for detecting emerging threats, enabling it to generate knowledge more swiftly and act on potential threats in real time.
Customer Benefits: While Mithra is an internal AWS tool, its advantages extend to AWS customers through improved security across various AWS services, aiding in blocking malicious domains and alerting customers to potential threats.
Continuous Evolution: Like other AWS security tools, Mithra is continually updated and refined to keep pace with evolving threat landscapes.
Mithra represents an advancement in AWS’s threat intelligence capabilities, leveraging machine learning and big data analytics to provide proactive security measures for its cloud infrastructure and customers. By identifying and scoring potentially malicious domains, Mithra plays an important role in AWS’s multi-layered approach to security.
One of Mithra’s strengths is its ability to recognize patterns that traditional systems often miss. For example, phishing domains often mimic brand names with small variations, which human users might spot but conventional filters could overlook. Mithra, processing trillions of DNS queries, can detect these subtle anomalies and categorize them accurately. This demonstrates how AWS applies advanced AI to strengthen security and cloud defenses.
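The brand-mimicking pattern described above can be illustrated with a small detector run over DNS query logs. The following Python is an added example and is not AWS or Mithra code (Mithra’s actual graph model is not public); it assumes a constructed list of protected brand labels, constructed log lines in an invented format, and a naive TLD split instead of the Public Suffix List. It flags a queried name when, after folding common homoglyphs, its registrable label equals a brand, contains the brand as a hyphenated token, or sits within one edit of it, while leaving the brand’s own domain and subdomains unflagged.

```python
"""Lookalike-domain detection over DNS query logs (added example, not AWS/Mithra code)."""
import re
from dataclasses import dataclass

# Assumption: brand labels an organisation wants protected. Constructed for this example.
PROTECTED_BRANDS = ("example", "acmebank")

# Constructed DNS query log lines; the line format is an assumption, not an AWS log format.
LOG_LINES = """\
2024-05-01T10:00:01Z 10.0.1.5 query A examp1e-login.com.
2024-05-01T10:00:02Z 10.0.1.7 query A example.com.
2024-05-01T10:00:03Z 10.0.1.9 query A exarnple.net.
2024-05-01T10:00:04Z 10.0.1.5 query A weather.example.org.
2024-05-01T10:00:05Z 10.0.1.8 query AAAA acmebamk.com.
2024-05-01T10:00:06Z 10.0.1.2 query A acrnebank-secure.net.
2024-05-01T10:00:07Z 10.0.1.3 query A unrelated-site.com.
"""

# Single-character look-alikes first, then multi-character ones
# ("rn" reads as "m", "vv" as "w", "cl" as "d" in many fonts).
SINGLE_CHAR = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))

QUERY_RE = re.compile(r"query\s+[A-Z]+\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    domain: str
    brand: str
    reason: str


def normalize(label: str) -> str:
    """Fold common homoglyphs so 'examp1e' and 'exarnple' both become 'example'."""
    s = label.lower()
    for src, dst in SINGLE_CHAR.items():
        s = s.replace(src, dst)
    for src, dst in MULTI_CHAR:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Second-to-last label of the name. Assumption: a plain TLD split; a real
    deployment would consult the Public Suffix List to handle co.uk and similar."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(fqdn: str, brands=PROTECTED_BRANDS, max_distance: int = 1):
    """Return a Finding if the queried name imitates a protected brand, else None."""
    label = registrable_label(fqdn)
    if label in brands:
        return None  # the brand's own registrable domain and its subdomains are trusted
    norm = normalize(label)
    tokens = norm.split("-")
    for brand in brands:
        if norm == brand:
            return Finding(fqdn, brand, "homoglyph-substitution")
        if brand in tokens:
            return Finding(fqdn, brand, "brand-plus-keyword")
        if levenshtein(norm, brand) <= max_distance:
            return Finding(fqdn, brand, "near-miss-spelling")
    return None


def scan_log(log_text: str, brands=PROTECTED_BRANDS):
    """Parse each log line, classify the queried name, and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line.strip())
        if m:
            finding = classify(m.group(1), brands)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f.domain:28} imitates {f.brand:10} ({f.reason})")
```

Of the seven constructed queries, four are flagged (the homoglyph, keyword and one-edit variants) and three pass (the brand’s own apex, one of its subdomains, and an unrelated name). A production version would score rather than binary-classify, weight by query volume and age of registration, and feed confirmed hits to a resolver block list or a GuardDuty threat list.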
The predictive capabilities of Mithra may also support organizations during critical business operations. For instance, a global enterprise running a product launch or a bank during reporting season could benefit from Mithra’s ability to block malicious domains before they disrupt systems. In this way, Mithra indirectly supports cloud optimization by helping businesses maintain both performance and protection at scale.
Building a Strong Foundation for Security and Cloud with AWS’s Internal Tools
AWS’s internal security tools, including Sonaris, Mithra, and MadPot, are foundational to the company’s ability to provide security for its customers. Sonaris enhances threat detection and response across services like GuardDuty, S3, and IAM. Mithra, with its capacity to analyse vast amounts of DNS data, enables AWS to predict and block malicious domains long before they are recognized by traditional threat feeds. MadPot, with its honeypot capabilities, gathers intelligence on emerging threats, feeding that information back into AWS’s security systems. Together, these tools strengthen AWS’s active defense strategy, ensuring customers benefit from enhanced security measures.
As an advanced partner of AWS, TC2 leverages AWS’s cutting-edge technology, and thus ensures its clients benefit from AWS’s industry-leading security capabilities, too. By collaborating with TC2, you may gain access to expertise in implementing these advanced solutions, safeguarding your cloud environments against evolving cyber threats.
For more information get in touch with us by filling out the webform below or writing to us at info@tc2.hu.