
Inside AWS’s Secret Security Arsenal: How Sonaris, Mithra, and MadPot Keep Hackers at Bay 

2025.01.23.
tc2

As an advanced partner of AWS, TC2 leverages AWS’s cutting-edge security arsenal.

In today’s cloud-driven landscape, maintaining a strong security posture is more important than ever. AWS is at the forefront of cloud security innovation, deploying internal tools like Sonaris, Mithra, and MadPot to enhance threat detection and response capabilities. Sonaris integrates with various AWS services, such as AWS Shield, VPC, and S3, to provide real-time threat intelligence and defense. Mithra, an advanced neural network model, assesses domain trustworthiness, processing trillions of DNS requests daily to predict and detect malicious domains before they surface on third-party feeds. Meanwhile, MadPot complements these tools by employing honeypot techniques to gather high-fidelity signals about potential threats. This post delves into how Sonaris, Mithra, and MadPot work together to strengthen AWS’s security infrastructure and enhance the security of the services that AWS customers rely on.

Sonaris 

Sonaris is an internal AWS security tool designed to integrate with and enhance the protection of various AWS services. Although AWS does not publicly disclose all details regarding Sonaris’s integration across its infrastructure, the following services are known to benefit from its capabilities: 

AWS Shield: Sonaris improves AWS Shield’s ability to detect and mitigate DDoS attacks by providing real-time threat intelligence. 

AWS WAF (Web Application Firewall): Sonaris’s threat detection capabilities are integrated with AWS WAF to enhance its protection of web applications against common exploits. 

AWS Identity and Access Management (IAM): While not explicitly stated, Sonaris likely contributes to IAM’s ability to detect and prevent unauthorized access attempts. 

AWS CloudTrail: Sonaris may integrate with CloudTrail to provide enhanced threat detection based on API activity logs. 

Amazon GuardDuty: Although not directly built on Sonaris, GuardDuty likely benefits from the threat intelligence gathered by Sonaris to improve its threat detection capabilities. 

It’s important to recognize that Sonaris operates at a foundational level within AWS’s infrastructure, so its benefits likely extend to numerous other AWS services indirectly by bolstering the overall security posture of the AWS environment. The precise extent of Sonaris’s integration across AWS services is not publicly detailed for security reasons. 

MadPot 

MadPot is another internal security tool developed by AWS, designed to complement and enhance AWS’s threat detection and prevention capabilities. MadPot is a honeypot system used to detect and analyze potential security threats targeting AWS infrastructure and services. It emulates various AWS services and customer accounts to attract and monitor malicious activity, allowing AWS to gather high-fidelity signals about potential threats. Because no legitimate user has any reason to interact with these decoys, nearly every interaction is a signal worth recording. By simulating vulnerable targets, MadPot helps AWS gather valuable information about attacker techniques, tools, and patterns, improving AWS’s overall security posture.

Proactive Defense: Insights gained from MadPot allow AWS to proactively update and strengthen its security measures against emerging threats. 

Scale: Like other AWS security tools, MadPot operates globally, helping to protect AWS’s infrastructure. 

Continuous Learning: As a honeypot system, MadPot continuously learns about new attack vectors and evolving threat landscapes, enabling AWS to stay ahead of potential security risks. 

Non-Public Tool: Like Sonaris, MadPot is an internal AWS tool and is not directly available to AWS customers as a service. Instead, its benefits are realized through enhanced security across AWS services. 

MadPot illustrates AWS’s multi-layered approach to security, combining proactive threat intelligence gathering with defense mechanisms to protect its cloud infrastructure and customers. By employing tools like MadPot and Sonaris together, AWS aims to create a more comprehensive and adaptive security ecosystem.   
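The value of a honeypot comes from what happens to the telemetry afterwards: interactions with a decoy that nobody legitimate should ever touch are turned into indicators with a confidence level that other detection systems can consume. The following is an added illustration of that pipeline, written for this post and not AWS or MadPot code; the log format, the decoy service names, the IP addresses and the confidence thresholds are all constructed for the example.

```python
"""Turning honeypot interaction logs into high-confidence indicators.

Added illustration, not AWS or MadPot code. A decoy service has no legitimate
users, so every interaction is a signal. This script parses constructed log
lines, aggregates activity per source, and emits indicators with a confidence
label that a detection pipeline (for example a threat-intel feed consumed by
a SIEM) could ingest.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (hypothetical format): timestamp source service action
SAMPLE_LOG = """\
2025-01-20T10:00:01Z 203.0.113.7 s3-decoy LIST /backup/
2025-01-20T10:00:02Z 203.0.113.7 s3-decoy GET /backup/archive.tar
2025-01-20T10:00:03Z 203.0.113.7 ssh-decoy LOGIN root
2025-01-20T10:05:00Z 198.51.100.4 http-decoy GET /
2025-01-20T10:05:01Z 203.0.113.7 http-decoy GET /admin
2025-01-20T10:07:00Z 198.51.100.4 http-decoy GET /robots.txt
"""


@dataclass
class Interaction:
    ts: str
    src: str
    service: str
    action: str


def parse_log(text: str) -> list[Interaction]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, src, service, action = parts
        events.append(Interaction(ts, src, service, action))
    return events


def build_indicators(events: list[Interaction],
                     high_distinct: int = 2,
                     high_count: int = 3) -> list[dict]:
    """Aggregate per source and assign a confidence label.

    Thresholds are assumptions for the example: a source that touches several
    distinct decoys, or hits one decoy repeatedly, is rated "high"; a single
    stray contact is rated "medium" so that scanners and mistakes do not
    automatically become blocklist entries.
    """
    by_src: dict[str, list[Interaction]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    indicators = []
    for src, evs in by_src.items():
        services = sorted({e.service for e in evs})
        hits = len(evs)
        confidence = "high" if (len(services) >= high_distinct or hits >= high_count) else "medium"
        indicators.append({
            "indicator": src,
            "type": "ipv4",
            "hits": hits,
            "decoys": services,
            "first_seen": min(e.ts for e in evs),
            "last_seen": max(e.ts for e in evs),
            "confidence": confidence,
        })
    # Most active sources first; ties broken deterministically by address.
    indicators.sort(key=lambda i: (-i["hits"], i["indicator"]))
    return indicators


if __name__ == "__main__":
    for ind in build_indicators(parse_log(SAMPLE_LOG)):
        print(ind)
```

The design choice worth noting is the confidence split: the honeypot gives a clean signal, but a single contact from one address is still weaker evidence than a source that probes several different decoys, and downstream consumers such as a firewall or a detection rule should be able to treat the two differently.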

Mithra 

Mithra is a sophisticated internal neural network graph model developed by AWS to enhance its threat intelligence capabilities. Named after the mythological rising sun, Mithra is an integral part of AWS’s security infrastructure, ranking the trustworthiness of domains to safeguard customers from potential threats.

Scale and Structure: Mithra is a graph model comprising approximately 3.5 billion nodes and 48 billion edges, allowing it to process and analyze vast amounts of data related to domain reputation.

Functionality: Mithra’s primary function is to assign reputation scores to domain names queried within AWS, analyzing up to 200 trillion DNS requests daily in a single AWS Region. On average, Mithra detects about 182,000 new malicious domains each day.

Threat Detection: Mithra identifies malicious domains with fewer false positives compared to traditional methods, capable of predicting malicious domains before they appear on third-party threat intelligence feeds. 

Integration with AWS Services: Mithra’s high-confidence list of previously unknown malicious domain names is utilized in services like Amazon GuardDuty to enhance customer protection and reduce false positives in services relying on third-party threat feeds. 

Security Investigations: AWS security analysts can leverage Mithra’s scores for additional context during security investigations. 

Autonomous Operation: By developing Mithra, AWS has reduced its dependence on third-party sources for detecting emerging threats, enabling it to generate knowledge more swiftly and act on potential threats in real time. 

Customer Benefits: While Mithra is an internal AWS tool, its advantages extend to AWS customers through improved security across various AWS services, aiding in blocking malicious domains and alerting customers to potential threats. 

Continuous Evolution: Like other AWS security tools, Mithra is continually updated and refined to keep pace with evolving threat landscapes. 

Mithra represents an advancement in AWS’s threat intelligence capabilities, leveraging machine learning and big data analytics to provide proactive security measures for its cloud infrastructure and customers. By identifying and scoring potentially malicious domains, Mithra plays an important role in AWS’s multi-layered approach to security. 
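The post describes Mithra as a graph of domains and their relationships in which known-bad and known-good domains inform the score of domains nobody has labelled yet. The following added example, written for this post and not Mithra’s or AWS’s algorithm, shows the simplest form of that idea: a small bipartite graph of domains and the infrastructure they share (resolved IP addresses and name servers), a handful of seed labels, and an iterative score propagation that yields a high-confidence list of previously unlabelled domains. The graph, the domain names, the seed labels and the 0.8 threshold are all constructed for the example.

```python
"""Graph-based domain reputation by score propagation.

Added illustration, not Mithra's or AWS's algorithm. Domains connect to the
infrastructure they use; scores flow along those edges so that an unlabelled
domain sharing all its infrastructure with known-bad domains drifts toward
"malicious", while one that also shares infrastructure with known-good
domains stays in the grey zone instead of becoming a false positive.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed edges (domain, infrastructure node). Names and addresses are
# documentation-reserved placeholders, not real observations.
EDGES = [
    ("bad-one.example", "ip:192.0.2.10"),
    ("bad-one.example", "ns:ns1.badhost.example"),
    ("bad-two.example", "ip:192.0.2.10"),
    ("bad-two.example", "ns:ns1.badhost.example"),
    ("unknown-a.example", "ip:192.0.2.10"),
    ("unknown-a.example", "ns:ns1.badhost.example"),
    ("unknown-b.example", "ip:192.0.2.10"),          # shared hosting with bad domains...
    ("unknown-b.example", "ns:ns1.goodhost.example"),  # ...but a reputable name server
    ("good-one.example", "ip:198.51.100.20"),
    ("good-one.example", "ns:ns1.goodhost.example"),
    ("unknown-c.example", "ip:198.51.100.20"),
    ("unknown-c.example", "ns:ns1.goodhost.example"),
]

# Seed labels: 1.0 = known malicious, 0.0 = known benign (constructed).
SEEDS = {"bad-one.example": 1.0, "bad-two.example": 1.0, "good-one.example": 0.0}


def propagate(edges: list[tuple[str, str]],
              seeds: dict[str, float],
              iterations: int = 20) -> dict[str, float]:
    """Return a maliciousness score in [0, 1] for every domain in the graph.

    Each round, an infrastructure node takes the mean score of the domains
    attached to it, then every unlabelled domain takes the mean score of its
    infrastructure. Seed domains keep their label. Unlabelled nodes start at
    a neutral 0.5.
    """
    adj: dict[str, set[str]] = defaultdict(set)
    for domain, infra in edges:
        adj[domain].add(infra)
        adj[infra].add(domain)
    domains = sorted({d for d, _ in edges})
    infra_nodes = sorted({i for _, i in edges})

    score = {n: 0.5 for n in domains + infra_nodes}
    score.update(seeds)
    for _ in range(iterations):
        for node in infra_nodes:  # reads only domain scores: order-independent
            score[node] = sum(score[d] for d in adj[node]) / len(adj[node])
        for d in domains:         # reads only infrastructure scores
            if d in seeds:
                continue
            score[d] = sum(score[i] for i in adj[d]) / len(adj[d])
    return {d: score[d] for d in domains}


def high_confidence(scores: dict[str, float],
                    seeds: dict[str, float],
                    threshold: float = 0.8) -> list[str]:
    """Previously unlabelled domains whose score clears the (assumed) threshold."""
    return sorted(d for d, s in scores.items() if d not in seeds and s >= threshold)


if __name__ == "__main__":
    result = propagate(EDGES, SEEDS)
    for domain, s in sorted(result.items()):
        print(f"{domain:20s} {s:.3f}")
    print("high-confidence malicious:", high_confidence(result, SEEDS))
```

Running it flags only unknown-a.example, which shares both its address and its name server with the seeded bad domains. unknown-b.example shares an IP address with them but also uses the reputable name server, so it ends up near 0.55 and is not reported; a naive rule such as "block every domain on 192.0.2.10" would have produced exactly the false positive the post says a graph model avoids. The numbers of nodes and edges in the real system are billions, but the reasoning per edge is the same.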

AWS’s internal security tools, including Sonaris, Mithra, and MadPot, are foundational to the company’s ability to provide security for its customers. Sonaris enhances threat detection and response across services like GuardDuty, S3, and IAM. Mithra, with its capacity to analyze vast amounts of DNS data, enables AWS to predict and block malicious domains long before they are recognized by traditional threat feeds. MadPot, with its honeypot capabilities, gathers intelligence on emerging threats, feeding that information back into AWS’s security systems. Together, these tools strengthen AWS’s active defense strategy, ensuring customers benefit from enhanced security measures. 

As an advanced partner of AWS, TC2 leverages AWS’s cutting-edge technology and thus ensures that its clients benefit from AWS’s industry-leading security capabilities, too. By collaborating with TC2, you gain access to expertise in implementing these advanced solutions, safeguarding your cloud environments against evolving cyber threats.

For more information get in touch with us by filling out the webform below or writing us at info@tc2.hu.