UPDATED 14:30 EDT / AUGUST 05 2024

AWS details internal Mithra threat intelligence system

Amazon Web Services Inc. today detailed Mithra, an internal system it uses to detect malicious website domains.

The cloud giant says that Mithra spots an average of 182,000 malicious domains per day. AWS uses the system to protect customers from malicious web traffic. In some cases, Mithra also helps the Amazon.com Inc. unit detect cyberattacks against organizations that don’t use its cloud. 

Hackers rely on malicious domains to power malware-laden websites, send phishing emails and carry out other types of cyberattacks. Identifying malicious domains in time allows an organization to block the web traffic associated with them and thereby stave off breach attempts. However, doing so consistently can be difficult because hackers regularly register new domains to avoid detection.

One of the sources from which Mithra obtains data about hacker activity is AWS’ MadPot honeypot network. A honeypot is a file that appears as a business document or an application, but is in reality a sensor designed to draw cyberattacks.

When hackers attempt to compromise a MadPot sensor with malware, it captures the malware and studies how it works. The information gleaned through this process helps AWS block similar cyberattacks that may target its customers in the future. 

The service also uses threat intelligence from other sources, notably the Amazon unit’s cloud platform, to catch malicious domains. AWS’ platform is powered by a network of data center clusters known as regions. The company detailed that one of its regions processes up to 200 trillion DNS requests, or requests to access domains, every day.

Mithra organizes the threat intelligence it collects in a graph. This is a data structure that can hold not only individual data points, such as malicious domains, but also connections between those data points. For example, a graph can link a malicious domain to the hacking group that uses it to launch cyberattacks.

“Imagine a graph so large (perhaps one of the largest in existence) that it’s impossible for a human to view and comprehend the entirety of its contents, let alone derive usable insights,” Amazon Chief Information Security Officer CJ Moses wrote in a blog post. “With its 3.5 billion nodes and 48 billion edges, Mithra’s reputation scoring system is tailored to identify malicious domains that customers come in contact with.”
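To illustrate how a graph of domains and their connections can feed a reputation score, here is an added example; it is not AWS code and does not describe Mithra's actual algorithm. It spreads suspicion from one known-bad seed domain across shared infrastructure, and the node names, link weights and threshold are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample edges (made-up names); the prefix is the node type.
EDGES = [
    ("domain:login-update.example", "actor:GROUP-A"),
    ("domain:login-update.example", "ip:203.0.113.10"),
    ("domain:invoice-portal.example", "ip:203.0.113.10"),
    ("domain:invoice-portal.example", "ns:ns1.bulk-dns.example"),
    ("domain:cdn-assets.example", "ns:ns1.bulk-dns.example"),
    ("domain:cdn-assets.example", "ip:198.51.100.7"),
    ("domain:shop.example", "ip:198.51.100.7"),
]
# Assumed ground truth: a domain a honeypot sensor saw serving malware.
SEEDS = {"domain:login-update.example": 1.0}
# Assumed link strengths: a shared IP says more than a shared name server.
LINK_WEIGHT = {"actor": 0.5, "ip": 0.5, "ns": 0.25}


def build_graph(edges):
    """Undirected adjacency map: node -> {neighbor: link weight}."""
    graph = defaultdict(dict)
    for domain, other in edges:
        weight = LINK_WEIGHT[other.split(":", 1)[0]]
        graph[domain][other] = weight
        graph[other][domain] = weight
    return graph


def propagate(graph, seeds):
    """Spread suspicion from the seeds; every hop is scaled by its link weight."""
    scores = {node: seeds.get(node, 0.0) for node in graph}
    # len(graph) synchronous rounds are enough to reach the farthest node.
    for _ in range(len(graph)):
        scores = {
            node: seeds[node] if node in seeds
            else max(w * scores[nbr] for nbr, w in links.items())
            for node, links in graph.items()
        }
    return scores


def flag_domains(scores, threshold=0.2):
    """Domains whose propagated score meets the threshold, highest first."""
    hits = [(n, s) for n, s in scores.items() if n.startswith("domain:") and s >= threshold]
    return sorted(hits, key=lambda item: -item[1])


print(flag_domains(propagate(build_graph(EDGES), SEEDS)))
```

The domain sharing an IP address with the seed is flagged, while domains reachable only through the shared name server fall well below the threshold, which is the behaviour a defender wants when infrastructure is shared by many unrelated tenants.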

AWS uses Mithra to power its Amazon GuardDuty threat detection service. The service analyzes data from Mithra and third-party sources to detect malicious activity in customers’ cloud environments.

The cloud giant also uses Mithra to detect cyberattacks against organizations that don’t use its cloud. “In certain circumstances when we receive signals that suggest a third-party (non-customer) organization may be compromised by a threat actor, we also notify them because doing so can help head off further exploitation, which promotes a safer internet at large,” Moses wrote. “Often, when we alert customers and others to these kinds of issues, it’s the first time they become aware that they are potentially compromised.”

In many cases, AWS not only alerts organizations that they’re being targeted by hackers but also shares remediation suggestions. The cloud giant might, for example, recommend that a company move a vulnerable workload behind a firewall to block inbound traffic.

“Sometimes, the customers and other organizations we notify contribute information that in turn helps us assist others,” Moses wrote. “After an investigation, if an affected organization provides us with related indicators of compromise (IOCs), this information can be used to improve our understanding of how a compromise occurred.”

Image: AWS
