Why understanding what's out there is important before you stand up…

The following diagrams show our evaluation of AWS infrastructure using public IP addresses assigned by Amazon.

For our purposes, we have intentionally made this machine accessible to the internet, deliberately forgoing security best practices and other recommendations, in order to gain an understanding of, a better data set on, and education about the threat actors present on this infrastructure. This is our way of evaluating infrastructure prior to deployment.

***We stress that AWS recommends utilizing best security practices and protocols when implementing technologies within their infrastructure (i.e. whitelists, blacklists, firewalls, etc. should be included in your architectural design).

Sensors are deployed on the Amazon EC2 infrastructure with assigned, live public IP addresses. The scope of this analysis is to identify the potentially malicious threat actors whose attention one implicitly accepts when using this infrastructure. This is why Amazon suggests utilizing strong security protocols and additional fortification as needed.

  • This is a snapshot taken over time which represents unique destination ports from potentially malicious threat actors.
  • Between May 3rd and 4th, on sensor 172.31.88.32, we saw a spike in port scanning activity.
  • This graphic represents the unique IP addresses of potentially malicious threat actors that we have seen over time, by source IP address. The blue line represents the number of unique addresses per day, followed by the dotted trend line.
  • The graphic illustrates that we are observing a smaller subset of attackers per day, i.e. less interest from the bots seen in the past.

The above graphic shows the correlation of unique connecting IP addresses and the unique destination ports of all of our sensors combined, per day. Notice that there is a drop in the uniqueness of the source IPs over time; however, there is a spike in the destination ports on May 4th. This is indicative of port scanning activity.

This is unique data we have observed. All five sensors are listed. We are observing the uniqueness of the data: the unique destination ports and the unique source IPs. If you follow the trend line over time, there is a slight increase in the distinctiveness of the data in April, and it flatlines in May. The number of destination ports increases in April and drops in May.
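The two daily metrics behind the graphics above (unique source IPs per day and unique destination ports per day) are simple to compute from sensor connection logs, and the "ports spike while sources do not" pattern can be flagged automatically. The script below is an added example, not code from the original post or from AWS: the log format, the second sensor address 172.31.88.33, the year in the dates, and all source addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed for the example. Only sensor 172.31.88.32 and the May 3rd/4th spike come from the post.

```python
"""
Added example (not from the original post): compute per-day unique source
IPs and unique destination ports from honeypot sensor logs, and flag days
whose destination-port count jumps well above the running baseline, which
is the signature the post reads as port scanning.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log, one connection per line:
#   "YYYY-MM-DD sensor_ip source_ip destination_port"
# Sensor 172.31.88.32 is from the post; 172.31.88.33, the year, and all
# source addresses are constructed (RFC 5737 documentation ranges).
BASELINE_LINES = [
    "2023-05-01 172.31.88.32 198.51.100.7 22",
    "2023-05-01 172.31.88.32 198.51.100.7 23",
    "2023-05-01 172.31.88.32 203.0.113.9 445",
    "2023-05-01 172.31.88.33 203.0.113.10 3389",
    "2023-05-02 172.31.88.32 198.51.100.7 22",
    "2023-05-02 172.31.88.32 203.0.113.11 445",
    "2023-05-02 172.31.88.33 203.0.113.9 3389",
    "2023-05-03 172.31.88.32 203.0.113.12 22",
    "2023-05-03 172.31.88.32 203.0.113.12 80",
    "2023-05-03 172.31.88.33 198.51.100.7 445",
    "2023-05-04 172.31.88.32 203.0.113.13 22",
    "2023-05-04 172.31.88.33 198.51.100.7 445",
]
# Constructed May 4th scan: one source sweeping ports 1-50 on one sensor.
SCAN_LINES = [f"2023-05-04 172.31.88.32 203.0.113.50 {port}" for port in range(1, 51)]
SAMPLE_LOG = BASELINE_LINES + SCAN_LINES


def parse_log(lines):
    """Turn log lines into (day, sensor, src_ip, dst_port) tuples; skip blanks/comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, sensor, src, port = line.split()
        records.append((day, sensor, src, int(port)))
    return records


def daily_uniques(records, sensor=None):
    """Per day: (distinct source IPs, distinct destination ports), optionally for one sensor."""
    srcs = defaultdict(set)
    ports = defaultdict(set)
    for day, sen, src, port in records:
        if sensor is not None and sen != sensor:
            continue
        srcs[day].add(src)
        ports[day].add(port)
    return {day: (len(srcs[day]), len(ports[day])) for day in sorted(srcs)}


def flag_port_scan_days(daily, factor=3.0, min_prior=2):
    """Flag days whose unique destination-port count is at least `factor` times the
    median of all earlier days. A jump in ports without a matching jump in source
    IPs is the pattern the post reads as port scanning; `min_prior` days of history
    are required before a day can be judged, so the first days are never flagged."""
    flagged = []
    history = []
    for day in sorted(daily):
        _src_ips, dst_ports = daily[day]
        if len(history) >= min_prior and dst_ports >= factor * median(history):
            flagged.append(day)
        history.append(dst_ports)
    return flagged


def top_port_sources(records, day, n=3):
    """Sources touching the most distinct ports on `day`, i.e. who drove a spike."""
    ports_by_src = defaultdict(set)
    for d, _sensor, src, port in records:
        if d == day:
            ports_by_src[src].add(port)
    ranked = sorted(ports_by_src.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(src, len(ports)) for src, ports in ranked[:n]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    daily = daily_uniques(recs)
    for day, (src_ips, dst_ports) in daily.items():
        print(f"{day}: {src_ips} unique sources, {dst_ports} unique destination ports")
    for day in flag_port_scan_days(daily):
        print(f"port-scan spike on {day}: top sources {top_port_sources(recs, day)}")
```

Running it prints a flat source-IP count across the four days while May 4th's destination-port count jumps from 3-4 to 51, and the single constructed source that touched 50 ports is reported as the driver. Passing `sensor="172.31.88.32"` to `daily_uniques` narrows the view to one sensor, which is how the post attributes the spike to a specific machine; tune `factor` against your own baseline before treating a flagged day as a scan.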

More to follow as our evaluation continues. However, we are identifying large groups of geographically dispersed threat actors performing continual automated attacks on a daily basis.

****We stress that AWS recommends utilizing best security practices and protocols when implementing your technologies within their infrastructure (i.e. whitelists, blacklists, firewalls, etc. should be included in your architectural design).