AWS Honeypot Data: Visualizing The Threat of Cyberattacks
Industry sources define a cyberattack as an attempt to gain unauthorized access to computing assets in order to expose, alter, disable, destroy, steal, or make unauthorized use of them. A cyberattack is any offensive maneuver that targets computer information systems, infrastructure, computer networks, or personal computer devices, and it can be initiated by nation-states, individuals, hackers, groups, or organizations. In this study, we focused on attempted attacks on Amazon Web Services (AWS).
A very effective way of combating the impact of cyberattacks on computer infrastructure is to set up a honeypot. A honeypot is a computer or computer system intended to mimic likely targets of cyberattacks. It can be used to detect attacks or deflect them from a legitimate target, and to gain information about how cybercriminals operate. The principle behind a honeypot is simple: rather than only trying to stop attacks, prepare something that will attract them, the honeypot, and then wait for attackers to strike it instead of your servers. Cybercriminals are attracted to honeypots because they take each honeypot for a legitimate target worth their time: the bait includes applications and data that simulate real computer systems.
At AWS, how does a honeypot work? Amazon IT teams set up a honeypot system that, to outsiders, looks like the Amazon network. They monitor traffic to such systems, and they can see where the attacks are coming from, how they operate, and what they want. This helps determine which security measures are working and which ones may need improvement.
What Can We Learn From Data About Honeypot Cyberattacks?
We can identify the countries from which attacks originate. China, the U.S., Russia, Germany, and Vietnam make up the top five. (These metrics reflect the country in which the IP address of the attacking device was registered; this does not necessarily mean the attackers themselves operated from these countries.) We can also identify attack patterns and timing in terms of attack weeks, days, hours, and minutes.
Based on an open dataset from Kaggle containing records of cyberattack attempts, we had 451,581 attacks on AWS honeypots over a period of 6 months.
This report analyzes this data set in order to decipher and visualize cyberattacks in two dimensions: time and place. We identify abnormal cyberattack activity by time period (weeks/days/hours/minutes) and by the origin of the attack (country).
Using a Sisense dashboard, we visualized the cyberattacks that we analyzed.
Our data set included over 450K cyberattacks on the AWS honeypot over a period of 6 months. Most of the cyberattacks originated from China (191K attacks) and the U.S. (90K attacks). In an average week, there were 16,700 cyberattacks on AWS that were diverted to the honeypot.
Our study exposed two abnormal attack events at two points in time:
- Wednesday, July 24th, 7:47-7:55 a.m.
- Monday to Tuesday, August 26th to 27th, from 11:38 p.m. on Monday, August 26th until 12:36 a.m. on Tuesday, August 27th.
In this study we compare these two attacks, considering their time and duration, their intensity (number of attacks/attempts), and the country of origin of the attackers.
We found two interesting cyberattack patterns. The first attack, on Wednesday, July 24, lasted only a short time (9 minutes), but its intensity reached 1,908 attacks per minute for the first 4 minutes.
The second attack came from China, between Monday and Tuesday, August 26 and 27, from 11:38 p.m. on Monday until 12:36 a.m. on Tuesday. These attacks took place over a long time: almost 1 hour of a mid-intensity attack at 340 attacks per minute. The duration and intensity of the attacks imply that the attacker was an organization rather than an individual. Such long-running, mid-intensity patterns show the capabilities and involvement of the organizations behind these attacks.
In this dataset, most of the cyberattacks and attack attempts came from China and the U.S., followed by Japan, Iran, Taiwan, and the Netherlands.
Graph 2: Number of Cyberattacks per Week, March 3rd to September 7th (Weeks 10 to 36)
In an average week, there were 16.7K cyberattacks on the AWS honeypot. Our study exposed abnormal cyberattack volumes during two time periods: week 30, July 21 to July 27 (29.6K attacks), and week 35, August 25 to August 31 (34K attacks), twice the amount of an average week.
Pattern 1: Cyberattacks During Week 30 (July 21st – July 27th)
In week 30, almost half (46%) of the attacks occurred on Wednesday (July 24).
Most of the attacks on that Wednesday occurred between 7:00 and 8:00 a.m. (11,217 attacks).
Graph 3.1: Number of Cyberattacks in Week 30 (July 21st – July 27th) by Day of the Week
Graph 3.2: Number of Cyberattacks on July 24th, per Hour
Furthermore, most of the attacks between 7:00 and 8:00 a.m. struck within the 9 minutes between 7:47 and 7:55 a.m. The attacks mainly occurred in a 4-minute burst that included 7,632 cyberattacks/attempts (an average of 1,908 attacks per minute).
These attacks came from Iran.
Graph 3.3: Number of Cyberattacks on July 24th, between 7:40 and 7:58 a.m., per Minute
Graph 3.4: Cyberattacks by Country of Origin on Wednesday, July 24th, 7:00 to 8:00 a.m.
Pattern 2: Cyberattacks During Week 35 (August 25th – August 31st)
In week 35, most of the attacks occurred on Monday (33%) and Tuesday (34%).
Most of the attacks on Monday and Tuesday occurred from 11:38 p.m. (Monday) until 12:36 a.m. (Tuesday). These attacks came from China.
Graph 4.1: Number of Cyberattacks in Week 35 (August 25th – August 31st) by Day of the Week
Graph 4.2: Number of Cyberattacks on August 26th – 27th, per Hour
Graph 4.3: Number of Cyberattacks on August 26th – 27th, per Minute
Graph 4.4: Cyberattacks by Country of Origin, Monday, August 26th – Tuesday, August 27th, between 11:38 p.m. and 12:26 a.m.
Not all cyberattacks are created equal!
The analysis unveiled two very distinct patterns of cyberattacks: short and intense versus long and continuous.
The first attack originated from Iran, on Wednesday, July 24th. The attack was very intense and spanned 9 minutes within the 7:00 to 8:00 a.m. hour. The attack intensity was 1,908 attacks per minute (for the first 4 minutes).
The second attack originated in China, between Monday, August 26 at 11:38 p.m. and Tuesday, August 27 at 12:36 a.m. This second attack was longer and of mid intensity, spanning 1 hour at 340 attempts per minute.
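The two patterns above were read off the per-minute graphs by eye; the same detection can be automated. The following is an added example, not code from the original report: it buckets constructed honeypot events per minute, flags minutes at or above twice the baseline (the report's "twice an average" rule, applied with a median baseline), merges consecutive flagged minutes into windows, and attributes each window to its dominant source country. The event data and the year 2013 are assumptions, not values from the dataset.

```python
"""Added example, not from the original report: count honeypot events per minute,
flag minutes at or above twice the baseline, merge consecutive flagged minutes into
windows and attribute each window to its dominant source country."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def make_events():
    """Constructed sample (2013 is assumed so that July 24 is a Wednesday, as the
    report states): 3 background events/min for one day, a 4-minute burst of
    50/min from one country and a 59-minute window of 10/min from another."""
    events, countries = [], ["CN", "US", "RU", "DE", "VN"]
    day = datetime(2013, 7, 24)
    for i in range(24 * 60):
        ts = day + timedelta(minutes=i)
        events += [(ts, countries[(i + k) % 5]) for k in range(3)]
    for i in range(4):
        events += [(datetime(2013, 7, 24, 7, 47 + i), "IR")] * 50
    start = datetime(2013, 8, 26, 23, 38)
    for i in range(59):
        events += [(start + timedelta(minutes=i), "CN")] * 10
    return events

def minute_counts(events):
    """Events per calendar minute (the per-minute view of Graphs 3.3 and 4.3)."""
    return Counter(ts.replace(second=0, microsecond=0) for ts, _ in events)

def abnormal_windows(events, factor=2.0):
    """Return [(first_minute, last_minute, minutes, events_per_minute, country)]
    for each run of consecutive minutes at or above factor * baseline. The
    baseline is the median minute count, so the spikes do not inflate it."""
    counts = minute_counts(events)
    threshold = factor * median(counts.values())
    flagged = sorted(m for m, c in counts.items() if c >= threshold)
    runs, run = [], []
    for m in flagged:
        if run and m - run[-1] != timedelta(minutes=1):
            runs.append(run)
            run = []
        run.append(m)
    if run:
        runs.append(run)
    windows = []
    for run in runs:
        first, last = run[0], run[-1]
        inside = [c for ts, c in events if first <= ts <= last]
        country = Counter(inside).most_common(1)[0][0]
        windows.append((first, last, len(run), len(inside) / len(run), country))
    return windows
```

On the constructed sample, `abnormal_windows(make_events())` returns a 4-minute window at 53 events per minute attributed to IR and a 59-minute window ending at 00:36 at 10 events per minute attributed to CN, the short-intense versus long-continuous split the report describes.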
This data on the AWS honeypot attacks helps shed light on different attack patterns. When defending IT infrastructure from cyberattacks, the ability to identify the source and pattern of an attack helps organizations mitigate it and protect themselves.
Using a Sisense dashboard can help anyone dive into these attacks and learn how they develop.