Dina Temple-Raston
From Recorded Future News and PRX, this is Click Here. It started with something subtle, a strange signal code that didn't belong. And it was buried in something Amazon calls a MadPot.
Steve Schmidt
MadPot is a honeypot network. A honeypot is a computer system that's been specifically built to attract adversaries by presenting the image that it's a vulnerable computer system.
Dina Temple-Raston
This is Steve Schmidt, he's the chief security officer at Amazon, and he says Amazon has planted literally thousands of these MadPots all over the web. How much of that is people coming into that honeypot? I mean, is it constant?
Steve Schmidt
It is absolutely constant. So to give you some relatively scary numbers, we operate, you know, order 10,000 of these things around the Internet. Right now it takes about 99.0 seconds for one of these honeypots to be probed by an adversary. From when it goes online, within three minutes, adversaries are trying to exploit it.
Dina Temple-Raston
Which is kind of wild when you think about it. The Internet is so huge, but adversaries can see a vulnerability in a network that fast and then come after it.
Steve Schmidt
Adversaries then probe for it, they find it, they interact with it, and they often deploy their tools to it in an effort to exploit the system.
Dina Temple-Raston
What they didn't know is that they were being probed back.
Steve Schmidt
It's a super important part of our overall intelligence apparatus because it allows us to identify what our adversaries are interested in, the tools they're using, the techniques that they use, and even down to the which one of our customers might they be going after?
Dina Temple-Raston
One of the most notorious Chinese hacking groups was lured in this way. Volt Typhoon, a group backed by the Chinese government. The Volt Typhoon malware enabled China to...
Steve Schmidt
...hide, among other things, pre-operational reconnaissance...
Dina Temple-Raston
...and network exploitation against critical infrastructure like our communications. And when the FBI announced that the group had been cracking into US infrastructure, most people thought that Microsoft had spotted it or that US cyber forces had discovered it. But in fact, one of the early indicators of Volt Typhoon's activities was an Amazon MadPot. From Recorded Future News and PRX, this is Click Here's Mic Drop. A longer listen to one of our favorite interviews of the week. I'm Dina Temple-Raston. We've all heard of firewalls and filters and intrusion detection. But what if I told you one of the most effective tools for spotting adversaries was bait? This week, how Amazon's digital decoy, something called a MadPot, helped uncover one of the most sophisticated Chinese cyber operations in recent memory.
Steve Schmidt
The fact that we can see them and they don't know that we can see them is thrilling. We want to keep on top of that.
Dina Temple-Raston
Stay with us. Click Here is brought to you by Progressive Insurance. Do you ever find yourself playing the budgeting game? Well, with the Name Your Price tool from Progressive, you can find options that fit your budget and potentially lower your bills. Try it at progressive.com. Progressive Casualty Insurance Company and affiliates. Price and coverage match limited by state law. Not available in all states. I'm Dina Temple-Raston, and this is Click Here's Mic Drop. We tend to think of cyber defense as something that keeps people out, like deadbolts and security cameras. But Steve Schmidt at Amazon thinks differently. He wants the door wide open. What's the difference between what you're doing and what endpoint detection is doing?
Steve Schmidt
So endpoint detection is about making sure that your laptop is safe. MadPot, on the other hand, is a computer system expressly designed to be exploited by an adversary. We want someone to break in.
Dina Temple-Raston
Think of it like a fake store window. The glass is loose, there's no alarm, and somewhere someone is watching to see exactly how you try to break in.
Steve Schmidt
It's the storefront where the front doors aren't locked, the alarm system isn't turned on, the security guard isn't present. Because we want to see what tools do they use to break in? Do they jimmy the lock on the front door? Do they use a crowbar when they walk in? What are they going after? What are they trying to steal? What time of day do they do it? Where did the tools that they're using to do this come from? Who supplied it to them?
Dina Temple-Raston
In the spring of 2023, Steve got an alert that Amazon had spotted a kind of digital red flag in one of his MadPots. Someone thought their honeypot was some company's vulnerable network and they were trying to break in.
Steve Schmidt
What I did get notified was, hey, we found what we consider to be a significant threat actor.
Dina Temple-Raston
The threat actor in this case was China's Volt Typhoon. And Steve was able to see not just what Volt Typhoon was doing at that specific moment, but was able to track them back to when they first came into MadPot.
Steve Schmidt
More importantly, we not only found them in current data, but we were able to go back several years because we store the MadPot data for many years. So we saw them several years before that in the data, which allowed them...
Dina Temple-Raston
...to kind of hit a rewind button and watch how Volt Typhoon had developed and to spot patterns that the group had been trying to hide.
Steve Schmidt
Volt Typhoon, like many actors, uses multiple sets of intermediate systems to try and hide where they're coming from. When they're attacking somebody, they'll use one set of systems. When they're doing their reconnaissance or their test, they'll use a different set of systems. We saw both because the signature of the tool was the same across both of them.
Dina Temple-Raston
It's kind of like catching someone based on the way they tie their shoes. So you find out that they fell for your MadPot or your honeypot, then what happens? If you can take me sort of step by step.
Steve Schmidt
So we go through a bunch of validation steps to make sure that we're correct with what our conclusions are. The second thing is we identify anybody who we think may be targeted by the adversaries. If we have a relationship with those people, we'll notify them directly that we believe they have a problem. And we then go to CISA or law enforcement in the US and share the data with them and say, could you please notify the industry at large?
Dina Temple-Raston
And then there's, I assume there's a sort of rollup process before it's made public so that people can protect themselves before the adversary knows that you're onto them. Is that right?
Steve Schmidt
Yes. Generally that's what we try and aim for. If the adversary is exploiting a vulnerability in a piece of software, we'll work with whomever the software developer is to get it patched and make the patch available before it's publicly known that there's a problem.
Dina Temple-Raston
These days, it's not just analysts tracking all of this. Software is doing it.
Steve Schmidt
That's the beauty of using AI to do this kind of analysis, is that you can have the tooling extract all the salient facts. It can extract the tools that the adversary is using. But more importantly, it can say, this tool is different than any of the other tools I've ever seen before. That's interesting. Let's kick it out to a human who can say, why? Why is it different? We don't necessarily know, but it's part of the equation.
Dina Temple-Raston
Now, if you're picturing a shiny robot saving the day, slow down. At this point, AI in cybersecurity is less Terminator and more overworked research assistant. It's fast, it's tireless, it flags anomalies and summarizes logs. But it doesn't replace people, not yet anyway. And are our adversaries using a lot of AI? Are you seeing it?
Steve Schmidt
Adversaries do use AI. They are not using AI yet in any large scale to do the actual attacking process. What they are doing, however, is they're using AI to make themselves much more skilled. So an example would be where you get an email, which is phishing, please click on this link because you haven't paid the bill kind of thing. A lot of those are readily identifiable by a normal human because of spelling errors, grammatical errors, poor formatting, things like that. What AI can help the adversary do, though, is create a much more believable object. So it's much more likely to get someone to click on it.
Dina Temple-Raston
So even in the age of AI, code isn't the biggest vulnerability.
Steve Schmidt
A lot of people look at my job and say, oh, computer security, you know, you gotta be worried about tools and techniques and all that kind of stuff. No, it's people.
Dina Temple-Raston
So even with AI, the weak link here is the carbon unit, the human.
Steve Schmidt
Yeah, absolutely.
Dina Temple-Raston
When we come back, how Amazon is using AI agents to duel in cyberspace, and why Steve Schmidt says the future of cyber defense isn't just in the cloud, it is the cloud. We'll be right back. Jan Marsalek was a model of German corporate success.
Steve Schmidt
It seemed so damn simple for him. Also, it turned out, a fraudster. Where does the money come from? That was something that I always was questioning myself. But what if I told you that...
Dina Temple-Raston
...was the least interesting thing about him?
Steve Schmidt
His secret office was less than 500 meters down the road. I often ask myself now, did I know the true Jan at all? Certain things in my life since then have gone terribly wrong. I don't know if they followed me to my home.
Dina Temple-Raston
It looks like the ingredients of a really grand spy story, because this ties together the Cold War with the new one. Listen to Hot Agent of Chaos, wherever you get your podcasts. Steve Schmidt and I were talking on the sidelines of one of Amazon's massive conferences in D.C., the kind with glossy booths, endless coffee, and the phrase artificial intelligence echoing through every panel like a mantra. So I asked the question that felt inevitable. Was Amazon using AI to fight back? And they do. In fact, they're using a roster of AI agents, or programs.
Steve Schmidt
We have a really fun set of agents inside my security org right now who are effectively dueling. There's one agent who is an adversary, and their job is to break into computer systems. Another agent's a defender that's identifying the adversary's behavior, building signatures that allow us to put into our detection systems the things that alarm on the presence of it and take the next step, which is patch, to prevent the problem from working in the first place.
Dina Temple-Raston
It's a bit like setting up a practice heist, so the alarm system learns what to watch for. And if a system spots a vulnerability, a kind of loose digital floorboard, I asked if those same agents could patch that before someone fell through.
Steve Schmidt
I think that we will be pretty darn close to an agent doing that for us, for non-production systems in the near future. So what non-production versus production means is a production system is the system that serves you www.amazon.com. If it goes down, big deal, big problem. A non-production system is the workstation that I use for my day-to-day work. If it goes down, it's annoying to me, but it's not the end of the world for the company. So I'm much more willing to take an automated action on a non-production system because the blast radius of a problem is much smaller. Whereas for a production system like something that supports the retail website, we've got to be exactly correct every time.
Dina Temple-Raston
Translation: if it's your office laptop, the agent might go ahead and plug the hole. But if it's Amazon's main site, with millions of users and billions of dollars flowing through it, they're not letting the robot hold the wrench. At least not yet. But the bigger question, especially in a world where digital infrastructure is becoming just infrastructure, is what happens when the attack isn't just hypothetical because it's already happened. You mentioned this. We spent a month in Ukraine last year. Are there lessons that you've taken from these conflicts that have made you look at things a little bit differently?
Steve Schmidt
So if you look at the Ukraine situation, particularly, it was about taking data which was physically present in an area that was under threat and moving it into a diffuse set of cloud storage locations that gave us availability and resiliency that they couldn't get any other way. That was true for Ukraine, but it also applies in any circumstance where a natural disaster, for example, might be at risk.
Dina Temple-Raston
In other words, if your servers are in a building that can be bombed, they're vulnerable. But if they're dispersed across cloud infrastructure, duplicated, encrypted, invisible to missiles, you've already won a battle most people don't even know they're in. And that wasn't lost on Ukraine. As Russian bombs fell, the country quietly shifted much of its digital infrastructure to the cloud. Government records, energy systems, emergency communications, all moved out of reach, at least physically, which seemed to limit the damage Russia had ended up doing to Ukraine's digital infrastructure. Something that surprised a lot of people. I asked him what he thought about the Russians' cyber warfare abilities compared to other countries. Do you feel like the Russians and the Chinese and the North Koreans and Iran are all kind of on the same scale, or how would you rate them?
Steve Schmidt
Now, it varies dramatically, but traditionally, the way we've looked at it has been that the Russians tend to be some of the most sophisticated individual actors out there. The Chinese are incredibly prolific. There are many, many different groups that are controlled by many components of the Chinese government infrastructure, including by provincial governments. They have different motivations, they have different risk tolerances, and they do different things. The Iranians, they go up and down in sophistication and motivation, and they are somebody who's really prevalent right now, and they're very aggressive. There are other nation states that are out there who have very competent and effective information operations organizations. Some of them are more allied to the U.S. or less allied to the U.S. and so we have to think about all of them depending on where we are around the world.
Dina Temple-Raston
Russia is precise, China is relentless, Iran is unpredictable, and North Korea kind of desperate. These aren't just cyber attacks. They're signals and strategies and sometimes even side hustles. And the line between amateur and adversary, it's thinner than you think. So we asked Schmidt: what would you tell people standing on the front lines of what comes next? If you could whisper one thing in the ear of the next generation of cybersecurity leaders, what would it be?
Steve Schmidt
Use AI to do your job more efficiently. It's not AI replacing humans. It's AI replacing the grunt work to make them more efficient, to make them more effective, and to transfer the knowledge from the really skilled individuals at the top of the pyramid to the frontline engineers at the bottom.
Dina Temple-Raston
It's not man versus machine anymore. It's man with machine. Because the tech will change and the threats will change. But the wild card is always us. From Recorded Future News, this has been Click Here's Mic Drop. It was written and produced by Megan Dietre, Sean Powers, Erica Gaeda, Zach Hirsch, Lucas Riley and me, Dina Temple-Raston. It was edited by Karen Duffin. We'll be back on Tuesday with an all new episode of Click Here. Have a great weekend.
Steve Schmidt
If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to the Record Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.
Episode: Mic Drop: Catching a Tempest in a Honeypot
Host: Dina Temple-Raston
Release Date: June 20, 2025
Produced by: Recorded Future News
In this episode, Dina Temple-Raston looks at Amazon's use of honeypots, specifically its MadPot network. These digital decoys are built to be attacked so that the adversaries' tools, techniques and targets can be observed.
Steve Schmidt, Amazon’s Chief Security Officer, explains the concept:
"A honeypot is a computer system that's been specifically built to attract adversaries by presenting the image that it's a vulnerable computer system."
(00:26)
Amazon has deployed approximately 10,000 MadPots across the internet, and they are probed constantly. Schmidt highlights the relentless nature of these probes:
"It takes about 99.0 seconds for one of these honeypots to be probed by an adversary."
(00:53)
Internet-wide scanning is fast enough that an exposed service is found, and exploitation attempts begin, within minutes of it going online.
A significant breakthrough attributed to Amazon's MADPOT network was the identification of Volt Typhoon, a notorious Chinese hacking group backed by the Chinese government. This group's activities include pre-operational reconnaissance and network exploitation targeting critical infrastructure.
Schmidt reveals:
"It's a super important part of our overall intelligence apparatus because it allows us to identify what our adversaries are interested in, the tools they're using, the techniques that they use, and even down to which one of our customers they might be going after."
(01:37)
The discovery was not just current but historical, allowing Amazon to trace Volt Typhoon's activities back several years:
"We were able to go back several years because we store the MadPot data for many years. So we saw them several years before that in the data."
(05:43)
This retrospective analysis exposed patterns the group had tried to hide. Volt Typhoon, like many actors, used one set of intermediate systems for reconnaissance and a different set for attacks; because the signature of the tool was the same across both, Amazon could tie the two sets together.
Unlike traditional cyber defenses that aim to block threats, MadPots are designed to attract and observe adversaries. Schmidt elaborates on this approach:
"We want someone to break in. It's the storefront where the front doors aren't locked, the alarm system isn't turned on, the security guard isn't present."
(04:29)
By creating an inviting target, Amazon can monitor the tools and methods employed by hackers, gaining a comprehensive understanding of emerging threats.
Upon detecting an adversary, Amazon follows a set process:
1. Validate the conclusions before acting on them.
2. Identify anyone who may be targeted by the adversary.
3. Notify those targets directly where Amazon has a relationship with them.
4. Share the data with CISA or US law enforcement so that the wider industry can be notified.
5. Where a software vulnerability is being exploited, work with the developer so a patch is available before the problem is public.
Schmidt emphasizes the importance of timely response:
"If the adversary is exploiting a vulnerability in a piece of software, we'll work with the software developer to get it patched before it's publicly known that there's a problem."
(07:14)
AI plays a crucial role in processing the volume of data MadPots generate. Schmidt describes its job as extracting the salient facts and flagging tooling that has not been seen before, so that a human can ask why it is different:
"It can extract the tools that the adversary is using. But more importantly, it can say, this tool is different than any of the other tools I've ever seen before. That's interesting. Let's kick it out to a human who can say, why? Why is it different?"
(07:35)
Temple-Raston frames the current state of AI in security as a research assistant rather than a replacement for people:
"It's fast, it's tireless, it flags anomalies and summarizes logs. But it doesn't replace people, not yet anyway."
(07:57)
Schmidt also addresses adversaries' use of AI: they are not yet using it at scale to carry out attacks, but they use it to produce more convincing phishing lures without the spelling, grammar and formatting errors that give traditional ones away.
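The two analysis steps described above, pivoting years of stored honeypot records by tool signature to link separate sets of source infrastructure (the retrospective Volt Typhoon work) and flagging tooling that has never appeared before so a human can look at it, can be shown concretely. The following is an added example, not Amazon's MadPot code and not something the episode describes in detail; the record format, the choice of user agent, request path and payload bytes as the fingerprint fields, and the log lines themselves are constructed for illustration.

```python
"""Pivot honeypot interaction records by tool fingerprint (added example)."""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records (JSON lines), not real MadPot data. Addresses come
# from the RFC 5737 documentation ranges. Records 1, 2 and 4 are the same tool
# seen from two different source networks two years apart; record 6 is a tool
# with no earlier history in the stored data.
SAMPLE_LOG = """
{"ts": "2021-03-04T02:11:09Z", "src_ip": "203.0.113.7", "sensor": "hp-us-east-17", "ua": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/91.0", "path": "/manager/html", "payload_hex": "757365723d61646d696e"}
{"ts": "2021-03-04T02:11:31Z", "src_ip": "203.0.113.7", "sensor": "hp-us-east-17", "ua": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/91.0", "path": "/manager/html", "payload_hex": "757365723d61646d696e"}
{"ts": "2022-08-12T11:05:57Z", "src_ip": "192.0.2.88", "sensor": "hp-ap-south-09", "ua": "python-requests/2.28.1", "path": "/login", "payload_hex": "7b7d"}
{"ts": "2023-05-19T23:40:01Z", "src_ip": "198.51.100.23", "sensor": "hp-eu-west-03", "ua": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/91.0", "path": "/manager/html", "payload_hex": "757365723d61646d696e"}
{"ts": "2023-05-20T00:02:44Z", "src_ip": "192.0.2.201", "sensor": "hp-ap-south-09", "ua": "python-requests/2.28.1", "path": "/login", "payload_hex": "7b7d"}
{"ts": "2023-05-20T00:03:00Z", "src_ip": "192.0.2.55", "sensor": "hp-us-east-17", "ua": "curl/8.1.2", "path": "/server-status", "payload_hex": ""}
"""


@dataclass(frozen=True)
class Interaction:
    ts: datetime
    src_ip: str
    sensor: str
    user_agent: str
    path: str
    payload: bytes


@dataclass
class ToolCluster:
    """Everything the stored data holds about one tool fingerprint."""
    src_ips: set = field(default_factory=set)
    sensors: set = field(default_factory=set)
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    count: int = 0


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text: str) -> list[Interaction]:
    """Parse JSON-lines honeypot output; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = json.loads(line)
        records.append(Interaction(
            ts=_parse_ts(d["ts"]), src_ip=d["src_ip"], sensor=d["sensor"],
            user_agent=d["ua"], path=d["path"], payload=bytes.fromhex(d["payload_hex"])))
    return records


def tool_fingerprint(rec: Interaction) -> str:
    """Fingerprint of the tooling, deliberately independent of the source address.
    Assumption: user agent, request path and payload bytes characterise the tool
    rather than the operator. Each field is length-prefixed so that field
    boundaries cannot be shifted to produce a colliding fingerprint."""
    h = hashlib.sha256()
    for part in (rec.user_agent.encode(), rec.path.encode(), rec.payload):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()[:16]


def pivot_by_fingerprint(records: list[Interaction]) -> dict[str, ToolCluster]:
    """Group every stored interaction by tool fingerprint, oldest first, so each
    cluster carries all source addresses and sensors that tool has touched."""
    clusters: dict[str, ToolCluster] = defaultdict(ToolCluster)
    for rec in sorted(records, key=lambda r: r.ts):
        c = clusters[tool_fingerprint(rec)]
        c.src_ips.add(rec.src_ip)
        c.sensors.add(rec.sensor)
        c.count += 1
        if c.first_seen is None:
            c.first_seen = rec.ts
        c.last_seen = rec.ts
    return dict(clusters)


def linked_infrastructure(clusters: dict[str, ToolCluster], fp: str) -> list[str]:
    """All source addresses tied together by one tool, e.g. recon and attack sets."""
    return sorted(clusters[fp].src_ips)


def retrospective_span_days(cluster: ToolCluster) -> int:
    """How far back in the retained data this tool appears."""
    return (cluster.last_seen - cluster.first_seen).days


def novel_fingerprints(clusters: dict[str, ToolCluster], cutoff_iso: str) -> set[str]:
    """Tools first seen at or after the cutoff with no earlier history: the
    'different than any tool I've seen before' cases handed to an analyst."""
    cutoff = _parse_ts(cutoff_iso)
    return {fp for fp, c in clusters.items() if c.first_seen >= cutoff}


if __name__ == "__main__":
    clusters = pivot_by_fingerprint(parse_records(SAMPLE_LOG))
    for fp, c in clusters.items():
        print(fp, sorted(c.src_ips), retrospective_span_days(c), "days", c.count, "hits")
    print("novel since 2023-05-01:", novel_fingerprints(clusters, "2023-05-01T00:00:00Z"))
```

Run against the sample, the Firefox/`/manager/html` tool links 203.0.113.7 (2021) with 198.51.100.23 (2023) across two sensors, a span of 806 days in the retained data, while the curl probe is the only fingerprint with no history before the 2023-05-01 cutoff. The fingerprint is the pivot key precisely because operators rotate source infrastructure far more often than they rotate tooling; in practice you would add more fields (TLS client hello, header order, timing) and keep the fingerprint function versioned so old stored data stays comparable.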
The discussion broadens to the varying capabilities and strategies of nation-state actors. Schmidt provides a nuanced perspective:
"The Russians tend to be some of the most sophisticated individual actors out there. The Chinese are incredibly prolific... The Iranians are very aggressive."
(14:37)
Schmidt adds that many distinct Chinese groups are run by different parts of the government, including provincial governments, each with its own motivations and risk tolerance, and that other states, some allied with the US and some not, also run capable information operations.
The episode examines how digital infrastructure resilience was bolstered during the Ukraine conflict by leveraging cloud technologies. Schmidt explains:
"It was about moving data into a diffuse set of cloud storage locations that gave us availability and resiliency they couldn't get any other way."
(13:14)
Temple-Raston notes that Ukraine moved government records, energy systems and emergency communications out of physical reach, which appeared to limit the damage Russia did to the country's digital infrastructure; Schmidt adds that the same approach applies wherever a natural disaster puts data at risk.
Concluding the episode, Schmidt offers advice for the next generation of cybersecurity professionals:
"Use AI to do your job more efficiently. It's not AI replacing humans. It's AI replacing the grunt work to make them more efficient, to make them more effective."
(15:57)
Temple-Raston closes on the same theme: the tech and the threats will change, but people remain the variable that decides the outcome:
"It's not man versus machine anymore. It's man with machine. Because the tech will change and the threats will change. But the wild card is always us."
(16:15)
This summary is based on the transcript from the "Click Here" podcast episode "Mic Drop: Catching a Tempest in a Honeypot." For more in-depth discussions and expert insights, listening to the full episode is highly recommended.