Let’s focus on the outbound and inbound spikes and see if we can determine what’s happening. This expands the VPC Flow Details, shown in Figure 3. To start the investigation, I choose the display details for scope time button, shown circled at the bottom of Figure 2. It’s most likely that these outbound spikes are related to the Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual finding I mentioned earlier. In this investigation, I’m very curious about the two large spikes in inbound traffic that I see in the Overall VPC flow volume panel, which seem to be visually associated with some unusual outbound traffic spikes. Check them out! Investigating VPC flow in Detective These info links are available throughout Detective.
#Vpc flow logs how to
If you choose the Info link next to the panel title, you can see helpful tips that describe how to use the visualizations and provide ideas for questions to ask within your investigation. Keeping this in mind as I scroll down, at the bottom of this profile page, I find the Overall VPC flow volume panel. While we might not investigate every instance of anomalous traffic, having these alerts correlated by Detective provides context for validating the issue.
GuardDuty builds a baseline on your network traffic and will generate findings where there is traffic outside the calculated normal. The finding I’m investigating is listed there, as well as an Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual finding. Detective displays related findings to provide analysts with additional evidence and context about potentially related issues. I begin scrolling down the page and notice the Findings associated with EC2 instance i-9999999999999999 panel. As I dive into this finding, I’m going to be asking questions that help assess whether the instance was in fact accessed unintentionally, such as, “What IP port or network service was in use at that time?,” “Were any large data transfers involved?,” “Was the traffic allowed by my security groups?” Profile pages in Detective organize content that helps security analysts investigate GuardDuty findings, examine unexpected network behavior, and identify other AWS resources that might be affected by a potential security issue. In this case, the profile page for this GuardDuty UnauthorizedAccess:EC2/TorClient finding provides contextual and behavioral data about the EC2 instance on which GuardDuty has noted the issue. In my GuardDuty console, I’m going to select the UnauthorizedAccess:EC2/TorClient finding shown in Figure 1, choose the Actions menu, and select Investigate. I’ll demonstrate how to use Amazon Detective to investigate an instance that was flagged by Amazon GuardDuty to determine whether it is compromised or not. GuardDuty documentation states that this alert can indicate unauthorized access to your AWS resources with the intent of hiding the unauthorized user’s true identity. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. In this blog post, I describe how to use the new VPC flow feature in Detective to investigate an UnauthorizedAccess:EC2/TorClient finding from Amazon GuardDuty. Detective doesn’t require VPC Flow Logs to be configured and doesn’t impact existing flow log collection. Detective automatically collects VPC flow logs from your monitored accounts, aggregates them by EC2 instance, and presents visual summaries and analytics about these network flows.
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Each record describes aspects of the traffic flow, such as where it originated and where it was sent to, what network ports were used, and how many bytes were sent.Īmazon Detective now enables you to interactively examine the details of the virtual private cloud (VPC) network flows of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Flow logs capture information about the IP traffic going to and from EC2 interfaces in a VPC. The information that VPC Flow Logs provide is frequently used by security analysts to determine the scope of security issues, to validate that network access rules are working as expected, and to help analysts investigate issues and diagnose network behaviors.
Having good telemetry is paramount, and VPC Flow Logs are a very important part of a robust centralized logging architecture. Traditionally, cost, the complexity of collection, and the time required for analysis has led to incomplete investigations of network flows. Many Amazon Web Services (AWS) customers need enhanced insight into IP network flow.
0 kommentar(er)
