By Splunk Threat Research Team May 10, 2018
Many cloud-enabled organizations leverage Amazon Web Services' (AWS) virtual private cloud (VPC), an on-demand managed cloud-computing service that isolates tenants' computing resources as an added layer of security. Amazon VPC provides clients with a private, non-routable subnet and a means to create IPSEC tunnels between the home network and the AWS VPC. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups.
Amazon VPC: Convenient for you, convenient for hackers
It all sounds perfectly ducky...until the moment you realize attackers could abuse your AWS infrastructure with insecure VPCs in their efforts to co-opt AWS resources for command-and-control nodes, data exfiltration, or a number of other nefarious ends. Once an EC2 instance is compromised, an attacker *could* initiate outbound network connections for malicious reasons.
A better way to keep tabs on your cloud traffic
Monitoring network traffic behaviors is crucial to understanding the types of traffic flowing in and out of your network and to alert you to suspicious activities. A new Analytic Story in the May 9 release of Enterprise Security Content Update, "Suspicious AWS Traffic," will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors that could be indicative of malicious activity within your VPC. At that point, you can determine whether to investigate further.
Other updates included in this week's ESCU release are new detection, contextual, and support searches for the previously released "AWS Network ACL Activity" Analytic Story, which can help you monitor your AWS network infrastructure for bad configurations and malicious activity.
Update the Enterprise Security Content Update app now on Splunkbase to ensure you always have the latest analytics!