Automated Cloud Network Threat Detection and Response with Blue Hexagon and AWS
By Dr. Arun Raman, Head of Platform at Blue Hexagon
By James Wenzel, Sr. Partner Solutions Architect, Networking at AWS
Threat actors increasingly employ automation to breach defenses and act on their objectives. Indeed, malware-as-a-service is a prosperous business, with the micro-perimeter network very often being the first line of attack.
Securing customer workloads against these attacks has largely focused on identity and access management (IAM), log aggregation, and processing to uncover threats after the fact. However, it’s at the application-layer that advanced malware/non-malware threats increasingly look to compromise hybrid enterprise networks.
These threats directly attack web-facing workloads, they move laterally from on-premises networks to virtual private clouds (VPCs), and they attack supply chains built from open source libraries in machine-generated traffic, all in a matter of seconds.
To defend against such threats, security teams have been deploying signature-based intrusion detection systems (DS), antivirus tools, and sandboxes.
However, the slow and reactive nature of such tools makes them particularly ill-suited to the velocity of cloud workloads and threats posed to them. Detecting and responding to such threats requires real-time packet-level inspection and deep analysis capabilities.
The shared responsibility model for security at Amazon Web Services (AWS) secures the underlying infrastructure and relies on customers to secure their own workloads.
In this post, we will show you how to design an effective defense against the current threat landscape using a combination of native AWS capabilities and services with Blue Hexagon’s next-gen Network Detection and Response (NG-NDR) security tool powered by deep learning artificial intelligence (AI).
Blue Hexagon is an AWS Advanced Technology Partner with a real-time deep learning platform for network threat protection.
Using the AWS CloudFormation templates this post links to, you can deploy the entire stack in minutes, and manage it as code end-to-end, resulting in continuous and automated VPC network security that is scalable and reliable.
NDR-as-Code Solution Architecture
All architectural solutions described here are available as AWS CloudFormation templates that you can deploy in your AWS accounts.
The solution architecture consists of three distinct components, deployed and managed as code stored in a CloudFormation template.
Network Threat Detection
- Blue Hexagon NG-NDR for AWS to monitor network traffic and convict malicious content and activity in real-time. Includes AI-based zero-day classification and predictive explanations.
Network Traffic Visibility
- VPC Traffic Mirroring to get a high-fidelity copy of packets hitting network interfaces in the VPC.
- VPC Ingress Routing to route all ingress/egress traffic in your VPC subnets through a “choke point.”
Network Response and Remediation
- AWS Security Hub to ingest Blue Hexagon alerts and trigger incident response playbooks.
- AWS Lambda to implement response/remediation playbooks.
Blue Hexagon NG-NDR for AWS
Blue Hexagon NG-NDR applies deep learning-based inspection to VPC network traffic. It analyzes both headers and payloads looking for malware and non-malware based threats.
Figure 1 – Deep inspection and real-time deep learning analysis in Blue Hexagon NG-NDR.
For example, assume an attacker has discovered your Secure Shell (SSH) key in a public repository, runs a port scan to discover accessible instances of Amazon Elastic Compute Cloud (Amazon EC2), and tries to install Coinminer malware on them.
When this happens, Blue Hexagon detects, in real-time:
- The port scan (both horizontal and vertical scans).
- The malicious Coinminer payload transfer.
- Any command and control (C2) communications to attacker-controlled malicious domains.
Deep learning models running in the virtual appliance deliver verdicts in under a second, together with predicted attacker tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework.
Figure 2 – Dashboard showing threat detections across multiple vectors with sub-second verdict time for all network flows.
You can deploy Blue Hexagon NG-NDR for AWS as either a standalone Amazon EC2 virtual appliance or in high-availability mode.
Figure 3 − Blue Hexagon NG-NDR for AWS deployed in high-availability mode.
A high availability deployment of NG-NDR consists of:
- Network Load Balancer with cross-AWS Availability Zone load balancing for fault tolerance.
- Auto Scaling group for automatic scaling in response to the monitored traffic bandwidth.
- Amazon EC2 instances launched in the Auto Scaling group in multiple Availability Zones for performing deep learning-based threat detection.
Depending on how Blue Hexagon is deployed, the VPC traffic mirroring target is registered appropriately:
- Standalone mode: The elastic network interface of the EC2 instance is registered as the traffic mirroring target.
- High-availability mode: The Network Load Balancer is registered as the traffic mirroring target. Mirrored traffic is automatically distributed across the EC2 instances in the backing Auto Scaling group (see Figure 1).
To get started with Blue Hexagon NG-NDR, you can sign up for a free trial and get a license key to deploy Blue Hexagon in your environment.
Once you have your license key, deploy Blue Hexagon in standalone mode by launching the CloudFormation stack below. To deploy Blue Hexagon in high-availability mode, contact a Blue Hexagon representative to get the template.
Note that if you wish to trial and deploy Blue Hexagon at a later date, you can still follow the steps in the remainder of this post by selecting “no” to the question “Do You Have a Valid Blue Hexagon License Key?” in the CloudFormation stack.
Selecting “no” will launch an instance from an Amazon Linux AMI into which you can login as the ec2-user with the SSH key selected at stack deployment time. VPC Traffic Mirroring will mirror all traffic to the instance, which you can inspect using tcpdump or other tools.
- Specify the CloudFormation stack details to deploy Blue Hexagon NG-NDR for AWS.
- Acknowledge stack capabilities and deploy by clicking on Create Stack.
- Copy traffic mirror filter ID from the stack Outputs section for subsequent use.
Network Traffic Visibility
AWS provides powerful networking primitives such as VPC traffic mirroring and VPC ingress routing to get packet-level visibility into network traffic entering or leaving the subnets in a VPC.
You can leverage these AWS networking primitives using multiple architectural patterns. To illustrate, I’ll use two VPCs while discussing these patterns:
- Monitored VPC containing workloads in subnets to be monitored.
- Security VPC containing the security tool (Blue Hexagon) that does the actual network traffic monitoring.
Although you can deploy security tools in a subnet within the monitored VPC, it’s a best practice to deploy the security tool in an isolated VPC; preferably in a separate account altogether.
AWS provides primitives, such as VPC peering, to facilitate such isolation and copy mirrored traffic from the monitored VPC to the security VPC.
- Pattern one – mirror at the source.
- Pattern two – mirror at the chokepoints.
Note that the architectural patterns discussed below can be composed with the aforementioned AWS networking primitives to create more complex security monitoring architectures on a larger scale, possibly involving use of AWS Transit Gateway.
Pattern One − Mirror at the Source
Figure 4 shows a variety of workloads running in both public (reachable from the internet) and private subnets.
These workloads may be web applications deployed in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. They may also be Amazon EC2 instances running custom services and applications or just serving as Linux/Windows virtual desktops.
Figure 4 – Turn on VPC traffic mirroring for elastic network interfaces attached to instances in VPC and set Blue Hexagon as the traffic mirroring target.
To monitor network traffic hitting the elastic network interfaces attached to these workloads, you can create VPC traffic mirroring sessions in the AWS VPC console by specifying:
- Elastic network interfaces of the instance you would like to monitor.
- Destination of traffic mirroring (the Blue Hexagon traffic mirroring target).
- Traffic mirroring filter (for example, only port 80 / port 443 traffic). The default filter created by the Blue Hexagon CloudFormation template mirrors all traffic).
AWS provides a serverless application to automate setting up traffic mirroring based on VPCs, subnets, or tags as input. See the instructions to deploy the application.
When setting up VPC traffic mirroring, keep in mind that:
- Network traffic in managed services such as AWS Lambda cannot be mirrored using VPC traffic mirroring.
- VPC traffic mirroring is available on Nitro-based instances.
- Mirrored traffic counts towards instance bandwidth, with production traffic taking priority under traffic congestion.
More considerations are available in the AWS documentation.
Caught in the Wild
At the start of one of Blue Hexagon’s trials, the prospect turned on VPC traffic mirroring for EC2 instances in their private subnet and directed the traffic to Blue Hexagon.
Inspecting the TLS traffic patterns, Blue Hexagon detected the instance was pre-infected and was beaconing out to a C&C server in a foreign country, as shown in the Blue Hexagon threats view below.
Figure 5 – Blue Hexagon detected beaconing to remote C&C server over covert TLS channel.
Pattern Two − Mirror at the Choke Points
Your VPC network architecture may already have choke points, typical of conventional demilitarized zone (DMZ) networks often found on-premises.
You may also run workloads in managed services that cannot be mirrored directly via VPC traffic mirroring. In such cases, a natural solution is to mirror the elastic network interfaces of the choke point, which could be a next-gen firewall or a third-party gateway appliance.
Figure 6 − Turn on VPC traffic mirroring for elastic network interfaces attached to “choke point” gateways.
Through VPC ingress routing, all incoming and outgoing traffic to or from an internet gateway or virtual private gateway can be routed through the gateway appliance.
Figure 6 above shows how all traffic originating from or destined for your workloads in the subnets in the monitored VPC can be mirrored at a single point—the gateway—and sent to Blue Hexagon in the security VPC for real-time threat detection and response.
To create the monitored VPC shown, launch the CloudFormation stack below:
The monitored VPC has two subnets, corresponding route tables with VPC ingress routing through a vanilla Linux-based gateway EC2 instance, and VPC peering to the security VPC in which Blue Hexagon is deployed.
- Specify the CloudFormation stack details to deploy the security architecture shown in Figure 6, with a monitored VPC and a security VPC running Blue Hexagon.
- Click on the WebServerURL link to launch web application for trialing Blue Hexagon NG-NDR capabilities.
The CloudFormation template also brings up a file management web application with a public IP address running in the private subnet of the monitored VPC. Try uploading/downloading suspicious files to/from the web application, and see Blue Hexagon make verdicts on them instantly.
VPC traffic mirroring mirrors all web application traffic flowing through the gateway and sends it to Blue Hexagon for inspection. Figure 7 shows the web application with two suspicious files uploaded by an anonymous user.
Figure 7 – File management web application with two suspicious file uploads by anonymous user.
Blue Hexagon instantly convicts both files as ransomware and trojan respectively. In addition to the classification, Blue Hexagon provides concrete network Indicators of Compromise (IoCs) as well as AI-predicted IoCs that are mapped to MITRE ATT&CK TTPs. These can be found by clicking on any threat in the threats view shown below.
Figure 8 – Blue Hexagon instantly convicts payloads uploaded to web application as ransomware and trojan.
Caught in the Wild
Emotet is an infamous banking trojan that serves as a delivery vehicle for other malware. Hackers are constantly evolving Emotet to bypass traditional defenses, with new variants using PDFs containing links to weaponized Word documents.
The PDF itself appears benign to traditional defenses and avoids detection on delivery; once the message is past the firewall and in a user’s inbox, the malicious URL is more likely to be clicked.
Using ensembles of deep learning models, Blue Hexagon was able to convict every stage of the kill-chain in less than a second, preventing infection of the end-user asset.
Response and Remediation
Upon detecting a threat, Blue Hexagon instantly sends a finding to AWS Security Hub. Once configured for custom action, AWS Security Hub emits an Amazon CloudWatch event that triggers a Lambda function to automatically perform the custom remediation action on your behalf.
Figure 9 − Blue Hexagon sends the finding to AWS Security Hub, which triggers Lambda to automatically remediate infected workloads.
Such actions could include quarantining the infected EC2 instance, doing a memory dump, or snapshotting the Amazon Elastic Block Store (Amazon EBS) volume for digital forensics and investigation. They could also include cutting off the infected subnet to prevent lateral movement or restoring persistent data to pre-infection snapshots.
- Configure AWS Security Hub to accept findings from Blue Hexagon. All findings will be published in native ASFF format.
- Blue Hexagon publishes various types of findings to AWS Security Hub. You can configure automated playbook triggers to orchestrate response and remediation.
To activate Blue Hexagon response and remediation through AWS Security Hub in your AWS account, contact a Blue Hexagon representative.
VPC traffic mirroring and VPC ingress routing are powerful AWS networking primitives to monitor network traffic in your VPC at the packet-level. With Blue Hexagon NG-NDR for AWS, powered by real-time deep learning, you can detect threats in network headers and payloads in less than a second.
With AWS Security Hub integration, you can trigger a rich action space of remediation and response. This provides an end-to-end self-driving security architecture that lowers the burden on your SecOps teams, while still providing high-fidelity alerts to reinforce your security posture.
You can deploy the reference architectures described in this post in minutes as AWS CloudFormation stacks. They provide fully automated detection and response capabilities against advanced threats targeting your VPC.
Blue Hexagon – AWS Partner Spotlight
Blue Hexagon is an AWS Advanced Technology Partner with a real-time deep learning platform for network threat protection. With Blue Hexagon’s Network Detection and Response (NG-NDR) security tool for AWS, you can detect threats in network headers and payloads in less than a second.
*Already worked with Blue Hexagon? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.