AWS Marketplace

Enhance incident response with Amazon VPC Traffic Mirroring using ExtraHop

Introduction

Packet capture plays a vital role in forensic investigation, incident response, and threat hunting. By integrating with Amazon VPC Traffic Mirroring, ExtraHop Packet Basics (EPB) provides incident responders and forensic investigators with copies of network packets as soon as they are deployed in an AWS environment.

In this post, Daniel and I will show you how to use EPB to enable network traffic packet analysis with Amazon VPC Traffic Mirroring. 

Prerequisites

  • An AWS account
  • A VPC and subnet where EPB can be deployed
  • One or more Elastic Network Interfaces (ENIs) for VPC Traffic Mirror sources

Walkthrough: enhance incident response with Amazon VPC Traffic Mirroring using ExtraHop

Step 1: Subscribe to ExtraHop Packet Basics

  1. Sign in to your AWS Console and navigate to AWS Marketplace.
  2. Search for ExtraHop Packet Basics.
  3. Choose ExtraHop Packet Basics (Free) and review the product details.
  4. Choose Continue to Subscribe. On the Subscribe to this software page, the recommended EC2 instance type should already be selected (xlarge). Choose Accept Terms.

You are now subscribed to EPB (Free).

Step 2: Deploy ExtraHop Packet Basics

On the Subscribe to this software page, you can launch EPB from AWS Marketplace.

  1. To go to the Configure this software page, choose Continue to Configuration. Under Delivery Method, select CloudFormation Template. Select the latest Software Version, and select US East (N.Virginia) for the Region.
  2. To go to the Launch this software page, choose Continue to Launch. Under Choose Action, select Launch CloudFormation. Then choose Launch. The Amazon S3 URL should already be pre-populated as the Template source. Choose Next. On the Specify stack details page, type a name in the Stack name field to identify your instance in AWS.
  3. In the Network configuration section, configure the following fields:
    • VPCID: Select the VPC where the EPB will be deployed.
    • MgmtTrafficMirrorSubnetID: Select the subnet where the appliance ENI will be deployed. A single ENI acts as both management interface and traffic mirror target.
    • RemoteAccessCIDR: Type a CIDR IP range to restrict user access to the instance. We recommend that you configure a trusted IP address range.
    • PublicEIP: Specify whether the appliance ENI should have a public IP address. Select false if you do not want a public-facing IP address. Select true if you want EPB available to users through the public internet.
  1. (Optional) In the Mirror source configuration section, you can specify an ENI from your subnet as an initial traffic mirror source.
    • ENITrafficMirrorSource: Specify an ENI source that should be initially mirrored to the EPB instance.
    • ENITrafficMirrorSessionNumber: Specify a session number for the VPC Traffic Mirror session. The session number determines the order that traffic mirror sessions are evaluated. Use 1 for the highest priority. Choose Next.
  1. Add one or more tags in the Tags section and then choose Next. Review your configuration settings and then choose Create stack. Wait for the stack creation to complete, and then choose the Outputs
  2. From the Outputs tab, choose the PacketBasicsUserAccess value URL to go to the EPB login screen. Copy the PacketBasicsCredentials value. This is the password required to log in to the ExtraHop system as the setup user. Login to the EPB Portal, which is the ENI of your ExtraHop appliance in EC2. Be aware that the initial boot of EPB requires up to 10 minutes for the login screen to become available.
  3. (Optional) Change the default password after you log in for the first time. To change the default password, choose the System Settings icon image on the top right and then choose Administration. Choose Passwords to change the default password.

The instance of EPB has been deployed, and you have logged into the ExtraHop Portal. Now you must configure the VPC Traffic Mirroring session to view the packets from the mirror source into EPB.

Step 3: Configure VPC Traffic Mirroring session

You can configure the VPC Traffic Mirroring session to mirror an ENI’s packets to EPB. To do that, follow these steps:

  1. Open the Amazon VPC Console. On the left navigation panel under Traffic Mirroring, choose Mirror Sessions and then Create Traffic Mirror Session.
    • (Optional) For Name tag, enter a name for the traffic mirror session.
    • (Optional) For Description, enter a description for the traffic mirror session.
  1. For Mirror source, choose the network interface of the instance that you want to monitor.
  2. For Mirror target, from the dropdown list, choose [Stack Name].target.
  3. Under Additional settings, do the following. Note that traffic is only mirrored one time:
  4. For Session number, enter the session number. The session number determines the order that traffic mirror sessions are evaluated in both of the following situations:
    • When an interface is used by multiple sessions.
    • When an interface is used by different traffic mirror targets and traffic mirror filters.
  5. Use 1 for the highest priority.
  6. For Filter, from the dropdown list choose [Stack Name].filter. To finish creating Traffic mirror session, choose Create.

The Traffic Mirroring session has been created, and you are now able to investigate network packets from the EPB Portal.

How to use ExtraHop Packet Basics in an incident response workflow

You can use EPB to gather and analyze packet capture () in AWS environments, helping your Security Operation Center (SOC) team make decisions about the steps to take to stop a threat. SOC incident responders use network packets from an EPB instance to investigate abnormal activity.

The following diagram shows an example of how you can use EPB to view network packets to investigate abnormal activity.

  1. An incident responder identifies abnormal activity and submits an EC2 instance to investigate.
  2. The Amazon API Gateway interacts with an AWS Lambda.
  3. Given input, the Lambda triggers an action.
  4. The Lambda launches an EPB instance.
  5. The Lambda also enables Amazon VPC Traffic Mirroring.
  6. Amazon VPC Traffic Mirroring forwards copies of network packets to the EPB instance.
  7. The incident responder can now analyze packet data on the potentially compromised workload and take the next steps. Refer to the following diagram.

Using EPB to analyze traffic captured with AWS VPC Traffic Mirroring

Alternately, you can use an open XDR platform like to correlate different cloud threat intelligence data feeds to prioritize and categorize detections along with MITRE ATT&CK Framework (Access, Impact, Movement.).

The following diagram shows how you might use Hunters.ai XDR to detect, investigate, correlate and response to abnormal activity.

Using Hunters XDR to response to findings from EBP

  1. Findings from EPB are ingested into Hunters.ai XDR along with other telemetry sources such as , VPC Flow Logs, and endpoint protection logs.
  2. Ingested data goes through XDR detection engine for automatic investigations.
  3. Events and alerts get prioritized, resulting correlations of attack stories.
  4. Depending on the rules, a trigger can be sent to SOC analysts for manual remediation or to a AWS Lambda function for automatic response.
  5. A sample response for the Lambda is to cut off the offending EC2 from the VPC by changing the security group. Refer to the following diagram.

Conclusion

In this post, we showed how to enable ExtraHop Packet Basics to perform forensic investigations, incident response, and threat hunting. We showed how to subscribe and deploy EBP, create Amazon VPC Traffic Mirroring, and access EBP for instance access to network packets for incident response. We also showed an example flow of how an incident responder can use EPB in stand alone or in combination with Hunters.ai XDR to investigate an abnormal activity. To try this for yourself, subscribe to ExtraHop Packet Basics, available in AWS Marketplace.

About the authors

Nam Le Nam Le, Senior Partner Solutions Architect, AWS Marketplace

Nam Le focuses on security and governance with 20 years of experience in consulting, sales, and engineering. He specializes in AWS Control Tower, AWS Service Catalog, AWS Marketplace, and AWS Data Exchange. As an AWS Marketplace Solutions Architect, he also works with AWS partners to build and deliver best-practices solutions to customers. Outside of work, he enjoys biking, car building, travel photography, and spending time with family.

Daniel KimDaniel Kim, Senior Partner Management Solutions Architect

Daniel is a Solutions Architect at AWS, supporting APN Partners with the technical development of capabilities on the AWS platform. He has over 15 years of experience in application development and technical management and specializes in Serverless architecture to help customers modernize their applications as they move to AWS. Outside of work, he enjoys outdoor activities, including camping and hiking with his family.