How to use ExtraHop to enable network traffic packet analysis with Amazon VPC Traffic Mirroring

My customers often ask for techniques to implement network detection and response (NDR) protection to secure their applications and workloads in Amazon Virtual Private Clouds (VPCs).

NDR software captures and analyzes copies of the network packets flowing through your Amazon VPC. It establishes behavioral baselines for resources communicating with each other inside the perimeter of your VPC. If a threat makes it past your perimeter-focused tools, such as next-generation firewalls (NGFW) and intrusion detection systems (IDS), the NDR detects the baseline deviation. The NDR then alerts security teams, which can then investigate and respond to the threat.

With the introduction of Amazon VPC Traffic Mirroring at AWS re:Inforce in 2019, you can capture and inspect network traffic at scale. ExtraHop Reveal(x) natively integrates with Amazon VPC Traffic Mirroring to capture and analyze copies of network packets without the need to deploy agents or sensors. You can get access to copies of network packets from cloud workloads comprised of network load balancers (NLBs), Amazon EC2 instances, and virtual machines containing elastic network interfaces (ENIs).

In this post, I’ll show you how to use ExtraHop Reveal(x) to enable network traffic packet analysis with Amazon VPC Traffic Mirroring.

Prerequisites

• An AWS account
• Amazon VPC Traffic Mirroring
• Amazon CloudWatch
• AWS CloudTrail
• VPC Flow logs
• A Customer Portal Account with ExtraHop

Enabling network traffic packet analysis with Amazon VPC Traffic Mirroring and ExtraHop

Step 1: Subscribing to ExtraHop Reveal(x) EDA (BYOL)

1. Log into your AWS Console. Navigate to AWS Marketplace Subscriptions.
2. Expand the left column and go to Discover Products. Search for Reveal(x) EDA.
3. Select the ExtraHop Discovery Appliance based on your requirements.

Whenever possible, locate the Discover appliance within the same cluster placement group as the devices that are forwarding traffic. This best practice optimizes the quality of the feed that the Discover appliance receives. For this walkthrough, I choose Reveal(x) 1100v (BYOL).

4. Choose Continue to Subscribe. Select your Delivery Method: Amazon Machine Image, select Software Version: latest, and select Region: US East (N.Virginia). Select EC2 instance type: xlarge (you should choose Vendor Recommended EC2 instance type). Then Choose Continue to Subscribe.
5. On the Subscribe to this software page, Choose Accept Terms.

You are now subscribed to Reveal(x) 1100v (BYOL).

Step 2: Deploying Reveal(x) EDA BYOL

On the Subscribe to this software page, you can launch Reveal(x) 1100v (BYOL) from AWS Marketplace.

1. Choose Continue to Configuration. It will take you to the Configure this software page. Verify Delivery Method, Software Version, and Region as selected from Step 1 earlier. Select Continue to Launch. It will take you to the Launch this software page.
2. On the Launch this software page, select Choose Action: Launch from Website and then for EC2 Instance Type: c5.xlarge, for VPC Settings: the VPC you want to deploy to, and for Subnet Settings: the subnet you want to deploy to.
3. Under the Security Group Settings section, choose Create new based on seller settings. Enter a name and description for your Security Group and then choose Save.
4. In the Key Pair Settings section, choose the EC2 key pair.
5. Choose Launch. Your EDA has now been created. It will also take you to a page that says Congratulations! An instance of this software is successfully deployed on EC2!
6. On that page, choose EC2 Console. Alternately, you can log in to the Amazon EC2 service console. In the left sidebar, choose Instances Select the checkbox next to the ExtraHop instance you just created. In the bottom pane, locate the Elastic (public) IPv4 (ENI) and Instance ID addresses. Copy the ENI address and the Instance ID.

Step 3: Creating a traffic mirroring session

You can create an elastic network interface (ENI) in your Amazon VPC to capture inbound and outbound packets as they enter their EC2 instance. This is the mirroring source. To do this, follow these steps:

1. Open the Amazon VPC console.
2. In the Region selector, choose the AWS Region that you used when you created the VPCs.
3. In the navigation pane, choose Traffic Mirroring, Mirror Sessions.
4. Choose Create traffic mirror session.
   • (Optional) For Name tag, enter a name for the traffic mirror session.
   • (Optional) For Description, enter a description for the traffic mirror session.
5. For Mirror source, choose the network interface of the instance that you want to monitor. For Mirror target, choose the traffic mirror target.
6. Under Additional settings, do the following. Note that traffic is only mirrored one time:
   • For Session number, enter the session number. The session number determines the order that traffic mirror sessions are evaluated in both of the following situations:
     • When an interface is used by multiple sessions.
     • When an interface is used by different traffic mirror targets and traffic mirror filters.

• • Use 1 for the highest priority.

7. Choose Create.

Step 4: Register your ExtraHop Discover Appliance with ExtraHop

Request a new product key by logging into your ExtraHop Customer Portal and submitting a support case. Once that has been received, proceed to step 1.

1. In your browser, enter the URL (ENI from step 2.6) of the ExtraHop Admin, https://ENI/admin.
2. Review the license agreement, select I Agree, and then choose Submit.
3. On the login screen, under username, enter setup.
4. For the password, enter the instance ID. The instance ID is the string of characters that follow i- but not i- itself. For example, my Instance from EC2 console is i-0f3c83d56380XXXXX, then my password is 0f3c83d56380XXXXX.
5. Choose Log In.
6. In the Appliance Settings section, choose License. Choose Manage License. Choose Register and enter your product key you requested prior to step 4.1.

The traffic mirroring session sends copies of the traffic from the mirror source into the ExtraHop Reveal(x) EDA that is sent to ExtraHop Reveal(x) 360 SaaS. This is where ExtraHop Reveal(x) 360 processes the data to decode enterprise protocols and decrypt Secure Socket Layer (SSL)/Transport Layer Security (TLS) 1.3 traffic at line rate. ExtraHop Reveal(x) 360 then analyzes that SSL/TLS data with cloud-scale machine learning to detect and surface illicit behaviors. The ExtraHop Supported AWS Integration allows for correlation of information ingested from Amazon CloudWatch, AWS CloudTrail, and VPC Flow Logs integrations.

Step 5: Finding detections in the ExtraHop system

When anomalous behavior is identified, the ExtraHop system generates a detection and displays the available data and investigative options in the Detections page. To navigate to the Detections page, you must log on to the ExtraHop admin console from Step 4. Then do the following:

1. From the top menu of the console, select Detections.
2. To analyze detections, from the top left of the page, select the timeline. Detection cards appear in sortable list in the left side of the console. These can be further grouped and filtered by multiple criteria on the main Detections page.
3. Select one of the detection cards.
4. Each detection card identifies the cause of the detection, the detection category, when the detection occurred, and the victim and other participants. Security detections include a risk score.
5. In the detail page of each detection card are various sections for the detection. These sections vary depending on the type of the detection. Sections include:
   • Related detections
   • Activity map
   • Compare behaviors
   • Investigative data and links
   • Detection details

ExtraHop controls identity and access management for Reveal(x) 360 based on your AWS security policies, ensuring only authorized users can log in to the user interface.

With NDR, you can ensure network traffic packets in the cloud can be used to deliver event-driven security through packet acquisition from VPC mirroring, ExtraHop Discovery Appliance, and ExtraHop Detections.

Conclusion

In this post, I showed how to enable traffic packet analysis using Amazon VPC Traffic Mirroring and ExtraHop Reveal(x) EDA. I showed how to subscribe to and deploy ExtraHop, create a traffic mirroring session, register your ExtraHop appliance, and to find detections that indicate possible security risks. I also showed how to secure applications and workloads by implementing network detection and response protection to alert security teams to investigate and respond to the threat. To try this for yourself, subscribe to ExtraHop Reveal(x) EDA, available in AWS Marketplace.

About the authors

Nam Le, Senior Partner Solutions Architect, AWS Marketplace

Nam Le focuses on security and governance with close to 20 years of experience in consulting, sales and engineering. He specializes in AWS Control Tower, AWS Service Catalog, AWS Marketplace, and AWS Data Exchange. As an AWS Marketplace Solutions Architect, he also works with AWS partners to build and deliver best-practices solutions to customers. Outside of work, he enjoys biking, car building, travel photography, and spending time with family.

 Larry Im, Technical Account Manager, AWS Enterprise Support

As a Technical Account Manager for Enterprise Support, Larry helps customers realize their business outcomes on AWS. He has over 20 years of experience in IT operations, architecture and management. Outside of work, you can find him making memories with his family, falling off bikes, and on the quest for the perfect taco.