An AWS control-plane API call configured an EC2 instance as a traffic mirroring target. This suggests a malicious traffic mirroring session will be created next, copying network traffic to the target EC2 instance.
Possible Root Causes
A malicious actor is mirroring network traffic to an attacker-controlled EC2 instance in order to steal credentials such as passwords and pivot further into the environment.
An administrator may have intentionally configured an EC2 as a traffic mirroring target as part of normal operations.
Business Impact
Malicious traffic mirroring can be extremely impactful as the traffic moving within VPCs is frequently unencrypted. This is common due to the cloud network design practice of terminating SSL/TLS encryption at load balancers.
Stolen credentials sniffed from the network can further an attack campaign, impacting the confidentiality of data stored on the affected systems.
When the confidentiality of data is affected, there may be regulatory or compliance implications for the business.
Steps to Verify
Investigate the Principal that performed the actions for other signs of malicious activity.
Validate that the creation of the traffic mirroring target is authorized, given the purpose and policies governing this resource.
Review CloudTrail logs to determine if a traffic mirroring session was established and is authorized, given the purpose and policies governing this resource.
If review indicates possible malicious actions or high-risk configurations were made:
- Revert any configuration changes.
- Terminate any traffic mirroring session created by the Principal.
- Disable credentials associated with this alert.
- Perform a comprehensive investigation to determine the initial compromise and whether network traffic from the source EC2 instance was encrypted in transit.
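The CloudTrail review above, as an added example that is not part of the original detection write-up: it correlates CreateTrafficMirrorTarget and CreateTrafficMirrorSession records by Principal, skips targets on an approved allowlist, and returns the session IDs an analyst would terminate. The event shapes, the allowlist and the sample records are constructed and simplified from CloudTrail's real records.

```python
"""Correlate CloudTrail events for traffic mirror target and session creation.

Constructed example: record shapes are simplified from CloudTrail's
CreateTrafficMirrorTarget / CreateTrafficMirrorSession events.
"""

# Hypothetical allowlist of targets an administrator has approved.
AUTHORIZED_TARGETS = {"tmt-0aaa000000000000a"}

# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventName": "CreateTrafficMirrorTarget", "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"networkInterfaceId": "eni-0bbb000000000000b"},
     "responseElements": {"trafficMirrorTarget": {"trafficMirrorTargetId": "tmt-0ccc000000000000c"}}},
    {"eventName": "CreateTrafficMirrorSession", "eventTime": "2024-01-01T10:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"trafficMirrorTargetId": "tmt-0ccc000000000000c",
                           "networkInterfaceId": "eni-0ddd000000000000d", "sessionNumber": 1},
     "responseElements": {"trafficMirrorSession": {"trafficMirrorSessionId": "tms-0eee000000000000e"}}},
    {"eventName": "CreateTrafficMirrorSession", "eventTime": "2024-01-01T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/NetOpsAdmin"},
     "requestParameters": {"trafficMirrorTargetId": "tmt-0aaa000000000000a",
                           "networkInterfaceId": "eni-0fff000000000000f", "sessionNumber": 2},
     "responseElements": {"trafficMirrorSession": {"trafficMirrorSessionId": "tms-0aaa000000000000f"}}},
]


def correlate(events, authorized_targets):
    """Return one finding per mirror session whose target is not on the allowlist."""
    target_creator = {}  # target id -> ARN of the Principal that created it
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal = ev["userIdentity"]["arn"]
        if ev["eventName"] == "CreateTrafficMirrorTarget":
            tid = ev["responseElements"]["trafficMirrorTarget"]["trafficMirrorTargetId"]
            target_creator[tid] = principal
        elif ev["eventName"] == "CreateTrafficMirrorSession":
            tid = ev["requestParameters"]["trafficMirrorTargetId"]
            if tid in authorized_targets:
                continue  # approved target: benign per policy, nothing to report
            findings.append({
                "principal": principal,
                "target": tid,
                # Same Principal creating both target and session is the pattern in this alert.
                "target_created_by_same_principal": target_creator.get(tid) == principal,
                "source_eni": ev["requestParameters"]["networkInterfaceId"],
                "session_to_terminate": ev["responseElements"]["trafficMirrorSession"]["trafficMirrorSessionId"],
            })
    return findings
```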
AWS Suspect Traffic Mirror Creation