Triggers
- An AWS control-plane API call designated an EC2 instance as a traffic mirroring target. This suggests that a malicious traffic mirroring session may be created next, copying network traffic to that EC2 instance.
Possible Root Causes
- A malicious actor is mirroring network traffic to an attacker-controlled EC2 instance in order to steal credentials such as passwords and pivot further into the environment.
- An administrator may have intentionally configured an EC2 instance as a traffic mirroring target as part of normal operations.
Business Impact
- Malicious traffic mirroring can be extremely impactful because traffic moving within VPCs is frequently unencrypted; it is common cloud network design practice to terminate SSL/TLS encryption at load balancers.
- Stolen credentials sniffed from the network can further an attack campaign, impacting the confidentiality of data stored on the affected systems.
- When the confidentiality of data is affected, there may be regulatory or compliance implications for the business.
Steps to Verify
- Investigate the Principal that performed the actions for other signs of malicious activity.
- Validate that the creation of the traffic mirroring target is authorized, given the purpose and policies governing this resource.
- Review CloudTrail logs to determine if a traffic mirroring session was established and is authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configurations were made:
  - Revert any configuration changes.
  - Terminate any traffic mirroring session created by the Principal.
  - Disable credentials associated with this alert.
- Perform a comprehensive investigation to determine initial compromise and if network traffic from the source EC2 instance was encrypted in transit.
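The CloudTrail review above (did a session get created against the new target, and by whom) can be scripted. The following is an added example, not part of the original detection description: it correlates CreateTrafficMirrorTarget and CreateTrafficMirrorSession events over constructed, simplified CloudTrail-style records. The field nesting, ARN and resource ids are assumptions for illustration; real EC2 records nest responseElements differently, so adjust the field access to your own trail.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (simplified layout, placeholder ids; not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorTarget",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"networkInterfaceId": "eni-0aaaa0000000000a1"},
     "responseElements": {"trafficMirrorTargetId": "tmt-0bbbb0000000000b2"}},
    {"eventTime": "2024-01-10T09:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"networkInterfaceId": "eni-0cccc0000000000c3",
                           "trafficMirrorTargetId": "tmt-0bbbb0000000000b2"},
     "responseElements": {"trafficMirrorSessionId": "tms-0dddd0000000000d4"}},
    {"eventTime": "2024-01-10T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {}, "responseElements": None},
]

def correlate_mirror_activity(events):
    """Map each mirror target id to its creator, target ENI and the sessions pointing at it.

    A target whose "sessions" list is non-empty is actually receiving mirrored traffic.
    """
    targets = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        req = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}   # None for read-only calls
        if ev["eventName"] == "CreateTrafficMirrorTarget":
            targets[resp["trafficMirrorTargetId"]] = {
                "created_by": actor, "target_eni": req.get("networkInterfaceId"), "sessions": []}
        elif ev["eventName"] == "CreateTrafficMirrorSession":
            # Keep sessions even if the target was created before the reviewed window.
            entry = targets.setdefault(req.get("trafficMirrorTargetId"),
                                       {"created_by": None, "target_eni": None, "sessions": []})
            entry["sessions"].append({"session_id": resp.get("trafficMirrorSessionId"),
                                      "source_eni": req.get("networkInterfaceId"),
                                      "created_by": actor, "time": ev["eventTime"]})
    return targets

def sessions_by_principal(events, principal_arn):
    """Session ids created by one Principal: the sessions to terminate during response."""
    return [(ev.get("responseElements") or {}).get("trafficMirrorSessionId")
            for ev in events if ev.get("eventName") == "CreateTrafficMirrorSession"
            and (ev.get("userIdentity") or {}).get("arn") == principal_arn]
```

The source ENIs returned for each session identify the instances whose traffic was copied, which is the starting point for the "was it encrypted in transit" question in the last step.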