AWS VPC Flows for DFIR Part 1 - Introduction
Introduction

This is the first in a small collection of posts about using AWS VPC Flow Logs during incident response. One of the big benefits is that the flow data can be delivered to an S3 bucket (where it can be queried with Athena) or to CloudWatch Logs, so even if the EC2 instance no longer exists, the flow data is still available to help piece together what might have taken place (lateral movement, exfiltration, etc.). For example, if an actor created and then deleted their own EC2 instance to stage their attack, it could still be possible to identify lateral movement and infer what actions they took from the destination port numbers. Note that flow logs are not retroactive: this only works if flow logging was already enabled on the VPC, subnet or interface before the activity took place, and the records capture connection metadata (addresses, ports, protocol, byte and packet counts), not packet contents.

What Are VPC Flows?

VPC Flow Logs are the AWS equivalent of NetFlow data and can be a valuable resource when investigating a variety of incident scenarios. Although called VPC flows, there are three levels at which the flow data can be collected:

VPC - This will collect data from all of the network interfaces in the VPC.
Subnet - This will collect from all interfaces that are within the same subnet.
Interfa...
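To show what "piecing together lateral movement and exfiltration from retained flow data" looks like in practice, here is an added example that is not code from the original post. It parses records in the default (version 2) VPC Flow Log format, skips the NODATA/SKIPDATA rows that carry no addresses, and then asks two DFIR questions about a given network interface (the ENI of the actor's now-deleted instance): which other hosts inside the VPC did it connect to on common admin/lateral-movement ports, and which flows to addresses outside the VPC moved enough bytes to be worth an exfiltration review. The log lines, the VPC CIDR of 10.0.0.0/16, the ENI IDs and the port list are all constructed assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Assumption: the VPC under investigation is 10.0.0.0/16; anything outside it
# is treated as "external" for the exfiltration check.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Assumption: ports an analyst would treat as lateral-movement candidates
# (SSH, RDP, SMB, WinRM).
LATERAL_PORTS = {22, 3389, 445, 5985, 5986}

# Constructed sample records (not real data). The first ENI belongs to an
# instance the actor has since deleted; the records outlive the instance.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 51234 22 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.41 51235 3389 6 5 800 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.42 51236 445 6 1 60 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 203.0.113.9 51237 443 6 15000 24000000 1700000030 1700000900 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000040 1700000100 - NODATA
2 123456789012 eni-0b9c8d7e6f5a4b3c2 10.0.2.40 10.0.1.15 22 51234 6 18 2900 1700000000 1700000060 ACCEPT OK
"""


def parse_records(text):
    """Parse default-format flow log lines into dicts, dropping rows without data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line; ignore for this example
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows have "-" in the address fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def in_vpc(addr):
    return ipaddress.ip_address(addr) in VPC_CIDR


def lateral_movement(records, interface_id):
    """TCP flows from the given ENI to other in-VPC hosts on lateral-movement ports.

    Returns (dstaddr, dstport, action) tuples in log order, REJECTs included,
    because a rejected attempt is still evidence of scanning or probing.
    """
    hits = []
    for r in records:
        if r["interface_id"] != interface_id or r["protocol"] != 6:
            continue
        if in_vpc(r["srcaddr"]) and in_vpc(r["dstaddr"]) and r["dstport"] in LATERAL_PORTS:
            hits.append((r["dstaddr"], r["dstport"], r["action"]))
    return hits


def exfil_candidates(records, min_bytes=10_000_000):
    """Accepted in-VPC -> external flows, summed per (src, dst, dstport), above a byte threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and in_vpc(r["srcaddr"]) and not in_vpc(r["dstaddr"]):
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["bytes"]
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    eni = "eni-0a1b2c3d4e5f6a7b8"
    for dst, port, action in lateral_movement(recs, eni):
        print(f"{eni} -> {dst}:{port} {action}")
    for (src, dst, port), total in exfil_candidates(recs).items():
        print(f"possible exfil: {src} -> {dst}:{port} {total} bytes")
```

The byte threshold and port list are tuning knobs, not detection logic you should trust blindly: a 24 MB HTTPS session to an unknown external address is only interesting once you know what the instance normally did, and the REJECT on 445 is worth keeping because flow logs record security-group and NACL denials that the deleted instance's own logs never will.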