Finding truth in the cloud: Google Cloud Packet Mirroring and Corelight Network Traffic Analysis

“Remember, all I’m offering is the truth” – Morpheus, from the film The Matrix (1999)

There is a great scene at the end of The Matrix where a fallen Neo resurrects himself and breaks past the illusion of the Matrix to see the world around him for what it really is: code.

The public cloud is similar to Neo’s Matrix. Built on layers of code, it is designed to hide its complexity behind the gleam and flawlessness of a virtual world. That same abstraction obscures the infrastructure that defenders depend on to secure their organizations. Limited visibility into cloud infrastructure, the absence of a traditional perimeter, an expanding attack surface and ephemeral workloads all make the cloud hard to defend, and the shared responsibility model introduces further gaps in coverage.

The only way to defeat attackers, as Neo does, is to gain deep visibility into the environment. At Corelight we believe the network is an honest source of truth: tools tailored to extract security-centric insight from network traffic offer a uniquely broad view of the environment, and one that attackers cannot modify retroactively.

So when we heard that Google Cloud was bringing the ability to tap and mirror network traffic in the cloud, we got visibly excited. Google Cloud Packet Mirroring lets customers mirror the traffic to and from selected Compute Engine or Google Kubernetes Engine (GKE) instances and forward it to a collector. Because the mirror is cloud-native, no third-party agents need to run on the workloads, which improves availability and scalability. Our customers get the same visibility across their on-premises and Google Cloud deployments, with common capabilities, insight and management that streamline their incident response and threat hunting workflows. This is a game changer for our GCP customers.

Corelight’s support for Google Cloud environments, currently in Beta, turns packet-mirrored traffic into comprehensive logs, extracted files, and custom insights via Zeek, a powerful, open-source network security monitoring framework used by thousands of organizations worldwide to accelerate incident response and unlock new threat hunting capabilities.

How can threat hunting teams use this data to secure their cloud? A great place to start is the recently released MITRE ATT&CK Cloud Matrix for Enterprise, which covers the cloud-based TTPs that adversaries employ. Additionally, we have put together a tool that identifies the TTPs in the ATT&CK matrix where Corelight data can be used to discover and thwart attackers.

For example:

  • T1020 – Automated Exfiltration: Data exfiltration from cloud storage is one of the most common sources of data breach in the cloud. The ‘producer-consumer ratio’ package profiles the typical direction and volume of data transfer between two hosts and flags when that ratio changes, for example when a host that normally consumes data from a peer suddenly starts pushing large volumes toward it.
  • T1110 – Brute Force: A compromised IAM account lets attackers move through the cloud environment undetected while wreaking havoc. Corelight’s data helps monitor password guessing and brute-force attacks over SSH. Even though SSH traffic is encrypted, Corelight relies on behavior (the number, timing and outcome of authentication attempts, which Zeek infers from the connection) rather than payload content, so encryption does not hide the attack.
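As an added illustration of the two detections above (this is example code written for this page, not Corelight’s or the Zeek package’s own implementation), the following Python runs a producer-consumer ratio check and an SSH brute-force check over constructed Zeek conn.log and ssh.log records. It assumes the usual definition of PCR, (orig_bytes - resp_bytes) / (orig_bytes + resp_bytes), which ranges from -1 for a pure consumer to +1 for a pure producer; the sample rows, the PCR shift threshold and the limit of 10 failed SSH attempts in 10 minutes are assumptions to be tuned for a real environment.

```python
"""Producer-consumer ratio shift and SSH brute-force detection over Zeek logs.

Added example; the log rows below are constructed, not captured traffic.
"""
from collections import defaultdict
from statistics import mean

# Constructed conn.log excerpt (Zeek TSV with a #fields header, subset of columns).
# Pair 10.0.0.5 -> 34.120.1.1 consumes data three times, then pushes ~250 MB out.
# Pair 10.0.0.8 -> 10.0.0.22 is steady; one row has unset byte counts ("-").
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1590000000.0\t10.0.0.5\t34.120.1.1\t443\ttcp\t1200\t48000
1590000010.0\t10.0.0.8\t10.0.0.22\t22\ttcp\t2000\t3000
1590000060.0\t10.0.0.5\t34.120.1.1\t443\ttcp\t900\t52000
1590000070.0\t10.0.0.8\t10.0.0.22\t22\ttcp\t2500\t3100
1590000120.0\t10.0.0.5\t34.120.1.1\t443\ttcp\t1500\t47000
1590000130.0\t10.0.0.8\t10.0.0.22\t22\ttcp\t-\t-
1590000140.0\t10.0.0.8\t10.0.0.22\t22\ttcp\t1900\t2800
1590000180.0\t10.0.0.5\t34.120.1.1\t443\ttcp\t250000000\t4000
"""

# Constructed ssh.log excerpt. auth_success is T/F, or "-" when Zeek could not
# infer the outcome of the (encrypted) authentication exchange.
SSH_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts
1590000000.0\t203.0.113.7\t10.0.0.22\t22\tF\t3
1590000020.0\t203.0.113.7\t10.0.0.22\t22\tF\t3
1590000040.0\t203.0.113.7\t10.0.0.22\t22\tF\t3
1590000050.0\t10.0.0.9\t10.0.0.22\t22\tT\t1
1590000060.0\t203.0.113.7\t10.0.0.22\t22\tF\t3
1590000080.0\t203.0.113.7\t10.0.0.22\t22\tF\t3
1590000090.0\t198.51.100.4\t10.0.0.22\t22\t-\t-
"""


def parse_zeek_log(text):
    """Parse Zeek's TSV log format into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def as_int(value):
    """Zeek writes '-' for unset fields; treat those as missing rather than zero."""
    return None if value in ("-", "") else int(value)


def pcr(orig_bytes, resp_bytes):
    """Producer-consumer ratio (assumed definition): -1 pure consumer, +1 pure producer."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total


def detect_pcr_shift(rows, min_history=2, delta=1.0):
    """Alert when a host pair's PCR moves more than `delta` away from its own history."""
    history = defaultdict(list)  # (orig_h, resp_h) -> past PCR values
    alerts = []
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        orig, resp = as_int(r["orig_bytes"]), as_int(r["resp_bytes"])
        if orig is None or resp is None:
            continue  # cannot score a connection with unknown byte counts
        key = (r["id.orig_h"], r["id.resp_h"])
        value, past = pcr(orig, resp), history[key]
        if len(past) >= min_history and abs(value - mean(past)) > delta:
            alerts.append({"pair": key, "baseline": round(mean(past), 3),
                           "pcr": round(value, 3), "ts": float(r["ts"])})
        past.append(value)
    return alerts


def detect_ssh_bruteforce(rows, limit=10, window=600.0):
    """Alert once per source that accumulates `limit` failed SSH auth attempts in `window` s."""
    recent = defaultdict(list)  # orig_h -> [(ts, failed attempts)] inside the window
    alerts, flagged = [], set()
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        if r["auth_success"] != "F":
            continue  # successes and undetermined outcomes are not counted as failures
        ts, src = float(r["ts"]), r["id.orig_h"]
        recent[src].append((ts, as_int(r["auth_attempts"]) or 1))
        recent[src] = [(t, n) for t, n in recent[src] if ts - t <= window]
        total = sum(n for _, n in recent[src])
        if total >= limit and src not in flagged:
            flagged.add(src)
            alerts.append({"orig_h": src, "failed_attempts": total, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_pcr_shift(parse_zeek_log(CONN_LOG)):
        print("T1020 candidate: PCR shift", alert)
    for alert in detect_ssh_bruteforce(parse_zeek_log(SSH_LOG)):
        print("T1110 candidate: SSH brute force", alert)
```

Both checks use only the metadata Zeek records for the connection, which is why they keep working when the payload is encrypted; in production the baseline would be learned per pair over a much longer window, and the brute-force counter would be keyed on (source, destination) as well as source to avoid flagging a busy jump host.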

As enterprise adoption of the cloud explodes, there is an increasing awareness that security in the cloud cannot be taken for granted. We believe Google’s support for traffic mirroring is a step in the right direction, and we look forward to collaborating with Google Cloud to bring the power of Zeek to GCP. If you’d like more details on our public cloud offering and what’s coming in the future, please reach out.
