Episode 3 - Network Visibility in the Cloud: Why Network Traffic Analysis Remains Critical
Guest Speaker: David Burkett
December 4, 2025


About the episode

Richard Bejtlich discusses cloud security from a network-centric perspective with Corelight's cloud security researcher, David Burkett. They explore why monitoring network traffic remains essential in cloud environments, despite the presence of native security features offered by cloud providers. David highlights common threats such as container compromises, coin miners, and supply chain attacks, emphasizing the value of traffic visibility for detecting unusual behaviors and breaches. The episode delves into practical approaches like baselining cloud workloads, analyzing ingress and egress traffic, and the unique advantages of monitoring cloud infrastructure through network-based taps. Tune in to discover how organizations can enhance their cloud security strategies through proactive network visibility.

Episode transcript

Gain clear, actionable intelligence from Corelight's network defense experts. Corelight Defenders translates complex cybersecurity detection challenges into concise, practical episodes designed to support faster, smarter decision-making across modern security teams. Welcome to Corelight Defenders.

I'm Richard Bejtlich, strategist and author in residence at Corelight. In each episode, we explore insights from the front lines of NDR, network detection and response. And today, I'm speaking with David Burkett, our cloud security researcher at Corelight. Welcome, David.

Hey. Glad to be on.

Thank you for joining me for this episode. If anyone knows my background, they'll know I am a, a s- network security type person. I spend, uh, I have spent many years looking at traffic in a network, but I am fascinated by this topic of cloud security and how network approaches can work in the cloud.

And I, I'm not too proud to admit, several years ago, I read a book about cloud security and how the cloud was gonna take care of itself, and it had all these native features, and I believed it. I was like, "Okay, I don't have to worry about this network stuff in the cloud anymore."

But here we are years later, and, you know, obviously we're talking from the Corelight perspective. We have a lot of interest in cloud security for a network-centric product. So, can you t- maybe just give me a little bit of background, a little bit of understanding, like why, why is network traffic so important in a cloud security context?

Uh, a lot of the same, uh, principles that are gonna apply o- on premises are gonna apply, uh, to the cloud. And, uh, there's, uh, some common attacks going around right now that blind EDR tools. Uh, and I thought it would be prudent to, uh, to write something up about how that same kind of, uh, tactic, uh, applies to actually cloud, uh, cloud native technologies, so.

Yes. So, I will link the blog post that you're referring to. I will put that in the show notes so people can take a look at it. Let's say you, you accept the premise that there is a role for monitoring in the cloud. What is it that we're actually monitoring? I, like, I understand we do have a capability, we're building a capability to look at things like VPC flow logs and so forth. But if I'm looking at more from just a network traffic perspective, what is it I'm actually looking at?

Yeah. Okay. So basically, uh, there's a, a ton of different things. So, um, whenever you're in AWS, uh, specifically, one of the things that they do that's really nice is they tag all of their, uh, uh, m- internal traffic. So like, if you're using EKS, the, the managed Kubernetes, uh, service, uh, they tag with, uh, the, uh, TLS certificates, um, what that service is, so you can kind of get a b- a good idea of a baseline of like what your different tools are, uh, communicating with whenever it comes to, uh, the different like cloud APIs and, uh, different services behind the scenes. Uh, but not only that, you can also get a good idea of just, you know, your traditional, like ev- anything that you think, uh, you might need on prem is really gonna apply to the cloud. So, um, w- whatever your containers are gonna be doing, if you have any EC2, um, instances, uh, yeah, basically everything that, uh, is gonna be traditional type infrastructure or if that, uh, you can get a PCAP on, uh, is what we're, we're gonna be monitoring.

So, are people looking at the traffic and building a baseline and saying, "This is what it looks like. Maybe I don't understand everything that's there, but this, this is what's happening on a day-to-day basis." And then if something new happens, they pay closer attention to that and say, "Okay, this could be an indicator of a problem."

Yeah. Yeah, yeah, exactly. So, one of the things that's actually pretty useful about cloud workloads, so tho- despite them being fairly elastic whenever they scale, the way that they work, like so the ports that they use and that kind of a thing, uh, is actually fairly static. Whenever you're using things like, uh, containers, Kubernetes, um, ideally, uh, in a perfect world, uh, you're gonna have those be i- immutable whenever they're deployed. You're not gonna have anything really changing in production. So, it makes it great for baselining. Uh, and whenever you start looking or seeing any kind of drift from that baseline, uh, you know that you have something interesting probably going on.

Uh, but not only that, um, one of the things that is w- weirdly the most common is, uh, whenever you have a, a supply chain attack where, uh, some, you know, really common po- or, uh, package or, um, tool or something gets compromised, uh, maybe in a container, um, w- for whatever reason, attackers love to just use, uh, coin miners. And, uh, those always have to, to beacon out to the mining pool just in the way that they, they kind of work. Uh, so, um, it's really useful to, to be able to th- see what kind of, uh, more detailed network traffic they have, um, be able to catch things like the, uh, the TLS certificates if they're even encrypting it.

Okay. So that, um, I think that highlights two aspects of this that are interesting. One is, you could be looking at traffic in the cloud itself among your different workloads, or, sorry, I'm not up to speed with like what things are called or whatever, but within the cloud, they're d- different pieces talking to each other. Yep. But then, the- it sounds like you also have the ability or you, you would want the ability, make sure you have this ability to watch, uh, ingress and egress, because as, like you said, if there's some type of C2 or whatever going on that's outside of... Well, by definition, C2 would be outside of your profile, but you could possibly see traffic that is outside of the use profile. Is that right?

Whenever you have, uh, uh, Kubernetes in your Kubernetes clusters, uh, you're gonna have things like your workloads, your containers that run on 'em. Uh, then you're gonna have the nodes. So, the nodes are gonna be basically the servers that, uh, the containers run on.

Um, and with, uh, the current kind of setup that we have, uh, we currently see the, uh, the node kind of level, uh, visibility. Uh, but we do partner with, uh, groups like, uh, Orca and have-... um, some cloud enrichment kind of tools to get deeper down into seeing the, the individual containers. It, it's just the, the same, uh, visibility that you would have if it was an on-prem Kubernetes, uh, server. So it's not like you have any kind of less visibility in the cloud. Um, but basically, uh, y- you get all of that traffic coming in and out of the, the containers, just as you would if it was just, like, a, a, an on-prem server, so.

Over the last few years, there's been issues with looking at providers and trying to figure out if they give you a tap into network traffic. Are we at the point now where pretty much, you know, the big providers all give you equivalent capabilities or are we still waiting on some to, to add that?

Yeah, some are definitely better than, uh, uh, than others. But I, at this point, um, I think all three, especially if the, the big, uh, major cloud providers, uh, have i- at least some basic capability. And, uh, they seem to actually also be realizing that this is where, uh, I guess the, the market is moving in cloud security. So, uh, they are, they're all, uh, uh, actually maturing and pushing out new stuff. I think I actually saw, uh, a recent announcement from, uh, Google that, um, you know, they were expanding some of their network security stuff with Corelight being, uh, one of the offerings. Um, so it, it, m- I, I think, uh, all of the, the cloud providers are working to mature, uh, and basically make, uh, that, that network traffic, uh, even more available, more accessible, um, than it has been.

So that seems to be a, uh, a good thing to see. One of the issues they had with the cloud-native offering was that maybe the visibility wasn't there or if there were logs of any type, sometimes there was a delay, or the quality wasn't up to the level that they could use to detect and respond.

Are those concerns still around in 2025?

Yeah, unfortunately so. Um, I've seen some, uh, reports where there's been instances of, uh, I believe it was Azure, um, was just either not logging or the logs were delayed by a, a significant time period, um, for whatever reason. Um, that seems to be not very common, but something that can potentially happen. Um, but, uh, I would say that that's probably more the exception these days. But it, it is still one of the things that, um, I, I think is still gonna be the case is the, uh, the amount of API calls and, um, d- different services that are added to different cloud providers, uh, makes a lot of the, um, I guess, uh, logs difficult to understand for analysts. So, um, one of the, I guess, kind of benefits of doing a, a lot of the network security monitoring stuff is, uh, you're gonna be more familiar with what you're looking at, as if you're doing network, uh, security monitoring on-prem. You know, your analysts are gonna know what the logs are and how they work and that kind of thing.

Yeah, that is a really good point. Uh, sometimes people underestimate the ability of an analyst to pivot among different log sources. And if you have all of the data in a format that they're already familiar with, even if it's coming from a different location, you're able to pick up patterns or just know where things are and work with it. Never mind your tool chain, uh, not having to adjust it to deal with the different type of log format or fidelity or whatever.

So, yeah, that's a, that's a really interesting point too.

Yeah, yeah, yeah, exactly. And if you wanna think about, like, a, a typical cloud attack chain, so for example, one of the, the common ones right now, uh, are, uh, info stealers. So people who will google things like PuTTY, whatever, uh, get a backdoored version, have their credentials compromised or maybe, uh, just the attacker on their machine steals their, uh, session tokens. Uh, and whenever, however they do gain access to then your cloud environment, um, having that kind of same network data allows you to be able to kind of quickly, um, correlate and see if they're communicating to some of that same infrastructure that they used to, to breach you. A lot of times, it's not gonna be, you know, obviously the same, but it can be a real quick way to pivot to your cloud, uh, network to see if you have any, um, any kind of compromises from that.

Yeah. Are there any developments for- Mm-hmm. ... network security monitoring in the cloud that we should be paying attention to? Like, any cool things that are coming or... I mean, obviously we're not gonna leak product details or anything, but any sorts of approaches perhaps or that sort of development that you're interested in?

Yeah, so there's, uh, a lot of different things. I, I think that, um, we sit in kind of a, a unique position. So, um, one of the, the things that, uh, again I, I kind of talked about in the blog post is, uh, uh, there's a, a concept of, um, you know, whenever you get on, uh, control of a device, whether it's on-prem or in the cloud, you gain admin access. Uh, you're gonna have the capability to do things like disable, um, uh, you know, security monitoring tooling, add firewall rules so that it maybe can't communicate out to, uh, its, uh, you know, its SaaS platform. Uh, that all applies, uh, the same as, uh, on-prem as it does in the cloud. So if you have a Kubernetes workload or a, a cluster, for example, that maybe has a, a poor misconfiguration or, um, m- maybe even just a, gets a, a, a supply chain compromise with an, uh, a container running elevated, uh, privileges, um, that can, uh, cause a lot of the same problems as it would if, uh, uh, you know, it happened on an on-prem just instance. So, um, one of the things that's really interesting is, um, in my, at least in my mind, is we sit in a unique spot to where we're collecting that network traffic, um, on from the actual, like, taps in the, the cloud, uh, where there's a lot of, uh, I guess you could say network security monitoring tools, which are great by the way, they're, uh, eBPF-based, but they are host-based, so they have that kind of, um, limitation. And it's interesting to try and do research, uh, around a lot of the, uh, the traffic that we see in, um-... just from a, like, that, you know, attacked perspective, 'cause there's not a lot out there on what's being done. So, uh, that's one, kind of, piece that's interesting to me. But some of the stuff that's coming in the future that's just kind of cool, uh, is, uh, w- we are doing a lot with our, uh, anomaly detection, uh, engine. So, uh, like I mentioned, the, uh, a lot of the workloads in the cloud are, uh, fairly static. So, once you get an idea of what kind of services that they're using, the ports, you know, that kind of a thing, um, those become fairly reliable, uh, especially in the, uh, kind of cloud environments. Um, one of the things that I'm actually working on... So, uh, whenever you're deploying, um, like, uh, or working in a containerized environment, uh, such as, like, EKS or GKE, one of the other, uh, kind of environments, m- because, uh, you're gonna have your, uh, containers be, you know, mutable, all that stuff, you're not gonna be troubleshooting 'em in production. Uh, you're, you, so you shouldn't really be seeing, uh, administration tools, so like SSH, uh, RDP, VNC, um, you know, that sort of thing. Uh, that can be an indication of compromise. So, um, like I mentioned earlier, we have ways to go through and identify, uh, what sort of traffic is EKS traffic, for example, uh, and then we can go through and start profiling that and look for things that might be, uh, a container to container SSH session, which, um, m- might be, uh, uh, w- the way an application works. But those will be easy to go through and kind of identify what's legitimate and what's not, uh, 'cause you're typically gonna have either, you know, your orchestration tools like your Ansible or whatever, or the application itself is gonna be using SSH for some sort of a reason. So, those are gonna be kind of the exception.

Um, and then outside of that, uh, just seeing some of that activity, uh, you know, could be signs of a potential compromise. And, uh, yeah, we just have a, a lot of cool stuff coming up on the, uh, the, the, the cloud front.

I had heard of, and because of your blog post I learned a little bit about using tools to instrument the workloads themselves.

But if you're adding it, it means an intruder can either modify it or remove it. So, it's kind of nice to have this removed capability that is watching. And lots of people will say, "Well, if it's encrypted or, you know, I, I don't get full details." But if you're in a situation where that's all you've got, that's, that for me, that's th- that, that's the mejor que nada aspect of security. Like, it's better than nothing.

I will take that any day, um, in addition to all the other things that you, you could do with it, uh, otherwise.

Yeah. Yeah. Yeah. And l- like I said, the, uh, because the, uh, cloud workloads are traditionally fairly static in how they run, baselining is actually really, really powerful for detection in the cloud. The way that a lot of the host-based tools work, uh, is they just look for drift, are the container images changing from when they were first deployed. Mm-hmm. Uh, that actually is essentially, uh, what you can do at the network level as well. Uh, are... is that network pattern changing from once the host is deployed? I wouldn't even assume that a lot of the, uh, attackers are using encrypted traffic. I was actually just reading before we got on the call a, uh, blog post, the most recent, uh, report on the DFIR Report, uh, site, uh, I wanna say it was, uh, around a, uh, a LockBit ransomware deployment. Uh, they pulled the file down in the clear, or at least one of the, the payloads. So, um-

Yeah. I've always said unless the intruder is physically co-located with the asset, y- you've got a chance using the network. Now, they could always get creative and use a satellite phone or something, and if they're doing that now, it's really interesting. David, that's all the time we have for today. Thank you so much. I learned a ton about cloud security with this one.

Um, we'll probably have you back because this is an area that's only changing and introducing new issues that we can address. So, uh, thank you very much for joining me today.

Yeah. Happy to be here and, uh, uh, thank you for having me.

Thank you for joining us on the Network Defenders podcast sponsored by Corelight.

We will see you on the network. You've been listening to Corelight Defenders. To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.