Network & Infrastructure Security

Network Logging & Threat Detection


Without visibility, you can't detect attacks. Cloud network logging and threat detection services provide the foundation for security operations and incident response.

Essential Network Logs

Log Types by Provider

| Log type | AWS | Azure | GCP |
|---|---|---|---|
| Network flow | VPC Flow Logs | NSG Flow Logs | VPC Flow Logs |
| DNS queries | Route 53 Query Logs | DNS Analytics | Cloud DNS Logs |
| API activity | CloudTrail | Activity Log | Cloud Audit Logs |
| Load balancer | ALB/NLB Access Logs | App Gateway Logs | Load Balancer Logs |
| WAF | WAF Logs | WAF Logs | Cloud Armor Logs |

AWS VPC Flow Logs Analysis

```bash
# Enable comprehensive flow logs for the whole VPC, delivered to S3.
# The custom format adds the version 3 fields (vpc/subnet/instance IDs, TCP flags,
# packet-level addresses) that the default format does not include.
aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type s3 \
    --log-destination arn:aws:s3:::flow-logs-bucket \
    --log-format '${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}'
```

Flow log analysis queries (Athena):

```sql
-- Find rejected traffic (potential attacks)
-- start is epoch seconds in flow logs, so convert it before comparing with a timestamp
SELECT srcaddr, dstaddr, dstport, COUNT(*) AS reject_count
FROM vpc_flow_logs
WHERE action = 'REJECT'
  AND from_unixtime(start) > date_add('hour', -24, now())
GROUP BY srcaddr, dstaddr, dstport
ORDER BY reject_count DESC
LIMIT 100;

-- Unusual outbound traffic (data exfiltration): destinations outside RFC 1918 space
-- (a plain LIKE '172.16.%' would only cover 172.16.0.0/16, not the whole /12)
SELECT srcaddr, dstaddr, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE NOT regexp_like(dstaddr, '^10\.')
  AND NOT regexp_like(dstaddr, '^172\.(1[6-9]|2[0-9]|3[01])\.')
  AND NOT regexp_like(dstaddr, '^192\.168\.')
  AND from_unixtime(start) > date_add('hour', -24, now())
GROUP BY srcaddr, dstaddr
HAVING SUM(bytes) > 1000000000  -- > 1GB
ORDER BY total_bytes DESC;
```

Cloud-Native Threat Detection

AWS GuardDuty

Intelligent threat detection using ML and threat intelligence:

```bash
# Enable GuardDuty (the response contains the detector ID used below)
aws guardduty create-detector --enable

# Enable S3 protection
aws guardduty update-detector \
    --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
    --data-sources S3Logs={Enable=true}

# Enable EKS protection (EKS audit log analysis)
aws guardduty update-detector \
    --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
    --features '[{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'
```

GuardDuty finding types:

  • Reconnaissance: Port scanning, API enumeration
  • Instance compromise: Cryptocurrency mining, malware communication
  • Account compromise: Unusual API calls, credential abuse
  • Data exfiltration: Unusual S3 access patterns

Azure Defender for Cloud

```bash
# Enable Defender for Cloud plans (Standard tier) per resource type
az security pricing create \
    --name VirtualMachines \
    --tier Standard

az security pricing create \
    --name StorageAccounts \
    --tier Standard

az security pricing create \
    --name KeyVaults \
    --tier Standard
```

GCP Security Command Center

```bash
# Enable Security Command Center Premium
gcloud scc settings update \
    --organization=123456789 \
    --enable-asset-discovery

# View active findings across all sources
gcloud scc findings list \
    --organization=123456789 \
    --source=- \
    --filter="state=\"ACTIVE\""
```

SIEM Integration

Centralized Log Collection

```text
┌────────────────────────────────────────────────────────┐
│                      Log Sources                       │
├────────────────────────────────────────────────────────┤
│  CloudTrail │ VPC Flow │ GuardDuty │ WAF │ CloudWatch  │
└────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────┐
│                     SIEM Platform                      │
│   (Splunk, Elastic, Sumo Logic, Chronicle, Sentinel)   │
├────────────────────────────────────────────────────────┤
│  - Correlation rules                                   │
│  - Alerting                                            │
│  - Investigation                                       │
│  - Reporting                                           │
└────────────────────────────────────────────────────────┘
```

AWS Security Hub

Aggregate findings from multiple services:

```bash
# Enable Security Hub
aws securityhub enable-security-hub

# Enable standards. The CIS ruleset ARN is global; the Foundational Security
# Best Practices standard ARN is region-scoped, so AWS_REGION must be set (e.g. us-east-1).
aws securityhub batch-enable-standards \
    --standards-subscription-requests "[
        {\"StandardsArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\"},
        {\"StandardsArn\": \"arn:aws:securityhub:${AWS_REGION}::standards/aws-foundational-security-best-practices/v/1.0.0\"}
    ]"
```

Network Security Monitoring Patterns

Baseline Establishment

Before detecting anomalies, establish normal patterns:

| Metric | Normal range | Alert threshold |
|---|---|---|
| Outbound traffic | 10GB/day | >50GB/day |
| Failed logins | <10/hour | >100/hour |
| Rejected flows | <1% | >5% |
| DNS queries | Known domains | Unknown TLDs |
| API calls | Business hours | 3 AM spikes |

Detection Rules

Suspicious SSH activity:

```text
# CloudWatch Logs Insights query: sources with many rejected connections to port 22
fields @timestamp, srcAddr, dstPort, action
| filter dstPort = 22 and action = 'REJECT'
| stats count(*) as attempts by srcAddr
| filter attempts > 100
| sort attempts desc
```

Data exfiltration pattern:

```text
# Large outbound transfers to destinations outside RFC 1918 space
fields @timestamp, srcAddr, dstAddr, bytes
| filter bytes > 100000000  # 100MB per flow
| filter dstAddr not like /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| stats sum(bytes) as total_bytes by srcAddr, dstAddr
| filter total_bytes > 1000000000  # 1GB total
```
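The rejected-flow and outbound-volume checks from the Athena and Logs Insights queries above, as an added example that is not code from the original page: it parses records in the custom flow log format defined in the create-flow-logs command, skips NODATA records, and tests RFC 1918 membership with the ipaddress module so the whole 172.16.0.0/12 block counts as internal. All sample records and the function names are constructed for this example.

```python
import ipaddress
from collections import Counter, defaultdict

# Field order matches the custom --log-format of the create-flow-logs command above.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol packets bytes "
          "start end action log_status vpc_id subnet_id instance_id tcp_flags type pkt_srcaddr pkt_dstaddr").split()
# RFC 1918 as networks: all of 172.16.0.0/12 matches, unlike a LIKE '172.16.%' prefix test.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_record(line):
    """Parse one space-separated record into a dict; '-' in numeric fields becomes 0."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = 0 if rec[k] == "-" else int(rec[k])
    return rec

def usable(records):
    """Drop NODATA/SKIPDATA records: they carry no addresses and are not flows."""
    return [r for r in records if r["log_status"] == "OK"]

def rejected_by_source(records, dst_port=None):
    """Count REJECTed flows per source address, optionally for one destination port."""
    return Counter(r["srcaddr"] for r in usable(records) if r["action"] == "REJECT"
                   and (dst_port is None or r["dstport"] == dst_port))

def outbound_to_public(records):
    """Bytes per (src, dst) for accepted flows to destinations outside RFC 1918 space."""
    totals = defaultdict(int)
    for r in usable(records):
        if r["action"] == "ACCEPT" and not any(ipaddress.ip_address(r["dstaddr"]) in n for n in PRIVATE):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)

def reject_ratio(records):
    """Share of usable flows that were rejected (the baseline table alerts above 5%)."""
    ok = usable(records)
    return sum(r["action"] == "REJECT" for r in ok) / len(ok) if ok else 0.0
# Constructed sample records (not real traffic): two port-22 probes, a 1.2 GB transfer
# to a public address, a flow to a 172.20/16 peer (internal), and a NODATA record.
SAMPLE = [
    "3 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51001 22 6 1 44 1700000000 1700000060 REJECT OK vpc-12345678 subnet-0abc i-0123 2 IPv4 203.0.113.5 10.0.1.20",
    "3 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51002 22 6 1 44 1700000000 1700000060 REJECT OK vpc-12345678 subnet-0abc i-0123 2 IPv4 203.0.113.5 10.0.1.20",
    "3 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.7 44321 443 6 900000 1200000000 1700000000 1700000060 ACCEPT OK vpc-12345678 subnet-0abc i-0123 18 IPv4 10.0.1.20 198.51.100.7",
    "3 123456789012 eni-0a1b2c3d 10.0.1.20 172.20.5.9 44322 443 6 600000 900000000 1700000000 1700000060 ACCEPT OK vpc-12345678 subnet-0abc i-0123 18 IPv4 10.0.1.20 172.20.5.9",
    "3 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA vpc-12345678 subnet-0abc i-0123 - - - -",
]
RECORDS = [parse_record(line) for line in SAMPLE]
```

Thresholds (100 attempts, 1 GB) are applied by the caller; the functions return the raw counts and byte totals so the same code can feed either a per-hour alert or the baseline table.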

Incident Response Readiness

Network Security Runbook

| Scenario | Detection | Response |
|---|---|---|
| Port scan detected | GuardDuty/Flow logs | Block source IP via NACL |
| Unusual outbound | Flow log analysis | Isolate instance, investigate |
| API abuse | CloudTrail anomaly | Revoke credentials, audit |
| DDoS attack | WAF/Shield alerts | Engage DRT, adjust rules |
| Data exfiltration | S3/Flow logs | Revoke access, forensics |

Next module: Container and Kubernetes security for cloud-native workloads.
