Introduction
Modern cloud environments often operate across multiple virtual networks and rely heavily on outbound connectivity. While this architecture enables scalability and flexibility, it also introduces visibility challenges. In many AWS deployments, outbound traffic from workloads can leave the environment without deep inspection or centralized monitoring.
This investigation explores how centralized inspection and logging can be used to detect suspicious activity originating from EC2 instances. The environment simulates several attacker behaviors commonly observed after an initial compromise, including reconnaissance activity, protocol abuse, and data exfiltration through DNS.
To detect these behaviors, the environment leverages several AWS-native security services:
- AWS Network Firewall
- Route53 Resolver DNS Firewall
- Amazon CloudWatch Logs
- CloudWatch Log Insights for threat hunting
The goal of the investigation is to demonstrate how combining these services can provide visibility into network activity and enable detection of malicious behavior in cloud environments.
Architecture Overview
The environment uses a hub-and-spoke network architecture designed to centralize traffic inspection.
Two workload VPCs host EC2 instances that simulate normal application workloads. Both VPCs connect through an AWS Transit Gateway to a dedicated inspection VPC. All outbound traffic must traverse this inspection layer before reaching the internet.
The inspection VPC contains several key components:
- AWS Network Firewall for deep packet inspection
- NAT Gateway for controlled outbound internet access
- Internet Gateway for external connectivity
By routing all outbound traffic through the inspection VPC, the architecture ensures that network activity can be inspected, logged, and analyzed.
Simulated Attacker Activity
To evaluate detection capabilities, three common attacker techniques were simulated within the environment.
Network Reconnaissance
One compromised EC2 instance performs repeated ICMP requests to discover reachable hosts in the network. Although ICMP traffic itself is not inherently malicious, an abnormal volume of echo requests can indicate network scanning or reconnaissance.
Protocol Tunneling
A second instance attempts to communicate over TCP port 443 using a protocol that is not TLS. Because port 443 is typically associated with encrypted HTTPS traffic, sending other protocols through this port may indicate attempts to evade security controls.
DNS-Based Data Exfiltration
The final scenario simulates data exfiltration through DNS queries. Instead of transmitting data through HTTP or other monitored channels, the attacker encodes sensitive information into DNS query names and sends them to an external domain.
Because outbound DNS is allowed by default in many environments, it is frequently abused as a covert communication channel.
Security Controls Implemented
To detect and mitigate these behaviors, multiple security layers were implemented.
AWS Network Firewall
AWS Network Firewall was deployed in the inspection VPC to perform stateful traffic inspection. Custom rule groups were created to block connections to suspicious domains and to detect anomalous network behavior.
Suricata Detection Rules
Custom Suricata rules were implemented to identify traffic anomalies, including non-TLS traffic sent over TCP port 443. This detection technique helps identify protocol tunneling attempts or command-and-control communication.
Managed Threat Intelligence
AWS managed rule groups were enabled to automatically block known malicious domains and IP addresses. These rule groups provide continuously updated threat intelligence.
DNS Firewall
Route53 Resolver DNS Firewall was configured to block domain resolution requests for suspicious domains. This prevents workloads from resolving attacker-controlled infrastructure and provides additional visibility into DNS activity.
CloudWatch Logging
Network Firewall alerts and DNS query logs were forwarded to Amazon CloudWatch Logs. These logs serve as the primary telemetry source used for threat hunting and detection analysis.
Threat Hunting and Detection
The investigation relies on analyzing telemetry generated by the firewall and DNS logging infrastructure.
Using CloudWatch Log Insights queries, several detection patterns were identified:
- repeated ICMP activity indicating reconnaissance behavior
- Suricata alerts triggered by non-TLS traffic on port 443
- blocked DNS queries containing suspicious domain patterns
By correlating these signals with instance metadata, it becomes possible to attribute malicious activity to specific EC2 instances within the environment.
This approach demonstrates how network telemetry can be used to detect post-compromise behavior in cloud environments.
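The three detection patterns above, applied offline to constructed log records, as an added example that is not part of the original report or its CloudWatch Log Insights queries. The records only approximate the shape of Network Firewall alert logs (Suricata EVE style) and Route 53 Resolver query logs; the field names, IP addresses, instance IDs and thresholds are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict
# Constructed sample records shaped like AWS Network Firewall alert logs (Suricata EVE
# style) and Route 53 Resolver query logs; field names are assumptions for this example.
def icmp_alert(src, dst):
    return {"event": {"proto": "ICMP", "src_ip": src, "dest_ip": dst}}

FIREWALL_ALERTS = [icmp_alert("10.1.0.10", f"10.1.0.{i}") for i in range(20, 32)] + [
    icmp_alert("10.1.0.11", "10.1.0.1"),  # one ping to the gateway is not a sweep
    {"event": {"proto": "TCP", "src_ip": "10.2.0.7", "dest_ip": "203.0.113.9",
               "dest_port": 443, "app_proto": "failed"}},  # no TLS handshake on 443
    {"event": {"proto": "TCP", "src_ip": "10.2.0.8", "dest_ip": "203.0.113.10",
               "dest_port": 443, "app_proto": "tls"}},  # ordinary HTTPS
]
DNS_QUERIES = [
    {"srcids": {"instance": "i-0aaa"}, "query_name": "www.example.com.", "firewall_rule_action": "ALLOW"},
    {"srcids": {"instance": "i-0bbb"}, "firewall_rule_action": "BLOCK",
     "query_name": "a9f3c1e7b2d48c06e5f1a3b9d2c4e8a7.exfil.example.net."},  # encoded chunk
    {"srcids": {"instance": "i-0bbb"}, "query_name": "cdn.example.org.", "firewall_rule_action": "ALLOW"},
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    return -sum(c / len(text) * math.log2(c / len(text)) for c in Counter(text).values())

def hunt_icmp_recon(alerts, min_targets=10):
    """Sources whose ICMP alerts reach many distinct hosts: sweep-like behaviour."""
    targets = defaultdict(set)
    for rec in alerts:
        ev = rec["event"]
        if ev.get("proto") == "ICMP":
            targets[ev["src_ip"]].add(ev["dest_ip"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def hunt_non_tls_443(alerts):
    """TCP/443 flows where the app-layer parser did not identify TLS."""
    return [(e["src_ip"], e["dest_ip"]) for e in (r["event"] for r in alerts)
            if e.get("dest_port") == 443 and e.get("app_proto") != "tls"]

def hunt_dns_exfil(queries, min_label_len=24, min_entropy=3.0):
    """Queries carrying a long, high-entropy label, i.e. data encoded into the name."""
    hits = []
    for q in queries:
        labels = q["query_name"].rstrip(".").split(".")
        if any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy for l in labels):
            hits.append((q["srcids"]["instance"], q["query_name"], q["firewall_rule_action"]))
    return hits
```

Each hunt returns the source address or instance ID alongside the evidence, which is the join key needed to attribute the activity to a specific EC2 instance.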
Full Technical Report (PDF):
https://github.com/SergioValverde/Github-Labs/blob/main/Threat%20Hunting%20AWS%20.pdf