CASE 104 · SPOOL · 2023
Network captures from before the incident started.
A cryptocurrency exchange had experienced a near-miss that it could not fully reconstruct, because it had no packet-level capture of the attacker's traffic. We turned on VPC Traffic Mirroring against the customer-facing API tier with a 72-hour rolling retention, so the next investigation would have ground truth.
Cryptocurrency exchange
SECURITY
2023
RESULTS
What changed, by the numbers.
PCAP RETENTION
72h
STORAGE COST
< $400/mo
IDS DETECTIONS
BONUS
INCIDENT RECONSTRUCTION
POSSIBLE
HOW IT WENT
The near-miss had been resolved by GuardDuty cutting off the suspicious traffic, but the team had spent a week trying to reconstruct exactly what the attacker had probed and never reached a firm conclusion. The audit committee asked: what would we do differently next time? "Capture the packets" was the answer.
Traffic Mirroring fanned the API-tier traffic out to a Network Load Balancer feeding an EKS-hosted Suricata + Zeek pipeline. PCAP files were compressed and landed in S3 with a 72-hour rolling retention. The IDS pipeline picked up secondary signal that GuardDuty does not catch.
Steady-state cost came in under $400/month, far less than the post-incident discovery work the team had budgeted for. The next incident, eight months later, was reconstructed inside four hours from the PCAP archive. The audit committee's question now has a documented answer.
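The retention and reconstruction mechanics described above, as an added example (not the engagement's code): it maps the 72-hour window onto an S3 lifecycle rule, prunes an archive listing to the hour, and picks the capture files an investigator would pull for a Suricata alert. The capture file naming (`capture-<unix_start>.pcap.gz`), the 15-minute rotation interval, the `pcap/` prefix and all function names are assumptions; the S3 listing and the EVE alert line are constructed so it runs offline.

```python
"""Added example (not the engagement's code): helpers for a 72-hour rolling PCAP
archive in S3. Assumptions: capture files rotate every 15 minutes and are named
capture-<unix_start>.pcap.gz under pcap/; the S3 listing is a constructed list of
(key, last_modified) tuples so everything runs offline."""
from datetime import datetime, timedelta, timezone
import json
import re

RETENTION_HOURS = 72
ROTATION = timedelta(minutes=15)             # assumed capture rotation interval
KEY_RE = re.compile(r"capture-(\d+)\.pcap\.gz$")

def lifecycle_rule(prefix="pcap/", days=3):
    """S3 lifecycle rule for the archive. Expiration is whole days, so 72h maps to
    Days=3; S3 applies rules about once a day, so effective retention is 3 to
    roughly 4 days and never less than 72h."""
    return {"Rules": [{"ID": "pcap-rolling", "Filter": {"Prefix": prefix},
                       "Status": "Enabled", "Expiration": {"Days": days}}]}

def expired_keys(objects, now, hours=RETENTION_HOURS):
    """Keys older than the window, from (key, last_modified) pairs as a
    ListObjectsV2 page would give; lets the uploader prune to the hour."""
    cutoff = now - timedelta(hours=hours)
    return sorted(key for key, modified in objects if modified < cutoff)

def alert_window(eve_line, pad=timedelta(minutes=5)):
    """Time window around a Suricata EVE alert (timestamp 2023-09-14T10:23:41.123456+0000)."""
    ts = datetime.strptime(json.loads(eve_line)["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return ts - pad, ts + pad

def archives_for_window(keys, start, end):
    """Capture files whose rotation window overlaps [start, end]: the objects an
    investigator pulls from S3 to reconstruct what happened around an alert."""
    hits = []
    for key in keys:
        m = KEY_RE.search(key)
        if m:
            file_start = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            if file_start <= end and file_start + ROTATION > start:
                hits.append(key)
    return sorted(hits)

# Constructed sample data: four archived captures and one EVE alert line.
NOW = datetime(2023, 9, 14, 12, 0, tzinfo=timezone.utc)
def _key(dt): return f"pcap/capture-{int(dt.timestamp())}.pcap.gz"
LISTING = [(_key(NOW - d), NOW - d) for d in (timedelta(hours=80), timedelta(hours=71),
                                              timedelta(minutes=100), timedelta(minutes=90))]
EVE_ALERT = json.dumps({"timestamp": "2023-09-14T10:23:41.123456+0000",
                        "event_type": "alert", "alert": {"signature": "constructed alert"}})
```

Running `expired_keys(LISTING, NOW)` flags only the 80-hour-old capture, and `archives_for_window` on the window around `EVE_ALERT` returns the single 15-minute file that covers 10:23 UTC.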