Google Compute Engine firewall egress rule opened to the world


Goal

Detect when a Google Compute Engine firewall egress rule is opened to the world.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a v*.compute.firewalls.insert API call is made with the traffic direction as egress (@data.protoPayload.request.direction:EGRESS) and the destination range as all IP addresses (@data.protoPayload.request.destinationRanges:0.0.0.0/0).

An excessively open firewall rule like this could be a sign of an ongoing cryptomining attack.
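As an added illustration (not Datadog's rule implementation), the following Python applies the same three conditions to constructed Google Cloud Audit Log entries; the field names follow the audit log JSON (protoPayload.methodName, protoPayload.request) rather than Datadog's @data.protoPayload attributes, and the sample entries are made up.

```python
import fnmatch

# Constructed sample Google Cloud Audit Log entries (not real logs); only the
# protoPayload fields the rule inspects are included.
SAMPLE_LOGS = [
    {"protoPayload": {  # egress rule opened to the world: should alert
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "request": {"direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"]}}},
    {"protoPayload": {  # ingress rule open to the world: a different rule's concern
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.11"},
        "request": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"]}}},
    {"protoPayload": {  # egress limited to a private range: expected
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "carol@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.12"},
        "request": {"direction": "EGRESS", "destinationRanges": ["10.0.0.0/8"]}}},
    {"protoPayload": {  # same request shape, but a patch rather than an insert
        "methodName": "v1.compute.firewalls.patch",
        "authenticationInfo": {"principalEmail": "dave@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.13"},
        "request": {"direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"]}}},
]

def is_world_open_egress(entry):
    """True when the entry meets all three conditions of the rule."""
    payload = entry.get("protoPayload", {})
    # Method name as written in the rule: any version prefix of compute.firewalls.insert.
    if not fnmatch.fnmatchcase(payload.get("methodName", ""), "v*.compute.firewalls.insert"):
        return False
    request = payload.get("request", {})
    # A request without a direction creates an INGRESS rule (the API default),
    # so only an explicit EGRESS is considered.
    if request.get("direction") != "EGRESS":
        return False
    return "0.0.0.0/0" in request.get("destinationRanges", [])

def find_matches(entries):
    """Return (user, client IP, API method) per match: the fields the triage steps name."""
    hits = []
    for entry in entries:
        if is_world_open_egress(entry):
            p = entry["protoPayload"]
            hits.append((p["authenticationInfo"]["principalEmail"],
                         p["requestMetadata"]["callerIp"], p["methodName"]))
    return hits
```

Running find_matches over the samples yields only Alice's call, which is the one that would start the triage steps below.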

Triage and response

  1. Determine if {{@usr.id}} from IP address {{@network.client.ip}} should have made the {{@evt.name}} API call.
  2. If the API call was not made by the user:
     • Rotate the user credentials.
     • Determine what other API calls were made by the user.
     • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  3. If the API call was made legitimately by the user:
     • Advise the user to modify the IP range to the company private network or bastion host.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
  • 25 September 2024 - Updated query to replace attribute @threat_intel.results.category:anonymizer.