Google Compute Engine firewall egress rule opened to the world

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Compute Engine firewall egress rule is opened to the world.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a v*.compute.firewalls.insert API call is made with the traffic direction as egress (@data.protoPayload.request.direction:EGRESS) and the destination range as all IP addresses (@data.protoPayload.request.destinationRanges:0.0.0.0/0).

An excessively open firewall rule like this could be a sign of an ongoing cryptomining attack.

Triage and response

  1. Determine if {{@usr.id}} from IP address {{@network.client.ip}} should have made the {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user credentials.
  • Determine what other API calls were made by the user.
  • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  1. If the API call was made legitimately by the user:
  • Advise the user to modify the IP range to the company private network or bastion host.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
  • 25 September 2024 - Updated query to replace attribute @threat_intel.results.category:anonymizer.
PREVIEWING: rtrieu/product-analytics-ui-changes