Why (and how) Google Cloud is adding attack path simulation to Security Command Center

As cloud environments scale and evolve based on changing business priorities, security teams may struggle to understand where their biggest risks are and where to focus their security controls. Some cloud security products have begun to incorporate attack path analysis to address this prioritization problem. Attack path analysis is a technique of discovering possible pathways that adversaries can take to access and compromise IT assets.

A common approach in implementing attack path analysis is to produce a graph of all assets, and then query the map to discover possible exploit paths. While this may produce impressive-looking graphs, it requires the management of large query sets, and it often fails to  help teams set the right priorities.

To address this shortcoming of current solutions, we are taking a more intelligent approach in Security Command Center (SCC), our security and risk management solution that is built into Google Cloud. We are adding an advanced simulation engine to attack path analysis that will identify assets that are most vulnerable to attack, which can help defenders know where to apply the right security controls to better protect their cloud environment.

Attack path simulation

Adding automated simulation to attack path analysis enables Security Command Center to model how real-world adversaries could potentially attack cloud resources. Our simulation engine will analyze all assets in a Google Cloud environment, the relationships between these assets, the current state of defenses, and potential security issues, including misconfigurations and vulnerabilities. It will then mimic how an attacker could navigate the environment to gain unauthorized access to high value assets.

Our attack path simulation technology comes from Foreseeti, a Swedish risk analytics company acquired by Google in 2022. Foreseeti was founded by university researchers and scientists who were inspired by large-scale simulations in other industries, including automobile crash tests and the structural analysis of bridges, and sought to apply their research and techniques to improve cybersecurity. 

How it works

Attack path simulation will be driven from an external attacker’s perspective. The simulation engine employs multiple attack methods, across all known paths to valued assets, with the goal of reaching and compromising the asset. It will consider obvious exposure points, such as open firewall ports and public IP addresses, but also factor in less-obvious factors.

For example, the simulation engine will be able to compute scenario-based risk assessments, such as what happens if a user gets phished and also has an over-privileged account; or if an attacker exploits a vulnerability in an operating system, which they can subsequently leverage to abuse a default service account. 

In building the simulation model, we understood that it could potentially yield too many possible attack paths to be useful to security teams. So we configured it to identify the specific attack paths leading to the highest value resources that could be compromised with the least resistance. By factoring in the value of cloud assets (such as databases containing customer information), along with the level of effort and skill required by an attacker to reach the asset, simulation results should reveal the most critical attack paths and the resources most exposed to attackers.

To make day-to-day operations less taxing for security teams, we designed attack simulations to run automatically over time rather than require an engineer to manually invoke them every time there is a change to the environment. Additionally, the attack path simulation model will directly access information about the Google Cloud environment, including detailed asset information, comprehensive security data, and rapid support for new services — helping ensure that simulation results accurately reflect the most current state of the environment. 

Who benefits from attack path simulation?

Attack path simulation can put vital information at the fingertips of security professionals and engineers, including:

• Security Operations Center (SOC) and vulnerability management teams can get more actionable information on their cloud security findings, which can lead to better prioritization of the risks leading to the likeliest attack exposures.

• The Chief Information Security Officer (CISO) can better track and manage risks in their Google Cloud environment over time, and compare progress across projects and teams.

• DevOps teams can design more secure environments and scale faster, better leveraging risk insights to mitigate exposures earlier in the development lifecycle.

How to get attack path simulation for your Google Cloud environment

We'll have more details on the integration of this groundbreaking technology into Security Command Center and its availability for customers soon.

To learn more about how to secure your Google Cloud environment with Security Command Center please visit: https://cloud.google.com/security-command-center