How virtual red team technology can find high-risk security issues before attackers do
Joakim Nydrén
Product Manager, Security Command Center
Nav Jagpal
Principal Engineer, Google Cloud Security
Cloud security teams use cloud-native application protection platforms (CNAPPs) to find misconfigurations and vulnerabilities in their multi-cloud environments. While these solutions can discover thousands of potential security issues in large cloud environments, many fail to answer two fundamental cloud security questions: “Where am I most at risk?” and “What issues should I prioritize?”
Security Command Center can help answer both questions with its virtual red team capability. The virtual red team simulates a sophisticated and determined attacker. It runs millions of attack permutations against a digital twin model of an organization's cloud environment to find gaps in cloud defenses that an external attacker could exploit.
Importantly, the virtual red team can discover attack paths with toxic combinations that are unique to each customer’s cloud environment. Toxic combinations are groups of security issues that can create a path for an attacker to reach high-value cloud resources. These resources could include databases with sensitive customer information, or virtual machines (VMs) running business-critical applications.
This simulation-based approach to surfacing cloud risks is different from the static, rules-based approach employed by most CNAPPs. It empowers Security Command Center customers to find attack paths with toxic combinations that have not been seen before, and it can result in more effective responses to previously–unknown cloud risks.
Why toxic combinations are important
Cloud environments can have thousands of resources, some of which may have security or compliance issues: a misconfiguration, an exploitable software vulnerability, or simply a corporate policy violation. However, not all these issues create the same level of risk.
For example, a VM in a development environment that has been isolated from the production environment is different from a VM configured with a public IP address that has a known vulnerability, and can access a storage bucket containing customer data. The former issue can wait; the latter should be acted on immediately.
Security Command Center can help cloud security teams discover and prioritize these critical issues.
An example of a toxic combination discovered by Security Command Center.
Early approaches to find toxic combinations
Finding toxic combinations is at the heart of many CNAPP solutions. The prevailing approach is to write and run rules to find things that are obvious risks. This can provide immediate value, but some shortcomings soon become apparent:
-
First, how do you define a high-risk attack path or toxic combination? Most vendors write static rules to find cloud security issues. This requires humans to write lots of rules to find risks in even moderately complex cloud environments, and to constantly create new rules to keep pace with new risks.
-
A rule-based approach is inherently limited. It can only find attack paths with toxic combinations that are already known. Does anyone know all the bad things that can happen in a cloud environment? And if they did, could they write rules for all of them?
-
Cloud environments can be highly dynamic, which means that rules should run frequently to discover new risks. If they are not run constantly, results may be out-of-date quickly.
At Google Cloud, we take a different approach.
How virtual red teaming works
Security Command Center finds toxic combinations using virtual red teaming technology, which simulates a motivated and sophisticated attacker attempting to breach your cloud defenses and compromise your high-value assets.
We use a simulation engine that runs millions of attack permutations against a digital twin model of your cloud environment. It looks for all possible paths an attacker could take to reach sensitive cloud resources, and when it finds them it reveals where an external attacker could strike and identifies the cloud resources that could be exposed. Virtual red teaming can help security teams prioritize their responses to threats, so they can eliminate cloud risks before attackers exploit them.
It can find risks for which there are no rules written, or which have not been contemplated by a security vendor’s rule development team. Breaking dependence on static rules enables SCC to find risks that are unique to each cloud environment and decreases the chances of missing critical exposure points.
Here are some real-world risks we have discovered in cloud environments using virtual red teaming:
-
For a retail customer, SCC found an attacker could identify and connect to a publicly-accessible VM, and then exploit a widely exploited vulnerability to gain privileges. These privileges could be used to resume operations on another VM that was suspended, and then log into this second VM running a critical business application.
-
For a financial services customer, SCC found an attacker could gain a foothold on a compute instance in a cloud environment and then abuse permissions in an over-privileged service account to move laterally to a second compute instance. On that second instance, the attacker could then make use of the permissions assigned to the instance service account, which include administrator privileges. The attacker could use these administrator privileges to set an IAM policy that would allow read, write and delete access to a sensitive bigquery dataset.
-
For a healthcare industry customer, SCC found an attacker could phish a user and gain access to an associated cloud service account. The attacker could then use this service account’s privileges to create new keys for other service accounts, and enable access to several high-value resources.
These more complex scenarios illustrate the types of cloud risks that aren’t easily surfaced by purely rules-based approaches. Security Command Center has a better way to help you find the greatest risks in your multicloud environment, providing insight into issues you may not have known existed. We help turn security managers into cloud risk experts who are empowered to make their cloud environments safe for their important applications and data.
Why we believe our approach is more effective
The tactics, techniques, and procedures (TTPs) used by attackers are not static, so your cloud defenses can’t be, either. Our virtual red team technologies simulate the persistence and creativity of real-world attackers, without affecting the performance or integrity of your production cloud environment. In the process of virtual red teaming we:
-
Build a digital twin model. Instead of analyzing a production cloud environment, we build a non-production, digital twin model of your unique cloud environment. This model does not contain your data or applications, but has knowledge of how your cloud environment is set up, including cloud resource configurations, IAM permissions, software vulnerability information, and the location of sensitive data.
-
Use large-scale simulation. Using the digital twin model, we can simulate millions of potential attack paths that could allow an attacker to reach and compromise high-value resources.
-
Use probabilistic reasoning. Virtual red teaming considers common attacker tactics, such phishing attacks and credential theft, during attack simulations. We run what-if attack permutations and compute toxic combinations that can lead to attack paths that expose cloud resources.
-
Infuse frontline threat intelligence. The simulation also incorporates threat intelligence from Mandiant experts who investigate cyber incidents. We use information about actively exploited software vulnerabilities to determine the greatest risks in the cloud environment.
You can learn more about virtual red team capabilities in Security Command Center in our Security Talks presentation or our technical webinar.
Make Google part of your security team
To evaluate Security Command Center capabilities and explore subscription options, please contact a Google Cloud sales representative or authorized Google Cloud partner. You can also join our Security Command Center user community for product news and technical advice.
You can learn how to activate Security Command Center here.