This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A potentially malicious actor has requested to delete a backup image.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
- Open the Inhibit System Recovery: Google Cloud Backup and DR expire image finding, as detailed in Reviewing findings. The details panel for the finding opens to the Summary tab.
- On the Summary tab, review the information in the following sections:
  - What was detected, especially the following fields:
    - Policy name: the name for a single policy, which defines backup frequency, schedule, and retention time
    - Template name: the name for a set of policies that define backup frequency, schedule, and retention time
    - Profile name: specifies the storage target for backups of application and VM data
    - Principal subject: a user that has successfully executed an action
  - Affected resource
    - Resource display name: the project in which the backup image was deleted
  - Related links, especially the following fields:
    - MITRE ATT&CK method: link to the MITRE ATT&CK documentation
    - Logging URI: link to open the Logs Explorer
Step 2: Research attack and response methods
Contact the owner of the service account in the Principal email field. Confirm whether the legitimate owner conducted the action.
Step 3: Implement your response
- In the project where the action was taken, navigate to the management console.
 - Navigate to the Monitor tab and select Jobs to review the status of the delete backup job.
 - If a delete job is not authorized, navigate to IAM permissions to review users with access to backup data.
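
For the IAM review in the last step, the following added example (not part of the original document and not Google tooling) lists which principals in a project IAM policy hold Backup and DR roles or the basic owner and editor roles, and marks the principal named in the finding. The sample policy and all account names are constructed, and the `roles/backupdr.` prefix filter and the function name `backup_access` are assumptions.

```python
import json

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/backupdr.admin",
   "members": ["serviceAccount:backup-sa@example-project.iam.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/owner", "members": ["user:bob@example.com"]},
  {"role": "roles/viewer", "members": ["user:carol@example.com"]},
  {"role": "roles/editor", "members": ["group:ops@example.com"],
   "condition": {"title": "business-hours", "expression": "request.time.getHours() < 18"}}
]}
""")

# Assumption: Backup and DR predefined roles start with this prefix; the basic
# owner and editor roles are included because they grant broad project access.
BACKUP_ROLE_PREFIX = "roles/backupdr."
BROAD_ROLES = {"roles/owner", "roles/editor"}


def backup_access(policy, finding_principal=None):
    """Return (member, role, conditional, matches_finding) tuples for every
    binding that can reach backup data, finding principal first."""
    rows = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not (role.startswith(BACKUP_ROLE_PREFIX) or role in BROAD_ROLES):
            continue
        conditional = "condition" in binding  # conditional grants need a closer look
        for member in binding.get("members", []):
            # Strip the "user:" / "serviceAccount:" type prefix and any "?uid=" suffix.
            identity = member.split(":")[-1].split("?")[0]
            matches = (finding_principal is not None
                       and identity.lower() == finding_principal.lower())
            rows.append((member, role, conditional, matches))
    return sorted(rows, key=lambda r: (not r[3], r[0]))


if __name__ == "__main__":
    principal = "backup-sa@example-project.iam.gserviceaccount.com"
    for member, role, conditional, matches in backup_access(SAMPLE_POLICY, principal):
        flag = "FINDING PRINCIPAL" if matches else ""
        print(f"{member:75} {role:22} conditional={conditional} {flag}")
```

Principals that appear in the output but have no operational need to expire or delete backups are candidates for removal from those bindings.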
 
What's next
- Learn how to work with threat findings in Security Command Center.
 - Refer to the Threat findings index.
 - Learn how to review a finding through the Google Cloud console.
 - Learn about the services that generate threat findings.