This page provides an overview of the concept of a toxic combination and of the findings and cases that you, a vulnerability analyst or other role responsible for securing your cloud environment, can use to identify, prioritize, and remediate any toxic combinations.
Toxic combination findings and cases help you to more effectively identify risk and improve security in your cloud environments, including Google Cloud and Amazon Web Services (AWS) (Preview).
Definition of a toxic combination
A toxic combination is a group of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.
A security issue is anything that contributes to the exposure of your cloud resources, such as a particular configuration of resources, a misconfiguration, or a software vulnerability.
The Risk Engine of Security Command Center Enterprise detects toxic combinations during the attack path simulations it runs. For each toxic combination that Risk Engine detects, it issues a finding. Each toxic combination includes a unique attack exposure score, called a toxic combination score, that measures the risk of the toxic combination to the high-value resource set in your cloud environment. Risk Engine also generates a visualization of the attack path that the toxic combination creates to the resources in your high-value resource set.
You work with toxic combination findings through cases, but if you need to see the findings themselves, you can see them in the Google Cloud console on the Findings page, where you can filter the findings by the Toxic combination finding class or sort the findings by Toxic combination score.
Attack exposure scores on toxic combinations
Risk Engine calculates an attack exposure score for each toxic combination. These attack exposure scores are also called toxic combination scores in some contexts, such as the Findings page of the Google Cloud console. The score is a measure of how much a toxic combination exposes one or more of the resources in your high-value resource set to potential attacks.
Toxic combination scores are similar to attack exposure scores on other types of findings, but are applied to a set of attack steps rather than a finding of an individual software vulnerability or misconfiguration.
By default, toxic combinations are classified as critical severity findings and critical priority cases. Compare the toxic combination scores to help you prioritize between toxic combination cases.
Like attack exposure scores for other findings, toxic combination scores are derived from the following:
- The number of resources in your high-value resource set that are exposed and the priority values and attack exposure scores of those resources.
- The likelihood that a determined attacker could succeed in reaching a high-value resource by leveraging the toxic combination.
For more information, see Attack exposure scores.
Attack path visualizations for toxic combinations
Risk Engine provides a visual depiction of the attack paths that a toxic combination creates to resources in your high-value resource set. An attack path represents a series of attack steps and their related security issues and resources that a potential attacker could use to reach your resources.
The attack path helps you understand the relationships between the issues in a toxic combination and how together they form paths to resources in your high-value resource set. The path visualization also shows you how many valued resources are exposed and their relative importance to your cloud environment.
In the Security Operations console, the resources with security issues that make up the toxic combination are highlighted by a bold yellow diamond-shaped border on the attack path. In the Google Cloud console, the attack paths look the same as the attack paths for other finding types.
In the Security Operations console, Security Command Center provides two versions of a toxic combination attack path. The first is a simplified version that appears on the case overview tab in a toxic combination case. The second version shows the full attack paths. You can open the full attack paths by clicking Explore full attack paths in the simplified attack path or by clicking Explore toxic combination attack path in the upper right corner of the case view.
The following screenshot is an example of a simplified attack path.
In the Google Cloud console, the full attack path is always displayed.
For more information, see Attack paths.
Toxic combination cases
Security Command Center Enterprise opens a case in the Security Operations console for each toxic combination finding that Risk Engine issues.
The case is the primary way to investigate and track the remediation of a toxic combination. In the case view, you can find the following information:
- A description of the toxic combination
- The attack exposure score of the toxic combination
- A visualization of the attack path that the toxic combination creates
- Information about the affected resource
- Information about the steps you can take to remediate the toxic combination
- Information about any related findings from other Security Command Center detection services, including links to their associated cases
- Any applicable playbooks
- Any associated tickets
In the Security Operations console, the Security Command Center Posture Overview page provides an overview of all of the toxic combination cases for your environment. The Posture Overview page contains widgets that show you toxic combination cases by priority, by attack exposure score, and by the time left in their service level agreement (SLA).
On the Cases page in the Security Operations console, you can query or filter toxic combination cases by using the TOXIC_COMBINATION tag that they include. You can also visually identify toxic combination cases by the following icon:
In the Google Cloud console, the Security Command Center Risk Overview page also displays the Top risk cases table, which can include a mix of toxic combination cases with the highest attack exposure score and individual cases with the highest priority. The listed findings include a link to the corresponding case in the Security Operations console.
For more information about viewing toxic combination cases, see View toxic combination cases.
Case priority
By default, toxic combination cases have a priority of Critical to match the severity of the toxic combination finding and its associated alert in the toxic combination case.
After a case is opened, you can change the priority of the case or of the alert.
Changing the priority of a case or an alert does not change the severity of the finding.
Closing cases
The disposition of toxic combination cases is determined by the state of the underlying finding. When a finding is first issued, its state is Active.
If you remediate the toxic combination, Risk Engine automatically detects the remediation during the next attack path simulation and closes the case. Simulations run approximately every six hours.
Alternatively, if you determine that the risk posed by the toxic combination is acceptable or unavoidable, you can close a case by muting the toxic combination finding.
When you mute a toxic combination finding, the finding remains active, but Security Command Center closes the case and omits the finding from default queries and views.
For more information, see the following:
Related findings
Many of the individual security issues that make up a toxic combination that Risk Engine detects are also detected by other Security Command Center detection services. These other detection services issue separate findings for these issues. These findings are listed in a toxic combination case as related findings.
Because related findings are issued separately from the toxic combination finding, separate cases are opened for them, different playbooks are run for them, and other members of your team may be working on their remediation independently from the remediation of the toxic combination finding.
Check the status of the cases for these related findings and, if necessary, ask the owners of the cases to prioritize their remediation to help resolve the toxic combination.
In a toxic combination case, any related findings are listed in the Findings widget on the overview tab. For each related finding, the widget includes a link to its corresponding case.
Related findings are also identified in the toxic combination attack path.
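As an added example (not Google's code and not the product's client library), the following Python triage helper applies the prioritization rules described on this page to findings shaped like the Security Command Center API Finding resource: it keeps toxic combination findings that are active and not muted, ranks them by toxic combination score, and lists the related findings that are still active. The field names (findingClass, state, mute, toxicCombination.attackExposureScore, toxicCombination.relatedFindings) and the sample findings are assumptions constructed for the example.

```python
"""Triage helper for toxic-combination findings (added example, not Google's code).
Field names are assumptions modelled on the SCC API Finding resource; the sample
findings below are constructed for illustration."""

ORG = "organizations/123456/sources"  # constructed resource prefix


def finding(name, cls, score=None, related=(), state="ACTIVE", mute="UNMUTED"):
    """Build a dict shaped like an SCC Finding (constructed sample data)."""
    doc = {"name": f"{ORG}/{name}", "findingClass": cls, "state": state, "mute": mute}
    if cls == "TOXIC_COMBINATION":
        doc["toxicCombination"] = {"attackExposureScore": score,
                                   "relatedFindings": [f"{ORG}/{r}" for r in related]}
    return doc


# Constructed sample: four toxic combinations plus the individual findings they reference.
SAMPLE = [
    finding("tc-1", "TOXIC_COMBINATION", 41.5, ["vuln-a", "misc-b"]),
    finding("tc-2", "TOXIC_COMBINATION", 87.2, ["vuln-c"]),
    finding("tc-3", "TOXIC_COMBINATION", 99.0, ["vuln-c"], mute="MUTED"),  # risk accepted, case closed
    finding("tc-4", "TOXIC_COMBINATION", 12.0, [], state="INACTIVE"),      # remediated by simulation
    finding("vuln-a", "VULNERABILITY"),
    finding("misc-b", "MISCONFIGURATION", state="INACTIVE"),
    finding("vuln-c", "VULNERABILITY"),
]


def open_toxic_combinations(findings):
    """Keep toxic combinations that still need work: active and not muted.
    A muted finding stays ACTIVE, but its case is closed and it leaves default views."""
    return [f for f in findings
            if f["findingClass"] == "TOXIC_COMBINATION"
            and f["state"] == "ACTIVE" and f["mute"] != "MUTED"]


def triage(findings):
    """Rank open toxic combinations by toxic combination score (highest first) and
    list the related findings still active; those are the cases other owners may
    need to prioritise before the attack path can be closed."""
    by_name = {f["name"]: f for f in findings}
    rows = []
    for tc in sorted(open_toxic_combinations(findings),
                     key=lambda f: f["toxicCombination"]["attackExposureScore"],
                     reverse=True):
        still_open = [r for r in tc["toxicCombination"]["relatedFindings"]
                      if by_name.get(r, {}).get("state") == "ACTIVE"]
        rows.append({"name": tc["name"],
                     "score": tc["toxicCombination"]["attackExposureScore"],
                     "open_related": still_open})
    return rows
```

Running `triage(SAMPLE)` returns tc-2 first, then tc-1; tc-3 (muted) and tc-4 (inactive) are dropped, and the inactive misc-b is not listed as blocking tc-1.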
How Risk Engine detects toxic combinations
Risk Engine runs attack path simulations on all of your cloud resources approximately every six hours.
During the simulations, Risk Engine identifies potential attack paths to the high-value resource set in your cloud environment and calculates attack exposure scores for findings and your valued resources. If Risk Engine detects a toxic combination during the simulations, it issues a finding.
For more information about attack path simulations, see Attack path simulations.