Toxic combinations and chokepoints overview

Toxic combinations are a group of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to compromise those resources.

The Risk Engine of Security Command Center Enterprise detects toxic combinations during the attack path simulations that it runs. For each toxic combination that Risk Engine detects, it generates a finding. Each toxic combination includes a unique attack exposure score, called a toxic combination score, that measures the risk of the toxic combination to the high-value resource set in your cloud environment. Risk Engine also generates a visualization of the attack path that the toxic combination creates to the resources in your high-value resource set.

Chokepoints (Preview) are similar to toxic combinations, but focus on common resources or resource groups where multiple attack paths converge. As a consequence, remediating a chokepoint can remediate multiple toxic combinations.

Toxic combinations can be found for Google Cloud and Amazon Web Services (AWS) (Preview). Chokepoints can be found for Google Cloud.

View toxic combinations and chokepoints

The highest risk toxic combinations and chokepoints are displayed as issues (Preview) on the Risk > Overview page in the Security Operations console.

You can view all toxic combinations and chokepoints in greater detail on the Risk > Issues page. Toxic combinations can also be viewed on the Cases page.

To view findings related to toxic combinations and chokepoints in the Google Cloud console, go to the Findings page and filter by the Toxic combination or Chokepoint finding class.

Attack exposure scores on toxic combinations and chokepoints

Risk Engine calculates an attack exposure score for each toxic combination and chokepoint. This score is a measure of how much a toxic combination or chokepoint exposes one or more of the resources in your high-value resource set to potential attacks. The higher the score, the higher the risk.

Attack exposure scores for toxic combinations and chokepoints are derived from the following:

  • The number of exposed resources in your high-value resource set, and the priority values and attack exposure scores of those resources.
  • The likelihood that a determined attacker could succeed in reaching a high-value resource by leveraging the toxic combination or chokepoint.

Based on the attack exposure score, toxic combinations can have one of the following severities assigned to them:

  • Critical: Toxic combinations with an attack exposure score ≥ 10.
  • High: Toxic combinations with an attack exposure score < 10.

Chokepoints always have an attack exposure score ≥ 10, and so always have a critical severity rating.

For more information, see Attack exposure scores.

Attack path visualizations for toxic combinations and chokepoints

Risk Engine provides a visual depiction of the toxic combination and chokepoint attack paths that lead to your high-value resource set. An attack path represents a series of attack steps that include the related security issues and resources that a potential attacker could use to reach your resources.

Attack paths help you to understand the relationships between the individual security issues in a toxic combination or chokepoint, and how they form paths to resources in your high-value resource set. The path visualization also shows you how many high-value resources are exposed and their relative importance to your cloud environment.

In the Security Operations console, resources on an attack path are color-coded in the following way:

  • Resources with security issues that contribute to a toxic combination are highlighted with a yellow border.
  • Resources that are identified as a chokepoint are highlighted with a red border.

You can view attack paths in multiple places in the Security Operations console. A simplified version of the attack path is shown in the following places:

  • The Risk > Overview page, for items in the Riskiest issues widget.
  • The Risk > Issues page, when an issue is selected. You can access the simplified attack path in the Overview tab of the issue.
  • The Cases page, when a case is selected. You can access the simplified attack path in the Case overview tab.

To view the full version of an attack path, view the simplified version, and then click Explore full attack paths.

The following screenshot is an example of a simplified attack path for a toxic combination:

A simplified toxic combination attack path as shown in the Security Operations console

The following screenshot is an example of a simplified attack path for a chokepoint:

A simplified chokepoint attack path as shown in the Security Operations console

In the Google Cloud console, the full attack path is always displayed.

For more information, see Attack paths.

Many of the individual risks that make up toxic combinations and chokepoints are also detected by other Security Command Center detection services. These other detection services generate separate findings for these risks, which are listed in issues (Preview) and cases as related findings. Related findings are also identified in attack paths.

For toxic combinations, separate cases are opened for the related findings, different playbooks are run, and other members of your team might be working on their remediation independently from the remediation of the toxic combination finding. Check the status of the cases for these related findings and, if necessary, ask the owners of the cases to prioritize their remediation to help resolve the toxic combination.

Cases

Security Command Center Enterprise opens a case in the Security Operations console for each toxic combination finding that's generated. Chokepoints don't generate cases.

In the case view, you can find the following information related to toxic combinations:

  • A description of the toxic combination
  • The attack exposure score of the toxic combination
  • A visualization of the attack path that the toxic combination creates
  • Information about the affected resources
  • Information about the steps you can take to remediate the toxic combination
  • Information about any related findings from other Security Command Center detection services, including links to their associated cases
  • Applicable playbooks
  • Associated tickets

On the Cases page in the Security Operations console, you can query or filter toxic combination cases by using the Toxic Combination tag. You can also visually identify toxic combination cases in the case list by the toxic combination icon.

For more information about viewing toxic combination cases, see View toxic combination cases.

Case priority

By default, the priority of a toxic combination case is set to the same value as the severity of the toxic combination finding and of the associated alert in that case. This means that all toxic combination cases initially have a priority of Critical or High.

After a case is opened, you can change the priority of the case or of the alert. Changing the priority of a case or an alert does not change the severity of the finding.

Closing cases

When a finding is first generated for a toxic combination, its state is Active.

If you remediate the toxic combination, Risk Engine automatically detects the remediation during the next attack path simulation and closes the case. Simulations run approximately every six hours.

Alternatively, if you determine that the risk posed by a toxic combination is acceptable or unavoidable, you can close a case by muting the finding.

When you mute a finding, the finding remains active, but Security Command Center closes the case and omits the finding from default queries and views.

For more information, see the following: