After decades of managing and securing identities in data centers, security and IT operations teams face new challenges when detecting identity compromise in their public cloud environments. Protecting cloud service accounts against leaked keys, privilege escalation in complex authorization systems, and insider threats are vital tasks when considering the threat landscape.

Security Command Center Premium, our built-in security and risk management solution for Google Cloud, has released new capabilities to help detect compromised identities and protect against risks from external attackers and malicious insiders. 

Why identity security is complex

In Google Cloud, there are three types of principals used to manage identities:

  • Google accounts: Human end users of Google Cloud
  • Service accounts: Used by applications and workloads to access resources
  • Groups: Collections of Google accounts or service accounts  

Once a principal has been defined, the IT team needs to assign it the correct permissions to access Google Cloud resources. Permissions are assigned based on roles, which govern what resources may be accessed. In some cloud environments, it makes sense for one principal to legitimately act with the permissions of another principal. This is referred to as service account impersonation.

Using Groups can make managing identities even more complex. For example, Groups can consist of users that are either inside or outside the organization. Further, Groups can contain other Groups, including those from outside the organization.

While this framework offers organizations flexibility and efficiency in managing cloud identities and resources, the potential complexity, especially at scale, can be a source of risk.

Importance of identity threat detection in cloud

Identity Access Management (IAM) policies govern how principals can access data, create new compute instances, and modify security settings in Google Cloud projects, folders, and organizations. Security Command Center Premium can detect risky IAM policy changes and behavior by principals that may indicate possible account takeover. Detection happens over the full attack chain, from initial credential access and discovery, thorough privilege escalation, and finally attacker persistence. 

Security Command Center Premium is able to provide these differentiated detection capabilities because it is engineered into the Google Cloud infrastructure, and has first-party access to core platform services such as Google Groups. It operates within carefully reviewed security and privacy controls to keep Google Cloud customer data private. 

New identity threat detectors in Security Command Center Premium

Security Command Center Premium includes new detections for:

  • Excessive failed attempts: This detector analyzes the logs created when a principal attempts to access a resource and is denied per the policy. While some number of denied attempts is normal, Security Command Center looks for cases that are anomalously high. These anomalies potentially can indicate an adversary attempting to enumerate their privileges or explore a privileged environment. 
  • Anomalous service account impersonation: Service account impersonation allows one principal to act with the permissions of another. While this is a normal approach to permission management for some organizations, this new Security Command Center detector is designed to identify anomalously long impersonation chains, which are often a sign of an adversary engaging in privilege escalation. 
  • Dormant service account activity: Managing the sprawl of service accounts is difficult in any cloud environment, but Google Cloud helps with Google policy intelligence service. In addition to making proactive recommendations about which service accounts are no longer in regular use, Security Command Center now alerts users about activity taken by a service account that has been dormant for a meaningful period of time. 

These new detectors augment Security Command Center’s existing defenses against common identity threats:

  • UEBA (User and Entity Behavior Analytics) new geography, user agent, and client library: Security Command Center can identify when a principal makes a change in Google Cloud configurations from a new geographical location, or with a new client library. While these are not conclusive proof of account compromise, they are signals that help an analyst understand the state of an account in the context of other findings pertaining to the same principal.  
  • UEBA new API method: This Security Command Center feature is designed to detect over-permissioned accounts that deviate from their established pattern of behavior. It fires when a service account uses an API, or method on an API, that it had not used in its first seven days after creation. 
  • Discovery: Service account self investigation: It is normal for a human user to look up their own IAM policy before embarking on a project so they can ensure they are equipped with necessary permissions. It is far less common for a service account to resolve its own IAM policy. When a service account resolves its own IAM policy, it is often a sign that an adversary has compromised a service account key and is engaging in discovery tactics to see their permissions.
  • Persistence: Grants and Groups: Adversaries can attempt to establish backup or hidden administrative accounts in Groups to gain persistence in a cloud environment. Security Command Center automatically inspects group membership and alerts if there are external members inside of groups that have received sensitive privileges.
  • Defense evasion: Access from anonymizing proxy: Security Command Center detects when principals make changes to cloud environments from anonymizing proxies. While it is not unusual to browse the web from anonymizing proxies, such as Tor exit nodes, there are few legitimate purposes to using these proxies when managing cloud environments. Security Command Center uses a list of anonymizing proxies that is regularly updated by our Google Cloud Threat Intelligence team.

Securing a cloud environment requires the ability to detect identity-based threats. Security Command Center continues to augment detection and remediation capabilities for Google Cloud customers. Go to your Google Cloud console to get started today with these new capabilities in Security Command Center.