GCP - Security Enum


Basic Information

Google Cloud Platform (GCP) Security encompasses a comprehensive suite of tools and practices designed to ensure the security of resources and data within the Google Cloud environment, divided into four main sections: Security Command Center, Detections and Controls, Data Protection and Zero Trust.

Security Command Center

The Google Cloud Platform (GCP) Security Command Center (SCC) is a security and risk management tool for GCP resources that enables organizations to gain visibility into and control over their cloud assets. It helps detect and respond to threats by offering comprehensive security analytics, identifying misconfigurations, ensuring compliance with security standards, and integrating with other security tools for automated threat detection and response.

  • Overview: Panel to visualize an overview of all the results of the Security Command Center.

  • Threats: [Premium Required] Panel to visualize all the detected threats. Check more about Threats below.

  • Vulnerabilities: Panel to visualize found misconfigurations in the GCP account.

  • Compliance: [Premium Required] This section allows you to test your GCP environment against several compliance standards (such as PCI-DSS, NIST 800-53, CIS benchmarks...) across the organization.

  • Assets: This section shows all the assets in use, very useful for sysadmins (and maybe attackers) to see what is running in a single page.

  • Findings: This aggregates into a table the findings from the different sections of GCP Security (not only Command Center), making it easy to visualize the findings that matter.

  • Sources: Shows a summary of the findings from all the different sections of GCP security, grouped by section.

  • Posture: [Premium Required] Security Posture allows you to define, assess, and monitor the security of the GCP environment. It works by creating policies that define constraints or restrictions which control/monitor the resources in GCP. There are several pre-defined posture templates that can be found in https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy

Threats

From the perspective of an attacker, this is probably the most interesting feature, as it could detect the attacker. However, note that this feature requires Premium (which means that the company will need to pay more), so it might not even be enabled.

There are 3 types of threat detection mechanisms:

  • Event Threats: Findings produced by matching events from Cloud Logging based on rules created internally by Google. It can also scan Google Workspace logs.

  • Container Threats: Findings produced after analyzing the low-level kernel behavior of containers.

  • Custom Threats: Rules created by the company.

It's possible to find recommended responses to detected threats of these types in https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event_response


# Get a source
gcloud scc sources describe <org-number> --source=5678
## If the response is that the service is disabled or that the source is not found, then it isn't enabled

# Get notifications
gcloud scc notifications list <org-number>

# Get findings (if not premium these are just vulnerabilities)
gcloud scc findings list <org-number>
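Once findings have been exported with `gcloud scc findings list <org-number> --format=json`, a quick triage tells a defender whether threat detection (Premium) is actually producing findings or whether everything is a plain misconfiguration. The script below is an added example, not part of the original page or of any Google tool; it assumes the ListFindingsResult shape gcloud prints (`{"finding": {...}, "resource": {...}}`), uses the Finding field `parentDisplayName` to identify the source, and the sample records and the list of threat-source names are constructed.

```python
"""Triage exported SCC findings: active counts by severity, threats vs. vulns."""
import json
from collections import Counter

# Display names of SCC's built-in threat detectors (assumption: only these
# two are checked here; real environments may have more sources).
THREAT_SOURCES = {"Event Threat Detection", "Container Threat Detection"}

# Constructed sample mimicking `gcloud scc findings list --format=json`:
# two misconfigurations (one already INACTIVE) and one event threat.
SAMPLE_JSON = json.dumps([
    {"finding": {"category": "PUBLIC_BUCKET_ACL", "severity": "HIGH",
                 "state": "ACTIVE", "parentDisplayName": "Security Health Analytics"},
     "resource": {"displayName": "example-bucket"}},
    {"finding": {"category": "OPEN_SSH_PORT", "severity": "MEDIUM",
                 "state": "INACTIVE", "parentDisplayName": "Security Health Analytics"},
     "resource": {"displayName": "example-vm"}},
    {"finding": {"category": "Persistence: IAM Anomalous Grant", "severity": "HIGH",
                 "state": "ACTIVE", "parentDisplayName": "Event Threat Detection"},
     "resource": {"displayName": "projects/example-project"}},
])


def load_findings(text):
    """Parse the gcloud JSON output and keep only findings still ACTIVE."""
    return [r for r in json.loads(text) if r["finding"].get("state") == "ACTIVE"]


def count_by_severity(results):
    """Count active findings per severity level (CRITICAL/HIGH/MEDIUM/LOW)."""
    return dict(Counter(r["finding"].get("severity", "UNSPECIFIED") for r in results))


def is_threat(result):
    """True when the finding was emitted by one of the threat-detection sources."""
    return result["finding"].get("parentDisplayName") in THREAT_SOURCES


def split_threats(results):
    """Separate threat findings (evidence that Premium detection is live) from vulns."""
    threats = [r for r in results if is_threat(r)]
    vulns = [r for r in results if not is_threat(r)]
    return threats, vulns


if __name__ == "__main__":
    active = load_findings(SAMPLE_JSON)
    print("active by severity:", count_by_severity(active))
    threats, vulns = split_threats(active)
    for r in threats:
        print("THREAT", r["finding"]["category"], "on", r["resource"]["displayName"])
    print(f"{len(vulns)} misconfiguration finding(s), {len(threats)} threat finding(s)")
```

If the threats list is empty across a whole organization, either no threat has fired or Premium threat detection is simply not enabled, which the `gcloud scc sources describe` check above distinguishes.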

Post Exploitation

GCP - Security Post Exploitation

Detections and Controls

  • Chronicle SecOps: An advanced security operations suite designed to help teams increase the speed and impact of their security operations, including threat detection, investigation, and response.

  • reCAPTCHA Enterprise: A service that protects websites from fraudulent activities like scraping, credential stuffing, and automated attacks by distinguishing between human users and bots.

  • Web Security Scanner: Automated security scanning tool that detects vulnerabilities and common security issues in web applications hosted on Google Cloud or on another web service.

  • Risk Manager: A governance, risk, and compliance (GRC) tool that helps organizations assess, document, and understand their Google Cloud risk posture.

  • Binary Authorization: A security control for containers that ensures only trusted container images are deployed on Kubernetes Engine clusters according to policies set by the enterprise.

  • Advisory Notifications: A service that provides alerts and advisories about potential security issues, vulnerabilities, and recommended actions to keep resources secure.

  • Access Approval: A feature that allows organizations to require explicit approval before Google employees can access their data or configurations, providing an additional layer of control and auditability.

  • Managed Microsoft AD: A service offering managed Microsoft Active Directory (AD) that allows users to use their existing Microsoft AD-dependent apps and workloads on Google Cloud.

Data Protection

  • Sensitive Data Protection: Tools and practices aimed at safeguarding sensitive data, such as personal information or intellectual property, against unauthorized access or exposure.

  • Data Loss Prevention (DLP): A set of tools and processes used to identify, monitor, and protect data in use, in motion, and at rest through deep content inspection and by applying a comprehensive set of data protection rules.

  • Certificate Authority Service: A scalable and secure service that simplifies and automates the management, deployment, and renewal of SSL/TLS certificates for internal and external services.

  • Key Management: A cloud-based service that allows you to manage cryptographic keys for your applications, including the creation, import, rotation, use, and destruction of encryption keys. More info in:

GCP - KMS Enum

  • Certificate Manager: A service that manages and deploys SSL/TLS certificates, ensuring secure and encrypted connections to your web services and applications.

  • Secret Manager: A secure and convenient storage system for API keys, passwords, certificates, and other sensitive data, which allows for the easy and secure access and management of these secrets in applications. More info in:

GCP - Secrets Manager Enum

Zero Trust

  • BeyondCorp Enterprise: A zero-trust security platform that enables secure access to internal applications without the need for a traditional VPN, by relying on verification of user and device trust before granting access.

  • Policy Troubleshooter: A tool designed to help administrators understand and resolve access issues in their organization by identifying why a user has access to certain resources or why access was denied, thereby aiding in the enforcement of zero-trust policies.

  • Identity-Aware Proxy (IAP): A service that controls access to cloud applications and VMs running on Google Cloud, on-premises, or other clouds, based on the identity and the context of the request rather than by the network from which the request originates.

  • VPC Service Controls: Security perimeters that provide additional layers of protection to resources and services hosted in Google Cloud's Virtual Private Cloud (VPC), preventing data exfiltration and providing granular access control.

  • Access Context Manager: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more.
