GCP Virtual Private Cloud Route Creation

Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
flow of network traffic in their target's cloud environment.
"""
false_positives = [
    """
    Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Route Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Virtual Private Cloud Route Creation

In Google Cloud Platform, VPC routes dictate the network paths for traffic from VM instances to various destinations, both within and outside the VPC. Adversaries may exploit this by creating routes to reroute or intercept traffic, potentially disrupting or spying on network communications. The detection rule identifies such activities by monitoring specific audit events related to route creation, aiding in the early detection of unauthorized network modifications.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:gcp.audit and event.action values (v*.compute.routes.insert or "beta.compute.routes.insert") to identify the exact time and user account associated with the route creation.
- Examine the details of the newly created route, including the destination IP range and next hop, to determine if it aligns with expected network configurations or if it appears suspicious.
- Check the IAM permissions and roles of the user account that created the route to assess if they had the necessary privileges and if those privileges are appropriate for their role.
- Investigate any recent changes in the environment that might explain the route creation, such as new deployments or changes in network architecture.
- Correlate the route creation event with other security events or alerts in the same timeframe to identify potential patterns or coordinated activities that could indicate malicious intent.
- Consult with the network or cloud infrastructure team to verify if the route creation was part of an authorized change or if it was unexpected.

### False positive analysis

- Routine network configuration changes by authorized personnel can trigger alerts. To manage this, maintain a list of known IP addresses and users who frequently make legitimate changes and exclude their activities from triggering alerts.
- Automated deployment tools that create or modify routes as part of their normal operation may cause false positives. Identify these tools and their associated service accounts, then configure exceptions for these accounts in the monitoring system.
- Scheduled maintenance activities often involve creating or updating routes. Document these activities and set temporary exceptions during the maintenance window to prevent unnecessary alerts.
- Integration with third-party services might require route creation. Verify these integrations and whitelist the associated actions to avoid false positives.
- Development and testing environments may have frequent route changes. Consider applying different monitoring thresholds or rules for these environments to reduce noise.

### Response and remediation

- Immediately isolate the affected VM instances by removing or disabling the suspicious route to prevent further unauthorized traffic redirection.
- Conduct a thorough review of recent route creation activities in the GCP environment to identify any other unauthorized or suspicious routes.
- Revoke any unauthorized access or permissions that may have allowed the adversary to create the route, focusing on IAM roles and service accounts with route creation privileges.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement network monitoring and logging to detect any future unauthorized route creation attempts, ensuring that alerts are configured for similar activities.
- Review and update the GCP VPC network security policies to enforce stricter controls on route creation and modification, limiting these actions to trusted administrators only.
- If applicable, report the incident to Google Cloud support for further assistance and to understand if there are any additional security measures or advisories.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
risk_score = 21
rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
...
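As an added example (not part of the Elastic rule or its repository), the following Python re-creates the rule's KQL match condition against constructed GCP audit events and applies the triage and exception steps the guide describes: it extracts the acting principal, destination range and next hop, honours an exception list of expected service accounts, and escalates catch-all routes. The gcp.audit.* field names and the sample principals are assumptions; only event.dataset and event.action come from the rule.

```python
import fnmatch
import ipaddress

# Constructed sample events in the ECS shape the rule queries. event.dataset and
# event.action come from the rule; the gcp.audit.* field names are assumptions.
SAMPLE_EVENTS = [
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.insert"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "alice@example.com"},
                       "request": {"destRange": "0.0.0.0/0", "nextHopInstance": "zones/z/instances/vm-1"}}}},
    {"event": {"dataset": "gcp.audit", "action": "beta.compute.routes.insert"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "deploy@p.iam.gserviceaccount.com"},
                       "request": {"destRange": "10.8.0.0/24", "nextHopGateway": "default-internet-gateway"}}}},
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.delete"}},
    {"event": {"dataset": "aws.cloudtrail", "action": "v1.compute.routes.insert"}},
]
# Service accounts whose route changes are expected (a constructed exception list).
EXPECTED_PRINCIPALS = {"deploy@p.iam.gserviceaccount.com"}


def field(event, path, default=None):
    """Walk a dotted ECS path such as 'event.action' through nested dicts."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(event):
    """The rule's KQL: event.dataset:gcp.audit and
    event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")."""
    if field(event, "event.dataset") != "gcp.audit":
        return False
    action = field(event, "event.action", "")
    return fnmatch.fnmatchcase(action, "v*.compute.routes.insert") or action == "beta.compute.routes.insert"


def triage(event, expected=EXPECTED_PRINCIPALS):
    """Extract what the investigation steps ask for (who, destination range, next hop)
    and mark expected exceptions; a catch-all 0.0.0.0/0 route is escalated."""
    principal = field(event, "gcp.audit.authentication_info.principal_email", "unknown")
    request = field(event, "gcp.audit.request", {}) or {}
    dest = request.get("destRange")
    next_hop = next((v for k, v in request.items() if k.startswith("nextHop")), None)
    catch_all = dest is not None and ipaddress.ip_network(dest, strict=False).prefixlen == 0
    verdict = "expected" if principal in expected else ("escalate" if catch_all else "review")
    return {"principal": principal, "dest_range": dest, "next_hop": next_hop, "verdict": verdict}


def alerts(events=SAMPLE_EVENTS):
    """Run the rule over a batch of events and triage every hit."""
    return [triage(e) for e in events if matches_rule(e)]
```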
