GCP Virtual Private Cloud Route Deletion

Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.

Elastic rule

[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes
define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the
flow of network traffic in their target's cloud environment.
"""
false_positives = [
    """
    Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Route Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Virtual Private Cloud Route Deletion

In GCP, VPC routes dictate network traffic paths between VM instances and other destinations. Adversaries may delete these routes to disrupt traffic flow, potentially evading defenses or impairing network operations. The detection rule monitors audit logs for successful route deletions, flagging potential misuse by identifying specific actions linked to route removal, thus aiding in timely threat response.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:gcp.audit and event.action:v*.compute.routes.delete to identify the exact time and user account associated with the route deletion.
- Check the event.outcome:success field to confirm the deletion was successful and not an attempted action.
- Investigate the user account or service account that performed the deletion to determine if it was authorized to make such changes, including reviewing recent activity and permissions.
- Assess the impact of the route deletion by identifying which VPC and network traffic paths were affected, and determine if any critical services were disrupted.
- Correlate the route deletion event with other security events or alerts around the same timeframe to identify potential coordinated actions or broader attack patterns.
- Contact the relevant stakeholders or system owners to verify if the route deletion was intentional and part of a planned change or if it was unauthorized.

### False positive analysis

- Routine maintenance activities by network administrators can trigger route deletions. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
- Automated scripts or tools used for network configuration updates may delete and recreate routes as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts.
- Cloud infrastructure changes during deployment processes might involve temporary route deletions. Document these processes and exclude related events from detection during deployment periods.
- Scheduled network reconfigurations that involve route deletions should be logged and excluded from alerts by correlating with change management records.
- Test environments often undergo frequent network changes, including route deletions. Exclude events from test environments by filtering based on project or environment tags.

### Response and remediation

- Immediately isolate the affected VPC to prevent further unauthorized network traffic disruptions. This can be done by temporarily disabling external access or applying restrictive firewall rules.
- Review the audit logs to identify the user or service account responsible for the route deletion. Verify if the action was authorized and investigate any anomalies in user behavior or access patterns.
- Restore the deleted route using the latest backup or configuration management tools to re-establish normal network traffic flow. Ensure that the restored route aligns with the intended network architecture.
- Implement additional access controls and monitoring for the affected VPC, such as enabling more granular IAM roles and setting up alerts for any future route modifications.
- Conduct a security review of the affected environment to identify any other potential misconfigurations or vulnerabilities that could be exploited in a similar manner.
- Escalate the incident to the security operations team for further investigation and to determine if the route deletion was part of a larger attack campaign.
- Document the incident, including the root cause analysis and remediation steps taken, to enhance organizational knowledge and improve future incident response efforts.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
risk_score = 47
rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
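As an added example (not code from the Elastic rule or its repository), the query's three clauses evaluated in Python over constructed ECS-style audit events, followed by the exception list the false-positive notes suggest for known automation accounts. The principal field name user.email and the sample events are assumptions; note that the rule's glob only matches method names beginning with "v".

```python
import fnmatch
from typing import Iterable

# The rule's KQL as three predicates joined by 'and':
#   event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
DATASET = "gcp.audit"
ACTION_GLOB = "v*.compute.routes.delete"   # leading "v" is required by the rule's pattern
OUTCOME = "success"

# Constructed sample events (not real log data). The principal is assumed to be
# mapped to user.email; adjust to whatever your pipeline populates.
SAMPLE_EVENTS = [
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.delete", "outcome": "success"},
     "user": {"email": "alice@example.com"}},                      # true positive
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.delete", "outcome": "success"},
     "user": {"email": "terraform-ci@example-project.iam.gserviceaccount.com"}},  # known automation
    {"event": {"dataset": "gcp.audit", "action": "beta.compute.routes.delete", "outcome": "success"},
     "user": {"email": "alice@example.com"}},                      # prefix not covered by v*
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.delete", "outcome": "failure"},
     "user": {"email": "bob@example.com"}},                        # attempted, not successful
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.insert", "outcome": "success"},
     "user": {"email": "alice@example.com"}},                      # different method
    {"event": {"dataset": "aws.cloudtrail", "action": "v1.compute.routes.delete", "outcome": "success"},
     "user": {"email": "alice@example.com"}},                      # wrong dataset
]

def get(event: dict, dotted: str):
    """Walk an ECS-style nested dict by dotted path; None if any segment is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_rule(event: dict) -> bool:
    """True when all three clauses of the rule's query hold for this event."""
    action = get(event, "event.action")
    return (get(event, "event.dataset") == DATASET
            and isinstance(action, str) and fnmatch.fnmatchcase(action, ACTION_GLOB)
            and get(event, "event.outcome") == OUTCOME)

def alerts(events: Iterable[dict], excluded_principals: frozenset = frozenset()) -> list:
    """Apply the rule, then drop events from principals on the exception list."""
    return [e for e in events
            if matches_rule(e) and get(e, "user.email") not in excluded_principals]

if __name__ == "__main__":
    known_automation = frozenset({"terraform-ci@example-project.iam.gserviceaccount.com"})
    for hit in alerts(SAMPLE_EVENTS, known_automation):
        print("ALERT:", get(hit, "user.email"), get(hit, "event.action"))
```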
