Cloud Run Threat Detection is a built-in service of Security Command Center that continuously monitors the state of supported Cloud Run resources to detect the most common runtime attacks. If Cloud Run Threat Detection detects an attack, it generates a finding in Security Command Center in near real-time.
Cloud Run Threat Detection runtime detectors monitor Cloud Run resources for suspicious binaries and libraries and use natural language processing (NLP) to detect malicious Bash and Python code.
In addition, control plane detectors are available through Event Threat Detection. These detectors monitor the Cloud Logging stream of your organization or projects to detect potential attacks to the control plane of your Cloud Run resources.
Supported resources
Cloud Run Threat Detection monitors the following resources:
Supported execution environments
The supported execution environments differ for runtime detectors and control plane detectors.
Supported execution environments for runtime detectors
Cloud Run Threat Detection runtime detectors support only Cloud Run resources that run on the second generation execution environment. Consider the following before enabling Cloud Run Threat Detection:
When you enable Cloud Run Threat Detection, you can't create a Cloud Run service or service revision that runs on the first generation execution environment. The Cloud Run service must use the second generation execution environment. We recommend that you test your workloads on the second generation execution environment before enabling Cloud Run Threat Detection.
To enable runtime threat detection for a service, deploy a revision that sets the execution environment of the service to either the second generation or the default execution environment.
Supported execution environments for control plane detectors
The control plane detectors support both first and second generation execution environments.
How Cloud Run Threat Detection runtime threat detection works
When you enable Cloud Run Threat Detection, it collects telemetry from the supported Cloud Run resources to analyze processes, scripts, and libraries that might indicate a runtime attack. The following is the execution path when events are detected:
- Cloud Run Threat Detection uses a watcher process to collect container and event information for the complete duration of a Cloud Run workload. It can take up to 20 seconds for the watcher process to start.
Cloud Run Threat Detection analyzes the collected event information to determine whether an event is indicative of an incident. It uses NLP to analyze Bash and Python scripts for malicious code.
If Cloud Run Threat Detection identifies an incident, it reports the incident as a finding in Security Command Center.
If Cloud Run Threat Detection doesn't identify an incident, no information is stored.
All data collected is ephemeral and isn't persistently stored.
For information about how to review Cloud Run Threat Detection findings in the Google Cloud console, see Review findings.
Known issues
- Instances of your Cloud Run services or jobs that live longer than seven days stop sending telemetry information.
- If the watcher process prematurely stops in a running instance of your Cloud Run service or job, the watcher process doesn't restart. The instance stops sending telemetry information to Cloud Run Threat Detection. Cloud Run Threat Detection logs are absent from the instance logs. There is no indicator that a watcher process has stopped.
Detectors
This section lists the runtime and control plane detectors that are available. We regularly add new detectors as new cloud threats emerge.
Runtime detectors
Cloud Run Threat Detection includes the following runtime detectors:
Display name | API name | Description |
---|---|---|
Execution: Added Malicious Binary Executed | CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED |
A binary that meets the following conditions was executed:
If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
Execution: Added Malicious Library Loaded | CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED |
A library that meets the following conditions was loaded:
If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
Execution: Built in Malicious Binary Executed | CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED |
A binary that meets the following conditions was executed:
If a built-in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image. |
Execution: Container Escape | CLOUD_RUN_CONTAINER_ESCAPE |
A process was executed within the container that attempted to break out of the container's isolation, using known escape techniques or binaries. This type of attack can give the attacker access to the host system. These processes are identified as potential threats based on intelligence data. If a container escape attempt is detected, it might indicate that an attacker is exploiting vulnerabilities to break out of the container. As a result, the attacker might gain unauthorized access to the host system or broader infrastructure, compromising the entire environment. |
Execution: Kubernetes Attack Tool Execution | CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION |
A Kubernetes-specific attack tool was executed within the environment, which can indicate that an attacker is targeting Kubernetes cluster components. These attack tools are identified as potential threats based on intelligence data. If an attack tool is executed within the Kubernetes environment, it can suggest that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations. |
Execution: Local Reconnaissance Tool Execution | CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION |
A local reconnaissance tool not typically associated with the container or environment was executed, suggesting an attempt to gather internal system information. These reconnaissance tools are identified as potential threats based on intelligence data. If a reconnaissance tool is executed, it suggests that the attacker may be trying to map out the infrastructure, identify vulnerabilities, or collect data on system configurations to plan their next steps. |
Execution: Malicious Python executed (Preview) | CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED |
A machine learning model identified the specified Python code as malicious. Attackers can use Python to transfer tools or other files from an external system into a compromised environment and execute commands without binaries. The detector uses NLP techniques to evaluate the content of executed Python code. Because this approach is not based on signatures, detectors can identify known and novel Python code. |
Execution: Modified Malicious Binary Executed | CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED |
A binary that meets the following conditions was executed:
If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
Execution: Modified Malicious Library Loaded | CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED |
A library that meets the following conditions was loaded:
If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
Malicious Script Executed | CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED |
A machine learning model identified the specified Bash code as malicious. Attackers can use Bash to transfer tools or other files from an external system into a compromised environment and execute commands without binaries. The detector uses NLP techniques to evaluate the content of executed Bash code. Because this approach is not based on signatures, detectors can identify known and novel malicious Bash code. |
Malicious URL Observed | CLOUD_RUN_MALICIOUS_URL_OBSERVED |
Cloud Run Threat Detection observed a malicious URL in the argument list of a running process. The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as a phishing site or malware, report it at Reporting Incorrect Data. |
Reverse Shell | CLOUD_RUN_REVERSE_SHELL |
A process started with stream redirection to a remote connected
socket. The detector looks for With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet. |
Unexpected Child Shell | CLOUD_RUN_UNEXPECTED_CHILD_SHELL |
A process that does not normally invoke shells spawned a shell process. The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells. |
Control plane detectors
The following control plane detectors are available through Event Threat Detection. These detectors are enabled by default. You manage these detectors the same way you do other Event Threat Detection detectors. For more information, see Use Event Threat Detection.
Display name | API name | Log source types | Description |
---|---|---|---|
Impact: Cryptomining Commands (Preview) | CLOUD_RUN_JOBS_CRYPTOMINING_COMMANDS |
Cloud Audit Logs: IAM System Event audit logs |
Identifies when specific cryptomining commands are attached to a Cloud Run job during execution. |
Execution: Cryptomining Docker Image (Preview) | CLOUD_RUN_CRYPTOMINING_DOCKER_IMAGES |
Cloud Audit Logs: IAM System Event audit logs |
Identifies when specific known bad docker images are attached to a new or existing Cloud Run service or job. |
Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy (Preview) | CLOUD_RUN_SERVICES_SET_IAM_POLICY |
Cloud Audit Logs: Admin Activity logs |
Detects when the default Compute Engine service account is used to set the IAM policy for a Cloud Run service. This is a potential post exploit action when a Compute Engine token is compromised from a serverless service. |
What's next
- Learn how to use Cloud Run Threat Detection.
- Learn how to use
Event Threat Detection.