Respond to Compute Engine threat findings

This document offers informal guidance on how you can respond to findings of suspicious activities in your Compute Engine resources. The recommended steps might not be appropriate for all findings and might impact your operations. Before you take any action, you should investigate the findings; assess the information that you gather; and decide how to respond.

The techniques in this document aren't guaranteed to be effective against any previous, current, or future threats that you face. To understand why Security Command Center does not provide official remediation guidance for threats, see Remediating threats.

Before you begin

  1. Review the finding. Note the affected Compute Engine instance and the detected principal email and caller IP address (if present). Also review the finding for indicators of compromise (IP, domain, file hash, or signature).
  2. To learn more about the finding that you're investigating, search for the finding in the Threat findings index.

General recommendations

  • Contact the owner of the affected resource.
  • Investigate the potentially compromised instance and remove any discovered malware.
  • If necessary, stop the compromised instance and replace it with a new instance.
  • For forensic analysis, consider backing up the affected virtual machines and persistent disks. For more information, see Data protection options in the Compute Engine documentation.
  • If necessary, delete the VM instance.
  • If the finding includes a principal email and caller IP, review other audit logs associated with that principal or IP address for anomalous activity. If the associated account has been compromised, disable it or reduce its privileges.
  • For further investigation, consider using incident response services like Mandiant.

In addition, consider the recommendations in the subsequent sections on this page.

SSH threats

Lateral movements in Compute Engine instances

  • Consider using Secure Boot for your Compute Engine VM instances.

  • Consider deleting the potentially compromised service account, and rotating and deleting all service account access keys for the potentially compromised project. After deletion, applications that use the service account for authentication lose access. Before proceeding, your security team should identify all impacted applications and work with application owners to ensure business continuity.

  • Work with your security team to identify unfamiliar resources, including Compute Engine instances, snapshots, service accounts, and IAM users. Delete resources not created with authorized accounts.

  • Respond to any notifications from Cloud Customer Care.
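Two of the steps above lend themselves to a small triage script: the audit-log review in the general recommendations (pivot on the principal email and caller IP from the finding and look for anomalous activity) and the lateral-movement step of identifying resources that were not created by authorized accounts. The following Python is an added example; it is not part of the Security Command Center documentation or of any Google tool. It runs over constructed Cloud Audit Log entries with placeholder principals, IP addresses, project and instance names, and the method names it keys on (v1.compute.instances.setMetadata, google.iam.admin.v1.CreateServiceAccountKey, and so on) are my assumptions about what these logs contain, not values taken from this page. In practice you would feed it an export of the project's activity log instead of the embedded sample.

```python
"""Triage Cloud Audit Log entries around a Compute Engine threat finding.

Added example, not from the Security Command Center docs. Records follow the
LogEntry shape written by Compute Engine and IAM (protoPayload.authenticationInfo
.principalEmail, protoPayload.requestMetadata.callerIp, protoPayload.methodName,
protoPayload.resourceName). All identities, IPs and names are placeholders and the
method names are assumptions.
"""
from __future__ import annotations

import json
from collections import Counter

# Methods worth a close look when the finding's principal or IP issued them:
# SSH-key / startup-script injection, new VMs or snapshots, new keys, IAM changes.
SENSITIVE_METHODS = {
    "v1.compute.instances.setMetadata",
    "v1.compute.projects.setCommonInstanceMetadata",
    "v1.compute.instances.insert",
    "v1.compute.disks.createSnapshot",
    "google.iam.admin.v1.CreateServiceAccount",
    "google.iam.admin.v1.CreateServiceAccountKey",
    "SetIamPolicy",
}
# Subset that creates a resource; used to list objects made by unexpected principals.
CREATE_METHODS = {
    "v1.compute.instances.insert",
    "v1.compute.disks.createSnapshot",
    "google.iam.admin.v1.CreateServiceAccount",
    "google.iam.admin.v1.CreateServiceAccountKey",
}

SVC = "svc-build@project-placeholder.iam.gserviceaccount.com"  # placeholder identity
ZONE = "projects/project-placeholder/zones/us-central1-a"


def _entry(ts: str, principal: str, ip: str, method: str, resource: str) -> dict:
    """Build one LogEntry-shaped record (constructed sample data)."""
    return {
        "timestamp": ts,
        "logName": "projects/project-placeholder/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "methodName": method,
            "resourceName": resource,
        },
    }


# Constructed newline-delimited JSON standing in for an exported activity log.
CONSTRUCTED_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2024-05-01T10:00:00Z", "alice@example.com", "203.0.113.10",
           "v1.compute.instances.get", f"{ZONE}/instances/web-1"),
    _entry("2024-05-01T10:05:00Z", SVC, "198.51.100.7",
           "v1.compute.instances.setMetadata", f"{ZONE}/instances/web-1"),
    _entry("2024-05-01T10:06:00Z", SVC, "198.51.100.7",
           "v1.compute.instances.insert", f"{ZONE}/instances/miner-01"),
    _entry("2024-05-01T10:07:00Z", SVC, "198.51.100.7",
           "google.iam.admin.v1.CreateServiceAccountKey",
           f"projects/project-placeholder/serviceAccounts/{SVC}"),
    _entry("2024-05-01T10:30:00Z", "bob@example.com", "203.0.113.22",
           "v1.compute.instances.insert", f"{ZONE}/instances/api-2"),
    _entry("2024-05-01T10:41:00Z", "alice@example.com", "198.51.100.7",
           "v1.compute.disks.createSnapshot", f"{ZONE}/disks/web-1"),
    _entry("2024-05-01T11:00:00Z", "carol@example.com", "203.0.113.30",
           "v1.compute.instances.list", f"{ZONE}/instances"),
])


def parse_entries(ndjson: str) -> list[dict]:
    """Flatten NDJSON LogEntry records to the fields needed for triage."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        p = raw.get("protoPayload", {})
        rows.append({
            "time": raw.get("timestamp", ""),
            "principal": p.get("authenticationInfo", {}).get("principalEmail", ""),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp", ""),
            "method": p.get("methodName", ""),
            "resource": p.get("resourceName", ""),
        })
    return rows


def pivot(rows: list[dict], principal: str | None = None,
          caller_ip: str | None = None) -> list[dict]:
    """Entries tied to the finding's principal OR caller IP (a union), so activity
    from the same address under a different identity is not missed."""
    return [r for r in rows
            if (principal and r["principal"] == principal)
            or (caller_ip and r["caller_ip"] == caller_ip)]


def flag_sensitive(rows: list[dict]) -> list[dict]:
    """Keep only entries whose method is in the watch list."""
    return [r for r in rows if r["method"] in SENSITIVE_METHODS]


def unauthorized_creations(rows: list[dict], authorized: set[str]) -> list[dict]:
    """Resources created by principals outside the authorized set: candidates for
    review (and removal) under the lateral-movement guidance."""
    return [r for r in rows
            if r["method"] in CREATE_METHODS and r["principal"] not in authorized]


def triage(ndjson: str, principal: str | None = None, caller_ip: str | None = None,
           authorized: set[str] | frozenset = frozenset()) -> dict:
    """Run the full pass and return the pieces a responder reviews by hand."""
    rows = parse_entries(ndjson)
    related = pivot(rows, principal, caller_ip)
    return {
        "related": related,
        "sensitive": flag_sensitive(related),
        "unauthorized_creations": unauthorized_creations(rows, set(authorized)),
        "identities": Counter((r["principal"], r["caller_ip"]) for r in related),
    }


if __name__ == "__main__":
    report = triage(CONSTRUCTED_LOG, principal=SVC, caller_ip="198.51.100.7",
                    authorized={"alice@example.com", "bob@example.com"})
    for r in report["sensitive"]:
        print(r["time"], r["principal"], r["caller_ip"], r["method"], r["resource"])
    print("created by unexpected principals:",
          [r["resource"] for r in report["unauthorized_creations"]])
```

Pivoting on the IP as a union with the principal matters: in the sample, the snapshot created by alice@example.com from the finding's IP would be invisible to a principal-only filter. The script produces review candidates only; deciding which resources to stop, snapshot for forensics, or delete stays with the owner and your security team, as the recommendations above describe.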

What's next