This document offers informal guidance on how you can respond to findings of suspicious activity in your network. The recommended steps might not be appropriate for all findings and might impact your operations. Before you take any action, investigate the finding, assess the information that you gather, and decide how to respond.
The techniques in this document aren't guaranteed to be effective against any previous, current, or future threats that you face. To understand why Security Command Center does not provide official remediation guidance for threats, see Remediating threats.
Before you begin
Review the finding. Note the affected resource and the detected network connections. If the finding includes indicators of compromise, check them against threat intelligence from VirusTotal.
To learn more about the finding that you're investigating, search for the finding in the Threat findings index.
General recommendations
- Contact the owner of the affected resource.
- Investigate the potentially compromised compute resource and remove any discovered malware.
- If necessary, stop the compromised compute resource.
- For forensic analysis, back up the affected virtual machines and persistent disks (for example, by taking disk snapshots) before you delete the resource. For more information, see Data protection options in the Compute Engine documentation.
- If necessary, delete the affected compute resource.
- For further investigation, consider using incident response services like Mandiant.
In addition, consider the recommendations in the subsequent sections on this page.
Malware
- To trace the activity and the weakness that allowed the malware to be installed, check the audit logs and the syslogs associated with the compromised compute resource.
- Block malicious IP addresses by updating firewall rules or by using Cloud Armor. VPC firewall rules control traffic to and from your VMs, including outbound connections from a compromised VM to a command-and-control server; Cloud Armor security policies filter traffic that reaches your external load balancers. Consider enabling Cloud Armor as an integrated service. Depending on data volume, Cloud Armor costs can be significant. For more information, see Cloud Armor pricing.
- To control which images can be used in your project, set up trusted image policies. To protect the VMs themselves against boot-level and kernel-level tampering, use Shielded VM.
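The following script is an added example and is not part of the Security Command Center documentation. It shows one way to turn the IP indicators from a finding into an egress-deny VPC firewall rule and a Cloud Armor deny rule per address, with the two checks a practitioner wants before blocking anything: that the value really is an IPv4 address, and that it is not a private or loopback address (an indicator inside your own VPC is usually a peer, and an egress deny for it cuts off legitimate traffic). The network name, security policy name, rule names and priorities are assumptions for illustration; the gcloud flags used are real.

```shell
#!/bin/sh
# Added example, not from the Security Command Center documentation: turn the
# IP indicators from a finding into VPC firewall egress-deny rules and Cloud
# Armor deny rules. NETWORK, SECURITY_POLICY, the rule names and the priorities
# are assumptions for illustration; adjust them to your environment.
set -u

NETWORK="${NETWORK:-default}"                      # assumed VPC network
SECURITY_POLICY="${SECURITY_POLICY:-edge-policy}"  # assumed Cloud Armor policy
FW_PRIORITY="${FW_PRIORITY:-100}"                  # lower number wins over the default 1000
ARMOR_BASE="${ARMOR_BASE:-1000}"                   # Cloud Armor rule priorities must be unique
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print the gcloud commands, 0 = run them

# is_ipv4 ADDR: accept only a dotted quad with four octets in 0-255.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# is_private ADDR: RFC 1918 and loopback ranges. An indicator in these ranges is
# usually a peer inside your own VPC; review it by hand instead of blocking it.
is_private() {
  case $1 in
    10.*|192.168.*|127.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# block_iocs ADDR...: one egress-deny VPC rule and one Cloud Armor deny rule per
# valid public address; invalid and private addresses are reported and skipped.
block_iocs() {
  n=0
  for ip in "$@"; do
    if ! is_ipv4 "$ip"; then
      echo "skip: not an IPv4 address: $ip" >&2
      continue
    fi
    if is_private "$ip"; then
      echo "skip: private or loopback range, review manually: $ip" >&2
      continue
    fi
    n=$((n + 1))
    name="deny-ioc-$(printf '%s' "$ip" | tr '.' '-')"
    # Deny all outbound traffic from the VPC to the indicator.
    run gcloud compute firewall-rules create "$name" \
      --network="$NETWORK" --direction=EGRESS --action=DENY --rules=all \
      --destination-ranges="$ip/32" --priority="$FW_PRIORITY"
    # Deny the indicator at the edge for traffic that reaches your load balancers.
    run gcloud compute security-policies rules create "$((ARMOR_BASE + n))" \
      --security-policy="$SECURITY_POLICY" --src-ip-ranges="$ip/32" --action=deny-403
  done
  return 0
}

# Usage (DRY_RUN=1 by default, so this only prints the commands):
# block_iocs 203.0.113.5 198.51.100.20
```

Run it with DRY_RUN=1 first and read the printed commands; set DRY_RUN=0 only once you are sure of the network and policy names. The script handles IPv4 indicators only; IPv6 indicators need their own validation, and if the finding lists a domain rather than an address, resolve and review it separately rather than blocking whatever it happens to resolve to at that moment.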
Cryptocurrency mining threats
If you determine that the application is a miner, and its process is still running, record the process ID, its command line, and the path and hash of its executable before you terminate it, so that you can check the hash against threat intelligence and trace how the miner was installed. Then terminate the process, locate the application's executable binary in the compute resource's storage, and delete it. Also check for persistence mechanisms such as cron jobs, systemd units, or startup scripts that would restart the miner after you remove it.
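The following script is an added example and is not part of the Security Command Center documentation. It carries out the procedure above on a Linux VM: it preserves a copy of the running binary, its SHA-256 hash, its command line and its TCP table in a quarantine directory, terminates the process (SIGTERM first, SIGKILL after five seconds), and then deletes the binary from disk. It reads the binary through /proc/PID/exe rather than by path, because a miner is often unlinked from disk while it keeps running, in which case the path alone would give you nothing to hash. The quarantine directory is an assumed path.

```shell
#!/bin/sh
# Added example, not from the Security Command Center documentation: stop a
# process that you have identified as a miner and remove its binary, keeping
# a copy of the binary, its hash and its command line for forensics first.
# Linux only (relies on /proc). QUARANTINE is an assumed path.
set -u
QUARANTINE="${QUARANTINE:-/var/tmp/ir-quarantine}"

# is_alive PID: true while the process exists and is not already a zombie.
is_alive() {
  state=$(awk '/^State:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
  [ -n "$state" ] && [ "$state" != Z ]
}

# quarantine_and_kill PID: preserve evidence, terminate the process, delete
# the binary it was running from. Prints the binary's SHA-256 on stdout so
# that you can look it up in VirusTotal.
quarantine_and_kill() {
  pid=$1
  # /proc/PID/exe resolves to the binary even if it has been unlinked from
  # disk (the link then ends in " (deleted)"), which miners often do.
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
  [ -n "$exe" ] || return 1
  mkdir -p "$QUARANTINE"
  # Copy the image through /proc rather than by path, for the same reason.
  cp "/proc/$pid/exe" "$QUARANTINE/$pid.bin" || return 1
  hash=$(sha256sum "$QUARANTINE/$pid.bin" | cut -d' ' -f1)
  tr '\000' ' ' < "/proc/$pid/cmdline" > "$QUARANTINE/$pid.cmdline" 2>/dev/null
  cp "/proc/$pid/net/tcp" "$QUARANTINE/$pid.tcp" 2>/dev/null || true
  printf 'pid=%s exe=%s sha256=%s\n' "$pid" "$exe" "$hash" >> "$QUARANTINE/manifest.txt"
  # Try SIGTERM first, then escalate to SIGKILL after five seconds.
  kill -TERM "$pid" 2>/dev/null || true
  i=0
  while is_alive "$pid" && [ "$i" -lt 5 ]; do
    sleep 1
    i=$((i + 1))
  done
  if is_alive "$pid"; then kill -KILL "$pid" 2>/dev/null || true; fi
  # Remove the on-disk binary; strip the " (deleted)" marker if present.
  path=${exe%' (deleted)'}
  if [ -f "$path" ]; then rm -f -- "$path"; fi
  printf '%s\n' "$hash"
}

# Usage: quarantine_and_kill 12345
```

Run it as root (or as the user that owns the process) so that /proc/PID/exe is readable. The quarantine directory lives on the same VM; if you plan to delete the VM afterwards, copy the directory off the machine or snapshot the disk first, as recommended in the general recommendations above. Removing the binary does not remove whatever started it, so follow up by checking cron jobs, systemd units and startup scripts.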
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.