Risk Engine
This article explains, for vulnerability analysts and others responsible for securing a cloud environment, what a toxic combination is and how the findings and cases that Security Command Center produces help you locate, prioritize, and remediate toxic combinations.
Toxic combination findings and cases help you identify risk more accurately and improve the security of your cloud systems.
Definition of a toxic combination
A toxic combination is a group of security issues that, when they occur together in a particular pattern, create a path that a determined attacker could use to reach and compromise one or more of your high-value resources.
A security issue is anything that increases the exposure of your cloud resources: a software vulnerability, a misconfiguration, or a particular resource configuration.
Security Command Center Enterprise's Risk Engine identifies toxic combinations during its attack path simulations. Each toxic combination that Risk Engine finds is issued as a finding. Every finding carries an attack exposure score that estimates the risk of the toxic combination being used to reach the high-value resources in your cloud environment. Risk Engine also visualizes the attack path that the toxic combination opens to those high-value resources.
You work with toxic combination findings through cases. If you need to view the findings directly, you can filter findings by the toxic combination finding class or sort them by attack exposure score on the Findings page of the Google Cloud console.
Attack exposure scores on toxic combinations
Risk Engine assigns an attack exposure score to every toxic combination finding. The score estimates how much risk the toxic combination poses to your high-value resources.
As with attack exposure scores on other kinds of findings, the score on a toxic combination finding applies to an attack path rather than to a single software vulnerability or misconfiguration finding.
A toxic combination usually poses a greater threat to your cloud deployment than a single security issue does. To decide which finding to address first, however, compare the score of a toxic combination finding with the scores of other toxic combination findings and of posture findings.
Whether the higher-scoring finding identifies a single security issue or a toxic combination, prioritize the finding with the higher score.
Attack exposure scores on toxic combinations are derived from the same factors as attack exposure scores on other findings:
- The number of high-value resources that are exposed, along with their priority values and attack exposure scores
- The likelihood that a determined attacker could use the toxic combination to successfully reach a high-value resource
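As an added example (not code from the Security Command Center documentation or product), the following Python builds the triage order described above: it filters to the toxic combination finding class, drops findings that muting or remediation has removed from default views, and ranks toxic combination findings alongside posture findings by attack exposure score. The finding dictionaries are constructed for the example, and their field names (findingClass, state, mute, attackExposure.score) are an assumption about the API's JSON shape.

```python
from typing import Any, Dict, List

# Constructed sample findings in the shape of Security Command Center
# API Finding objects. Field names (findingClass, state, mute,
# attackExposure.score) are an assumption; the values are made up.
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"name": "findings/tc-1", "findingClass": "TOXIC_COMBINATION",
     "state": "ACTIVE", "mute": "UNMUTED", "attackExposure": {"score": 6.8}},
    {"name": "findings/posture-1", "findingClass": "POSTURE_VIOLATION",
     "state": "ACTIVE", "mute": "UNMUTED", "attackExposure": {"score": 9.1}},
    {"name": "findings/tc-2", "findingClass": "TOXIC_COMBINATION",
     "state": "ACTIVE", "mute": "MUTED", "attackExposure": {"score": 7.5}},
    {"name": "findings/tc-3", "findingClass": "TOXIC_COMBINATION",
     "state": "INACTIVE", "mute": "UNMUTED", "attackExposure": {"score": 5.0}},
    {"name": "findings/tc-4", "findingClass": "TOXIC_COMBINATION",
     "state": "ACTIVE", "mute": "UNMUTED"},
    {"name": "findings/threat-1", "findingClass": "THREAT",
     "state": "ACTIVE", "mute": "UNMUTED"},
]

def in_default_view(finding: Dict[str, Any]) -> bool:
    # Muted findings stay ACTIVE but drop out of default views; INACTIVE
    # findings are ones Risk Engine already closed after remediation.
    return finding.get("state") == "ACTIVE" and finding.get("mute") != "MUTED"

def exposure_score(finding: Dict[str, Any]) -> float:
    # A finding with no attack exposure yet sorts below every scored one.
    return float(finding.get("attackExposure", {}).get("score", 0.0))

def toxic_combination_findings(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Filter to the toxic combination finding class, highest score first."""
    return sorted(
        (f for f in findings
         if f.get("findingClass") == "TOXIC_COMBINATION" and in_default_view(f)),
        key=exposure_score, reverse=True)

def triage_queue(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Rank toxic combination and posture findings together by score."""
    classes = {"TOXIC_COMBINATION", "POSTURE_VIOLATION",
               "MISCONFIGURATION", "VULNERABILITY"}
    return sorted(
        (f for f in findings
         if f.get("findingClass") in classes and in_default_view(f)),
        key=exposure_score, reverse=True)

def mute(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Return a muted copy: the case closes, the finding itself stays ACTIVE."""
    return {**finding, "mute": "MUTED"}

if __name__ == "__main__":
    for f in triage_queue(SAMPLE_FINDINGS):
        print(f"{exposure_score(f):4.1f}  {f['findingClass']:18}  {f['name']}")
```

The muted finding (tc-2) and the remediated finding (tc-3) never appear in the queue even though tc-2 carries a higher score than the open toxic combination tc-1.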
Toxic combination cases
For every toxic combination that Risk Engine detects, Security Command Center Enterprise opens a case in the Security Operations console.
The case is the main place to investigate a toxic combination and track its remediation. The case view shows the following:
- A description of the toxic combination
- The toxic combination's attack exposure score
- A visualization of the attack path that the toxic combination creates
- Details about the affected resource
- Details about the steps you can take to remediate the toxic combination
- Details about any related findings issued by other Security Command Center detection services, with links to their corresponding cases
- Any applicable playbooks
- Any related tickets
A toxic combination case never contains more than one toxic combination finding or alert.
The Security Command Center Posture Overview page in the Security Operations console gives an overview of all the toxic combination cases in your environment. Widgets on that page let you view toxic combination cases sorted by priority, by attack exposure score, and by remaining service level agreement (SLA) time.
On the Cases page in the Security Operations console, you can query or filter for toxic combination cases by the TOXIC_COMBINATION tag that they carry.
The toxic combination findings with the highest attack exposure scores are also shown on the Security Command Center Risk Overview page in the Google Cloud console. Each finding listed there links to its case in the Security Operations console.
Case priority
By default, toxic combination cases have a priority of Critical, matching the severity of the toxic combination finding and of the related alert in the case.
You can change the priority of a case or an alert after it has been opened.
Changing the priority of a case or an alert does not change the severity of the finding.
Closing cases
The state of the underlying finding determines how a toxic combination case is handled. When a finding is first issued, its state is Active.
If the toxic combination is remediated, Risk Engine recognizes this during the next attack path simulation and automatically closes the case. Simulations run approximately every six hours.
Alternatively, if you decide that the risk posed by the toxic combination is acceptable or unavoidable, you can close the case by muting the toxic combination finding.
When you mute a toxic combination finding, Security Command Center closes the case and removes the finding from default views and queries, but the finding remains active.
Related findings
Some of the individual security issues that make up a toxic combination identified by Risk Engine are also detected by other Security Command Center detection services, which issue separate findings for them. These findings are listed as related findings in the toxic combination case.
Because related findings are issued separately from the toxic combination finding, they trigger their own playbooks, open their own cases, and may be remediated by other team members independently of the toxic combination's remediation.
Check the status of the cases for these related findings and, if necessary, ask the case owners to prioritize their remediation to help resolve the toxic combination.
Any related findings for a toxic combination case are shown in the Findings widget on the case's Overview tab. The widget links to the case for each related finding.
Related findings are also marked on the attack path for the toxic combination.
How Risk Engine identifies toxic combinations
Approximately every six hours, Risk Engine runs attack path simulations against all of your cloud resources.
During the simulations, Risk Engine computes attack exposure scores for findings and for high-value resources, and identifies possible attack paths to the high-value resources in your cloud environment. If Risk Engine identifies a toxic combination while running a simulation, it issues a finding.