Google Cloud announced the preview of Sensitive Actions Service, a premium security feature to identify potentially risky behaviors on the cloud. The service detects when actions are taken in a GCP organization that could be damaging if taken by a malicious actor.
When the Sensitive Actions Service detects a potentially harmful action, it creates a finding and a log entry. The findings are classified as observations and can be viewed on the Security Command Center dashboard. Among the possible findings, the service detects when an organization-level billing administrator IAM role is removed, or when many instances are created or deleted by the same principal in one day. The display name for each one starts with the MITRE ATT&CK tactic, for example, "Persistence: Project SSH Key Added" or "Impact: Many Instances Created."
Timothy Peacock, senior product manager at Google, and Rosemary McCloskey, software engineer at Google, write:
At Google Cloud, we operate in a shared fate model, working in concert with our customers to help achieve stronger security outcomes. One of the ways we do this is to identify potentially risky behavior to help customers determine if action is appropriate. To this end, we now provide insights on what we are calling Sensitive Actions.
The cloud provider defines the shared fate model as an evolution of the shared responsibility model to better secure deployments, moving away from checklists towards a continuous interaction approach. The model includes secure-by-default configurations, secure blueprints and policy hierarchies, and consistent availability of advanced security features. Forrest Brazeal, head of developer media at Google Cloud, tweets:
Sensitive Actions is an under-the-radar Google Cloud launch that I really like. I love seeing these alerts show up on-by-default for actions in your account that carry what I would call a high "Hmmm" factor.
Google Cloud released a document on how to investigate and develop response plans for threats. Peacock and McCloskey add:
To ensure that adversaries do not have mechanisms to disable this protection or hide logs from users, Sensitive Actions is an on-by-default service now enabled for Cloud customers. In cases where customers have certain privacy controls or policy restrictions applied to their logging pipeline, their logs will not be analyzed by this service.
The cloud provider warns:
In most cases, the actions that are detected (...) do not represent threats, because they are taken by legitimate users for legitimate purposes. However, the Sensitive Actions Service cannot conclusively determine legitimacy.
Currently in preview, the new service is available only with the Security Command Center Premium Tier and cannot be disabled. Furthermore, it cannot detect sensitive actions in environments that are secured by Assured Workloads.