
Quick Start Security for GCP Cloud Load Balancing


Coralogix Extension For GCP Cloud Load Balancing Includes:

Alerts - 10

Stay on top of GCP Cloud Load Balancing key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

New User Was Added to Backend Service

This alert is triggered when a new user is added to a backend service. Permissions let you control who can access your shared backend services. Note: add automated accounts, service accounts and their tags to the whitelist to reduce false positives.

Impact

This role permits users to integrate backend services from this project into load balancers within their respective projects. Improper permissions could grant users the ability to alter, modify, or delete configurations of the designated backend service, including critical settings. Such unauthorized alterations could result in unauthorized access, data breaches, traffic redirection, downtime, and more.

Mitigation

Examine the user assigned to the service and verify their permissions and role designation. If there is an approved request ticket from the manager/administrator, you may close the case. Otherwise, contact the user to provide a ticket with proper approval. If no valid ticket is provided, coordinate with the engineering or administrative team to remove the user.

MITRE Tactic: TA0004
MITRE Technique: T1098

Global Forwarding Rule Was Set to Random Ports

This alert is triggered when a forwarding rule is created on unexpected (non-whitelisted) ports. Note: ports 80 and 443 are whitelisted in this alert by default; adjust the port list to your requirements.

Impact

The forwarding rule defines the IP address, IP protocol, and the frontend configuration of the load balancer. This configuration encompasses the elements responsible for receiving and managing incoming connections before routing them to the appropriate backends. Implementing this rule on arbitrary or insecure ports could expose the network to attackers, enabling them to execute man-in-the-middle attacks and intercept traffic requests. Such breaches could result in subsequent unauthorized access and further security threats.

Mitigation

Ensure that the forwarding rules are configured to use secure ports and trusted IP addresses. Then reach out to the user to verify compliance with business requirements. If not confirmed, promptly delete or modify the rule and ensure no suspicious connections were established during this timeframe.

MITRE Tactic: TA0006
MITRE Technique: T1557
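As an added example (not code from the Coralogix extension), the two whitelist-based checks described above, the non-whitelisted-port condition for new forwarding rules and the backend-service IAM change, evaluated in Python over constructed Cloud Audit Logs entries. The method names follow the Compute API audit-log form; the principal, project and port values are made up, and the backend-service check compares the full policy from setIamPolicy against a whitelist rather than diffing against the previous policy.

```python
import json

ALLOWED_PORTS = {80, 443}  # ports the forwarding-rule alert whitelists by default; adjust as needed
# Automated principals whitelisted for the backend-service alert (constructed name).
ALLOWED_PRINCIPALS = {"serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"}

def port_range_ok(port_range: str) -> bool:
    """True only if every port in a Compute portRange ('443' or '8080-8090') is whitelisted."""
    if not port_range:
        return False  # rule with no port restriction: not whitelisted
    lo, _, hi = port_range.partition("-")
    return all(p in ALLOWED_PORTS for p in range(int(lo), int(hi or lo) + 1))

def evaluate(entry: dict):
    """Map one parsed Cloud Audit Logs entry to an alert name, or None if benign."""
    payload = entry.get("protoPayload", {})
    method, request = payload.get("methodName", ""), payload.get("request", {})
    if method.endswith("compute.globalForwardingRules.insert"):
        if not port_range_ok(request.get("portRange", "")):
            return "Global Forwarding Rule Was Set to Random Ports"
    elif method.endswith("compute.backendServices.setIamPolicy"):
        # setIamPolicy carries the whole new policy; flag any member outside the whitelist
        members = {m for b in request.get("policy", {}).get("bindings", [])
                   for m in b.get("members", [])}
        if members - ALLOWED_PRINCIPALS:
            return "New User Was Added to Backend Service"
    return None

def scan(lines):
    """Return [(principalEmail, alert)] for every JSON log line that fires an alert."""
    entries = [json.loads(line) for line in lines]
    return [(e["protoPayload"]["authenticationInfo"]["principalEmail"], evaluate(e))
            for e in entries if evaluate(e)]

# Constructed sample entries in the protoPayload shape of Cloud Audit Logs (not real logs).
def _entry(method, who, request):
    return json.dumps({"protoPayload": {"methodName": method, "request": request,
                                        "authenticationInfo": {"principalEmail": who}}})
def _policy(*members):
    return {"policy": {"bindings": [{"role": "roles/compute.loadBalancerServiceUser",
                                     "members": list(members)}]}}
SAMPLE_LINES = [
    _entry("v1.compute.globalForwardingRules.insert", "alice@example.com", {"portRange": "443"}),
    _entry("v1.compute.globalForwardingRules.insert", "bob@example.com", {"portRange": "8080-8090"}),
    _entry("v1.compute.backendServices.setIamPolicy", "ci-deployer@example-project.iam.gserviceaccount.com",
           _policy("serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com")),
    _entry("v1.compute.backendServices.setIamPolicy", "carol@example.com", _policy("user:dave@example.com")),
]
```

Running scan(SAMPLE_LINES) flags only bob's 8080-8090 rule and carol's policy that adds dave; alice's port-443 rule and the whitelisted deployer account pass.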

Traffic Director Backend Service Was Deleted

This alert is triggered when a Traffic Director backend service is deleted. A backend service directs traffic to the backends hosting your microservices. The backends are instance groups or network endpoint groups. To start receiving requests, the service needs to be associated with a routing rule map.

Impact

A backend service dictates how Google Cloud load balancers allocate traffic. Its configuration encompasses various parameters, including the protocol for backend connections, distribution and session settings, health checks, and timeouts. Deleting or misconfiguring any backend service can escalate the load on your load balancer, potentially resulting in its failure. Consequently, this could impede your application's ability to process and respond to customer requests.

Mitigation

Limit such crucial permissions solely to administrators and authorized users. Scrutinize the logs to determine whether this action was part of testing or production, as indicated by the assigned tags. Additionally, liaise with the user or engineering team to understand the business use cases and validate their legitimacy. Conclude the investigation if deemed valid; otherwise, proceed to configure the new service and rectify any affected services. Finally, confirm that the service and traffic flow are operating as expected.

MITRE Tactic: TA0040
MITRE Technique: T1489

SSL Policy Was Deleted

This alert is triggered when an SSL policy is deleted. SSL policies control how load balancers negotiate SSL with clients. Any HTTPS or SSL load balancer that you set up has a default policy in place, managed by Google.

Impact

The SSL policy offers two options, global and regional, each with its own profile type and enabled/disabled features. Removing these policies could erase the designated target encryption protection and features allocated to the specific service. Managed profiles are maintained to facilitate new SSL capabilities and safeguard against diverse types of attacks.

Mitigation

Limit critical permissions exclusively to administrators and authorized users. Analyze the logs to ascertain whether this action was executed as part of testing or production, as indicated by the assigned tags. Additionally, communicate with the user or engineering team to understand the business use cases and validate their legitimacy. Conclude the investigation if deemed valid; otherwise, proceed to configure the new policy and address any affected services. Finally, confirm that the service and traffic flow operate as expected.

MITRE Tactic: TA0005
MITRE Technique: T1562

Routing Rule Map Was Deleted

This alert is triggered when a routing rule map configuration is deleted. A routing rule map defines how your data plane handles traffic. You can specify criteria to match inbound requests (for example, based on HTTP parameters) and perform actions like routing and request transformation. A routing rule map consists of the forwarding rule, target proxy, and URL map Compute Engine API resources.

Impact

A URL map comprises rules for directing incoming HTTP(S) requests to designated backend services or buckets. A basic URL map encompasses all incoming request paths ( /* ). If this configuration is flawed or absent, it disrupts the application deployment lifecycle, preventing traffic from reaching its intended destination bucket or service. Consequently, this could result in service downtime, network disruptions, and cessation of data processing by the application.

Mitigation

Limit such crucial permissions solely to administrators and authorized users. Examine the logs to determine whether this action was conducted in a testing or production environment, as indicated by the assigned tags. Additionally, communicate with the user or engineering team to understand the business use cases and validate their legitimacy. Conclude the investigation if deemed legitimate; otherwise, proceed to configure the new routing rule map and rectify any affected services. Finally, confirm that the service and traffic flow are operating as anticipated.

MITRE Tactic: TA0040
MITRE Technique: T1489

DNS Policy Rule Was Deleted

This alert is triggered when a DNS policy rule is deleted. DNS routing policies steer traffic based on query type (for example, weighted round-robin or geolocation). You configure these policies by creating resource record sets that contain specific routing policy values. These values determine how traffic is routed.

Impact

These rules dictate whether to accept or deny traffic requests. Therefore, deleting such rules will eliminate all restrictions applied to atypical traffic directed toward your network or services. This means that all suspicious IPs, Tor exit nodes and IPs with a poor threat intelligence reputation could potentially access your hosted services.

Mitigation

Limit crucial permissions to administrators and authorized users exclusively. Examine the logs to determine whether the action was conducted in a testing or production context, as indicated by the assigned tags. Additionally, communicate with the user or engineering team to understand the business use cases. If validated, conclude the investigation; otherwise, proceed to configure the new policy and address any affected services. Finally, confirm that the service and traffic flow adhere to expectations.

MITRE Tactic: TA0005
MITRE Technique: T1562

DNS Response Policy Was Deleted

This alert is triggered when a DNS response policy is deleted. A response policy is a collection of selectors that apply to queries made against one or more Virtual Private Cloud networks.

Impact

A DNS response policy comprises rules consulted by a DNS resolver during lookups. When a rule in the response policy matches the incoming query, the rule is applied; otherwise, the lookup continues as usual. Deleting a response policy erases all existing rules within it and may consequently eliminate any restrictions and permissions applied to access specific services.

Mitigation

Limit critical permissions exclusively to administrators and authorized users. Scrutinize the logs to determine whether the action was conducted in a testing or production environment, as indicated by the assigned tags. Additionally, engage with the user or engineering team to understand the business use cases. If validated, conclude the investigation; otherwise, proceed to configure the new policy and address any impacted services. Finally, confirm that the service and traffic flow are functioning as anticipated.

MITRE Tactic: TA0005
MITRE Technique: T1562

DNS Server Policy Was Deleted

This alert is triggered when a DNS server policy is deleted. DNS server policies control internal DNS server settings. You can apply policies to DNS servers on Google Cloud VPC networks you have access to.

Impact

Each Virtual Private Cloud (VPC) network allows for the configuration of a single DNS server policy. This policy can define inbound DNS forwarding, outbound DNS forwarding, or both. Deleting these policies could eliminate all restrictions and permissions related to allowing or denying internal and external traffic, depending on their type. Consequently, traffic might fail to reach its destination or might not be redirected as intended. This could disrupt service workflows and result in downtime due to insufficient data accessibility within internal or external services or databases.

Mitigation

Limit critical permissions solely to administrators and authorized users. Examine the logs to determine whether the action was conducted in a testing or production environment, as indicated by the assigned tags. Additionally, communicate with the user or engineering team to understand the business use cases. If validated, conclude the investigation; otherwise, proceed to configure the new policy and address any impacted services. Finally, verify that the service and traffic flow adhere to expectations.

MITRE Tactic: TA0040
MITRE Technique: T1489

DNS Zone Was Deleted

This alert is triggered when a DNS zone is deleted. DNS zones let you define your namespace. You can create public or private zones. Select a zone to set labels or configure permissions.

Impact

A DNS zone constitutes an administrative domain providing enhanced control over DNS elements, including authoritative nameservers. The domain name space forms a hierarchical tree, with the DNS root domain positioned at its apex. Deleting DNS records could disrupt connected services, such as websites or email addresses, resulting in functionality issues. This disruption may subsequently lead to website downtime, inaccessible services, and potential loss of business revenue.

Mitigation

Limit crucial permissions exclusively to administrators and authorized users. Analyze the logs to determine whether the action was conducted in a testing or production environment, as indicated by the assigned tags. Subsequently, communicate with the user or engineering team to ascertain the business use cases. If deemed legitimate, conclude the investigation; otherwise, configure the new zone and address any affected services. Finally, verify that the service and traffic flow are functioning as anticipated.

MITRE Tactic: TA0040
MITRE Technique: T1489

Forwarding Rule Was Deleted

This alert is triggered when a global forwarding rule is deleted. A forwarding rule specifies how to route network traffic to the backend services of a load balancer. A forwarding rule includes an IP address, an IP protocol, and one or more ports on which the load balancer accepts traffic.

Impact

Removing forwarding rules could diminish the efficiency of incoming traffic optimization towards the designated load balancer, potentially resulting in service disruption and sluggish response times. This may manifest as web application errors such as "service unreachable." Forwarding rules are responsible for directing traffic to specific ports, IPs, protocols, and internal resources like databases or application servers. Consequently, deleting such rules in a production environment could significantly impact business operations and service delivery.

Mitigation

First, limit crucial permissions solely to individuals possessing the requisite expertise and authorization for executing such actions. Additionally, seek business approval from the user before deleting any rules. If the request is verified as legitimate, conclude the investigation; otherwise, promptly engage the engineering team to craft a comparable rule based on the examination of existing logs, followed by deployment. Subsequently, ensure mitigation of any impact and verify that traffic resumes its anticipated flow.

MITRE Tactic: TA0040
MITRE Technique: T1489

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Cloud Load Balancing in our documentation.
