Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for GCP GKE

GCP GKE
GCP GKE icon

Out-of-the-Box Security For GCP GKE Includes:

Alerts - 15

Stay on top of GCP GKE key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Building Block - Multiple Failed Attempts to Delete the ConfigMaps

This alert gets triggered when a user attempts to delete multiple ConfigMaps and fails due to some restrictions. Note- In this alert, the threshold is established for over 3 attempts per user within a 10-minute timeframe. Please feel free to change it as per your requirements. Impact These numerous failed attempts may arise from various issues such as connection problems, restricted permissions, access denial, or malicious attempts by attackers to delete data. Consequently, deleting such data could lead to the loss of future connections, rendering the configured cluster and services useless due to the absence of necessary credentials or tokens. Mitigation Examine the logs to ascertain the user's identity, reach out to the user, and verify the validity of the reasons documented in the logs. Prompt the user to obtain the necessary permissions if needed; otherwise, notify the administrator to delete the specified data with appropriate approval, or address integration issues based on the findings of the root cause analysis. MITRE Tactic: TA0040 MITRE Technique: T1489

Building Block - Multiple Failed Attempts to Delete the Secrets

This alert gets triggered when a user attempts to delete multiple Secrets and fails due to some restrictions. Note- In this alert, the threshold is established for over 3 attempts per user within a 10-minute timeframe. Impact Secrets serve the purpose of storing sensitive data such as passwords, API keys, or TLS certificates. Multiple unsuccessful attempts may stem from diverse issues including connection difficulties, limited permissions, access denial, or malicious endeavors by attackers aiming to delete data. Mitigation Examine the logs to ascertain the user's identity, reach out to user, and verify the validity of the reasons documented in the logs. Prompt the user to obtain the necessary permissions if needed; otherwise, notify the administrator to delete the specified data with appropriate approval, or address integration issues based on the findings of the root cause analysis. MITRE Tactic: TA0040 MITRE Technique: T1489

No Logs From Kubernetes Engine In Last 12 Hours

This alert gets triggered when there are no logs from the Kubernetes Engine in the last 12 hours. Note: Please select the related application and subsystems before enabling it. Impact Google Kubernetes Engine stands as a robust cluster management and orchestration solution tailored for seamlessly running Docker containers. However, a lapse in logging data over the past 12 hours can potentially disrupt DevOps operational oversight and impede timely responses to critical events. This absence of logs heightens the risk of overlooking suspicious connections or irregular deployments, leaving room for undetected incidents that could impact system integrity. Mitigation Please conduct a thorough examination of the logs and consult with the engineering team to verify any findings. If there is a lack of activity reflected in the logs, it is advisable to close the incident. However, if an issue is identified, take the necessary steps to rectify it promptly, ensuring that logging functionality is restored and data flows seamlessly to the designated destination. MITRE Tactic: TA0005 MITRE Technique: T1562

Building Block - Secrets Deleted By a User

This alert gets triggered when secrets are deleted by a user. Secrets are sensitive pieces of information, such as passwords, keys, and tokens. Impact Secrets are specifically crafted for safeguarding sensitive data such as passwords, API keys, or TLS certificates. Should vital secrets be intentionally or inadvertently deleted by the user, this action could result in the shutdown or cessation of the affected service due to the inactivity of essential passwords, tokens, and API keys. Consequently, the user would be unable to access these credentials in the future. Mitigation Make sure that crucial permissions are restricted solely to authorized and administrative users. Moreover, contact the user based on the service type and request justification. If the user presents valid reasoning, the alert can be addressed; if not, liaise with the engineering team to establish new configuration maps, update the connected service, and confirm the connection's successful establishment. MITRE Tactic: TA0040 MITRE Technique: T1489

Building Block - ConfigMaps Deleted By a User

This alert gets triggered when ConfigMaps are deleted by a user. ConfigMaps is a Kubernetes mechanism that lets you inject configuration data into application pods. The ConfigMap concept allows you to decouple configuration artifacts from image content to keep containerized applications portable. Impact ConfigMaps serve as repositories for non-sensitive configuration information, including environment variables or configuration files. ConfigMaps are specifically tailored to efficiently manage strings devoid of sensitive data. Deleting ConfigMaps could potentially disrupt operations, alter variable specifications, or affect certificate files, potentially leading to a permanent disconnection from the affected service. Mitigation Ensure that critical permissions are limited to authorized and administrative users exclusively. Additionally, reach out to the user depending on the service type and request justification. If the user provides valid justification, the alert can be resolved; otherwise, contact the engineering team to configure new config maps, update the connected service, and verify the successful connection. MITRE Tactic: TA0040 MITRE Technique: T1489

Multiple Node Pools Deleted

This alert gets triggered when multiple-node pools are deleted. A node pool is a group of nodes within a cluster that all have the same configuration. Node pools use a Node Config specification. Each node in the pool has a Kubernetes node label, which has the node pool's name as its value. Note: In this alert, the Pool deletion threshold exceeds 5 pools within 10 minutes. Please feel free to change it as per your requirements. Impact When you delete a node pool, it removes both the nodes and any running workloads, disregarding Pod Disruption Budget settings. GKE initiates a node-draining process, which involves deleting and rescheduling all Pods on the nodes within the node pool. This action can potentially disrupt the cluster's health and operations, as well as cause interruptions to associated applications due to scaling unavailability. Mitigation Performing bulk deletions is not considered a genuine activity and can result in significant disruptions to cloud operations. Therefore, it is crucial to thoroughly review any bulk deletion actions across multiple clusters. Additionally, contacting the user to provide business justification is essential. If the deletion is deemed genuine, the activity can proceed as planned. Otherwise, the nodes should be reconfigured and linked to the impacted cluster. MITRE Tactic: TA0040 MITRE Technique: T1489

Possible Slow Password Attack to Access the Secrets

This alert gets triggered when a user attempts to get the secrets using the terminal and fails due to restrictions. Secrets cannot be seen in the Google UI console. So, by default, this will be using Google Cloud Console only. Note: In this alert, failed attempts are set to more than 5 in 15 minutes. Kindly feel free to change the failed threshold as per your corporate policy. Impact It's crucial to monitor unsuccessful attempts by an individual user to access a specific service. These instances suggest potential integration issues, revoked access, or unauthorized users attempting to gain confidential data through various unsuccessful methods. Mitigation Examine the user identity and the type of error displayed in the logs. Verify any recent changes to the user's permissions, and contact the user to request a business justification. If the request is legitimate, instruct the user to submit a ticket to the engineering team for access authorization, and then proceed to close the case accordingly. If the user account is unidentified or unauthorized, remove it immediately. MITRE Tactic: TA0004 MITRE Technique: T1098

Unauthorized Attempts to Update OR Create the Services

This alert gets triggered when a user attempts to configure or update the services and fails due to permissions restrictions or any other issues. Note: In this alert, only monitoring updates and create services, and failed attempts more than 5 in 15 minutes, feel free to edit the methods as per the requirement. Impact Valid users may occasionally create or update services without permissions, typically happening 1-2 times. However, attackers frequently attempt to bypass restrictions using various methods. Therefore, it's advisable to monitor critical alerts for unusual failed login attempts, focusing on genuine failed attempt rates, as a best practice for detection. Mitigation Tracking abnormal failed login attempts signals unauthorized attempts to access the service. In the case of a genuine user account, reaching out to the user and adjusting their access level is recommended. Conversely, if the attempts stem from an unknown user, promptly inform the engineering team and conduct a thorough review of relevant logs to pinpoint the root cause. Subsequently, take measures to block the user account to prevent any further unauthorized attempts. MITRE Tactic: TA0001 MITRE Technique: T1078

Node Pool Size Manually Updated

This alert gets triggered when a node pool size is manually changed. Note - In this alert, the threshold for the node pool size is set to more than 10. Feel free to edit or remove it. Impact Adjusting the node pools unnecessarily, without any actual need or utilization, is an inefficient allocation of resources within a cluster. Such actions can lead to higher resource consumption and increased costs associated with both the cluster and its nodes. Mitigation Maintain the pool size following corporate policy. Any updates to the size should be accompanied by valid justifications and demonstrated usage. Otherwise, any surplus nodes should be promptly deleted or reduced. MITRE Tactic: TA0042 MITRE Technique: T1583

Multiple Autopilot Cluster Launched

This alert gets triggered when multiple autopilot clusters are launched. A GKE cluster consists of a control plane and worker machines called nodes. The control plane and nodes make up the Kubernetes cluster orchestration system. Note - In this alert, the timeline is set to launch more than 10 clusters in 15 minutes. Please feel free to change it as per your requirements. Impact GKE provides a versatile platform for configuring the underlying infrastructure that supports your containerized applications, encompassing aspects like networking, scaling, hardware configuration, and security measures. However, multiple launches could introduce unconventional applications, fluctuate service usage, and potentially result in security misconfigurations, leading to operational disruptions or unauthorized access. Mitigation It's crucial to thoroughly assess the configuration and utilization of the cluster to ensure alignment with best practices and security protocols. Reviewing and validating bulk deployments with users, supported by valid justifications, is essential. Any clusters found to deviate from these standards should be terminated promptly. MITRE Tactic: TA0042 MITRE Technique: T1583

A User Was Added to A Backup Plan with Admin Permission

This alert gets triggered when a new user is added with any type of admin permissions to a cluster backup plan. Please feel free to modify the permissions in the query as required. Impact Granting unauthorized access and permissions could potentially allow unknown users to execute read and write operations on the designated backup plan. With admin-level permissions, these users may also conduct copy and deletion actions, posing a significant risk of data compromise or loss of data integrity. Mitigation Please review the users recently added to the backup plan, and assess their admin permissions. Reach out to the user responsible for this action for clarification. Obtain approval through the designated ticketing process; if approval is not secured, close the case. Alternatively, if unauthorized permissions are confirmed, promptly remove the user and implement safeguards to prevent similar incidents from occurring in the future. MITRE Tactic: TA0001 MITRE Technique: T1078

Flow Alert - Secrets Deleted By User After Multiple Failed Attempts

This alert gets triggered when a user successfully deletes the secrets after multiple failed attempts. Note: This alert condition is set to check for a successful attempt within an hour. So, feel free to modify the timelines as per your requirements. Impact This alert suggests that a user either lacked the necessary permissions or encountered misconfigurations, resulting in multiple failed attempts before ultimately succeeding in deleting the Secrets. This could have been perpetrated by an unauthorized user or an attacker who exploited other vulnerabilities to achieve success. Moreover, such indicators may result in compromised accounts, leaked secrets, privilege escalation, misconfigurations, and other security concerns. Mitigation Examine the event logs to comprehend the sequence of events. Subsequently, reach out to the user to ascertain the cause of the unsuccessful attempts. If a valid explanation exists, address the issues with the failed attempts; otherwise, ensure the deleted Secrets are restored and affected services are reconfigured. Lastly, following corporate policy, consider taking appropriate actions against the user. MITRE Tactic: TA0004 MITRE Technique: T1548

Flow Alert - ConfigMaps Deleted By User After Multiple Failed Attempts

This alert gets triggered when a user successfully deletes the ConfigMaps after multiple failed attempts. Note: This alert condition is set to check for a successful attempt within an hour. So, feel free to modify the timelines as per your requirements. Impact This alert signifies that a user lacked the necessary permissions or encountered misconfigurations, resulting in multiple failed attempts before ultimately succeeding in deleting the ConfigMaps. This could be the result of unauthorized access or an attacker exploiting other vulnerabilities. Such indicators may suggest compromised accounts, leaked secrets, privilege escalation, misconfigurations, and similar security risks. Mitigation Examine the event logs to comprehend the sequence of events. Subsequently, reach out to the user to ascertain the cause of the unsuccessful attempts. If a valid explanation exists, address the issues with the failed attempts; otherwise, ensure the deleted ConfigMaps are restored and affected services are reconfigured. Lastly, following corporate policy, consider taking appropriate actions against the user. MITRE Tactic: TA0004 MITRE Technique: T1548

Restore Plan Was Deleted

This alert gets triggered when a restore plan was deleted by the user. After a backup is created, administrators can create a restore for that backup, which initiates the restoration of some portion of the contents of that backup into a target cluster. Impact In GKE, the Restore plan houses multiple restoration points, each linked to a backup for data recovery in the event of loss. Deleting the Restore plan eliminates the last resort for data retrieval, potentially leading to irreversible data loss. This could significantly impact database availability, operational continuity, and service delivery due to the absence of critical data when needed. Mitigation Ensure that crucial permissions are limited exclusively to administrators and diligently monitor all activities to prevent the deletion of any restore plans without a valid business justification or plan expiration. Reach out to the user for clarification and details, and conclude the investigation accordingly. If necessary, reinitiate the backup process to ensure data restoration capability is restored from the backup. MITRE Tactic: TA0040 MITRE Technique: T1485

Backup Plan Was Deleted

This alert gets triggered when a backup plan was deleted by a user. Backup for GKE consists of two main components: A service that runs in Google Cloud and supports a resource-based REST API. This service serves as the control plane for Backup for GKE. The service includes Google Cloud console UI elements that interact with this API. Impact In GKE, a backup plan encompasses multiple backups, each tailored with its own set of configured files, applications, and data. Deleting a backup plan could result in the removal of numerous backups, leaving your data vulnerable without additional copies to rely on in case of modifications, erasures, or compromises to the original data. Such an action could have significant repercussions on your business operations, infrastructure, and the integrity of data crucial for integrations. Mitigation Ensure that critical permissions are limited exclusively to administrators, and diligently monitor each activity to prevent unauthorized deletion of backups unless a valid business justification or data expiry is provided. Reach out to the user for clarification and details; once the investigation is satisfactorily concluded, proceed with closure. Alternatively, if necessary, promptly restore the backup to its previous state, ensuring it is configured as expected. MITRE Tactic: TA0040 MITRE Technique: T1485

Documentation

Learn more about Coralogix's out-of-the-box integration with GCP GKE in our documentation.

Read More
Schedule Demo