This page explains best practices for detectingcryptocurrency mining (cryptomining) attacks on Compute Engine virtualmachines (VMs) in your Google Cloud environment.
These best practices also serve as the eligibility requirements for theGoogle Cloud Cryptomining Protection Program. For more information about the program,see the Security Command Center Cryptomining Protection Program overview.
Activate the Premium tier of Security Command Center for your organization
The Premium tier of Security Command Center (Security Command Center Premium) is afoundational element of detecting cryptomining attacks on Google Cloud.
Security Command Center Premium provides two detection services that arecritical for detecting cryptomining attacks: Event Threat Detection andVM Threat Detection.
Because cryptomining attacks can occur on any VM in any project within yourorganization, activating Security Command Center Premium for your entireorganization with Event Threat Detection and VM Threat Detection enabledis both a best practice and a requirement of the Security Command CenterCryptomining Protection Program.
For more information, see Activate Security Command Center for an organization.
Enable key threat detection services on all projects
Enable the Event Threat Detection and VM Threat Detection detection servicesof Security Command Center Premium on all projects in your organization.
Together, Event Threat Detection and VM Threat Detection detectevents that can lead to a cryptomining attack (stage-0 events) and eventsthat indicate an attack is in progress (stage-1 events). The specific eventsthese detection services detect are described in the following sections.
For more information, see the following:
- Overview of Event Threat Detection
- Overview of VM Threat Detection
Enable stage-0 event detection
Stage-0 events are events in your environment that often precede, or arethe first step of, common cryptomining attacks.
Event Threat Detection, a detection service available with Security Command CenterPremium, issues findings to alert you when it detects certain stage-0 events.
If you can detect and remediate these issues quickly, you can preventmany cryptomining attacks before you incur significant costs.
Event Threat Detection uses the following finding categories to alert youto these events:
- Account_Has_Leaked_Credentials:A finding in this category indicates that a service account key wasleaked on GitHub. Acquiring service account credentials is a commonprecursor to cryptomining attacks.
- Evasion: Access from Anonymizing Proxy:A finding in this category indicates that a modification to aGoogle Cloud service originated from an anonymous proxy, like aTor exit node.
- Initial Access: Dormant Service Account Action:A finding in this category indicates that a dormant service accounttook action in your environment. Security Command Center usesPolicy Intelligence to detect dormant accounts.
Enable stage-1 event detection
Stage-1 events are events that indicate that a cryptomining applicationprogram is running in your Google Cloud environment.
Both Event Threat Detection and VM Threat Detection issue Security Command Centerfindings to alert you when they detect certain stage-1 events.
Investigate and remediate these findings immediately to avoid incurringsignificant costs that are associated with the resource consumption ofcryptomining applications.
A finding in any of the following categories indicates that acryptomining application is running on a VM in one of the projects inyour Google Cloud environment:
- Execution: Cryptomining YARA Rule:Findings in this category indicate that VM Threat Detection detected amemory pattern, such as a proof-of-work constant, that is used by acryptomining application.
- Execution: Cryptomining Hash Match:Findings in this category indicate that VM Threat Detection detecteda memory hash that is used by a cryptomining application.
- Execution: Combined Detection:Findings in this category indicate that VM Threat Detection detectedboth a memory pattern and a memory hash that are used by a cryptominingapplication.
- Malware: Bad IP:Findings in this category indicate that Event Threat Detection detecteda connection to, or a lookup of, an IP address that is known to be usedby cryptomining applications.
- Malware: Bad Domain:Findings in this category indicate that Event Threat Detection detecteda connection to, or a lookup of, a domain that is known to be used bycryptomining applications.
Enable Cloud DNS logging
To detect calls made by cryptomining applications to known bad domains,enable Cloud DNS Logging.Event Threat Detection processes theCloud DNS logs and issues findings when it detects resolution of adomain that is known to be used for cryptomining pools.
Integrate your SIEM and SOAR products with Security Command Center
Integrate Security Command Center with your existing security operations tools,such as your SIEM or SOAR products, to triage and respond to theSecurity Command Center findings for stage-0 and stage-1 events that indicatepotential or actual cryptomining attacks.
If your security team does not use a SIEM or SOAR product, the team needs tofamiliarize themselves with working with Security Command Center findingsin the Google Cloud console and how to set up finding notificationsand exports by using Pub/Sub or the Security Command Center APIs to routefindings for cryptomining attacks effectively.
For the specific findings that you need to export to your security operationstools, see Enable key threat detection services on all projects.
For information about how to integrate SIEM and SOAR products withSecurity Command Center, see Setting up SIEM and SOAR integrations.
For information about setting up finding notifications or exports, see thefollowing information:
- Enabling real-time email and chat notifications
- Enable finding notifications for Pub/Sub
So that your company can respond as quickly as possible to any securitynotifications from Google, specify to Google Cloud which teamsin your company, such as IT security or operations security, shouldreceive security notifications. When you specify a team, you enter itsemail address in Essential Contacts.
To ensure reliable delivery of these notifications over time, westrongly encourage teams to configure delivery to a mailing list, group,or other mechanism that ensures consistency of delivery and distributionto the responsible team at your organization. We recommend that you donot specify the email addresses of individuals as essential contactsbecause communication can be interrupted if the individuals changeteams or leave the company.
After setting up your essential contacts, ensure that the email inboxis monitored by your security teams continuously. Continuous monitoringis a critical best practice, because adversaries frequently initiatecryptomining attacks when they expect you to be less vigilant, such ason weekends, holidays, and at night.
Designating your essential contacts for security, and thenmonitoring the essential contacts email address, are botha best practice and a requirement of the Security Command CenterCryptomining Protection Program.
Maintain required IAM permissions
Your security teams, and Security Command Center itself, require authorizationto access resources in the Google Cloud environment. You manageauthentication and authorization by using Identity and Access Management (IAM).
As a best practice and, in the case of Security Command Center, a basicrequirement, you need to maintain or preserve the IAMroles and permissions that are required to detect and respond to cryptominingattacks.
For general information about IAM on Google Cloud,see IAM overview.
Authorizations that are required by your security teams
To be able to view Security Command Center findings and respond immediatelyto a cryptomining attack or other security issue on Google Cloud,the Google Cloud user accounts of yoursecurity personnel need to be authorized ahead of time to respond to,remediate, and investigate the issues that might come up.
On Google Cloud, you can manage authentication and authorization byusing IAM roles and permissions.
Roles required to work with Security Command Center
For information about the IAM roles that users need towork with Security Command Center, see Access control with IAM.
Roles required to work with other Google Cloud services
To properly investigate a cryptomining attack, you are likely to needother IAM roles, such asCompute Engine roles that allow you to view and manage the affected VM instance and theapplications that are running on it.
Depending on where the investigation of an attack leads, you might needother roles as well, such as Compute Engine network roles or Cloud Logging roles.
You also need the proper IAM permissions to create andmanage your Essential Contacts for security. For informationabout the IAM roles that are required tomanage security contacts, see Required roles.
Authorizations that are required by Security Command Center
When you activate Security Command Center, Google Cloud automaticallycreates a service account that Security Command Center usesfor authentication and authorization when running scans and processinglogs. During the activation process, you confirm the permissions thatare granted to the service account.
Do not remove or modify this service account, its roles, or its permissions.
Confirm implementation of the cryptomining detection best practices
You can see if your organization implements the bestpractices for detecting cryptomining by running a script that checksyour organization's metadata. The script is available on GitHub.
To review the README and download the script, seeSCC cryptomining detection best practices validation script.
