Attack exposure scores and attack paths
This page explains key concepts, principles, and restrictions to help you learn about, refine, and use the attack exposure scores and attack paths that are generated by the Risk Engine of Security Command Center.
Attack exposure scores and attack paths are generated for the following:
- Vulnerability and misconfiguration findings (vulnerability findings, collectively) that expose the resource instances in your effective high-value resource set.
- The resources in your effective high-value resource set.
- Issues in Security Command Center Premium or Enterprise, which contain toxic combinations and chokepoints.
Support statement: Risk Engine attack path simulations are subject to certain supportability constraints and limits. For more information, see Attack exposure feature support.
To use attack exposure scores and attack paths, you must activate the Security Command Center Premium or Enterprise tier at the organization level. You can't use attack exposure scores and attack paths with project-level activations.
Attack paths represent possibilities
You won't see evidence of an actual attack in an attack path.
Risk Engine generates attack paths and attack exposure scores by simulating what hypothetical attackers could do if they gained access to your Google Cloud environment and discovered the attack paths and vulnerabilities that Security Command Center has already found.
Each attack path shows you one or more attack methods an attacker could use if they gained access to a particular resource. Do not confuse these attack methods with actual attacks.
Similarly, a high attack-exposure score on any of the following does not mean that an attack is in progress:
- A Security Command Center finding or resource
- A Security Command Center Premium or Enterprise issue
To watch for actual attacks, monitor the THREAT class findings produced by the threat detection services, like Event Threat Detection and Container Threat Detection.
Attack exposure scores
An attack exposure score appears for the following:
- A Security Command Center finding or resource
- A Security Command Center Premium or Enterprise issue
An attack exposure score is a measure of how exposed resources are to potential attack if a malicious actor were to gain access to your Google Cloud environment.
An attack exposure score on a toxic combination or chokepoint finding is referred to as a toxic combination score in some contexts, such as the Findings page in the Google Cloud console.
In descriptions of how scores are calculated, in general guidance about prioritizing finding remediation, and in certain other contexts, the term attack exposure score also applies to toxic combination scores.
On a finding, the score is a measure of how much a detected security issue exposes one or more high-value resources to potential cyberattacks. On a high-value resource, the score is a measure of how exposed the resource is to potential cyberattacks.
Use the scores on software vulnerability, misconfiguration, and toxic combination or chokepoint (Preview) findings to prioritize the remediation of those findings.
Use attack exposure scores on resources to proactively secure the resources that are the most valuable to your business.
Caution: To get scores that accurately reflect your security priorities, you must define a high-value resource set. For more information, see High-value resource sets. In the attack path simulations, Risk Engine always starts the simulated attacks from the public internet. Consequently, the attack exposure scores don't account for any possible exposure to malicious or negligent internal actors.
Findings that receive attack exposure scores
Attack exposure scores are applied to active finding classes that are listed in Supported finding categories.
Attack path simulations include only active and unmuted findings in their calculations. Findings that have a status of INACTIVE or MUTED are not included in the simulations, don't receive scores, and are not included in attack paths.
For example, muting an Overprivileged Service Account finding won't remove the service account or its permissions from the simulations; this action only causes the finding to not get scored. The exception to this is muting vulnerability findings, in which case the MUTED status is considered an indication that the vulnerability is not exploitable. Be careful not to expose your environment to unnecessary risk by disabling vulnerability findings that might still be exploitable.
Resources that receive attack exposure scores
Attack path simulations calculate attack exposure scores for supported resource types in your high-value resource set. You specify which resources belong in the high-value resource set by creating resource value configurations.
If a resource in a high-value resource set has an attack exposure score of 0, the attack path simulations did not identify any paths to the resource that a potential attacker could leverage.
Attack path simulations support the following resource types:
- aiplatform.googleapis.com/Dataset
- aiplatform.googleapis.com/Featurestore
- aiplatform.googleapis.com/MetadataStore
- aiplatform.googleapis.com/Model
- aiplatform.googleapis.com/TrainingPipeline
- artifactregistry.googleapis.com/Repository
- bigquery.googleapis.com/Dataset
- cloudbuild.googleapis.com/BitbucketServerConfig
- cloudbuild.googleapis.com/BuildTrigger
- cloudbuild.googleapis.com/Connection
- cloudbuild.googleapis.com/GithubEnterpriseConfig
- cloudbuild.googleapis.com/Repository
- cloudbuild.googleapis.com/WorkerPool
- cloudfunctions.googleapis.com/CloudFunction
- compute.googleapis.com/Instance
- container.googleapis.com/Cluster
- run.googleapis.com/Job
- run.googleapis.com/Service
- spanner.googleapis.com/Instance
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
Score calculation
Each time the attack path simulations run, they recalculate the attack exposure scores. Each attack path simulation actually runs several simulations in which a simulated attacker tries known attack methods and techniques to reach and compromise the valued resources.
Attack path simulations run approximately every six hours. As your organization grows, simulations take longer, but they will always run at least once a day. Simulation runs are not triggered by the creation, modification, or deletion of resources or resource value configurations.
The simulations calculate the scores using a variety of metrics, including the following:
- The priority value that is assigned to the high-value resources that are exposed. The priority values that you can assign have the following values:
  - HIGH = 10
  - MED = 5
  - LOW = 1
- The number of possible paths an attacker could take to reach a given resource.
- The number of times in which a simulated attacker is able to reach and compromise a high-value resource at the end of a given attack path, expressed as a percentage of the total number of simulations.
- For findings only, the number of high-value resources that are exposed by the detected vulnerability or misconfiguration.
For resources, attack exposure scores can be in the range from 0 to 10.
At a high level, the simulations calculate resource scores by multiplying the percentage of successful attacks by the numerical priority value of the resources.
For findings, scores don't have a fixed upper limit. The more often a finding occurs on attack paths to exposed resources in the high-value resource set, and the higher the priority values of those resources, the higher the score is.
At a high level, the simulations calculate finding scores by using the same calculation as they do for resource scores, but for finding scores, the simulations then multiply the result of the calculation by the number of high-value resources the finding exposes.
Changing scores
The scores can change each time an attack path simulation runs. A finding or resource that has a score of zero today might have a non-zero score tomorrow.
Scores change for a variety of reasons, including the following:
- The detection or remediation of a vulnerability that directly or indirectly exposes a high-value resource.
- The addition or removal of resources in your environment.
Changes to findings or resources after a simulation has run are not reflected in the scores until the next simulation runs.
Using scores to prioritize finding remediations
To effectively prioritize the remediation of findings based on their attack exposure or toxic combination scores, consider the following points:
- Any finding that has a score that is greater than zero exposes a high-value resource to potential attack in some way, so the remediation should be prioritized over findings that have a score of zero.
- The higher the score of a finding is, the more the finding exposes your high-value resources and the higher you should prioritize its remediation.
Generally, place the highest priority on the remediation of the findings that have the highest scores and that most effectively block the attack paths to your high-value resources.
If the scores of a toxic combination and chokepoint finding and a finding in another finding class are roughly equal, prioritize the remediation of the toxic combination and chokepoint finding, because it represents a complete path from the public internet to one or more high-value resources that an attacker can potentially follow if they gained access to your cloud environment.
On the Security Command Center Findings page in the Google Cloud console, you can sort the findings on the page panel by score by clicking the column heading.
In the Google Cloud console, you can also view the findings with the highest scores by adding a filter to the findings query that returns only findings with an attack exposure score greater than a number that you specify.
On the Cases page in Security Command Center Enterprise, you can also sort the toxic combinations and chokepoint cases by the attack exposure score.
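The following added example (not Security Command Center's own code) puts the score arithmetic from the Score calculation section and the remediation ordering from this section into runnable form. The page gives only the high-level rule: a resource score is the share of successful simulations multiplied by the priority value, and a finding score is the same term multiplied by the number of exposed high-value resources. Summing the per-resource terms for a finding that exposes several resources, the `near_equal` threshold used for "roughly equal", and the sample resources, findings, and category labels are this example's own assumptions.

```python
"""Illustrative model of attack exposure score arithmetic and remediation
ordering.  Added example, not Security Command Center's code; the
aggregation across several exposed resources (a sum) and the "roughly
equal" threshold are assumptions of this example."""
from dataclasses import dataclass, field

# Priority values as documented on this page.
PRIORITY = {"HIGH": 10, "MEDIUM": 5, "LOW": 1, "NONE": 0}

# Category labels this example treats as toxic combination / chokepoint
# findings (constructed for the sample, not taken from the page).
TOXIC_CLASSES = ("TOXIC_COMBINATION", "CHOKEPOINT")


@dataclass
class ValuedResource:
    name: str
    priority: str          # HIGH, MEDIUM or LOW
    successful_runs: int   # simulations in which the attacker compromised it
    total_runs: int        # simulations performed


@dataclass
class Finding:
    name: str
    category: str
    exposes: list[str] = field(default_factory=list)  # exposed resource names


def resource_score(r: ValuedResource) -> float:
    """Share of successful simulations times the priority value (0..10)."""
    if r.total_runs == 0:
        return 0.0
    return round(r.successful_runs / r.total_runs * PRIORITY[r.priority], 2)


def finding_score(f: Finding, resources: dict[str, ValuedResource]) -> float:
    """Per-resource terms summed (assumption), then multiplied by the number
    of exposed high-value resources, which is why finding scores have no
    fixed upper limit."""
    exposed = [resources[n] for n in f.exposes if n in resources]
    return round(sum(resource_score(r) for r in exposed) * len(exposed), 2)


def prioritize(findings: list[Finding], resources: dict[str, ValuedResource],
               near_equal: float = 0.5) -> list[tuple[str, float]]:
    """Remediation order: highest score first (zero-score findings last), with
    a toxic combination or chokepoint finding placed ahead of a roughly equal
    finding of another class.  Returns (finding name, score) pairs."""
    ranked = sorted(((finding_score(f, resources), f) for f in findings),
                    key=lambda item: -item[0])
    # One pass that moves a toxic combination ahead of a near-equal neighbour.
    for i in range(1, len(ranked)):
        prev_score, prev = ranked[i - 1]
        score, cur = ranked[i]
        if (cur.category in TOXIC_CLASSES and prev.category not in TOXIC_CLASSES
                and prev_score - score <= near_equal):
            ranked[i - 1], ranked[i] = ranked[i], ranked[i - 1]
    return [(f.name, score) for score, f in ranked]


# Constructed sample: four high-value resources and five findings.
SAMPLE_RESOURCES = {r.name: r for r in [
    ValuedResource("db-prod", "HIGH", successful_runs=80, total_runs=100),
    ValuedResource("api-prod", "HIGH", successful_runs=78, total_runs=100),
    ValuedResource("bucket-exports", "MEDIUM", successful_runs=50, total_runs=100),
    ValuedResource("vm-batch", "LOW", successful_runs=0, total_runs=100),
]}

SAMPLE_FINDINGS = [
    Finding("public-bucket-acl", "PUBLIC_BUCKET_ACL", ["bucket-exports"]),
    Finding("toxic-path", "TOXIC_COMBINATION", ["api-prod"]),
    Finding("over-privileged-sa", "OVER_PRIVILEGED_SERVICE_ACCOUNT",
            ["db-prod", "bucket-exports"]),
    Finding("vm-weak-ssh", "WEAK_SSH_POLICY", ["vm-batch"]),
    Finding("open-firewall", "OPEN_FIREWALL", ["db-prod"]),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_FINDINGS, SAMPLE_RESOURCES):
        print(f"{score:6.2f}  {name}")
```

In the sample, `over-privileged-sa` ranks first because it exposes two resources, and `toxic-path` (7.8) is placed ahead of `open-firewall` (8.0) because the scores are within the near-equal threshold and the page says to prefer the toxic combination in that case.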
Findings that can't be remediated
In some cases, you might not be able to remediate a finding with a high attack exposure score, either because it represents a known and accepted risk, or because the finding cannot be remediated immediately. In these cases, you might need to mitigate the risk in other ways. Reviewing the associated attack path might give you ideas for other possible mitigations.
Secure resources by using attack exposure scores
A non-zero attack exposure score on a resource means that the attack path simulations identified one or more attack paths from the public internet to the resource.
To see the attack exposure scores for your high-value resources, follow these steps:
In the Google Cloud console, go to the Assets page of Security Command Center.
Select the organization where you activated Security Command Center.
Select the High value resource set tab. The resources in your high-value resource set are displayed in descending order of attack exposure score.
Display the attack paths for a resource by clicking the number on its row in the Attack exposure score column. The attack paths from the public internet to the resource are displayed.
Review the attack paths. For information about how to interpret the attack paths, see Attack paths.
To display a detail window with links to view related findings, click a node.
Click a related findings link. The Finding window opens with detail about the finding and how to remediate it.
You can also view the attack exposure scores of your high-value resources on the Attack path simulation tab of the Settings page (Settings > Attack path simulation). Click View valued resources used in last simulation.
The High value resource set tab is also available on the Assets page of the Security Operations console.
Attack exposure scores of 0
An attack exposure score of 0 on a resource means that, in the latest attack path simulations, Security Command Center did not identify any potential paths an attacker could take to reach the resource.
An attack exposure score of 0 on a finding means that, in the latest attack simulation, the simulated attacker couldn't reach any high-value resources through the finding.
However, an attack exposure score of 0 does not mean that there is no risk. An attack exposure score reflects the exposure of supported Google Cloud services, resources, and Security Command Center findings to potential threats originating from the public internet. For example, the scores don't take into account threats from internal actors, zero-day vulnerabilities, or third-party infrastructure.
No attack exposure score
If a finding or resource does not have a score, it can be for the following reasons:
- The finding was generated after the latest attack path simulation.
- The resource was added to your high-value resource set after the latest attack path simulation.
- The attack exposure feature doesn't support the finding category or the resource type.
For a list of the supported finding categories, see Risk Engine feature support.
For a list of supported resource types, see Resources that receive attack exposure scores.
Resource values
Although all of your resources on Google Cloud have value, Security Command Center identifies attack paths and calculates attack exposure scores for only the resources that you designate as high-value resources (sometimes referred to as valued resources).
High-value resources
A high-value resource on Google Cloud is a resource that is especially important for your business to protect from potential attacks. For example, your high-value resources might be the resources that store your valuable or sensitive data or that host your business-critical workloads.
You designate a resource as a high-value resource by defining the attributes of the resource in a resource value configuration. Up to a limit of 1,000 resource instances, Security Command Center treats any resource instance that matches the attributes that you specify in the configuration as a high-value resource.
Priority values
Among the resources that you designate as high value, you are likely to need to prioritize the security of some more than others. For example, a set of data resources might contain high-value data, but certain of those data resources might contain data that is more sensitive than the rest.
So that your scores reflect your need to prioritize the security of the resources within your high-value resource set, you assign a priority value in the resource value configurations that designate resources as high value.
If you use Sensitive Data Protection, you can also prioritize resources automatically by the sensitivity of the data that the resources contain.
Set resource priority values manually
In a resource value configuration, you assign a priority to the matching high-value resources by specifying one of the following priority values:
- LOW = 1
- MEDIUM = 5
- HIGH = 10
- NONE = 0
If you specify a priority value of LOW in a resource value configuration, the matching resources are still high-value resources; the attack path simulations just treat them with a lower priority and assign them a lower attack exposure score than high-value resources that have a priority value of MEDIUM or HIGH.
If multiple configurations assign different values for the same resource, the highest value applies, unless a configuration assigns a value of NONE.
A resource value of NONE excludes the matching resources from being considered a high-value resource and overrides any other resource value configurations for the same resource. For this reason, make sure that any configuration that specifies NONE applies to only a limited set of resources.
Set resource priority values automatically by data sensitivity
If you use Sensitive Data Protection discovery and publish the data profiles to Security Command Center, then you can configure Security Command Center to automatically set the priority value of certain high-value resources by the sensitivity of the data that the resources contain.
You enable data-sensitivity prioritization when you specify the resources in a resource value configuration.
When enabled, if Sensitive Data Protection discovery classifies the data in a resource to be either MEDIUM or HIGH sensitivity, the attack path simulations by default set the priority value of the resource to that same value.
The data sensitivity levels are defined by Sensitive Data Protection, but you can interpret them as follows:
- High sensitivity data
  - Sensitive Data Protection discovery found at least one instance of high-sensitivity data in the resource.
- Medium sensitivity data
  - Sensitive Data Protection discovery found at least one instance of medium-sensitivity data in the resource and no instances of high-sensitivity data.
- Low sensitivity data
  - Sensitive Data Protection discovery did not detect sensitive data or any freeform text or unstructured data in the resource.
If Sensitive Data Protection discovery identifies only low-sensitivity data in a matching data resource, the resource is not designated as a high-value resource.
If you need data resources that contain only low-sensitivity data to be designated as high-value resources with a low priority, create a duplicate resource value configuration, but specify a priority value of LOW instead of enabling data-sensitivity prioritization. The configuration that uses Sensitive Data Protection overrides the configuration that assigns the LOW priority value, but only for resources that contain HIGH or MEDIUM sensitivity data.
You can change the default priority values that Security Command Center uses when sensitive data is detected in the resource value configuration.
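The precedence rules from the Set resource priority values manually and Set resource priority values automatically by data sensitivity sections interact (NONE overrides everything, otherwise the highest value wins, and data-sensitivity prioritization contributes a value only for HIGH or MEDIUM sensitivity data). The following added example, not Security Command Center's own code, resolves the effective priority of one resource from the configurations that match it. The `ResourceValueConfig` shape and the constructed configurations, including the duplicate LOW configuration pattern described above, are this example's assumptions.

```python
"""Resolve a resource's effective priority value from the resource value
configurations that match it.  Added example, not Security Command Center's
code; the configuration shape and sample scenarios are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

PRIORITY = {"HIGH": 10, "MEDIUM": 5, "LOW": 1, "NONE": 0}

# Default priority per Sensitive Data Protection sensitivity level.  The page
# says the defaults can be changed per configuration.  LOW sensitivity has no
# entry: by itself it never designates a resource as high value.
DEFAULT_SENSITIVITY_PRIORITY = {"HIGH": "HIGH", "MEDIUM": "MEDIUM"}


@dataclass
class ResourceValueConfig:
    name: str
    priority: Optional[str] = None             # HIGH, MEDIUM, LOW or NONE
    use_data_sensitivity: bool = False         # data-sensitivity prioritization
    sensitivity_priority: dict = field(
        default_factory=lambda: dict(DEFAULT_SENSITIVITY_PRIORITY))


def effective_priority(matching: list, data_sensitivity: Optional[str]) -> Optional[str]:
    """Priority label for a resource matched by every config in `matching`,
    given the sensitivity level Sensitive Data Protection reported for it
    (None when no data profile exists).  Returns None when the resource is
    not a high-value resource: nothing assigned a value, or NONE applied."""
    candidates = []
    for cfg in matching:
        if cfg.use_data_sensitivity:
            label = cfg.sensitivity_priority.get(data_sensitivity or "")
            if label:                          # HIGH/MEDIUM data contributes a value
                candidates.append(label)
        elif cfg.priority:
            candidates.append(cfg.priority)
    if not candidates or "NONE" in candidates:  # NONE overrides everything
        return None
    return max(candidates, key=PRIORITY.__getitem__)  # otherwise highest wins


def priority_value(label: Optional[str]) -> int:
    """Numeric value the simulations use; 0 for an undesignated resource."""
    return PRIORITY[label] if label else 0


# Constructed configurations mirroring the page's duplicate-configuration
# pattern: one uses data sensitivity, the other assigns LOW to the same
# resources so that low-sensitivity data is still designated, at low priority.
SDP_CONFIG = ResourceValueConfig("bq-by-sensitivity", use_data_sensitivity=True)
LOW_FALLBACK = ResourceValueConfig("bq-low-fallback", priority="LOW")
EXCLUDE_SANDBOX = ResourceValueConfig("exclude-sandbox", priority="NONE")

if __name__ == "__main__":
    for level in ("HIGH", "MEDIUM", "LOW", None):
        print(level, "->", effective_priority([SDP_CONFIG, LOW_FALLBACK], level))
```

With both configurations, a dataset holding high-sensitivity data resolves to HIGH, one holding medium-sensitivity data to MEDIUM, and one holding only low-sensitivity data to LOW; with the data-sensitivity configuration alone, the last case is not designated at all.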
For more information about Sensitive Data Protection, see Sensitive Data Protection overview.
Data-sensitivity prioritization and the default high-value resource set
Before you create your own high-value resource set, Security Command Center uses a default high-value resource set to calculate attack exposure scores and attack paths.
If you use Sensitive Data Protection discovery, Security Command Center automatically adds instances of supported data resource types that contain HIGH or MEDIUM sensitivity data to the default high-value resource set.
Supported Google Cloud resource types for automated data-sensitivity priority values
Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following data resource types:
- aiplatform.googleapis.com/Dataset
- bigquery.googleapis.com/Dataset
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
Supported AWS resource types for automated data-sensitivity priority values
Attack path simulations can automatically set priority values based on data-sensitivity classifications from Sensitive Data Protection discovery for only the following AWS data resource types:
- Amazon S3 bucket
High-value resource sets
A high-value resource set is a defined collection of the resources in your Google Cloud environment that are the most important to secure and protect.
To define your high-value resource set, you need to specify which resources in your Google Cloud environment belong in your high-value resource set. Until you define your high-value resource set, attack exposure scores, attack paths, and toxic combination findings don't accurately reflect your security priorities.
You specify the resources in your high-value resource set by creating resource value configurations. The combination of all of your resource value configurations defines your high-value resource set. For more information, see Resource value configurations.
Until you define your first resource value configuration, Security Command Center uses a default high-value resource set. The default set applies across your organization to all of the resource types that attack path simulations support. For more information, see Default high-value resource set.
To view the high-value resource set that was used in the last attack path simulation, including the attack exposure scores and matching configurations, see View the high-value resource set.
Resource value configurations
You manage the resources in your high-value resource set with resource value configurations.
You create resource value configurations on the Attack path simulation tab of the Security Command Center Settings page in the Google Cloud console.
In a resource value configuration, you specify the attributes that a resource must have for Security Command Center to add it to your high-value resource set.
The attributes that you can specify include the resource type, resource tags, resource labels, and the parent project, folder, or organization.
You also assign a resource value to the resources in a configuration. The resource value prioritizes the resources in a configuration relative to the other resources in the high-value resource set. For more information, see Resource values.
You can create up to 100 resource value configurations in a Google Cloud organization.
Together, all of the resource value configurations that you create define the high-value resource set that Security Command Center uses for the attack path simulations.
Resource attributes
For a resource to be included in your high-value resource set, its attributes must match the attributes that you specify in a resource value configuration.
The attributes that you can specify include:
- A resource type or Any. When Any is specified, the configuration applies to all of the supported resource types within the specified scope. Any is the default value.
- A scope (the parent organization, folder, or project) within which the resources must reside. The default scope is your organization. If you specify an organization or folder, the configuration also applies to the resources in the child folders or projects.
- Optionally, one or more tags or labels that each resource must contain.
If you specify one or more resource value configurations, but no resources in your Google Cloud environment match the attributes specified in any of the configurations, Security Command Center generates an SCC Error finding and falls back to the default high-value resource set.
Default high-value resource set
Security Command Center uses a default high-value resource set to calculate attack exposure scores when no resource value configurations are defined or when no defined configurations match any resources.
Security Command Center assigns resources in the default high-value resource set a priority value of LOW, unless you use Sensitive Data Protection discovery, in which case Security Command Center assigns resources that contain high-sensitivity or medium-sensitivity data a corresponding priority value of HIGH or MEDIUM.
Risk Engine uses heuristics to identify assets in the default high-value resource set that are used for non-production purposes. To help ensure that you have information about the most important assets, Risk Engine calculates the attack exposure score for all other assets in the default high-value resource set before calculating the attack exposure score for these non-production assets.
If you have at least one resource value configuration that matches at least one resource in your environment, Security Command Center stops using the default high-value resource set.
To receive attack exposure and toxic combination scores that accurately reflect your security priorities, replace the default high-value resource set with your own high-value resource set. For more information, see Define and manage your high-value resource set.
The following list shows the resource types that are included in the default high-value resource set:
- aiplatform.googleapis.com/Model
- artifactregistry.googleapis.com/Repository
- bigquery.googleapis.com/Dataset
- cloudbuild.googleapis.com/BuildTrigger
- cloudfunctions.googleapis.com/CloudFunction
- compute.googleapis.com/Instance
- run.googleapis.com/Job
- run.googleapis.com/Service
- spanner.googleapis.com/Instance
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
Limit on resources in a high-value resource set
Security Command Center limits the number of resources in a high-value resource set to 1,000 per cloud service provider.
If the attribute specifications in one or more resource value configurations are very broad, the number of resources that match the attribute specifications can exceed 1,000.
When the number of matching resources exceeds the limit, Security Command Center excludes resources from the set until the number of resources is within the limit. Security Command Center excludes resources with the lowest assigned value first. Among resources with the same assigned value, Security Command Center excludes resource instances by an algorithm that distributes the excluded resources across resource types.
A resource that is excluded from the high-value resource set is not considered in the calculation of attack exposure scores.
To alert you when the instance limit for the score calculation is exceeded, Security Command Center generates an SCC error finding and displays a message on the Attack path simulation settings tab in the Google Cloud console. Security Command Center doesn't generate an SCC error finding if the default high-value set exceeds the instance limit.
To avoid exceeding the limit, adjust your resource value configurations to refine the instances in your high-value resource set.
Some of the things you can do to refine your high-value resource set include the following options:
- Use tags or labels to reduce the number of matches for a given resource type or within a specified scope.
- Create a resource value configuration that assigns a value of NONE to a subset of the resources that are specified in another configuration. Specifying a value of NONE overrides any other configurations and excludes the resource instances from your high-value resource set.
- Reduce the scope specification in the resource value configuration.
- Delete resource value configurations that assign a value of LOW.
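To make the attribute matching from the Resource attributes section and the limit handling from this section concrete, the following added example (not Security Command Center's own code) builds a high-value resource set from a few constructed configurations and then trims it to a limit. Assumptions of this example: the `Resource` and `Config` shapes, the organization and folder names, a reduced limit of 4 in the sample (the real limit is 1,000 per cloud service provider), and a round-robin tie-break among same-value resources, which stands in for the undocumented algorithm that distributes exclusions across resource types.

```python
"""Select a high-value resource set from resource value configurations and
trim it to the instance limit.  Added example, not Security Command Center's
code; the shapes, names and the round-robin tie-break are assumptions."""
from dataclasses import dataclass, field

PRIORITY = {"HIGH": 10, "MEDIUM": 5, "LOW": 1, "NONE": 0}
ANY = "Any"


@dataclass
class Resource:
    name: str
    resource_type: str            # e.g. "storage.googleapis.com/Bucket"
    ancestors: list[str]          # parent chain up to the organization
    labels: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)


@dataclass
class Config:
    name: str
    priority: str                 # HIGH, MEDIUM, LOW or NONE
    resource_type: str = ANY      # Any covers every supported type in scope
    scope: str = "organizations/o1"   # assumed organization id
    labels: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)


def matches(cfg: Config, res: Resource) -> bool:
    """Type, scope ancestry, labels and tags must all satisfy the config."""
    if cfg.resource_type != ANY and cfg.resource_type != res.resource_type:
        return False
    if cfg.scope not in res.ancestors:       # scope covers child folders/projects
        return False
    if any(res.labels.get(k) != v for k, v in cfg.labels.items()):
        return False
    return all(res.tags.get(k) == v for k, v in cfg.tags.items())


def build_set(resources: list, configs: list) -> dict:
    """name -> (priority label, resource type) for each designated resource.
    NONE in any matching config excludes the resource; else highest wins."""
    valued = {}
    for res in resources:
        labels = [c.priority for c in configs if matches(c, res)]
        if labels and "NONE" not in labels:
            valued[res.name] = (max(labels, key=PRIORITY.__getitem__), res.resource_type)
    return valued


def trim_to_limit(valued: dict, limit: int):
    """Exclude lowest-value resources first; within one value, drop at most
    one instance per resource type per round so exclusions spread across
    types (this example's stand-in for the undocumented distribution)."""
    kept, excluded = dict(valued), []
    for label in ("LOW", "MEDIUM", "HIGH"):
        while len(kept) > limit:
            tier = sorted(n for n, (lab, _) in kept.items() if lab == label)
            if not tier:
                break
            types_hit = set()
            for name in tier:
                if len(kept) <= limit:
                    break
                rtype = kept[name][1]
                if rtype not in types_hit:
                    types_hit.add(rtype)
                    excluded.append(name)
                    del kept[name]
    return kept, excluded


# Constructed environment: one organization, a data folder, three projects.
ORG, DATA_FOLDER = "organizations/o1", "folders/data"
SAMPLE_RESOURCES = [
    Resource("bucket-a", "storage.googleapis.com/Bucket", ["projects/web", ORG]),
    Resource("bucket-b", "storage.googleapis.com/Bucket", ["projects/web", ORG]),
    Resource("bucket-c", "storage.googleapis.com/Bucket", ["projects/web", ORG]),
    Resource("vm-a", "compute.googleapis.com/Instance", ["projects/web", ORG]),
    Resource("vm-bastion", "compute.googleapis.com/Instance", ["projects/web", ORG],
             tags={"role": "bastion"}),
    Resource("db-prod", "sqladmin.googleapis.com/Instance", ["projects/db", ORG],
             labels={"env": "prod"}),
    Resource("db-dev", "sqladmin.googleapis.com/Instance", ["projects/db", ORG],
             labels={"env": "dev"}),
    Resource("ds-prod", "bigquery.googleapis.com/Dataset",
             ["projects/analytics", DATA_FOLDER, ORG]),
]
SAMPLE_CONFIGS = [
    Config("everything-low", "LOW"),                 # Any type, whole organization
    Config("prod-databases", "HIGH", "sqladmin.googleapis.com/Instance", labels={"env": "prod"}),
    Config("data-folder", "MEDIUM", "bigquery.googleapis.com/Dataset", scope=DATA_FOLDER),
    Config("drop-bastions", "NONE", "compute.googleapis.com/Instance", tags={"role": "bastion"}),
]

if __name__ == "__main__":
    kept, dropped = trim_to_limit(build_set(SAMPLE_RESOURCES, SAMPLE_CONFIGS), limit=4)
    print("kept:", sorted(kept))
    print("excluded:", dropped)
```

The bastion host is removed by the NONE configuration before any limit applies, and trimming removes only LOW-valued instances, one per resource type per round, so two of the three buckets survive rather than the first two being dropped together.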
High-value resources
To populate your high-value resource set, you need to decide which resource instances in your environment are truly high value.
Generally, your true high-value resources are the resources that process and store your sensitive data. For example, on Google Cloud, these might be Compute Engine instances, a BigQuery dataset, or a Cloud Storage bucket.
You do not need to designate resources that are adjacent to your high-value resources, such as a jump server, as high value. The attack path simulations account for these adjacent resources already, and if you designate them as high value also, it can make your attack exposure scores less reliable.
Attack paths
An attack path is an interactive, visual depiction of one or more potential paths that a hypothetical attacker could take to get from the public internet to one of your high-value resource instances.
Attack path simulations identify potential attack paths by modeling what would happen if an attacker applied known attack methods to the vulnerabilities and misconfigurations that Security Command Center has detected in your environment to try to reach your high-value resources.
You can view attack paths by clicking on the attack exposure score on a finding or resource in the Google Cloud console.
On the Enterprise tier, when viewing a toxic combination case, you can view a simplified attack path for the toxic combination on the case Overview tab. The simplified attack path includes a link to the full attack path. For more information about attack paths for toxic combination findings, see Toxic combination attack paths.
When viewing larger attack paths, you can change your view of the attack path by dragging the red square area-of-focus selector around the miniature view of the attack path at the right side of the display.
In an attack path, resources on an attack path are represented as boxes or nodes. The lines represent potential accessibility between resources. Together, the nodes and lines represent the attack path.
Attack path nodes
The nodes in an attack path represent the resources on an attack path.
Displaying node information
You can display more information about each node in an attack path by clicking it.
Clicking the resource name in a node displays more information about the resource, as well as any findings that affect the resource.
Clicking Expand node displays possible attack methods that could be used if an attacker gained access to the resource.
Types of nodes
There are three different types of nodes:
- The starting point or entry point of the simulated attack, which is the public internet. Clicking on an entry point node displays a description of the entry point along with attack methods an attacker could use to gain access to your environment.
- The affected resources that an attacker can use to move forward on a path.
- The exposed resource at the end of a path, which is one of the resources in your high-value resource set. Only a resource in a defined or default high-value resource set can be an exposed resource. You define a high-value resource set by creating resource value configurations.
Upstream and downstream nodes
In an attack path, a node can be upstream or downstream from the other nodes. An upstream node is closer to the entry point and the top of the attack path. A downstream node is closer to the exposed high-value resource at the bottom of the attack path.
Nodes representing multiple container resource instances
A node can represent multiple instances of certain container resource typesif the instances share the same characteristics.
Multiple instances of the following container resource types can be represented by a single node:
- ReplicaSet Controller
- Deployment Controller
- Job Controller
- CronJob Controller
- DaemonSet Controller
Attack path lines
In an attack path, lines between the boxes represent potential accessibility between resources that an attacker could leverage to reach high-value resources.
The lines do not represent a relationship between resources that is defined in Google Cloud.
If there are multiple paths pointing to a downstream node from multiple upstream nodes, the upstream nodes can have either an AND relationship with each other or an OR relationship with each other.
An AND relationship means that an attacker needs access to both upstream nodes to access a downstream node on the path.
For example, a direct line from the public internet to a high-value resource at the end of an attack path has an AND relationship with at least one other line in the attack path. An attacker could not reach the high-value resource unless they gain access to both your Google Cloud environment and at least one other resource shown in the attack path.
An OR relationship means that an attacker needs access to only one of the upstream nodes to access the downstream node.
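The AND/OR semantics above decide how a reader should interpret an attack path diagram, and also which single remediation would actually cut every path to an exposed resource. The following added example (not Security Command Center's own code) evaluates those semantics over a small constructed graph that mirrors the page's own illustration: a direct line from the public internet to a database that is in an AND relationship with a line from an overprivileged service account, and a bucket with two independent (OR) routes. The `Node` shape, the node names, and the `cut_candidates` helper are this example's assumptions.

```python
"""Evaluate AND/OR line semantics on a constructed attack path graph and
test which single remediation blocks an exposed resource.  Added example,
not Security Command Center's code; the graph and names are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    kind: str                                            # "entry", "affected" or "exposed"
    upstream: list[str] = field(default_factory=list)    # nodes with lines into this one
    relation: str = "OR"                                 # how upstream nodes combine: AND / OR


def reachable(graph: dict, target: str, removed: frozenset = frozenset(),
              _memo: Optional[dict] = None) -> bool:
    """True if an attacker starting at the entry point can reach `target`.
    Nodes in `removed` are treated as remediated, i.e. unreachable."""
    memo = {} if _memo is None else _memo
    if target in memo:
        return memo[target]
    memo[target] = False                                 # guards against cycles
    node = graph[target]
    if target in removed:
        result = False
    elif node.kind == "entry":
        result = True                                    # the public internet
    elif not node.upstream:
        result = False
    else:
        inputs = [reachable(graph, u, removed, memo) for u in node.upstream]
        # AND: every upstream node is needed; OR: any one of them suffices.
        result = all(inputs) if node.relation == "AND" else any(inputs)
    memo[target] = result
    return result


def cut_candidates(graph: dict, target: str) -> list[str]:
    """Affected nodes whose remediation alone makes `target` unreachable."""
    return sorted(name for name, node in graph.items()
                  if node.kind == "affected"
                  and not reachable(graph, target, frozenset({name})))


# Constructed path: db-prod needs both the direct internet line and the
# overprivileged service account (AND); bucket-logs has two routes (OR).
SAMPLE_GRAPH = {n.name: n for n in [
    Node("public-internet", "entry"),
    Node("vm-web", "affected", ["public-internet"]),
    Node("cloud-function", "affected", ["public-internet"]),
    Node("sa-overprivileged", "affected", ["vm-web"]),
    Node("db-prod", "exposed", ["public-internet", "sa-overprivileged"], relation="AND"),
    Node("bucket-logs", "exposed", ["vm-web", "cloud-function"], relation="OR"),
]}

if __name__ == "__main__":
    for exposed in ("db-prod", "bucket-logs"):
        print(exposed, "reachable:", reachable(SAMPLE_GRAPH, exposed),
              "| single fixes that block it:", cut_candidates(SAMPLE_GRAPH, exposed))
```

For `db-prod`, fixing either the web VM or the service account blocks the path, because the AND relationship needs the service account line and that line depends on the VM. For `bucket-logs`, no single fix is enough: the OR relationship means the second route remains.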
Attack path simulations
To determine all possible attack paths and to calculate attack exposure scores, Security Command Center conducts advanced attack path simulations.
Simulation schedule
Attack path simulations run approximately every six hours. As your organization grows, simulations take longer, but they will always run at least once a day. Simulation runs are not triggered by the creation, modification, or deletion of resources or resource value configurations.
Attack path simulation steps
The simulation consists of the following steps:
- Model generation: A model of your Google Cloud environment is automatically generated based on the environment data. The model is a graph representation of your environment, tailored for attack path analyses.
- Attack path simulation: Attack path simulations are conducted on the graph model. The simulations have a virtual attacker try to reach and compromise the resources in your high-value resource set. The simulations leverage the insights on each specific resource and relation, including networking, IAM, configurations, misconfigurations, and vulnerabilities.
- Insight reporting: Based on the simulations, Security Command Center assigns attack exposure scores to your high-value resources and to the findings that expose them and visualizes the potential paths an attacker could take to those resources.
Simulation execution characteristics
In addition to providing the attack exposure scores, attack path insights, and attack paths, attack path simulations have the following characteristics:
- They do not touch your live environment: All simulations are conducted on a virtual model and use only read access for model creation.
- They are dynamic: The model is created without agents through API read access only, which enables the simulations to dynamically follow changes to your environment over time.
- They have a virtual attacker try as many methods and vulnerabilities as possible to reach and compromise your high-value resources. This includes not only "the knowns", such as the vulnerabilities, configurations, misconfigurations, and network relations, but also lower-probability "known unknowns", that is, risks we know exist, such as the possibility of phishing or leaked credentials.
- They are automated: The attack logic is built into the tool. You don't need to build or maintain extensive sets of queries or large datasets.
Attacker scenario and capabilities
In the simulations, Security Command Center has a logical representation of an attacker's attempt to exploit your high-value resources by gaining access to your Google Cloud environment and following potential paths of access through your resources and detected vulnerabilities.
The virtual attacker
The virtual attacker that the simulations use has the following characteristics:
- The attacker is external: The attacker is not a legitimate user of your Google Cloud environment. The simulations do not model or include attacks from malicious or negligent users who have legitimate access to your environment.
- The attacker starts from the public internet. To start an attack, the attacker must first gain access to your environment from the public internet.
- The attacker is persistent. The attacker will not be discouraged or lose interest due to the difficulty of a particular attack method.
- The attacker is skilled and knowledgeable. The attacker tries known methods and techniques to access your high-value resources.
Initial access
Each simulation has a virtual attacker try the following methods to gain access from the public internet to the resources in your Google Cloud environment:
- Discover and connect to services and resources that are accessible from the public internet. In a Google Cloud environment, this could include the following:
  - Services on Compute Engine virtual machine (VM) instances and Google Kubernetes Engine nodes
  - Databases
  - Containers
  - Cloud Storage buckets
  - Cloud Run functions
- Gain access to keys and credentials. In a Google Cloud environment, this could include the following:
  - Service account keys
  - User-supplied encryption keys
  - VM instance SSH keys
  - Project-wide SSH keys
  - External key management systems
  - User accounts where multi-factor authentication (MFA) is not enforced
  - Intercepted virtual MFA tokens
- Gain access to publicly reachable cloud assets by use of stolen credentials or by exploiting vulnerabilities.
If the simulation finds a possible entry point into the environment, the simulation then has the virtual attacker try to reach and compromise your high-value resources from the entry point by consecutively exploring and exploiting security configurations and vulnerabilities within the environment.
Tactics and techniques
The simulation uses a wide variety of tactics and techniques, including leveraging legitimate access, lateral movement, privilege escalation, vulnerabilities, misconfigurations, and code execution.
Incorporation of CVE data
When calculating attack exposure scores for vulnerability findings, the attack path simulations consider data from the vulnerability's CVE record, the CVSS scores, as well as assessments of the exploitability of the vulnerability that are provided by Mandiant.
The following CVE information is considered:
- Attack vector: The attacker needs to have the level of access that is specified in the CVSS attack vector to use the CVE. For instance, a CVE with a network attack vector that is found on an asset with a public IP address and open ports can be exploited by an attacker with network access. If an attacker has network access only and the CVE requires physical access, then the attacker cannot exploit the CVE.
- Attack complexity: Generally, a vulnerability or misconfiguration finding with a low attack complexity is more likely to get a high attack exposure score than a finding with high attack complexity.
- Exploitation activity: Generally, a vulnerability finding with wide exploitation activity, as determined by cyber threat intelligence analysts at Mandiant, is more likely to get a high attack exposure score than a finding with only anticipated exploitation activity. A vulnerability with no known exploitation activity is not considered in the attack path simulations.
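The three rules above can be expressed as a filter-and-rank step over findings. This is an added example, not Risk Engine's actual scoring logic: the `Finding` fields, the exploitation labels, the CVSS v3 vector parsing and the ordering (exploitation activity first, then attack complexity) are assumptions, and the CVE ids in the sample are placeholders.

```python
"""Illustrative model of how CVE data gates and orders vulnerability findings.

Added example, not Security Command Center code. Assumed: a network-based
attacker starting from the internet, CVSS v3.x vector strings, and the
labels "wide", "anticipated" and "none" for Mandiant exploitation activity.
"""
from dataclasses import dataclass

# CVSS v3 attack-vector values, least to most access required:
# Network, Adjacent, Local, Physical.
_AV_RANK = {"N": 0, "A": 1, "L": 2, "P": 3}


@dataclass(frozen=True)
class Finding:
    cve_id: str          # placeholder ids below; not real CVE records
    cvss_vector: str     # e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    exploitation: str    # "wide", "anticipated" or "none" (assumed labels)
    public_ip: bool      # asset has a public IP address and open ports


def parse_vector(vector):
    """Return the CVSS v3 metrics as a dict, e.g. {"AV": "N", "AC": "L", ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3.x vectors are handled")
    return dict(p.split(":", 1) for p in parts[1:])


def considered(finding, attacker_access="N"):
    """Drop findings with no known exploitation activity and findings whose
    attack vector needs more access than the attacker has (a network-only
    attacker cannot use a CVE that requires physical access)."""
    if finding.exploitation == "none":
        return False
    av = parse_vector(finding.cvss_vector)["AV"]
    if av == "N" and not finding.public_ip:
        return False   # assumed: network vector needs public exposure to matter
    return _AV_RANK[av] <= _AV_RANK[attacker_access]


def prioritize(findings, attacker_access="N"):
    """Considered findings, most likely high exposure score first: wide
    exploitation before anticipated, then low attack complexity before high."""
    def key(f):
        ac = parse_vector(f.cvss_vector).get("AC")
        return (0 if f.exploitation == "wide" else 1, 0 if ac == "L" else 1)
    return sorted((f for f in findings if considered(f, attacker_access)), key=key)


# Constructed sample findings with placeholder CVE ids.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "wide", True),
    Finding("CVE-PLACEHOLDER-2", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "anticipated", True),
    Finding("CVE-PLACEHOLDER-3", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "wide", True),
    Finding("CVE-PLACEHOLDER-4", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "none", True),
]
```

The physical-access finding is excluded for a network attacker but would be considered once the attacker's access level reaches "P".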
Multicloud risk assessments
Enterprise tier only: This feature is available only with the Security Command Center Enterprise tier.
In addition to Google Cloud, Security Command Center can run attack path simulations to assess risk in your deployments on multiple cloud service provider platforms.
After you establish a connection to another platform, you can designate your high-value resources on the other cloud service provider by creating resource value configurations, as you would for resources on Google Cloud.
Security Command Center runs simulations for a cloud platform independentlyof simulations that are run for other cloud platforms.
Before you create the first resource value configuration for another cloud service provider, Security Command Center uses a default high-value resource set that is specific to each cloud service provider.
For more information, see the following:
- AWS
- Microsoft Azure
Last updated 2025-12-17 UTC.