Toxic combinations and chokepoints overview
Toxic combinations are a group of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to compromise those resources.
The Risk Engine detects toxic combinations during the attack path simulations that it runs. For each toxic combination that Risk Engine detects, it generates a finding. Each toxic combination includes a unique attack exposure score, called a toxic combination score, that measures the risk of the toxic combination to the high-value resource set in your cloud environment. Risk Engine also generates a visualization of the attack path that the toxic combination creates to the resources in your high-value resource set.
Chokepoints are similar to toxic combinations, but focus on common resources or resource groups where multiple attack paths converge. As a consequence, remediating a chokepoint can remediate multiple toxic combinations.
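The convergence idea above, as an added example (not Google's code and not Risk Engine's algorithm). It assumes each toxic combination can be modelled as a single ordered path; the IDs, resource names and scores are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: one attack path per toxic combination, ordered from
# entry point to a high-value resource. All names and scores are hypothetical.
ATTACK_PATHS = {
    "tc-1": {"score": 14.2, "path": ["internet", "vm-web", "sa-deploy", "bucket-pii"]},
    "tc-2": {"score": 11.0, "path": ["internet", "vm-batch", "sa-deploy", "db-orders"]},
    "tc-3": {"score": 6.5, "path": ["internet", "vm-web", "sa-deploy", "db-orders"]},
    "tc-4": {"score": 8.1, "path": ["internet", "gke-dev", "sa-ci", "bucket-pii"]},
}

def severity(score):
    """Thresholds stated on this page: score >= 10 is Critical, < 10 is High."""
    return "CRITICAL" if score >= 10 else "HIGH"

def convergence(paths):
    """Map each intermediate resource to the toxic combinations that cross it."""
    through = defaultdict(set)
    for tc_id, tc in paths.items():
        # Skip the entry point and the high-value target themselves.
        for resource in tc["path"][1:-1]:
            through[resource].add(tc_id)
    return through

def chokepoints(paths, min_paths=2):
    """Resources where at least min_paths attack paths converge."""
    return {r: len(t) for r, t in convergence(paths).items() if len(t) >= min_paths}

def remediation_plan(paths):
    """Greedy order: fix the resource that breaks the most remaining paths,
    breaking ties by summed score and then by name."""
    remaining, plan = dict(paths), []
    while remaining:
        through = convergence(remaining)
        if not through:  # paths with no intermediate hop cannot be cut here
            break
        best = max(through, key=lambda r: (
            len(through[r]), sum(remaining[t]["score"] for t in through[r]), r))
        resolved = sorted(through[best])
        plan.append((best, resolved))
        for tc_id in resolved:
            del remaining[tc_id]
    return plan

if __name__ == "__main__":
    print(chokepoints(ATTACK_PATHS))
    for resource, resolved in remediation_plan(ATTACK_PATHS):
        labels = [f"{t} ({severity(ATTACK_PATHS[t]['score'])})" for t in resolved]
        print(f"remediate {resource}: resolves {', '.join(labels)}")
```

In this sample, remediating the one shared service account resolves three of the four toxic combinations, which is the effect the chokepoint definition describes.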
Toxic combinations and chokepoints are detected for the following cloud service provider platforms:
- Google Cloud. Available for Premium and Enterprise service tiers.
- Amazon Web Services (AWS) (Preview). Available for Enterprise service tier.
- Microsoft Azure (Preview). Available for Enterprise service tier.
For the list of supported resources, see Risk Engine feature support.
View toxic combinations and chokepoints
Premium and Enterprise service tiers
The highest risk toxic combinations and chokepoints are displayed as issues on the Risk Overview (Premium service tier) or Overview (Enterprise service tier) page, and you can view all toxic combinations and chokepoints in greater detail on the following pages, depending on your Security Command Center tier:
- Issues page in the Premium service tier
- Risk > Issues page in the Enterprise service tier
Toxic combinations can also be viewed on the Cases page in the Enterprise service tier.
To view findings that are related to toxic combinations and chokepoints in the Google Cloud console, go to the Findings page and filter by the Toxic combination or Chokepoint finding class.
Findings that are related to toxic combinations and chokepoints are captured in risk reports. For more information, see Risk reports overview.
Attack exposure scores on toxic combinations and chokepoints
Premium and Enterprise service tiers
Risk Engine calculates an attack exposure score for each toxic combination and chokepoint. This score is a measure of how much a toxic combination or chokepoint exposes one or more of the resources in your high-value resource set to potential attacks. The higher the score, the higher the risk.
Note: For toxic combinations, attack exposure scores are also called toxic combination scores in some contexts, such as the Findings page of the Google Cloud console.
Attack exposure score calculation
Attack exposure scores for toxic combinations and chokepoints are derived from the following:
- The number of resources in your high-value resource set that are exposed and the priority values and attack exposure scores of those resources.
- The likelihood that a determined attacker could succeed in reaching a high-value resource by leveraging the toxic combination or chokepoint.
Based on the attack exposure score, toxic combinations can have one of the following severities assigned to them:
- Critical: Toxic combinations with an attack exposure score ≥ 10.
- High: Toxic combinations with an attack exposure score < 10.
Chokepoints always have an attack exposure score ≥ 10, and so always have a critical severity rating.
For more information, see Attack exposure scores.
Attack path visualizations for toxic combinations and chokepoints
Premium and Enterprise service tiers
Risk Engine provides a visual depiction of the toxic combination and chokepoint attack paths that lead to your high-value resource set. An attack path represents a series of attack steps that include related security issues and resources that a potential attacker could use to reach your resources.
Attack paths help you to understand the relationships between individual security issues in a toxic combination or chokepoint, and how they form paths to resources in your high-value resource set. The path visualization also shows you how many valued resources are exposed and their relative importance to your cloud environment.
Resources on an attack path are color-coded in the following way:
- Resources with security issues that contribute to a toxic combination are highlighted with a yellow border.
- Resources that are identified as a chokepoint are highlighted with a red border.
There are multiple places where you can view attack paths.
In the Premium service tier, view the full attack path on the Attack paths page. For more information, see Attack paths. Also, view a simplified version of the attack path in the following places:
- The Risk Overview page, for items in the Riskiest issues widget.
- The Issues page, when an issue is selected. You can access the simplified attack path in the Overview tab of the issue.
In the Enterprise service tier, view a simplified version of the attack path in the following places:
- The Risk > Overview page, for items in the Riskiest issues widget.
- The Risk > Issues page, when an issue is selected. You can access the simplified attack path in the Overview tab of the issue.
- The Risk > Cases page, when a case is selected. You can access the simplified attack path in the Case overview tab.
To view the full version of an attack path, view the simplified version, and then click Explore full attack paths.
The following screenshot is an example of a simplified attack path for a toxic combination:

The following screenshot is an example of a simplified attack path for a chokepoint:

Related findings
Premium and Enterprise service tiers
Many of the individual risks that make up toxic combinations and chokepoints are also detected by other Security Command Center detection services. These other detection services generate separate findings for these risks, which are listed in issues and cases as related findings. Related findings are also identified in attack paths.
For toxic combinations, separate cases are opened for the related findings, different playbooks are run, and other members of your team might be working on their remediation independently from the remediation of the toxic combination finding. Check the status of the cases for these related findings and, if necessary, ask the owners of the cases to prioritize their remediation to help resolve the toxic combination.
Cases
Enterprise service tier
In the Enterprise service tier, Security Command Center opens a case for each toxic combination finding that's generated. Chokepoints don't generate cases.
In the case detail view, you can find the following information related to toxic combinations:
- A description of the toxic combination
- The attack exposure score of the toxic combination
- A visualization of the attack path that the toxic combination creates
- Information about the affected resources
- Information about the steps you can take to remediate the toxic combination
- Information about any related findings from other Security Command Center detection services, including links to their associated cases
- Applicable playbooks
- Associated tickets
On the Risk > Cases Security Operations console page, you can query or filter toxic combination cases by using the Toxic Combination tag. You can also visually identify toxic combination cases in the case list by the following icon:.
For more information about viewing toxic combination cases, see View toxic combination cases.
Case priority
By default, toxic combination cases have their priority set to the same value as the severity of the toxic combination finding and its associated alert in the related case. This means that all toxic combination cases initially have a priority of Critical or High.
After a case is opened, you can change the priority of the case or of the alert. Changing the priority of a case or an alert does not change the severity of the finding.
Closing cases
When a finding is first generated for a toxic combination, its state is Active.
If you remediate the toxic combination, Risk Engine automatically detects the remediation during the next attack path simulation and closes the case. Simulations run approximately every six hours.
Alternatively, if you determine that the risk posed by a toxic combination is acceptable or unavoidable, you can close a case by muting the finding.
When you mute a finding, the finding remains active, but Security Command Center closes the case and omits the finding from default queries and views.
For more information, see the following information:
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-20 UTC.