GCP User Logged In From Bad Source
This alert occurs when Lacework detects a user has logged in from a known bad source.
Why this Alert is Important
This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from this IP address or other IP reputation sources.
Investigation
Login from a bad source indicates potential unauthorized access or a compromise of the user's credentials. If an attacker gains access to a user's account, they can potentially access sensitive information or take malicious actions within your organization's GCP environment.
Here are some inquiries you can leverage to investigate:
- Confirm if the IP address shows suspicious behavior in your environment.
- What service or resource was accessed from this IP address?
- Are there any logs or audit trails of the actions taken from this IP address?
- Was multi-factor authentication enabled for the user account that was used to access GCP from this IP address?
- Are there any other user accounts that have been accessed from this IP address?
- Has this IP address been used to access other services or resources within my organization?
- Are there other indications of malicious activity or compromise within your GCP environment?
Resolution
To prevent unauthorized access to your GCP environment from a bad source, implement the following:
- Configure IP allowlisting to allow access only from specific IP addresses or IP address ranges. This ensures that only authorized users can access your GCP resources.
- Enable multi-factor authentication (MFA) for your GCP account. This adds an extra layer of security to your account, making it more difficult for an attacker to gain access even if they have your login credentials.
- Use a virtual private network (VPN) to connect to your GCP resources. A VPN creates a secure, encrypted connection between your device and your GCP resources, which helps protect against unauthorized access.
- Implement strong password policies.
- Regularly monitor and review access logs for your GCP resources to detect unauthorized access attempts.