
New GCP Organization

This alert occurs when Lacework observes a GCP organization it has not seen before.

Why this Alert is Important

Monitoring the creation of new organizations can help you ensure that they are created following your security policies and best practices. This can include verifying that the organization is configured with appropriate access controls and permissions, ensuring that the organization's members are appropriately assigned, and validating that the organization's resources are secured and monitored.

Investigation

If you suspect that a malicious organization has been created, you should investigate the event as soon as possible to determine the nature and scope of the threat. Here are some steps you can take to investigate a new malicious GCP organization:

  1. Review audit logs: Start by reviewing your GCP audit logs to identify any anomalous behavior that may be related to the creation of the malicious organization. Look for any unusual activity, such as a large number of API calls or unauthorized access attempts that may indicate that an attacker is attempting to gain access to your environment.
  2. Identify the user or IP address: Use your audit logs to identify the user or IP address that created the malicious organization. This can help you determine whether an internal or external actor initiated the activity and allow you to track down the source of the attack.
  3. Conduct a forensic investigation: If the threat is severe or you suspect that sensitive data may have been compromised, you may need to conduct a forensic investigation to determine the extent of the damage. This may involve examining system logs, analyzing network traffic, and reviewing access controls and permissions to determine how the attacker gained access and what data may have been compromised.
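The following script works through steps 1 and 2 above on a small set of audit-log records. It is an added example, not code from the Lacework page or product: the records are constructed to follow the Cloud Audit Log field layout (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata.callerIp`, `protoPayload.methodName`, `protoPayload.status.code`, `resource.type`), while every principal, IP address, organization id and the `PLACEHOLDER.OrganizationCreated` method name are invented. It assumes that organization-level records carry `resource.type` of `organization`, and the denied-call threshold is a tuning value chosen for the sample, not a Lacework setting.

```python
"""Triage constructed GCP Cloud Audit Log records for organization-level activity.

Added example, not part of the Lacework page. Field layout follows Cloud Audit
Log; all principals, IPs, ids and the organization method name are constructed.
"""
import json
from collections import Counter


def _record(ts, rtype, principal, ip, service, method, status_code=0, labels=None):
    """Build one constructed audit-log record (one JSON document per line)."""
    return json.dumps({
        "timestamp": ts,
        "resource": {"type": rtype, "labels": labels or {}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "status": {"code": status_code},          # 0 = OK, 7 = PERMISSION_DENIED
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    })


# Constructed sample export: one organization-level event from an unknown
# principal, surrounded by a burst of denied IAM calls from the same source.
SAMPLE_LOG_LINES = [
    _record("2024-01-10T08:00:01Z", "project", "alice@example.com", "198.51.100.20",
            "compute.googleapis.com", "v1.compute.instances.list",
            labels={"project_id": "prod-app"}),
    _record("2024-01-10T08:02:13Z", "organization", "mallory@example.net", "203.0.113.7",
            "cloudresourcemanager.googleapis.com", "PLACEHOLDER.OrganizationCreated",
            labels={"organization_id": "000000000000"}),  # placeholder method/id
    *[_record(f"2024-01-10T08:03:{i:02d}Z", "project", "mallory@example.net", "203.0.113.7",
              "iam.googleapis.com", "google.iam.admin.v1.ListServiceAccountKeys",
              status_code=7, labels={"project_id": "prod-app"}) for i in range(6)],
    _record("2024-01-10T08:05:40Z", "project", "alice@example.com", "198.51.100.20",
            "storage.googleapis.com", "storage.buckets.list",
            labels={"project_id": "prod-app"}),
]


def parse_entries(lines):
    """Parse JSON log lines, silently skipping lines that are not valid JSON."""
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def who_touched_organizations(entries):
    """Step 2: principal and caller IP behind every organization-level record."""
    hits = []
    for e in entries:
        if e.get("resource", {}).get("type") != "organization":
            continue
        p = e.get("protoPayload", {})
        hits.append({
            "timestamp": e.get("timestamp"),
            "principal": p.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
            "method": p.get("methodName"),
            "organization_id": e["resource"].get("labels", {}).get("organization_id"),
        })
    return hits


def activity_by_principal(entries):
    """Step 1: total calls and denied calls (status.code 7) per principal."""
    calls, denied = Counter(), Counter()
    for e in entries:
        p = e.get("protoPayload", {})
        principal = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        calls[principal] += 1
        if p.get("status", {}).get("code") == 7:
            denied[principal] += 1
    return {pr: {"calls": calls[pr], "denied": denied[pr]} for pr in calls}


def triage(lines, denied_threshold=5):
    """Join both views: who touched an organization, and whether that principal
    also produced a burst of denied calls (threshold is a constructed tuning value)."""
    entries = parse_entries(lines)
    org_hits = who_touched_organizations(entries)
    activity = activity_by_principal(entries)
    suspicious = sorted({h["principal"] for h in org_hits
                         if activity.get(h["principal"], {}).get("denied", 0) >= denied_threshold})
    return {"organization_events": org_hits, "activity": activity,
            "suspicious_principals": suspicious}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINES), indent=2))
```

On real data the same functions can be pointed at an exported log file, one JSON record per line; the join between the organization event and the per-principal activity is what turns "a new organization appeared" into "this identity, from this address, created it while also probing IAM".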

Resolution

After identifying the creation of a malicious GCP organization, Lacework recommends acting immediately to resolve the issue and mitigate the threat to your environment. Here are some suggested steps:

  1. Disable the malicious organization.
  2. Revoke access to any accounts or users associated with the malicious organization to prevent further unauthorized access to your environment.
  3. Implement additional security controls such as updating access controls and permissions, implementing multi-factor authentication, and deploying security monitoring and alerting tools.
  4. Review and update security policies and procedures to identify any gaps or weaknesses that may have allowed the malicious organization to be created.
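Steps 2 and 3 above (revoking access and tightening access controls) both start from the organization's IAM policy. The script below is an added example, not Lacework's code: it reviews a constructed organization-level policy in the JSON layout that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` returns, flags public principals, members outside an allow-list of domains, and basic roles granted at organization level, and produces a revised policy with specified members removed. Every member, group, domain and etag value in the sample is invented, and the allow-list of domains is an assumption you would replace with your own.

```python
"""Review a GCP organization IAM policy and build a revised policy with members revoked.

Added example, not part of the Lacework page. The policy below is constructed in
the gcloud get-iam-policy JSON layout; all members, domains and the etag are invented.
"""
import copy
import json

SAMPLE_POLICY_JSON = json.dumps({
    "etag": "BwXconstructed=",
    "version": 1,
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:org-admins@example.com", "user:mallory@example.net"]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
        {"role": "roles/billing.user",
         "members": ["serviceAccount:ci@prod-app.iam.gserviceaccount.com"]},
    ],
})

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}   # broad legacy roles
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}          # anyone on the internet


def load_sample_policy():
    """Parse the constructed policy as a dict (stands in for reading gcloud output)."""
    return json.loads(SAMPLE_POLICY_JSON)


def member_domain(member):
    """Domain of a user:/group:/serviceAccount:/domain: member, or None for others."""
    kind, _, identity = member.partition(":")
    if kind == "domain":
        return identity
    return identity.rsplit("@", 1)[1] if "@" in identity else None


def review_policy(policy, allowed_domains):
    """Flag public principals, members outside allowed_domains, and basic roles."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append({"role": role, "member": None,
                             "reason": "basic role at organization level"})
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"role": role, "member": member, "reason": "public principal"})
            elif member_domain(member) not in allowed_domains:
                findings.append({"role": role, "member": member,
                                 "reason": "member outside allowed domains"})
    return findings


def revoke_members(policy, members):
    """Copy of the policy with the given members removed from every binding.

    Bindings left empty are dropped. The etag is kept so that applying the
    result is rejected if someone else changed the policy in the meantime.
    """
    revised = copy.deepcopy(policy)
    kept = []
    for binding in revised.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in members]
        if binding["members"]:
            kept.append(binding)
    revised["bindings"] = kept
    return revised


if __name__ == "__main__":
    current = load_sample_policy()
    for f in review_policy(current, {"example.com", "prod-app.iam.gserviceaccount.com"}):
        print(f)
    revised = revoke_members(current, {"user:mallory@example.net", "allAuthenticatedUsers"})
    print(json.dumps(revised, indent=2))
```

The revised JSON is what you would review and then apply with `gcloud organizations set-iam-policy ORGANIZATION_ID POLICY_FILE`; because the original etag is preserved, a concurrent change to the policy causes the update to fail rather than silently overwrite it, which is the behaviour you want while an incident is still being worked.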