
New GCP Service

This alert occurs when Lacework detects that a GCP service was used for the first time in your environment.

Why this Alert is Important

In GCP, most services must be enabled on a project before they can be called, so the first use of a service usually corresponds to an API being enabled or a new workload being deployed. When that change was not planned, it may indicate an unauthorized change or malicious activity: an attacker who has obtained credentials may enable or call a service that nobody is watching to gain a foothold in your environment, exfiltrate data (for example by exporting it to a storage or analytics service) or execute malicious code. Detecting the first use of a GCP service gives you an early point at which to identify and investigate the potential risk.

Investigation

If you suspect that the first use of a GCP service may be malicious, here are some steps you can take to investigate:

  1. Review the Cloud Audit Logs for the service that was used for the first time. Admin Activity logs are written by default, but Data Access logs must be enabled for most services, so confirm they exist before concluding that no data was read. Look for unusual callers: the principal (user or service account), the caller IP address and user agent, the methods invoked, and the time of day. Look for signs of data exfiltration or other malicious activity, such as bulk reads, exports, or copies to resources outside your organization.
  2. Review the IAM policy on the project and on any resources the service created, to ensure that only authorized users and service accounts have access. Look for unusual or failed (permission denied) access attempts in the same logs.
  3. Check the service's configuration to ensure it is set up properly. Misconfigured services, such as resources exposed publicly or granted overly broad permissions, are a target for attackers and can lead to security vulnerabilities.
  4. Identify who enabled the service: find the corresponding API enablement event in the audit logs and determine whether an authorized user added the service as part of planned work or whether it was added maliciously.
  5. Check whether any third-party integrations have been added alongside the service, such as new service accounts, service account keys, or IAM bindings for identities outside your organization. These integrations can be a target for attackers and can lead to security vulnerabilities.
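The investigation steps above can be scripted against exported Cloud Audit Log entries. The following is an added example written for this page, not Lacework code and not a Lacework API: it builds a few constructed audit log records (sample data only, in the LogEntry/AuditLog JSON shape that Cloud Logging exports), finds which service first appeared inside the recent window, and triages that service by principal, caller IP and method, flagging callers that never appeared in the baseline period and locating the API enablement call. The project name, principals, IP addresses, the 30-day baseline, and the assumption that an enablement is recorded with a method name ending in `EnableService` and a `request.name` of the form `projects/<id>/services/<service>` are all assumptions made for the example; verify the method name and request layout against your own logs.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def _entry(ts, service, method, principal, ip, agent, request=None):
    """Build one constructed LogEntry line in Cloud Audit Log shape (sample data only)."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": agent},
    }
    if request:
        payload["request"] = request
    return json.dumps({
        "timestamp": ts,
        "logName": "projects/demo-prj/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "project", "labels": {"project_id": "demo-prj"}},
        "protoPayload": payload,
    })


# Constructed sample: a deployment service account has used Compute Engine for weeks;
# then a human account enables BigQuery late at night from an unseen IP and starts using it.
SA = "deploy-sa@demo-prj.iam.gserviceaccount.com"
ENABLE = "google.api.serviceusage.v1.ServiceUsage.EnableService"  # assumed method name
SAMPLE_LOG_LINES = [
    _entry("2024-04-15T08:00:00Z", "serviceusage.googleapis.com", ENABLE, SA, "203.0.113.10",
           "Terraform/1.7", {"name": "projects/demo-prj/services/compute.googleapis.com"}),
    _entry("2024-05-01T09:00:00Z", "compute.googleapis.com", "v1.compute.instances.insert",
           SA, "203.0.113.10", "Terraform/1.7"),
    _entry("2024-05-20T09:30:00Z", "compute.googleapis.com", "v1.compute.instances.insert",
           SA, "203.0.113.10", "Terraform/1.7"),
    _entry("2024-06-02T23:41:00Z", "serviceusage.googleapis.com", ENABLE, "alice@example.com",
           "198.51.100.77", "google-cloud-sdk gcloud/470.0.0",
           {"name": "projects/demo-prj/services/bigquery.googleapis.com"}),
    _entry("2024-06-02T23:45:00Z", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "alice@example.com",
           "198.51.100.77", "google-cloud-sdk gcloud/470.0.0"),
    _entry("2024-06-03T00:10:00Z", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.TableService.InsertTable", "alice@example.com",
           "198.51.100.77", "google-cloud-sdk gcloud/470.0.0"),
]

# Fixed "current time" for the constructed data so the example is reproducible.
NOW = datetime(2024, 6, 3, 1, 0, tzinfo=timezone.utc)


def _ip(e):
    return e["protoPayload"].get("requestMetadata", {}).get("callerIp", "unknown")


def _principal(e):
    return e["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "unknown")


def parse_entries(lines):
    """Parse JSON log lines, attach a timezone-aware datetime, and sort by time."""
    entries = []
    for line in lines:
        e = json.loads(line)
        e["_ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        entries.append(e)
    return sorted(entries, key=lambda e: e["_ts"])


def first_seen(entries):
    """Map each serviceName to the timestamp of its earliest audit record."""
    seen = {}
    for e in entries:
        seen.setdefault(e["protoPayload"]["serviceName"], e["_ts"])
    return seen


def new_services(entries, now=NOW, baseline_days=30):
    """Services whose first record falls inside the recent window (i.e. never seen in the baseline)."""
    cutoff = now - timedelta(days=baseline_days)
    return sorted(s for s, ts in first_seen(entries).items() if ts >= cutoff)


def enable_events(entries, service):
    """Audit records for enabling `service` (assumed EnableService method / request.name layout)."""
    return [e for e in entries
            if e["protoPayload"]["serviceName"] == "serviceusage.googleapis.com"
            and e["protoPayload"]["methodName"].endswith("EnableService")
            and e["protoPayload"].get("request", {}).get("name", "").endswith("/services/" + service)]


def triage(entries, service, now=NOW, baseline_days=30):
    """Summarize who used `service`, from where, and whether those callers appear in the baseline."""
    cutoff = now - timedelta(days=baseline_days)
    baseline = [e for e in entries if e["_ts"] < cutoff]
    known_ips = {_ip(e) for e in baseline}
    known_principals = {_principal(e) for e in baseline}
    svc = [e for e in entries if e["protoPayload"]["serviceName"] == service]
    if not svc:
        raise ValueError(f"no audit records for {service}")
    ips, principals = Counter(_ip(e) for e in svc), Counter(_principal(e) for e in svc)
    return {
        "service": service,
        "first_seen": svc[0]["_ts"].isoformat(),
        "calls": len(svc),
        "methods": dict(Counter(e["protoPayload"]["methodName"] for e in svc)),
        "principals": dict(principals),
        "caller_ips": dict(ips),
        "unfamiliar_ips": sorted(ip for ip in ips if ip not in known_ips),
        "unfamiliar_principals": sorted(p for p in principals if p not in known_principals),
        "enabled_by": [(e["_ts"].isoformat(), _principal(e), _ip(e)) for e in enable_events(entries, service)],
    }


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG_LINES)
    for name in new_services(parsed):
        print(json.dumps(triage(parsed, name), indent=2))
```

In a real investigation the input lines would come from Cloud Logging rather than the constructed list, for example via `gcloud logging read` with a filter on `protoPayload.serviceName` and `--format=json`, over a window long enough to establish a baseline of normal callers. The report points straight at the questions in steps 1 and 4: an unfamiliar human principal enabling an analytics service from an unseen IP outside working hours is the pattern to escalate, whereas the same service first called by the usual deployment service account from the usual address is more likely planned work.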

Resolution

After confirming unauthorized use of a new GCP service, Lacework recommends acting immediately to contain the threat to your environment. Here are some suggested steps:

  1. Disable the service on the affected project and remove any resources it created, after confirming that no legitimate workload depends on it, to eliminate the security risk and help maintain compliance with your regulatory requirements.
  2. Investigate the source to determine how and by whom the unauthorized GCP service was added. If the caller was a service account, treat its keys as compromised and rotate them; if it was a user, reset that user's credentials and revoke active sessions. This will help you understand how the breach occurred and how to prevent similar incidents in the future.
  3. Check for other unauthorized access to your GCP environment. Review the audit logs for the same principal and caller IP across your other projects, and review user accounts, service accounts, and IAM bindings for other changes made in the same time window, to ensure there are no further security breaches.
  4. Implement security controls to prevent similar incidents from occurring in the future. This may include restricting who can enable services (the serviceusage.services.enable permission), strengthening access controls, enforcing multi-factor authentication, and using encryption to protect sensitive data.