Google Cloud Adds New Cryptomining Threat Detection Capability

“Google Cloud announced an expansion of its security capabilities to include detection for cryptocurrency mining in virtual machines (VMs) – addressing a common but difficult-to-spot threat for customers,” said Sunil Potti, a Google Cloud executive.

Attacks that exploit compute resources to mine cryptocurrencies such as Bitcoin continue to be a popular form of malicious cyber activity: A November report from Google Cloud found that 86 per cent of compromised instances on the public cloud platform included crypto mining activities. But traditionally, “it’s tough to detect that unless you instrument your app,” said Potti, vice president and general manager for Google Cloud’s security business, in an interview.

Leveraging Google security

The announcement brings Virtual Machine Threat Detection (VMTD) to Google Cloud’s Security Command Centre Premium, offering customers a public preview. Like other security solutions that Google Cloud has introduced, VMTD leverages technology that was originally developed to stop threats in Google’s properties, Potti said.

“We’re just bringing all that knowledge, with a little bit of enterprise consumption, to any enterprise customer who wants to move their VMs over,” he said.

Hackers can quickly run up a customer’s compute bill when it comes to crypto mining. Crypto mining can also end up being the first stage of a broader attack, according to Roger Koehler, vice president of threat ops at managed detection and response firm Huntress.

“They can go and sell that access on the black market. And somebody bigger and worse may buy that and do something more detrimental,” said Koehler.

In its November report, Google Cloud said that “data theft did not appear to be the objective” of compromises for crypto mining – but that “in some instances, multiple malicious actions were performed from within a single compromised instance.” Thus, data theft “remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse,” Google Cloud said.

Google Cloud’s Virtual Machine Threat Detection will be expanded to include other capabilities during the next few months “as we move VMTD towards general availability,” Google Cloud said in a blog post.

While containerisation is surging in popularity, “VM-based architectures continue to make up a significant portion of computer-centric workloads,” Google Cloud said.

Key capabilities

Crucially, in detecting crypto mining activities in virtual machines, VMTD will work without needing any additional software agent, according to Google Cloud.

This agentless approach results in “less performance impact, lowered operational burden for agent deployment and management, and exposing less attack surface to potential adversaries,” Google Cloud said in its blog post.

Rather than using an agent, VMTD instructs the underlying VM orchestration software – the hypervisor – “to include nearly universal and hard-to-tamper-with threat detection,” the cloud platform said.

“What we’ve done is found a way to look under the cover for signatures and patterns that are very suspicious in the way that attackers use infrastructure,” said Potti.

Using heuristics, Google Cloud is “able to identify that this is a suspicious activity — so you can just quickly pinpoint it and take action,” he said.

This action could involve simply throttling capacity while an investigation takes place rather than shutting it off entirely, he said.

Ultimately, “we want to make sure that your environment is protected from threats associated with someone hacking into an account and spinning up other services,” Potti said.

Simplifying security

Google Cloud aims to make security “invisible,” he said — to “automatically provide a lot of good hygiene under the cover, and only tell you things that you need to pay attention to.” The cloud platform is investing heavily in cybersecurity as it seeks to compete with its larger rivals in the public cloud space, Amazon Web Services (AWS) and Microsoft Azure.

The launch of VMTD follows other significant expansions of Google Cloud’s security capabilities, including Cloud IDS, which went into general availability in December. The cloud-native network security offering aims to simplify deployment and use compared to existing options.

The company said that Cloud IDS offers protection against malware and spyware, command and control attacks, and other vulnerabilities, including illegal code execution and buffer overflow.

Meanwhile, in January, Google announced the acquisition of Siemplify to bolster security operations and enhance threat response for customers of Google Cloud.

A recent survey of cloud engineering professionals found that 36 per cent of organisations suffered a serious cloud security data leak or a breach in the past 12 months. And 64 per cent said they expect the problem to get worse or remain the same over the next year, according to the report from Fugue and Sonatype.

More updates planned

For VMTD, Google Cloud said it’s planning a “steady release” of new detection capabilities in the lead-up to general availability. According to the blog post, Google Cloud also plans to roll out integrations for VMTD with other parts of the cloud platform in the coming months.

In the platform’s Security Command Centre (SCC), VMTD “complements the existing threat detection capabilities enabled by the Event Threat Detection and Container Threat Detection built-in services in SCC Premium,” Google Cloud said.

The premium version of SCC is a “comprehensive” platform for security and risk management, featuring built-in services to provide visibility into cloud assets, discovery for vulnerabilities and misconfigurations, and assistance with meeting compliance requirements, Google Cloud said.