
SCC Premium: Threat Detection

3,500 words · ≈ 18 min read

Deep dive into SCC Premium threat detection capabilities. Learn about Event Threat Detection (ETD), Container Threat Detection (CTD), and VM Threat Detection (VMTD).


Introduction to Threat Detection in SCC Premium

While Security Health Analytics (SHA) focuses on misconfigurations (the "prevention" side), SCC Premium's threat detection modules focus on active attacks (the "detection" side). For a Professional Cloud Security Engineer (PSE), understanding these modules is critical for identifying and responding to real-time security breaches.

SCC Premium uses three primary engines to detect threats at different layers of the stack: Event, Container, and Virtual Machine.

Plain English Explanation

1. The Audit Trail Monitor (Event Threat Detection - ETD)

Imagine a bank's ledger where every transaction is recorded. ETD is an automated auditor who watches this ledger in real time. If it sees a series of failed login attempts from a suspicious country (brute force) or a large amount of money moving to an unknown offshore account (data exfiltration), it immediately raises an alarm.

2. The Prison Guard (Container Threat Detection - CTD)

Think of a container as a high-security prison cell. The guard (CTD) stands outside and watches the inmates' behavior. If an inmate tries to dig a tunnel (Execute a malicious binary) or use a hidden phone (Establish a reverse shell), the guard intervenes. CTD watches the runtime behavior inside the container.

3. The X-Ray Machine (Virtual Machine Threat Detection - VMTD)

Imagine a doctor using an X-ray to look inside a patient's body without performing surgery. VMTD is like that X-ray for your VMs. It scans the VM's memory from the outside (at the hypervisor level) to find hidden "tumors" like cryptomining malware, without needing to install any software or agents inside the VM itself.

Event Threat Detection (ETD)

ETD analyzes Cloud Audit Logs and network logs to find threats.

  • Log-Based Analysis: It processes logs from Cloud Logging in near real-time.
  • Detection Examples:
    • Brute Force: Repeated failed logins to a service account.
    • IAM Anomalies: Granting high-privilege roles to external users.
    • Data Exfiltration: Large transfers of data to external buckets or IP addresses.
    • Persistence: Creating new, unauthorized service accounts or keys.

Event Threat Detection (ETD) is a managed service that monitors log streams to detect known indicators of compromise and suspicious activity within your Google Cloud organization.

Container Threat Detection (CTD)

CTD provides runtime security for GKE (Google Kubernetes Engine).

  • Runtime Visibility: It monitors the internal state of containers and the host kernel.
  • Detection Examples:
    • Added Binary: A new executable was added and run inside a container (often a sign of an exploit).
    • Malicious Script: Execution of known malicious Python or Shell scripts.
    • Reverse Shell: A container establishing an outbound connection to a command-and-control (C2) server.

CTD is specifically designed for GKE and requires the SCC agent or GKE integration to be enabled.

Virtual Machine Threat Detection (VMTD)

VMTD is a "zero-agent" detection service for Compute Engine.

  • Agentless Scanning: It scans the RAM of running VMs from the hypervisor. This means it cannot be "fooled" or disabled by an attacker who has compromised the VM's guest OS.
  • Detection Examples:
    • Cryptomining: Detects the specific memory signatures of mining software like XMRig.
    • Kernel Rootkits: Detects modifications to the guest OS kernel.

Since VMTD runs at the hypervisor level, it has zero performance impact on your running workloads.

PSE scenarios that mention a compromised root account hiding processes on Compute Engine expect VMTD, not ETD or CTD — only VMTD scans VM RAM from the hypervisor and can spot XMRig cryptomining memory signatures and kernel rootkits that an in-guest agent would be blinded to. Pick ETD for IAM Anomalous Grant / Data Exfiltration patterns sourced from Cloud Audit Logs, and CTD when the finding category is Added Binary or Reverse Shell inside a GKE pod.

SCC Premium ships 100+ ETD detectors vs. Standard's basic-log subset, and the three engines map cleanly to finding sources: ETD → Cloud Audit Logs + network logs (Brute Force, IAM Anomalous Grant, Persistence, Data Exfiltration), CTD → GKE runtime (Added Binary, Malicious Script, Reverse Shell to C2), VMTD → hypervisor memory scan (XMRig signatures, kernel rootkits). CTD and VMTD are Premium-only; Standard does not include them.

SCC Premium vs. Standard: Threat Detection

Feature                    | SCC Standard         | SCC Premium
---------------------------|----------------------|--------------------------
Event Threat Detection     | Limited (Basic logs) | Advanced (100+ detectors)
Container Threat Detection | Not Available        | Included
VM Threat Detection        | Not Available        | Included
Vulnerability Scanning     | Basic                | Continuous & Deep

Analyzing and Investigating Findings

When a threat is detected, SCC generates a Finding.

Analyzing Findings

A finding contains:

  • Category: e.g., Persistence: IAM Anomalous Grant.
  • Source: Which module detected it (ETD, CTD, VMTD).
  • Resource: The specific VM, Project, or Service Account affected.
  • Evidence: The specific log entry or memory signature that triggered the alert.

Investigation with SCC API

You can use the SCC API to pull findings into your own tools for deeper analysis.

  • Filtering: Use the API to find all "Critical" threats across all projects.
  • Automation: Trigger a Python script when a specific threat type is found.

Integrating with SIEM/SOAR (Chronicle)

For enterprise security operations, SCC findings should be sent to a SIEM (Security Information and Event Management) system.

  • Google Chronicle: SCC has native integration with Chronicle. Findings are automatically ingested, enriched with global threat intelligence, and correlated with other data sources.
  • Pub/Sub Export: For non-Google SIEMs (like Splunk or Sentinel), you can export findings to a Pub/Sub topic with a notification config and have your SIEM's connector consume them from a subscription on that topic.
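As an added example (not code from this note or from Google), the routine below builds the SCC findings filter string used for the API filtering described above and triages one finding delivered through the Pub/Sub export, applying the note's rule that HIGH/CRITICAL findings from CTD or VMTD usually indicate an active compromise. The category-to-engine mapping, the sample notification and its identifiers are constructed for illustration.

```python
import base64
import json

# Finding categories named in this note, mapped to the engine that emits them
# (the strings follow the note's wording; real detector names vary).
ENGINE_BY_CATEGORY = {
    "Persistence: IAM Anomalous Grant": "ETD",
    "Added Binary": "CTD",
    "Reverse Shell": "CTD",
    "Cryptomining": "VMTD",
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def build_findings_filter(min_severity, categories=None):
    """Filter string for list_findings or a notification config: active findings
    at or above min_severity, optionally limited to specific categories."""
    threshold = SEVERITY_RANK[min_severity]
    severities = [s for s, rank in SEVERITY_RANK.items() if rank >= threshold]
    clauses = ['state="ACTIVE"',
               "(" + " OR ".join(f'severity="{s}"' for s in severities) + ")"]
    if categories:
        clauses.append("(" + " OR ".join(f'category="{c}"' for c in categories) + ")")
    return " AND ".join(clauses)


def triage(pubsub_message):
    """Decode one Pub/Sub message carrying an SCC NotificationMessage (JSON with
    notificationConfigName and finding) and decide whether to page on-call."""
    payload = json.loads(base64.b64decode(pubsub_message["data"]))
    finding = payload["finding"]
    engine = ENGINE_BY_CATEGORY.get(finding["category"], "unknown")
    urgent = SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK["HIGH"]
    return {
        "category": finding["category"],
        "engine": engine,
        "resource": finding["resourceName"],
        # CTD/VMTD findings at HIGH or above are treated as active compromise.
        "page_oncall": urgent and engine in ("CTD", "VMTD"),
    }


# Constructed sample of what a notification config publishes for a CTD finding;
# ORG_ID and the cluster path are placeholders, not real identifiers.
SAMPLE_NOTIFICATION = {
    "notificationConfigName": "organizations/ORG_ID/notificationConfigs/threats",
    "finding": {
        "category": "Reverse Shell",
        "severity": "CRITICAL",
        "state": "ACTIVE",
        "resourceName": "//container.googleapis.com/projects/demo-prj/zones/us-central1-a/clusters/prod",
    },
}
SAMPLE_MESSAGE = {"data": base64.b64encode(json.dumps(SAMPLE_NOTIFICATION).encode()).decode()}
```

The same filter string works as the `--filter` of a notification config, so the export only carries the findings the triage code will act on.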

Configuring Threat Detection Modules

  1. Enable SCC Premium at the Organization level.
  2. Activate Modules: In the SCC settings, ensure ETD, CTD, and VMTD are "Enabled."
  3. Configure Logs: For ETD, ensure that Data Access Audit Logs are enabled for the services you want to monitor.

ETD depends on logs. If you haven't enabled Data Access Audit Logs for a service (like BigQuery), ETD won't be able to detect data exfiltration from that service.

Security Best Practices for PSE

  1. Prioritize High-Severity Findings: Focus on "Critical" and "High" findings from VMTD and CTD first, as these usually indicate an active compromise.
  2. Combine with Cloud IDS: Use Cloud IDS for network-layer threat detection (IDS/IPS) alongside SCC's application and host-level detection.
  3. Automate Response: Use SCC Notification Configs to send high-severity alerts to a Slack channel or PagerDuty immediately.
  4. Use Chronicle for Correlation: Don't look at SCC findings in isolation. Use Chronicle to see if a "Small" SCC finding is part of a larger, coordinated attack.

PSE Exam Scenarios

Scenario 1: Cryptomining Detection

"An organization suspects that an attacker has gained access to their Compute Engine instances and is running cryptomining software. The attacker has root access and is likely hiding their processes. What is the best way to detect this?" Answer: Enable Virtual Machine Threat Detection (VMTD) in SCC Premium. Because VMTD scans VM memory from the hypervisor, the attacker cannot hide the software's memory signature, even with root access.

Scenario 2: Container Runtime Security

"A DevOps team wants to know if any unauthorized code is being executed inside their GKE production pods. They are concerned about 'Zero Day' exploits. Which SCC feature should they use?" Answer: Container Threat Detection (CTD). It monitors runtime behavior and will trigger a finding if an unauthorized binary is added or if a reverse shell is established, regardless of how the attacker gained entry.

Summary Checklist

  • Differentiate between ETD, CTD, and VMTD.
  • Explain why VMTD is "agentless."
  • Identify which logs are required for ETD to function.
  • Describe the workflow for sending SCC findings to a SIEM.
  • Understand the impact of SCC Premium on GKE and Compute Engine.
