The demo targets a passive network detection and response (NDR) scenario with the Cloud IDS service in a Google Cloud Platform (GCP) environment. Throughout the demo, the breach and attack simulation software Keysight Threat Simulator is used to create conditions resembling real malicious activity. The goals of the demo are:
- Demonstrate Cloud IDS capabilities in detecting threats.
- Create a sandbox environment for evaluating the efficacy of Cloud IDS against various attack scenarios.
- Provide a framework for monitoring operational readiness and basic efficacy of Cloud IDS in your environment.
- Facilitate integration efforts to ingest and process Cloud IDS alerts in downstream SIEM tools.
- Throughout the document, the GCP Project ID parameter `--project=kt-nas-demo` is used in `gcloud` command syntax. Change `kt-nas-demo` to the GCP Project ID you intend to use for the deployment.
- Where applicable, the GCP Region `us-central1` and/or Zone `us-central1-a` are used within the document. Consider changing them to a region and zone that fit your deployment via the `--region=us-central1` and `--zone=us-central1-a` parameters.
- Create a demo VPC for Threat Simulator agent deployment. If needed, change IP address ranges to fit your design.
Parameter | Value |
---|---|
Name | ts-demo-vpc |
Description | ThreatSim Demo |
Subnets | custom |
Subnet name | ts-demo-app-subnet-us-central1 |
Subnet region | us-central1 |
Subnet IP address range | 192.168.211.0/24 |

```shell
gcloud compute networks create ts-demo-vpc --project=kt-nas-demo --description="ThreatSim Demo" --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
gcloud compute networks subnets create ts-demo-app-subnet-us-central1 --project=kt-nas-demo --range=192.168.211.0/24 --network=ts-demo-vpc --region=us-central1
```
Cloud IDS service operates via Private Service Access network connectivity. To start using Cloud IDS, you must enable Private Services Access and allocate an IP address range for private connectivity with Cloud IDS Service Producer. From GCP documentation: "When you create an IDS endpoint, a subnet with a 27-bit mask is allocated from your Private Service Access allocated IP address ranges. The allocated subnet contains an internal load-balancer. Any traffic mirrored or directed to this load-balancer will be inspected by the IDS endpoint."
- Activate the Service Networking API in your project. The API is required to create a private connection.

```shell
gcloud services enable servicenetworking.googleapis.com --project=kt-nas-demo
```
- Allocate an IP range for Google-managed services (Private Services Access):

```shell
gcloud compute addresses create google-managed-services-ts-demo-vpc \
--global \
--purpose=VPC_PEERING \
--addresses=172.18.252.0 \
--prefix-length=22 \
--description="Peering range for Google Managed Services" \
--network=ts-demo-vpc \
--project=kt-nas-demo
```

You can check the IP ranges currently allocated using:

```shell
gcloud compute addresses list --global --filter="purpose=VPC_PEERING AND network=ts-demo-vpc"
```
- Now create a private connection using the allocated IP range:

```shell
gcloud services vpc-peerings connect \
--service=servicenetworking.googleapis.com \
--ranges=google-managed-services-ts-demo-vpc \
--network=ts-demo-vpc \
--project=kt-nas-demo
```

To check whether the operation was successful, list the existing connections:

```shell
gcloud services vpc-peerings list \
--network=ts-demo-vpc \
--project=kt-nas-demo
```
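A planning check that goes with the two steps above, added here as an example and not part of the original demo: Cloud IDS carves a /27 out of the Private Services Access range for every endpoint, and the peering fails or black-holes traffic if that range overlaps a VPC subnet, so the script verifies the demo's `172.18.252.0/22` allocation against the `192.168.211.0/24` subnet, reports how many endpoints the range can host, and picks the next free /27. The subnet and range values are the ones used in this document; the dictionary layout and function names are my own.

```python
from ipaddress import ip_network

# Constructed inputs mirroring the gcloud commands in this demo
VPC_SUBNETS = {"ts-demo-app-subnet-us-central1": "192.168.211.0/24"}
PSA_RANGE = "172.18.252.0/22"      # google-managed-services-ts-demo-vpc
IDS_ENDPOINT_PREFIX = 27           # Cloud IDS allocates one /27 per endpoint (GCP docs quoted above)


def overlapping_subnets(psa_range, subnets):
    """Names of VPC subnets that overlap the Private Services Access range (must be empty)."""
    psa = ip_network(psa_range)
    return sorted(name for name, cidr in subnets.items() if ip_network(cidr).overlaps(psa))


def endpoint_capacity(psa_range, endpoint_prefix=IDS_ENDPOINT_PREFIX):
    """How many IDS endpoints (one /27 each) the allocated range can host."""
    psa = ip_network(psa_range)
    if psa.prefixlen > endpoint_prefix:
        return 0  # range is smaller than a single endpoint subnet
    return 2 ** (endpoint_prefix - psa.prefixlen)


def next_free_endpoint_subnet(psa_range, used_subnets, endpoint_prefix=IDS_ENDPOINT_PREFIX):
    """First /27 in the range not yet taken by an existing endpoint, or None when full."""
    psa = ip_network(psa_range)
    used = [ip_network(u) for u in used_subnets]
    for candidate in psa.subnets(new_prefix=endpoint_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def readiness_report(psa_range=PSA_RANGE, subnets=VPC_SUBNETS, used_subnets=()):
    """Single dict a deployment script can assert on before running vpc-peerings connect."""
    overlaps = overlapping_subnets(psa_range, subnets)
    capacity = endpoint_capacity(psa_range)
    return {
        "psa_range": psa_range,
        "overlapping_vpc_subnets": overlaps,
        "endpoint_capacity": capacity,
        "next_endpoint_subnet": next_free_endpoint_subnet(psa_range, used_subnets),
        "ready": not overlaps and capacity > 0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(readiness_report(), indent=2))
```

To run it against a live project, feed `used_subnets` with the subnet of each endpoint reported by `gcloud ids endpoints list --project=kt-nas-demo` and the subnet list from `gcloud compute networks subnets list --network=ts-demo-vpc --format=json` (constructed values are embedded above so the script also runs offline).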
- Create VPC Firewall rules in `ts-demo-vpc` to permit HTTP and HTTPS traffic to any target tagged as `http-server` and `https-server`, as well as a few additional protocols to any target tagged as `ts-agent`:

```shell
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-http --description="Allow http ingress to any instance tagged as http-server" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-https --description="Allow https ingress to any instance tagged as https-server" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:443 --source-ranges=0.0.0.0/0 --target-tags=https-server
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-dcerpc --description="Allow RPC ingress to any instance tagged as ts-agent" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:135 --source-ranges=0.0.0.0/0 --target-tags=ts-agent
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-smb --description="Allow SMB ingress to any instance tagged as ts-agent" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:445 --source-ranges=0.0.0.0/0 --target-tags=ts-agent
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-rdp --description="Allow RDP ingress to any instance tagged as ts-agent" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:3389 --source-ranges=0.0.0.0/0 --target-tags=ts-agent
```
- (Optional) Permit SSH access to GCP instances via a browser. See https://cloud.google.com/iap/docs/using-tcp-forwarding for more information.
```shell
gcloud compute --project=kt-nas-demo firewall-rules create allow-ssh-from-browser-default-vpc --description="https://cloud.google.com/iap/docs/using-tcp-forwarding" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22 --source-ranges=35.235.240.0/20
gcloud compute --project=kt-nas-demo firewall-rules create allow-ssh-from-browser-ts-demo-vpc --description="https://cloud.google.com/iap/docs/using-tcp-forwarding" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:22 --source-ranges=35.235.240.0/20
```
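An audit of the rule set just created, added as an example that is not part of the original demo. The rules are embedded as a constructed list in the shape of `gcloud compute firewall-rules list --format=json` (field names `allowed`, `sourceRanges`, `targetTags`, `direction` are the Compute API's; the function names are mine). It answers three questions a practitioner asks before and after a run: which TCP ports the agent VM is reachable on given its tags, which ports an assessment still needs (the closing note of this document says some assessments use ports not permitted here), and which rules expose remote-management ports to `0.0.0.0/0`. The demo opens RPC, SMB and RDP to the whole internet for the simulation; the last check lists exactly those rules so the source ranges can be narrowed (for instance to the agent subnet) when the pattern is reused outside the sandbox.

```python
from ipaddress import ip_network

# Constructed rule set mirroring the firewall rules created above, in the shape returned by
# `gcloud compute firewall-rules list --format=json` (only the fields used here are included)
DEMO_RULES = [
    {"name": "ts-demo-allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["http-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "ts-demo-allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["https-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "ts-demo-allow-dcerpc", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["ts-agent"], "allowed": [{"IPProtocol": "tcp", "ports": ["135"]}]},
    {"name": "ts-demo-allow-smb", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["ts-agent"], "allowed": [{"IPProtocol": "tcp", "ports": ["445"]}]},
    {"name": "ts-demo-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["ts-agent"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    # IAP TCP forwarding rule: no target tags, so it applies to every instance in the VPC
    {"name": "allow-ssh-from-browser-ts-demo-vpc", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
WORKLOAD_TAGS = {"ts-agent", "http-server", "https-server", "cids-mirror"}  # tags on the agent VM
ADMIN_PORTS = {22, 135, 445, 3389}  # remote-management ports that should not face the internet


def _tcp_ports(rule):
    """Yield every TCP port a rule allows; a tcp entry without 'ports' means all ports."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        for spec in entry.get("ports", ["1-65535"]):
            lo, _, hi = spec.partition("-")
            yield from range(int(lo), int(hi or lo) + 1)


def _applies_to(rule, instance_tags):
    """Ingress rules with no targetTags apply to all instances, otherwise on a tag match."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    tags = rule.get("targetTags")
    return not tags or bool(set(tags) & set(instance_tags))


def allowed_tcp_ports(rules, instance_tags):
    """Map each reachable TCP port on an instance with these tags to the rules that open it."""
    ports = {}
    for rule in rules:
        if _applies_to(rule, instance_tags):
            for port in _tcp_ports(rule):
                ports.setdefault(port, []).append(rule["name"])
    return ports


def missing_ports(rules, instance_tags, required_ports):
    """Ports an assessment needs that no current rule permits for these tags."""
    open_ports = allowed_tcp_ports(rules, instance_tags)
    return sorted(p for p in set(required_ports) if p not in open_ports)


def internet_exposed_admin_ports(rules, admin_ports=ADMIN_PORTS):
    """(rule, port) pairs that open a management port to a /0 (any-source) range."""
    findings = []
    for rule in rules:
        wide_open = any(ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))
        if wide_open:
            findings.extend((rule["name"], p) for p in _tcp_ports(rule) if p in admin_ports)
    return findings


if __name__ == "__main__":
    print("open on the agent VM:", sorted(allowed_tcp_ports(DEMO_RULES, WORKLOAD_TAGS)))
    print("missing for an assessment needing 21/80/8080:",
          missing_ports(DEMO_RULES, WORKLOAD_TAGS, [21, 80, 8080]))
    print("internet-exposed admin ports:", internet_exposed_admin_ports(DEMO_RULES))
```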
- Create an IDS endpoint under Network Security > Cloud IDS by clicking on “Create Endpoint”
Parameter | Value |
---|---|
Endpoint name | ts-demo-ids-us-central1 |
Description | IDS endpoint for ts-demo-vpc |
Network | ts-demo-vpc |
Region | us-central1 |
Zone | us-central1-a |
Minimum threat severity alert | Informational |
Click “Create”. This creates the IDS endpoint; the step can take 10-15 minutes.
- Attach a Packet Mirroring policy to this endpoint that will mirror the traffic from the associated VPC and send it to this IDS endpoint.
Parameter | Value |
---|---|
Name | ts-demo-ids-mirror |
Region | us-central1 |
Policy enforcement | Enabled |
Mirrored source - Select with network tags | cids-mirror |
Select mirrored traffic | Mirror all traffic |
- If you do not have an active Threat Simulator account, request evaluation access at https://threatsimulator.cloud/login
- Once the evaluation is approved, log in to the Threat Simulator console, navigate to the Deployment page, and open "Anywhere" as the deployment type
- Scroll down to AGENT INSTALLATION to a CURL command line, which looks similar to the following. In your case, there will be a different `OrganizationID`. The agent version will vary with time as well.

```shell
curl "https://api.threatsimulator.cloud/agent/download?OrganizationID=1234567890abcdef1234567890abcdef&Type=onpremise-linux" > agent-21.3.0.2325.run
```
- Copy the 32-character value of the `OrganizationID` string from the line above and paste it into the script below on the `organizationID` line, right after the `=` sign. Deploy a Threat Simulator Agent instance on GCP by running the following command in GCP Console.

```shell
gcloud compute instances create ts-demo-workload-usc1a \
--zone=us-central1-a \
--machine-type=e2-small \
--subnet=ts-demo-app-subnet-us-central1 \
--image-family=ubuntu-2004-lts \
--image-project=ubuntu-os-cloud \
--boot-disk-size=10GB \
--boot-disk-device-name=ts-demo-workload-usc1a \
--tags=ts-agent,http-server,https-server,cids-mirror \
--metadata=startup-script='#!/bin/bash -xe
# Install only once: the marker file is written after a successful install
if [ ! -f /home/threatsim/.tsinstalled ]; then
  sysctl -w net.ipv6.conf.all.disable_ipv6=1
  sysctl -w net.ipv6.conf.default.disable_ipv6=1
  apt update
  apt -y install docker.io
  systemctl restart docker
  systemctl enable docker
  # Unprivileged service account for the agent, with sudo via google-sudoers
  useradd -m -G google-sudoers threatsim
  organizationID="1234567890abcdef1234567890abcdef"
  name="GCP-Cloud-IDS-Demo-1"
  APIbaseURL="https://api.threatsimulator.cloud"
  # Download the agent installer for this organization (escapes keep the URL intact in bash)
  curl $APIbaseURL/agent/download\?OrganizationID\=${organizationID}\&Type\=onpremise-linux >/home/threatsim/agent-init.run
  chown threatsim:threatsim /home/threatsim/agent-init.run
  sudo -u threatsim /bin/bash /home/threatsim/agent-init.run --quiet -- -y -n "${name}"
  # The agent ships as containers; a running ts-filebeat container means the install succeeded
  if [ `docker ps -qf name=ts-filebeat | wc -l` -ge 1 ]; then touch /home/threatsim/.tsinstalled; fi
fi'
```
- After about 5 minutes the Threat Simulator workload should appear in the Threat Simulator UI under the Agents section
- Log in to the Threat Simulator web interface https://threatsimulator.cloud/
- Navigate to the Assessment tab and enter "CISA" in the assessment filter
- Locate the assessment named "CISA Top 10, 2016-2019 Server Attacks" and launch a new scenario form from it:
- On the Create Scenario form, for Step 2, select the Threat Simulator agent you previously deployed as "GCP-Cloud-IDS-Demo-1"
- Click Advanced and change the protocol from the default HTTPS to HTTP (port 80)
- Name the scenario "GCP-Cloud-IDS-CISA-Top10-Server" and click "Add and Run Scenario"
- As the scenario is being executed, monitor Cloud IDS alarms and compare them with the audits executed by Threat Simulator on the Dashboard tab:
- Cloud IDS should be able to detect each threat from the scenario:
Now you have a sandbox environment to validate whether threat vectors that are relevant to your environment can be effectively detected by Cloud IDS. Explore the Threat Simulator assessments library to identify those of interest and run them against Cloud IDS. Note that some assessments use ports that were not previously permitted; you would need to adjust your GCP Firewall rules to allow them.
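For the monitoring and SIEM-integration goals stated at the top of this document, here is an added example (not part of the original demo) that reads Cloud IDS alerts as exported by Cloud Logging and turns them into the comparison made above: alerts per severity and per threat, the alerts that hit the agent VM after the scenario started, and a flat event a SIEM can ingest. The entries are embedded as a constructed sample in the shape of `gcloud logging read 'logName="projects/kt-nas-demo/logs/ids.googleapis.com%2Fthreat"' --project=kt-nas-demo --format=json`; the payload field names (`alert_severity`, `threat_id`, `name`, `category`, `source_ip_address`, `destination_ip_address`, `destination_port`, `application`, `cves`) follow the Cloud IDS threat log, while the threat names, addresses, times and CVE placeholder are made up. The ECS-style output keys in `to_siem_event` are my own mapping, not a Google format.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed entries in the shape of `gcloud logging read ... --format=json`. The fourth entry is a
# traffic log, included to show that only the threat log is treated as alerts.
SAMPLE_ENTRIES = json.loads(r"""[
 {"logName": "projects/kt-nas-demo/logs/ids.googleapis.com%2Fthreat",
  "resource": {"type": "ids.googleapis.com/Endpoint",
               "labels": {"id": "ts-demo-ids-us-central1", "location": "us-central1-a"}},
  "timestamp": "2021-07-01T12:00:05Z",
  "jsonPayload": {"alert_severity": "CRITICAL", "threat_id": "constructed-1",
                  "name": "Sample threat A (constructed)", "category": "code-execution",
                  "source_ip_address": "192.168.211.7", "destination_ip_address": "192.168.211.2",
                  "destination_port": 80, "application": "web-browsing", "cves": ["CVE-PLACEHOLDER"]}},
 {"logName": "projects/kt-nas-demo/logs/ids.googleapis.com%2Fthreat",
  "resource": {"type": "ids.googleapis.com/Endpoint",
               "labels": {"id": "ts-demo-ids-us-central1", "location": "us-central1-a"}},
  "timestamp": "2021-07-01T12:00:09Z",
  "jsonPayload": {"alert_severity": "MEDIUM", "threat_id": "constructed-2",
                  "name": "Sample threat B (constructed)", "category": "brute-force",
                  "source_ip_address": "192.168.211.7", "destination_ip_address": "192.168.211.2",
                  "destination_port": 80, "application": "web-browsing", "cves": []}},
 {"logName": "projects/kt-nas-demo/logs/ids.googleapis.com%2Fthreat",
  "resource": {"type": "ids.googleapis.com/Endpoint",
               "labels": {"id": "ts-demo-ids-us-central1", "location": "us-central1-a"}},
  "timestamp": "2021-07-01T11:50:00Z",
  "jsonPayload": {"alert_severity": "INFORMATIONAL", "threat_id": "constructed-3",
                  "name": "Sample threat C (constructed)", "category": "info-leak",
                  "source_ip_address": "192.168.211.7", "destination_ip_address": "192.168.211.2",
                  "destination_port": 443, "application": "ssl", "cves": []}},
 {"logName": "projects/kt-nas-demo/logs/ids.googleapis.com%2Ftraffic",
  "resource": {"type": "ids.googleapis.com/Endpoint",
               "labels": {"id": "ts-demo-ids-us-central1", "location": "us-central1-a"}},
  "timestamp": "2021-07-01T12:00:10Z",
  "jsonPayload": {"application": "web-browsing"}}
]""")

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
THREAT_LOG_SUFFIX = "/logs/ids.googleapis.com%2Fthreat"


def _ts(value):
    """Cloud Logging timestamps are RFC 3339 with a trailing Z; make them tz-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_threat_entries(entries):
    """Keep threat-log entries only and flatten the fields used for triage, in input order."""
    alerts = []
    for entry in entries:
        if not entry.get("logName", "").endswith(THREAT_LOG_SUFFIX):
            continue  # traffic logs and anything else are not alerts
        payload = entry.get("jsonPayload", {})
        alerts.append({
            "time": _ts(entry["timestamp"]),
            "endpoint": entry["resource"]["labels"]["id"],
            "severity": payload.get("alert_severity", "INFORMATIONAL").upper(),
            "threat_id": payload.get("threat_id"),
            "name": payload.get("name"),
            "category": payload.get("category"),
            "src": payload.get("source_ip_address"),
            "dst": payload.get("destination_ip_address"),
            "dst_port": payload.get("destination_port"),
            "application": payload.get("application"),
            "cves": payload.get("cves", []),
        })
    return alerts


def severity_rank(severity):
    return SEVERITY_ORDER.index(severity)


def at_least(alerts, minimum):
    """Alerts at or above a severity (the endpoint above is set to report from Informational)."""
    return [a for a in alerts if severity_rank(a["severity"]) >= severity_rank(minimum)]


def summarize(alerts):
    """Counts to put next to the Threat Simulator dashboard for the same run."""
    return {
        "total": len(alerts),
        "by_severity": dict(Counter(a["severity"] for a in alerts)),
        "by_threat": dict(Counter(a["name"] for a in alerts)),
        "targets": sorted({a["dst"] for a in alerts}),
        "first": min(a["time"] for a in alerts).isoformat() if alerts else None,
        "last": max(a["time"] for a in alerts).isoformat() if alerts else None,
    }


def alerts_for_target(alerts, target_ip, since_rfc3339):
    """Alerts against one host (e.g. the agent VM) after the scenario start time."""
    since = _ts(since_rfc3339)
    return [a for a in alerts if a["dst"] == target_ip and a["time"] >= since]


def to_siem_event(alert):
    """Flat, stable keys (ECS-style, our own mapping) for a downstream SIEM."""
    return {
        "@timestamp": alert["time"].isoformat(),
        "event.kind": "alert",
        "event.category": alert["category"],
        "event.severity": severity_rank(alert["severity"]),
        "rule.id": alert["threat_id"],
        "rule.name": alert["name"],
        "source.ip": alert["src"],
        "destination.ip": alert["dst"],
        "destination.port": alert["dst_port"],
        "network.protocol": alert["application"],
        "observer.name": alert["endpoint"],
        "vulnerability.id": ",".join(alert["cves"]),
    }


if __name__ == "__main__":
    found = parse_threat_entries(SAMPLE_ENTRIES)
    print(json.dumps(summarize(found), indent=2))
    for a in alerts_for_target(found, "192.168.211.2", "2021-07-01T12:00:00Z"):
        print(json.dumps(to_siem_event(a)))
```

In practice, replace `SAMPLE_ENTRIES` with the output of the `gcloud logging read` command in the lead-in (add `--freshness=1h` to limit the pull to the scenario window) and pass the scenario start time and the agent VM's internal IP to `alerts_for_target`; an empty result after a completed scenario points at the Packet Mirroring policy or the `cids-mirror` tag rather than at detection.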