Google Cloud's VM Threat Detection + Exciting New VMTD Previews

Cloud security threats are always evolving. While many focus on the network layer, insidious threats like cryptocurrency miners, rootkits, and sophisticated malware target the heart of your virtual machines (VMs). Google Cloud's Security Command Center (SCC) offers a powerful solution: VM Threat Detection.

VM Threat Detection findings are high-severity threats that we recommend you fix immediately

What is VM Threat Detection?

  • VM Threat Detection is a built-in service within SCC Premium. It goes beyond traditional endpoint agents by working at the hypervisor level of your Google Cloud infrastructure.
  • This means it scans your VM memory and disks for malicious applications, even if those threats try to hide themselves.
  • Key targets include cryptocurrency mining software, kernel-mode rootkits, and other advanced malware.

How VM Threat Detection Works

  • Under the Hood: VM Threat Detection is embedded in Google Cloud's secure hypervisor, ensuring deep visibility into VMs without installing agents.
  • Scanning: It regularly scans Compute Engine projects and VM instances for signs of malicious activity.
  • Analysis: Data from VM guest memory is analyzed, and findings are reported directly to your Security Command Center dashboard.

How cryptocurrency mining detection works

Powered by Google Cloud's threat detection rules, VM Threat Detection analyzes information about software running on VMs, including a list of application names, per-process CPU usage, hashes of memory pages, CPU hardware performance counters, and information about executed machine code to determine whether any application matches known cryptocurrency mining signatures. When possible, VM Threat Detection then determines the running process associated with the detected signature matches and includes information about that process in the finding.

New Preview Features: Rootkits and Malware on Disk

The power of VM Threat Detection is expanding! Now in preview, it can detect kernel-mode rootkits and scan your VM's persistent disk for malware.

Kernel-mode rootkit detection

VM Threat Detection infers the type of operating system running on the VM and uses that information to determine the kernel code, read-only data regions, and other kernel data structures in memory. VM Threat Detection applies various techniques to determine if those regions are tampered with, by comparing them to precomputed hashes that are expected for the kernel image and verifying the integrity of important kernel data structures.
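To make the two techniques in that paragraph concrete, here is an added illustration (not Google Cloud's code, and not how VM Threat Detection is implemented internally): hash kernel code and read-only data regions read from guest memory and compare them with precomputed hashes of the expected kernel image, then verify one kernel data structure, a system-call table, by checking that every handler address still falls inside kernel code. The kernel image, the memory layout and addresses, and the tampering applied in `demo()` are all constructed for the example.

```python
"""Kernel integrity checks of the kind the post describes: compare kernel code and
read-only data regions in guest memory against precomputed hashes of the expected
kernel image, and verify a kernel data structure (a system-call table) still points
into kernel code.  Added illustration, not Google Cloud code: the kernel image,
memory layout, addresses and tampering below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int   # guest-virtual address of the region (constructed)
    size: int


# Constructed layout: 64 KiB of kernel text, 16 KiB of read-only data, then a
# writable table holding four syscall handler addresses.
TEXT = Region(".text", 0xFFFFFFFF81000000, 0x10000)
RODATA = Region(".rodata", 0xFFFFFFFF81010000, 0x4000)
SYSCALL_TABLE = Region("sys_call_table", 0xFFFFFFFF81014000, 8 * 4)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pristine_image():
    """Constructed stand-in for the shipped kernel image: deterministic bytes per region."""
    text = bytes((i * 7) & 0xFF for i in range(TEXT.size))
    rodata = bytes((i * 13) & 0xFF for i in range(RODATA.size))
    # Four handlers, each at an offset inside .text
    handlers = [TEXT.start + 0x100, TEXT.start + 0x2400,
                TEXT.start + 0x7F00, TEXT.start + 0xC000]
    return {".text": text, ".rodata": rodata, "sys_call_table": handlers}


def expected_hashes(image):
    """Precompute the expected hashes for the kernel image's immutable regions."""
    return {name: sha256(image[name]) for name in (".text", ".rodata")}


def check_region_hashes(memory, expected):
    """Return the regions whose in-memory bytes no longer match the precomputed hash."""
    return [name for name, digest in expected.items() if sha256(memory[name]) != digest]


def check_syscall_table(memory):
    """Every handler must lie inside kernel .text; an entry pointing elsewhere
    (a module or heap page) means the table has been redirected."""
    bad = []
    for index, target in enumerate(memory["sys_call_table"]):
        if not (TEXT.start <= target < TEXT.start + TEXT.size):
            bad.append({"index": index, "target": hex(target)})
    return bad


def analyze(memory, expected):
    return {"tampered_regions": check_region_hashes(memory, expected),
            "hooked_syscalls": check_syscall_table(memory)}


def demo():
    """Analyze a pristine snapshot and a constructed tampered one; returns both results."""
    pristine = build_pristine_image()
    expected = expected_hashes(pristine)
    clean = analyze(pristine, expected)

    # Constructed tampering: one byte patched inside .text, and syscall entry 2
    # redirected to an address outside kernel text.
    tampered = dict(pristine)
    text = bytearray(pristine[".text"])
    text[0x2400] ^= 0xFF
    tampered[".text"] = bytes(text)
    table = list(pristine["sys_call_table"])
    table[2] = 0xFFFFFFFFC0001000
    tampered["sys_call_table"] = table
    return clean, analyze(tampered, expected)


if __name__ == "__main__":
    clean, suspicious = demo()
    print("pristine:", clean)
    print("tampered:", suspicious)
```

Precomputed hashes only work for regions that are immutable after boot, which is why the example hashes `.text` and `.rodata` but checks the writable syscall table by a structural invariant instead; a hypervisor-level detector has to make the same split, and operating-system inference (which kernel build, which layout) is what tells it where each region lives.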

Malware detection on disk

VM Threat Detection takes short-lived clones of your VM's persistent disk, without disrupting your workloads, and scans the disk clones. This service analyzes executable files on the VM to determine whether any files match known malware signatures. The generated finding contains information about the file and the malware signatures detected.
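The cryptocurrency-mining section above and this disk-scanning section both come down to matching hashes against a signature set and then attributing the match: to a running process (with its name and CPU usage) in the memory case, and to a file path on the cloned disk in the on-disk case. The added example below (illustration only, not Google Cloud's code or its actual signature format) shows both paths with one shared signature database. The signature set, the process snapshot, the "disk clone" directory and its files, and the finding category labels are all constructed.

```python
"""Signature matching of the kind the post describes, over two sources: hashes of
process memory pages (cryptocurrency-mining detection) and executable files on a
short-lived disk clone (malware-on-disk detection).  Added illustration only; the
signature set, processes, files and category labels below are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

PAGE_SIZE = 4096
ELF_MAGIC = b"\x7fELF"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str  # "memory_page" for resident pages, "file" for whole executables


@dataclass
class Process:
    pid: int
    name: str
    cpu_percent: float
    pages: list  # bytes of each resident code page, as read from guest memory


# Constructed "known bad" content.  A real signature set holds hashes of miner and
# malware code; these are derived from placeholder bytes so the example is self-contained.
MINER_PAGE = b"constructed miner hot-loop page".ljust(PAGE_SIZE, b"\x90")
MALWARE_ELF = ELF_MAGIC + b"constructed malware executable body"
BENIGN_ELF = ELF_MAGIC + b"constructed benign executable body"

SIGNATURE_DB = {
    sha256(MINER_PAGE): Signature("constructed.miner.hotloop", "memory_page"),
    sha256(MALWARE_ELF): Signature("constructed.malware.dropper", "file"),
}


def scan_process_memory(processes, db=SIGNATURE_DB):
    """Hash every resident page; on a match, attribute the signature to the owning
    process and carry its name and CPU usage into the finding."""
    findings = []
    for proc in processes:
        for index, page in enumerate(proc.pages):
            sig = db.get(sha256(page))
            if sig and sig.kind == "memory_page":
                findings.append({
                    "category": "cryptocurrency_mining",  # constructed category label
                    "signature": sig.name,
                    "process": {"pid": proc.pid, "name": proc.name,
                                "cpu_percent": proc.cpu_percent, "page_index": index},
                })
    return findings


def scan_disk_clone(root, db=SIGNATURE_DB):
    """Walk a mounted disk clone and hash only executable files (ELF magic), the
    file class the post says is analyzed; match whole-file hashes against the set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if not data.startswith(ELF_MAGIC):
                continue  # not an executable; skipped, like the text file in demo()
            sig = db.get(sha256(data))
            if sig and sig.kind == "file":
                findings.append({
                    "category": "malware_on_disk",  # constructed category label
                    "signature": sig.name,
                    "file": {"path": os.path.relpath(path, root), "sha256": sha256(data)},
                })
    return findings


def demo():
    """Run both scans over constructed input; returns (memory_findings, disk_findings)."""
    processes = [
        Process(412, "sshd", 0.3, [b"\x00" * PAGE_SIZE]),
        Process(2210, "updater", 97.5, [b"\x00" * PAGE_SIZE, MINER_PAGE]),
    ]
    with tempfile.TemporaryDirectory() as clone:
        os.makedirs(os.path.join(clone, "usr", "bin"))
        os.makedirs(os.path.join(clone, "tmp"))
        with open(os.path.join(clone, "usr", "bin", "ls"), "wb") as fh:
            fh.write(BENIGN_ELF)
        with open(os.path.join(clone, "tmp", ".cache"), "wb") as fh:
            fh.write(MALWARE_ELF)
        with open(os.path.join(clone, "tmp", "notes.txt"), "wb") as fh:
            fh.write(b"plain text, never hashed")
        return scan_process_memory(processes), scan_disk_clone(clone)


if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(finding)
```

The detail worth noticing is where the attribution comes from: the memory finding names a process only because the scanner knows which process owned the matching page, which is what the post means by determining "the running process associated with the detected signature matches". The disk finding, taken from a clone rather than the live disk, can only name a file.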

Benefits of VM Threat Detection

  • Agentless = Hassle-Free: No software to install or manage on VMs, reducing deployment time and complexity.
  • Invisible to Attackers: Working at the hypervisor level makes it difficult for malware to detect and evade.
  • Seamless with SCC: Findings and insights integrate directly into your central security monitoring and workflow.

If you activate the Premium tier of Security Command Center, VM Threat Detection scans are automatically enabled. If needed, you can disable the service, or enable or disable it for individual projects at the project level.

https://cloud.google.com/security-command-center/docs/concepts-vm-threat-detection-overview

Are you using VM Threat Detection? Share your experiences in the comments!

Remember, this exciting rootkit and disk scanning feature is in preview. Your feedback is valuable to make VM Threat Detection even better!
