Big red button for incident response

I was faced with a difficult question: in the case of a security incident, one customer desired a “big red button” to completely shut down Google Cloud Platform (GCP). But how to do that? Is there a right way to do it? Let’s see.

The problem

Imagine an attacker could hack our Cloud systems and exfiltrate sensitive data, or abuse the system to launch an attack. How do we keep control? Can we just shut down GCP? Would it stop the attack and contain the damage?

Organizations in regulated industries often feel obligated to demonstrate this level of control, so that regulators believe the organization has done its due diligence. This is especially true if GCP communicates with internal systems and could become a channel back into the core on-premise network.

Attacks may be carried out via a number of external-facing systems such as web servers or Content Management Systems (CMS). Other scenarios include leaked/stolen SSH keys or stolen IAM credential files left on a public repository. These attacks assume external forces. However, the risk grows when we add internal attackers to the mix.

Security in the Cloud focuses on a shared responsibility model that proves essential for businesses to succeed with cloud technology. Typically, the Cloud Service Provider is responsible for securing the infrastructure, and the customer is responsible for securing the data and applications. Google Cloud helps you protect your systems and data with products and services. But no matter how many defenses you put in place, you should be prepared for bad things to happen.

If an unfortunate event occurs, the customer wants to keep control and considers shutting down GCP a good mechanism to do so. Wouldn’t this stop the attack and contain the damage?

Shutting down GCP is more difficult than it may seem. First, we should define what “shutting down” really means. Different customers may have different interpretations, but it can mean blocking access to resources, isolating systems, or destroying resources. Let’s take a deeper look at the problem and possible solutions.

The technical side

We can think about this problem in a traditional way. One of the typical protections that on-premise infrastructure leverages is the network. Much like a user might react by pulling the ethernet cord from a computer if they are attacked, some companies might immediately restrict access to critical systems and the internet when they detect their systems are compromised. In GCP, we might want to label critical firewall rules with a tag such as “ripcord” then, in an emergency situation, we can quickly identify and delete those rules in one pass.
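The "ripcord" idea above as an added example that is not from the original article: a POSIX shell script that assumes the gcloud CLI is installed and authenticated and that the firewall rules you would want to pull in an emergency carry the word "ripcord" in their description (the marker word and the `RIPCORD_PROJECT` variable are this example's own conventions). It exports and disables the matching rules rather than deleting them, so the network state at containment time is preserved as evidence and the rules can be re-enabled once the incident is understood.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the gcloud CLI is
# installed and authenticated, and that the firewall rules to pull in an
# emergency carry the marker word "ripcord" in their description.
# Rules are exported and then disabled instead of deleted, so they can be
# re-enabled after the incident has been analysed.
set -eu

# list_ripcord_rules TAG: reads lines of "name<TAB>description" on stdin, the
# shape of `gcloud compute firewall-rules list --format="value(name,description)"`,
# and prints the names whose description contains TAG (case-insensitive).
list_ripcord_rules() {
  awk -F'\t' -v tag="$1" 'index(tolower($2), tolower(tag)) { print $1 }'
}

# pull_ripcord PROJECT [--confirm]: show the affected rules (dry run), or with
# --confirm export them to a timestamped YAML file and disable each one.
pull_ripcord() {
  project="$1"; mode="${2:-dry-run}"
  backup="ripcord-backup-$(date +%Y%m%dT%H%M%S).yaml"
  rules=$(gcloud compute firewall-rules list --project "$project" \
            --format="value(name,description)" | list_ripcord_rules ripcord)
  if [ -z "$rules" ]; then
    echo "no firewall rules marked ripcord in project $project"; return 0
  fi
  echo "rules marked ripcord:"; echo "$rules"
  if [ "$mode" != "--confirm" ]; then
    echo "dry run; re-run with --confirm to export and disable them"; return 0
  fi
  # Keep a restorable record first: the exported YAML is also evidence of the
  # network configuration at containment time.
  for name in $rules; do
    gcloud compute firewall-rules describe "$name" --project "$project" \
      --format=yaml >> "$backup"
    echo "---" >> "$backup"
  done
  for name in $rules; do
    gcloud compute firewall-rules update "$name" --project "$project" --disabled
    echo "disabled $name"
  done
  echo "exported to $backup; restore with: gcloud compute firewall-rules update NAME --no-disabled"
}

# Only act when a project is supplied, so the file can also be sourced.
if [ -n "${RIPCORD_PROJECT:-}" ]; then
  pull_ripcord "$RIPCORD_PROJECT" "${1:-}"
fi
```

Run `RIPCORD_PROJECT=my-project sh ripcord.sh` for the dry run and add `--confirm` to act; as the article goes on to explain, this only blocks VM traffic and does nothing about data leaving through managed services.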

While this digital version of “pulling the cord” may block traffic from exiting your systems, it may not be clear how it would be implemented and if it would help in all situations. Attackers may use public storage buckets or other managed services to dump sensitive information, which complicates security analysis when strictly considering only firewall rules.

Luckily, in Cloud, you can take advantage of how quickly and easily access can be restricted through Cloud IAM. For example, if you are using CMEK, our solution for managing your encryption keys, you have an effective way to block access to your data by revoking IAM permissions on the CMEK key rings. You can apply the same concept to other critical roles. However, as in the firewall rules example above, it may not be clear exactly how to leverage IAM to block an attack. If you suffer a ransomware attack, whose goal is to prevent data access through encryption, revoking IAM access to CMEK won’t help you. Additionally, if the attackers are using your platform to launch DDoS or other types of targeted attacks against other systems, IAM won’t help either.

Google Cloud offers you VPC Service Controls (VPC SC), which allows the definition of security perimeters to mitigate data exfiltration risks due to misconfigured access controls, malicious users copying data to unauthorized cloud resources, and attackers attempting to access sensitive data in GCP resources from the internet. VPC SC is a powerful mechanism to enhance your security posture, and I encourage you to explore how it can be used in your environment. A word of caution: VPC SC is not a trivial solution and requires adoption at the architecture phase. In a situation where we are already under attack, applying VPC SC after the fact is not realistic.

Besides VPC SC, there are additional, more drastic mechanisms you can put in practice. In a cloud-native environment where Infrastructure as Code is used to manage your deployments, you could consider automating everything to remove all resources with the press of a button, allowing redeployment later. Be aware, this solution refers strictly to infrastructure and not live data, which would be lost.

You may have already realized there is no single solution: every situation requires a different approach, or a mix of them, tailored to its specific circumstances. One solution may trigger a mechanism which not only fails to address the problem but also hides or destroys evidence of what really happened, leaving you exposed. Worse, some solutions may impact future business. Blocking client access to services, or losing control of or access to your systems, may have a negative impact on your business reputation that is worse than the attack itself.

Remember, you should ensure the confidentiality, integrity, and availability of the data when creating a security program. The limited mechanisms discussed so far may help protect your systems, but there are still many loose ends to address:

  • What type of incidents or attacks should you plan to address? You can’t protect against something you don’t know.
  • How do you identify and qualify incidents?
  • What are the processes to decide if a solution should be applied?
  • How will you protect your systems and data during the incident?
  • How will you recover?
  • Will you meet regulatory and compliance requirements?

If the sole tool you have to manage an incident is a big red button, you will eventually press it. In this way, your button may become the perfect tool to be weaponized by an attacker, and the fastest way to put your company in the headlines.

To avoid the catastrophic consequences of a “big red button plan”, you should have an effective Incident Response plan. This plan leverages systems, teams, and processes to manage security incidents. The previous questions, and more, should be taken into account when defining this plan:

  • How will you perform a forensic analysis?
  • What teams should be involved, and how will they coordinate?
  • How will you communicate the incident to your customers?
  • How can you learn from the incident and improve?

Investing in a plan will put you in a much better position to manage security incidents when they happen, lower the associated risks, and improve your confidence and security posture.

Google has a rigorous Incident Response process divided into the following phases:

  • Identification. This phase focuses on monitoring security events to detect potential vulnerabilities and incidents, and reporting them to the incident response team.
  • Coordination. When an incident is reported, a triage takes place to evaluate the nature and severity of the incident and engage the response team if needed.
  • Resolution. In this phase, we investigate the root cause, resolve immediate security issues if any, and coordinate tasks to contain and recover. Communication plans are also developed if needed.
  • Closure and Continuous improvement. We analyze each incident to gain new insights and learn lessons to improve our tools, training, and processes for our overall security.

In this white paper, you can gain more insights into Google’s approach to incident response.

The psychological side

We have talked about the challenges that come up when dealing with an incident. As explained, technically, the best path is to have an Incident Response plan to manage these situations. Still, having a proper plan is not easy. It requires time, effort, resources, qualified people, and commitment from the CxOs to invest in plan success. In the absence of that, some customers may think they are safer with a big red button than without. We have discussed technical reasons why this is not a good idea. But the problem is not solely a technical one; it is also psychological.

Bruce Schneier wrote: “Security is both a feeling and a reality, and they’re different. You can feel secure even though you’re not, and you can be secure even though you don’t feel it.” Regretfully, sometimes people make decisions based on the feeling of security rather than its actuality. When the feeling of security doesn’t correspond to reality, feelings can be an enemy.

Imagine you discover malicious behavior on your systems, or that your data is compromised. You don’t have an incident response plan, nor much information about the attack and what has occurred. But you have that button. This situation, where you are risking your business, is an emotional rollercoaster, especially without a plan.

You may feel more secure with the option of pressing a button. You know doing so has risks, but many people prefer known risks to unknown ones. We perceive risk according to several factors such as (un)familiarity and fear; we assign higher risk to threats that are new and not well known. This phenomenon of perceived risk applies even more when we must make quick decisions under pressure. We can’t help but feel emotional reactions to the various options available. This can lead to a high probability of inappropriate decisions.

Conclusion

A security incident and how to respond has many consequences. You can improve your security posture if you assess past incidents thoroughly and consider future threats. You should have an Incident Response Plan, including several components. First, include written processes and specific procedures to follow for each situation. Second, train your people to follow the processes and procedures. Provide support when they must execute them and, finally, complete retrospectives to learn from the experience. Your ultimate goal is to plan ahead of time to be safe!

Translated from: https://medium.com/google-cloud/big-red-button-for-incident-response-e17ea72d870f
