GCP vpc_service_controls Mappings

VPC Service Controls define a security perimeter around Google Cloud resources to constrain data within a VPC and mitigate data exfiltration risks. VPC Service Controls can be used to define security policies that create perimeters for specific resources and data of services, prevent access to Google-managed services outside of a trusted perimeter, and block access to data from untrusted locations.

Mappings

Capability ID        | Capability Description | Category | Value       | ATT&CK ID | ATT&CK Name
vpc_service_controls | VPC Service Controls   | protect  | significant | T1018     | Remote System Discovery
    Comments: VPC security perimeters can segment private resources to deny traffic based on organizational policy.
vpc_service_controls | VPC Service Controls   | detect   | minimal     | T1021.004 | SSH
    Comments: This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using Secure Shell (SSH).
vpc_service_controls | VPC Service Controls   | protect  | significant | T1046     | Network Service Discovery
    Comments: VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1078     | Valid Accounts
    Comments: This control is able to mitigate abuse of compromised valid accounts by restricting access from those accounts to resources contained within the VPC perimeter the account belongs to. Resources and services contained in other VPC networks also cannot be accessed by user accounts that are not within the VPC network perimeter.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1098     | Account Manipulation
    Comments: VPC further segments the environment by providing configurable granular access controls which help limit user communications to critical systems.
vpc_service_controls | VPC Service Controls   | protect  | partial     | T1098.001 | Additional Cloud Credentials
    Comments: VPC further segments the environment by providing configurable granular access controls which help limit user permissions to communicate with critical systems.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1135     | Network Share Discovery
    Comments: VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1190     | Exploit Public-Facing Application
    Comments: VPC security perimeters can segment private resources to further reduce user access and operate in a logically separate hosting environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1530     | Data from Cloud Storage
    Comments: This control may mitigate access to cloud storage objects by limiting access to accounts and services contained within the VPC network perimeter that contains those cloud storage objects.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1537     | Transfer Data to Cloud Account
    Comments: This control may mitigate exfiltration attempts to external cloud accounts by limiting egress of data from accounts and services contained within the VPC network perimeter.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1552.007 | Container API
    Comments: VPC security perimeters can segment private resources to provide access based on user identity or organizational ingress/egress policies (e.g., instance, subnet).
vpc_service_controls | VPC Service Controls   | protect  | partial     | T1557     | Adversary-in-the-Middle
    Comments: A VPC security perimeter mitigates the impact of Adversary-in-the-Middle by creating virtual segmentation that limits the data and information broadcast on the network.
vpc_service_controls | VPC Service Controls   | protect  | partial     | T1567     | Exfiltration Over Web Service
    Comments: This control is able to partially mitigate exfiltration of data over a web service. Data contained within a VPC network perimeter cannot be moved to a Google Cloud resource or service outside of the perimeter, but it may still be moved to third-party services or storage.
vpc_service_controls | VPC Service Controls   | protect  | minimal     | T1570     | Lateral Tool Transfer
    Comments: VPC security perimeters can segment private resources to deny ingress and egress traffic based on organizational policies. Because this control does not prevent attacks from valid accounts or compromised machines, it was scored as minimal.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1590     | Gather Victim Network Information
    Comments: VPC security perimeters can limit the impact from active scanning techniques used to gain further information about the target environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1590.004 | Network Topology
    Comments: VPC security perimeters can limit the impact from active scanning techniques used to gain further information about the target environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1590.005 | IP Addresses
    Comments: VPC security perimeters can limit the impact from active scanning techniques used to gain further information about the target environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1595     | Active Scanning
    Comments: VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1595.001 | Scanning IP Blocks
    Comments: VPC security perimeters can limit the impact from active scanning on private networks and lateral movement techniques used to exploit target environments.
vpc_service_controls | VPC Service Controls   | protect  | significant | T1602     | Data from Configuration Repository
    Comments: VPC security perimeters can isolate resources and limit the impact from lateral movement techniques used to access sensitive data.
vpc_service_controls | VPC Service Controls   | protect  | partial     | T1619     | Cloud Storage Object Discovery
    Comments: This control may mitigate discovery of cloud storage objects. It is not able to protect metadata, such as cloud storage bucket names, but it can protect against discovery of the contents of a storage bucket.
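A perimeter that implements the restrictions the rows above rely on (restricted services, an access level for trusted locations, and a single narrow egress exception), written as an added Terraform example that is not from this page or from Google; the organization id, project numbers, IP range and service account are placeholders.

```hcl
# Added example (not from the page): a VPC Service Controls perimeter in Terraform.
# Org id, project numbers, CIDR and service account are placeholders.
resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/000000000000"
  title  = "org-access-policy"
}

# Access level: only the trusted corporate range counts as a trusted location.
resource "google_access_context_manager_access_level" "trusted_network" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/accessLevels/trusted_network"
  title  = "trusted_network"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "data_perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/data_perimeter"
  title  = "data_perimeter"
  status {
    # Projects whose data the perimeter protects.
    resources = ["projects/111111111111", "projects/222222222222"]
    # These APIs can only be called from inside the perimeter; valid IAM
    # roles alone are not enough from outside it (T1078, T1530).
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    # Requests that satisfy the access level are treated as inside.
    access_levels = [google_access_context_manager_access_level.trusted_network.name]
    # The one permitted egress: a named service account may create objects in
    # one external project; other cross-perimeter transfers are denied (T1537).
    egress_policies {
      egress_from {
        identities = ["serviceAccount:exporter@example-project.iam.gserviceaccount.com"]
      }
      egress_to {
        resources = ["projects/333333333333"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }
  }
}
```

The perimeter governs calls to Google APIs only: as the T1567 row notes, data that an inside principal pushes to a non-Google service is outside its scope, and bucket names remain visible (T1619).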