VPC Network Changed

This alert occurs when Lacework detects a change in the configuration of a Virtual Private Cloud (VPC) network.

A VPC network is a virtual network that enables resources in a Google Cloud project to communicate with each other securely and privately.

Related policy: LW_AT_VPC_50: VPC Network Changed

Why this alert is important

Changes to a VPC network can impact the security, performance, and availability of your Google Cloud resources. For example, unauthorized changes to firewall rules, subnets, or routes could allow malicious actors to access your network or resources, or disrupt normal network traffic. Similarly, changes to the IP address range of a subnet or to network peering connections could cause connectivity issues or disrupt applications that rely on specific IP addresses.

By monitoring this alert, you can quickly identify when changes are made to your VPC network configuration and take appropriate action to investigate and mitigate any potential security or operational risks.

Investigation

Follow these steps to investigate the alert:

  1. Review the Audit Logs to identify the changes, when they were made, and who made them.
  2. Malicious changes to your VPC network configuration could result in unusual traffic or behavior. Check your VPC Flow Logs to identify any unusual network traffic patterns that may indicate unauthorized access or activity.
  3. Malicious actors may attempt to modify firewall rules or network routes to gain unauthorized access to your environment or to redirect traffic to malicious destinations. Review your firewall rules and network routes to ensure that they are configured correctly and that there are no unauthorized changes.
  4. Malicious actors may also attempt to modify network peering connections to gain access to your environment or to redirect traffic to malicious destinations. Review your network peering connections to ensure they are configured correctly and that there are no unauthorized changes.
  5. If a user account made the malicious change, investigate the user's activity to determine whether their account has been compromised. Check the user's login history and review their activity in other areas of your Google Cloud environment to identify any other suspicious activity.

Resolution

Use the following steps to resolve an unauthorized change in the VPC network:

  1. Revert the unauthorized change to restore the VPC network to its previous state. You can do this by restoring from a backup or manually reverting the change using VPC network configuration tools.
  2. Review your security controls to ensure that they are appropriately configured and that there are no other vulnerabilities that malicious actors could exploit. This may include reviewing firewall rules, network routes, and network peering connections.
  3. Reset the credentials for any user accounts that may have been compromised due to the unauthorized change. This may include resetting passwords or disabling compromised accounts.
  4. Enhance your monitoring and logging capabilities to better detect and respond to future security incidents. This may include setting up alerts for suspicious activity, regularly reviewing your Audit Logs, and implementing additional security controls such as multi-factor authentication or network segmentation.
  5. Conduct a post-incident review to evaluate the effectiveness of your response and identify areas for improvement. Document any lessons learned and update your incident response plan accordingly.
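Investigation step 1 (review the Audit Logs for who changed what, and when) and Resolution step 4 (set up alerts for this kind of activity) both come down to recognising VPC-affecting Compute Engine mutations in Cloud Audit Log entries. The script below is an added example, not code from Lacework or Google: it reads audit log entries as JSON, keeps only write operations on networks, subnetworks, firewalls and routes (including peering changes), and summarises actor, caller IP, time and resource for each one. The `methodName` values and the `protoPayload` field names follow the Cloud Audit Log format for `compute.googleapis.com`; the log lines themselves are constructed sample data, and the `example.com` / `example-project` identifiers are placeholders. The `LOGGING_FILTER` constant is the same detection expressed as a Cloud Logging query, which can be used for a log-based alerting policy or sink.

```python
import json
import re

# VPC resource types and mutating verbs that appear in Cloud Audit Log
# methodName values such as "v1.compute.firewalls.insert" or
# "v1.compute.networks.addPeering". Read-only verbs (get, list) are
# deliberately excluded so routine inspection does not generate findings.
VPC_RESOURCE_TYPES = ("networks", "subnetworks", "firewalls", "routes")
MUTATING_VERBS = (
    "insert", "delete", "patch", "update",
    "addPeering", "removePeering", "updatePeering",
    "switchToCustomMode", "expandIpCidrRange", "setPrivateIpGoogleAccess",
)
METHOD_RE = re.compile(
    r"^(?:v1|beta|alpha)\.compute\.(%s)\.(%s)$"
    % ("|".join(VPC_RESOURCE_TYPES), "|".join(MUTATING_VERBS))
)

# Equivalent Cloud Logging query for a log-based alert or sink (example filter).
LOGGING_FILTER = (
    'protoPayload.serviceName="compute.googleapis.com" AND '
    'protoPayload.methodName=~"^(v1|beta|alpha)\\.compute\\.'
    '(networks|subnetworks|firewalls|routes)\\.'
    '(insert|delete|patch|update|addPeering|removePeering|updatePeering|'
    'switchToCustomMode|expandIpCidrRange|setPrivateIpGoogleAccess)$"'
)

# Constructed sample audit log entries (one JSON document per line).
SAMPLE_LOG_LINES = [
    # Read-only call: must not be reported.
    '{"timestamp":"2024-03-01T10:00:00Z","protoPayload":{"serviceName":"compute.googleapis.com",'
    '"methodName":"v1.compute.firewalls.list","authenticationInfo":{"principalEmail":"reader@example.com"},'
    '"resourceName":"projects/example-project/global/firewalls"}}',
    # Firewall rule created by a human user account.
    '{"timestamp":"2024-03-01T10:05:13Z","protoPayload":{"serviceName":"compute.googleapis.com",'
    '"methodName":"v1.compute.firewalls.insert","authenticationInfo":{"principalEmail":"alice@example.com"},'
    '"requestMetadata":{"callerIp":"203.0.113.7"},'
    '"resourceName":"projects/example-project/global/firewalls/allow-all-ingress"}}',
    # Peering added by an automation service account.
    '{"timestamp":"2024-03-01T10:02:44Z","protoPayload":{"serviceName":"compute.googleapis.com",'
    '"methodName":"v1.compute.networks.addPeering",'
    '"authenticationInfo":{"principalEmail":"terraform@example-project.iam.gserviceaccount.com"},'
    '"requestMetadata":{"callerIp":"198.51.100.20"},'
    '"resourceName":"projects/example-project/global/networks/prod-vpc"}}',
    # Unrelated service: must not be reported.
    '{"timestamp":"2024-03-01T10:07:30Z","protoPayload":{"serviceName":"storage.googleapis.com",'
    '"methodName":"storage.buckets.update","authenticationInfo":{"principalEmail":"alice@example.com"},'
    '"resourceName":"projects/_/buckets/example-bucket"}}',
    # Subnet range expanded by a human user account.
    '{"timestamp":"2024-03-01T10:11:02Z","protoPayload":{"serviceName":"compute.googleapis.com",'
    '"methodName":"v1.compute.subnetworks.expandIpCidrRange",'
    '"authenticationInfo":{"principalEmail":"bob@example.com"},'
    '"requestMetadata":{"callerIp":"203.0.113.9"},'
    '"resourceName":"projects/example-project/regions/us-central1/subnetworks/prod-subnet"}}',
]


def load_entries(lines):
    """Parse one JSON audit log entry per line."""
    return [json.loads(line) for line in lines]


def classify(entry):
    """Return (resource_type, verb) for a VPC mutation, or None for anything else."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "compute.googleapis.com":
        return None
    match = METHOD_RE.match(payload.get("methodName", ""))
    return (match.group(1), match.group(2)) if match else None


def summarize_vpc_changes(entries):
    """Extract who / when / what for every VPC mutation, oldest first."""
    findings = []
    for entry in entries:
        hit = classify(entry)
        if hit is None:
            continue
        payload = entry["protoPayload"]
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
        findings.append({
            "time": entry.get("timestamp", ""),
            "actor": actor,
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "resource_type": hit[0],
            "verb": hit[1],
            "resource": payload.get("resourceName"),
            # Service-account actors usually mean pipeline automation; a human
            # account changing firewalls or peering deserves the step 5 review.
            "by_service_account": actor.endswith(".gserviceaccount.com"),
        })
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in summarize_vpc_changes(load_entries(SAMPLE_LOG_LINES)):
        print(f"{f['time']} {f['actor']} ({f['caller_ip']}) "
              f"{f['resource_type']}.{f['verb']} -> {f['resource']}")
```

In practice the entries would come from a Cloud Logging export (for example `gcloud logging read` output or a log sink) rather than the embedded sample; the `LOGGING_FILTER` string is the piece to paste into an alerting policy so the same change types page an on-call engineer instead of waiting for a periodic review.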