Welcome to the second Cloud CISO Perspectives for January 2024. In this edition, I’m turning the mic over to Yousif Hussin, who, as a member of Google’s Vulnerability Coordination Center, led our response to the recent serious zero-day CPU vulnerability Reptar. He talks about the important lessons executives can learn from how Google responds to critical zero-day vulnerabilities.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
–Phil Venables, VP, TI Security & CISO, Google Cloud
What Reptar can teach executives about critical zero-day vulnerability response
By Yousif Hussin, Cybersecurity Expert
While security vulnerability research is an essential area for Google, our commitment to effective vulnerability response, where we address and rectify critical vulnerabilities, is also of paramount importance. Our focus encompasses securing our products and users, and plays a vital role in securing millions of devices connected to the Internet.
As a member of Google’s Vulnerability Coordination Center team, which leads responses to critical vulnerabilities affecting Alphabet, I took the lead in responding to Reptar, a recent critical and complex CPU vulnerability. We published the details of the response to Reptar as well as a high-level overview.
The response to Reptar
Reptar is an architectural CPU vulnerability discovered by security researchers at Google, which we responsibly reported to Intel. We collaborated with industry partners, including Intel, on the successful remediation of the vulnerability, which ensured the security of our products, including Google Cloud and ChromeOS devices. We also collaborated with Intel to securely share the vulnerability mitigation information with other large industry players so that they too could respond and protect all users globally, not only Google users. Of the affected Google products, Reptar posed the highest risk to Google Cloud.
We use the Incident Management at Google (IMAG) framework to respond to critical vulnerabilities. Based on the Incident Command System (ICS) used by firefighters and medical first responders, the IMAG framework prescribes appointing an incident commander (IC), who builds a hierarchical response team with clear roles and responsibilities for each member and leads that team through the response effort. When time is of the utmost importance, there’s little room for error, so relying on the IMAG structure was essential to effectively manage the complex response for Reptar, or for any critical vulnerability requiring a complex response.
In order to maintain strict control over access to sensitive vulnerability information, a coordinated embargo period was implemented in conjunction with industry partners. During this embargo, the response was managed based on a strict need-to-know principle because a leak of any information related to the response effort could be used by attackers against our users or others globally.
Technical capabilities are vital but aren’t enough
We’re enhancing our technical capabilities that support vulnerability responses. We use robust technologies, which undergo rigorous testing, to guarantee the extensive evaluation of a vulnerability’s impact across our systems. Our engineering capabilities and the efficiency of our tools can facilitate the successful deployment of vulnerability remediation across the entire fleet of systems, at a huge scale, without affecting the user experience.
However, adequate tools for managing vulnerability response within an organization are not enough. The establishment, testing, and use of an effective incident response methodology specifically tailored to critical vulnerabilities, supported by senior leadership, is of paramount significance to achieving success. This is especially true for high-priority vulnerabilities such as Reptar.
An organization’s leadership should foster active internal collaboration between partner security teams. While the response team manages the remediation process, in some cases it is essential to implement appropriate monitoring mechanisms to promptly identify any activities indicative of potential exploitation of the vulnerability.
In certain engagements, such as Reptar’s, proper incident management and communication extends beyond an organization’s walls. Communication channels had been proactively established with pivotal industry partners, such as Intel, to prepare for future critical vulnerabilities.
For the Reptar response, established lines of communication enabled cross-industry collaboration. The collaboration facilitated the collective development and execution of a successful mitigation strategy that safeguards Google, our users, and technology users globally beyond Google’s ecosystem.
Key takeaways
Google’s response to Reptar demonstrates that a well-orchestrated vulnerability response should rely on tested and repeatable steps. Organizations should use effective and scalable technologies, follow established methodologies and frameworks such as IMAG, and have ready lines of communication to support and grow internal and external collaboration.
While there’s no single way of building and leading a vulnerability response team, it’s clear that forethought, testing, and a strong desire to successfully protect everybody who uses the Internet and information technology are required to rapidly remediate critical zero-day vulnerabilities at scale. If your organization is interested in discussing its critical vulnerability response plan, you can contact our Office of the CISO.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- IDC study: Customers cite 407% ROI with Chronicle Security Operations: IDC determined that Google Cloud’s SecOps platform delivers ROI of 407% over three years, with a payback period under 7 months. Read more.
- Announcing Custom Org Policy to help tailor resource guardrails with confidence: Custom Organization Policies is now generally available. The powerful new extension to Org Policies can create granular resource policies to address cloud governance requirements. Read more.
- Our first Trust & Safety Research Awards grantees: We’re announcing the recipients of our Trust & Safety Research Awards, which support academics working to create positive societal impact with technology. Read more.
- Spotlighting ‘shadow AI’: How to protect against risky AI practices: The emerging trend of “shadow AI,” using consumer-grade AI in business settings, poses risks to organizations. Here’s why you should favor enterprise-grade AI. Read more.
News from Mandiant
- Chinese espionage group found exploiting critical vulnerability for two years: Mandiant and VMware Product Security have found that UNC3886, a highly advanced China-nexus espionage group, has been exploiting a critical vulnerability publicly reported and patched in October 2023 as far back as late 2021. Read more.
- Suspected APT targets Ivanti VPN in new zero-day exploitation: VPN provider Ivanti has been working with Mandiant to mitigate two new vulnerabilities in Ivanti appliances that are being actively exploited. Of the more than 10,000 deployments around the globe, we’ve identified hundreds of organizations that have been impacted. Organizations should follow the recommended mitigation steps from Ivanti. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
- Worlds collide: What happens when SecOps meets cloud: How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response? What is this new CIRA thing that Gartner just cooked up? Arie Zilberstein, CEO and co-founder, Gem Security, joins our Cloud Security podcast hosts Anton Chuvakin and Tim Peacock to talk CDR, CIRA, and what they mean for SecOps. Listen here.
- Living off the land and attacking critical infrastructure: A recent power disruption incident involved cyberattacks that used existing tools in the hacked system, and attacks on operational technology. Sandra Joyce, vice president, Mandiant Intelligence joins Anton and Tim to explain what we know about the incident and how it impacts cloud security. Listen here.
- Hacktivists continue to use DDoS: For the first Threat Trends episode of 2024, host Luke McNamara is joined by Mandiant Senior Technical Director Jose Nazario and Principal Analysts Alden Wahlstrom and Josh Palatucci, who go deep on the hacktivist distributed denial-of-service activity they tracked over the last year. Listen here.
- Tales from the 2023 trenches: Doug Bienstock and Josh Madelay, regional leads for Mandiant Consulting, join Luke to walk through some of the trends they have witnessed responding to breaches in 2023. Josh and Doug cover what is happening with business email compromise (BEC), common initial infection vectors, social engineering tactics, and more. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.