Suspicious GCP API calls indicating GKE intra-node visibility modification

ID: gcp_gke_intranode_visibility_disabled_suspicious
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that intra-node visibility was disabled on a GKE cluster via google.container.v1beta1.ClusterManager.UpdateCluster. Intra-node visibility enables network flow logging between pods on the same node, providing visibility into pod-to-pod communication that would otherwise be invisible to VPC flow logs.

Adversaries may disable intra-node visibility to reduce monitoring coverage and hide lateral movement between pods on the same node.

Impact

Disabling intra-node visibility removes visibility into network traffic between pods on the same node. This can hide malicious lateral movement, data exfiltration between pods, or communication with compromised containers. Security teams lose the ability to detect suspicious pod-to-pod traffic patterns.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for the UpdateCluster action with desiredIntraNodeVisibilityConfig changes. Identify the principal that disabled intra-node visibility and verify whether this was an authorized change.

If unauthorized, re-enable intra-node visibility on the cluster. Investigate the compromised identity for additional defense evasion activities. Review pod network policies and consider implementing additional monitoring for suspicious container behavior.
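As an added example (not AlphaSOC's own detection code), the triage steps above as a Python script: it scans exported Cloud Audit Log entries (JSON, one per line, constructed here), keeps only UpdateCluster calls that clear desiredIntraNodeVisibilityConfig, records the principal and cluster, and grades each finding by counting unexpected properties (action, ASN, user agent, region) against a baseline, following the severity table. The baseline, the IP-to-ASN table and the log lines are constructed; the handling of a request that serialises enabled:false as an empty object (proto3 omits default values) is this example's assumption, as is mapping more than three unexpected properties to Medium.

```python
"""Flag GKE intra-node visibility being disabled in GCP Cloud Audit Logs."""
import json

UPDATE_CLUSTER = "google.container.v1beta1.ClusterManager.UpdateCluster"

# Constructed baseline of what "expected" means for this project. In practice
# it would be learned from historical audit logs per principal or project.
BASELINE = {
    "actions": {"google.container.v1beta1.ClusterManager.GetCluster"},
    "asns": {"AS15169"},
    "user_agents": {"google-cloud-sdk", "Terraform/1.6"},
    "regions": {"us-central1"},
}

# Constructed IP -> ASN table standing in for a real ASN lookup service.
IP_TO_ASN = {"198.51.100.5": "AS15169", "203.0.113.7": "AS64496"}


def intra_node_visibility_disabled(entry: dict) -> bool:
    """True if this UpdateCluster request turns intra-node visibility off.

    Assumption: the request body is proto3-serialised, so enabled=false may be
    omitted, leaving 'desiredIntraNodeVisibilityConfig': {}. The key being
    present without enabled=True is therefore treated as a disable.
    """
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != UPDATE_CLUSTER:
        return False
    update = payload.get("request", {}).get("update", {})
    if "desiredIntraNodeVisibilityConfig" not in update:
        return False
    return update["desiredIntraNodeVisibilityConfig"].get("enabled") is not True


def unexpected_properties(entry: dict) -> list:
    """Return which of action / asn / user_agent / region fall outside BASELINE."""
    payload = entry["protoPayload"]
    meta = payload.get("requestMetadata", {})
    labels = entry.get("resource", {}).get("labels", {})
    user_agent = meta.get("callerSuppliedUserAgent", "")
    flags = []
    if payload.get("methodName") not in BASELINE["actions"]:
        flags.append("action")
    if IP_TO_ASN.get(meta.get("callerIp"), "unknown") not in BASELINE["asns"]:
        flags.append("asn")
    if not any(user_agent.startswith(ua) for ua in BASELINE["user_agents"]):
        flags.append("user_agent")
    if labels.get("location") not in BASELINE["regions"]:
        flags.append("region")
    return flags


def severity(n_unexpected: int):
    """Map the count of unexpected properties to the page's severity scale."""
    if n_unexpected == 0:
        return None
    if n_unexpected == 1:
        return "Informational"
    if n_unexpected == 2:
        return "Low"
    return "Medium"  # three or more (assumption: >3 still maps to Medium)


def scan(lines):
    """Yield one finding per audit entry that disabled intra-node visibility."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        if not intra_node_visibility_disabled(entry):
            continue
        flags = unexpected_properties(entry)
        findings.append({
            "principal": entry["protoPayload"]["authenticationInfo"]["principalEmail"],
            "cluster": entry["resource"]["labels"].get("cluster_name"),
            "unexpected": flags,
            "severity": severity(len(flags)),
        })
    return findings


# Constructed audit log lines (one JSON object per line, as exported by Cloud Logging).
SAMPLE_LOGS = [
    # CI service account, known ASN/agent/region; only the action is unusual -> Informational
    json.dumps({"protoPayload": {"methodName": UPDATE_CLUSTER,
                "authenticationInfo": {"principalEmail": "ci-deployer@example-project.iam.gserviceaccount.com"},
                "requestMetadata": {"callerIp": "198.51.100.5", "callerSuppliedUserAgent": "Terraform/1.6.2"},
                "request": {"update": {"desiredIntraNodeVisibilityConfig": {}}}},
                "resource": {"type": "gke_cluster", "labels": {"cluster_name": "prod-a", "location": "us-central1"}}}),
    # Human identity, unknown ASN, scripted client, new region -> four unexpected properties -> Medium
    json.dumps({"protoPayload": {"methodName": UPDATE_CLUSTER,
                "authenticationInfo": {"principalEmail": "alice@example.com"},
                "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "python-requests/2.31.0"},
                "request": {"update": {"desiredIntraNodeVisibilityConfig": {"enabled": False}}}},
                "resource": {"type": "gke_cluster", "labels": {"cluster_name": "prod-b", "location": "europe-west3"}}}),
    # Re-enabling the feature is not a finding
    json.dumps({"protoPayload": {"methodName": UPDATE_CLUSTER,
                "authenticationInfo": {"principalEmail": "alice@example.com"},
                "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "python-requests/2.31.0"},
                "request": {"update": {"desiredIntraNodeVisibilityConfig": {"enabled": True}}}},
                "resource": {"type": "gke_cluster", "labels": {"cluster_name": "prod-b", "location": "europe-west3"}}}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Once a finding is confirmed unauthorized, the feature can be restored with `gcloud container clusters update CLUSTER_NAME --enable-intra-node-visibility`, and the principal from the finding is the starting point for the wider identity review the page describes.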