Overview of toxic combinations

This page provides an overview of the concept of a toxic combination and of the findings and cases that vulnerability analysts can use to identify, prioritize, and remediate the toxic combinations in Security Command Center Enterprise.

Toxic combination findings and cases help you to more effectively identify risk and improve security in your cloud environments.

Definition of a toxic combination

A toxic combination is a group of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.

A security issue is anything that contributes to the exposure of your cloud resources, such as a particular configuration of resources, a misconfiguration, or a software vulnerability.

The Risk Engine of Security Command Center Enterprise detects toxic combinations during the attack path simulations it runs. For each toxic combination that Risk Engine detects, it issues a finding. Each finding includes an attack exposure score that measures the risk of the toxic combination to the high-value resources in your cloud environment. Risk Engine also generates a visualization of the attack path that the toxic combination creates to the high-value resources.

Attack exposure scores on toxic combinations

Risk Engine calculates an attack exposure score for each toxic combination finding. The score is an estimation of the amount of risk that the toxic combination poses to your high-value resources.

A score on a toxic combination finding is similar to attack exposure scores on other types of findings, but can be thought of as applying to a path rather than a finding of an individual software vulnerability or misconfiguration.

Generally, a toxic combination represents a greater risk to your cloud deployment than an individual security issue. However, compare the score of a toxic combination finding to the scores of other toxic combination and posture findings to determine which you should act on first.

If the score of a finding of an individual security issue is significantly higher than the score of a toxic combination finding, you should prioritize the finding with the higher score.

Like attack exposure scores for other findings, attack exposure scores on toxic combinations are derived from the following:

  • The number of high-value resources that are exposed and the priority values and attack exposure scores of those resources
  • The likelihood that a determined attacker could succeed in reaching a high-value resource by leveraging the toxic combination

For more information, see Attack exposure scores.

Attack path visualizations for toxic combinations

Risk Engine provides a visual depiction of the attack paths that a toxic combination creates to your high-value resources. An attack path represents a series of security issues and resources that a potential attacker could use to reach a high-value resource.

The attack path helps you understand the relationships between the issues in a toxic combination and how together they form a path to your high-value resources. The path visualization also shows you how many high-value resources are exposed and what the relative priorities are of the exposed resources.

In the Security Operations console, the security issues that make up the toxic combination are highlighted by a bold yellow diamond-shaped border on the attack path.

In the Security Operations console, Security Command Center provides two versions of a toxic combination attack path. The first is a simplified version that appears on the case overview tab in a toxic combination case. The second version shows the full attack path. You can open the full attack path by clicking Explore full attack paths in the simplified attack path or by clicking Explore toxic combination attack path in the upper right corner of the case view.

The following screenshot is an example of a simplified attack path.

A simplified attack path as shown in the Security Operations console

For more information, see Attack paths.

Toxic combination cases

Security Command Center Enterprise opens a case in the Security Operations console for each toxic combination finding that Risk Engine issues. You can query or filter toxic combination cases by using the TOXIC_COMBINATION tag that they include. You can also visually identify toxic combination cases in the Security Operations console by the following icon:

A toxic combination case never contains more than one toxic combination finding or alert.

The case is the primary way to investigate and track the remediation of a toxic combination. In the case view, you can find the following information:

  • A description of the toxic combination
  • The attack exposure score of the toxic combination
  • A visualization of the attack path that the toxic combination creates
  • Information about the affected resource
  • Information about the steps you can take to remediate the toxic combination
  • Information about any related findings from other Security Command Center detection services, including links to their associated cases
  • Any applicable playbooks
  • Any associated tickets

You can view the toxic combination cases in your environment at a glance on the Security Command Center Posture Overview page in the Security Operations console. The Posture Overview page contains widgets that show toxic combination cases by priority, by attack exposure score, and by the time left in their service level agreement (SLA).

For more information about viewing toxic combination cases, see View toxic combination cases.

Case priority

By default, toxic combination cases have a priority of Critical to match the severity of the toxic combination finding and its associated alert in the toxic combination case.

After a case is opened, you can change the priority of the case or of the alert.

Changing the priority of a case or an alert does not change the severity of the finding.

Closing cases

The disposition of toxic combination cases is determined by the state of the underlying finding. When a finding is first issued, its state is Active.

If you remediate the toxic combination, Risk Engine automatically detects the remediation during the next attack path simulation and closes the case. Simulations run approximately every six hours.

Alternatively, if you determine that the risk posed by the toxic combination is acceptable or unavoidable, you can close a case by muting the toxic combination finding.

When you mute a toxic combination finding, the finding remains active, but Security Command Center closes the case and omits the finding from default queries and views.
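The following Python model, added here as an illustration and not taken from the Security Command Center API or its case-management code, captures the behaviour described in the sections on attack exposure scores, case priority, and closing cases: findings are ranked by score regardless of finding class, a toxic combination case opens at Critical with the TOXIC_COMBINATION tag, changing case priority leaves finding severity alone, a negative simulation result resolves the finding and closes the case, and muting closes the case while the finding stays active and drops out of default queries. The class names, field names, score values and sample findings are constructed for the example.

```python
"""Toy model of the toxic combination case lifecycle described on this page.
Added illustration with constructed data; not the Security Command Center API
or its case-management logic."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    name: str
    finding_class: str             # constructed label, e.g. "TOXIC_COMBINATION"
    attack_exposure_score: float   # constructed value
    severity: str = "CRITICAL"
    state: str = "ACTIVE"          # ACTIVE until remediation is confirmed
    mute: str = "UNMUTED"          # muting hides a finding; it does not resolve it


@dataclass
class Case:
    case_id: str
    finding: Finding               # a case holds exactly one toxic combination finding
    priority: str
    tags: set = field(default_factory=set)
    status: str = "OPEN"


def open_toxic_combination_case(finding, case_id):
    """Open the case for one toxic combination finding: it carries the
    TOXIC_COMBINATION tag and starts at Critical, matching the finding severity."""
    if finding.finding_class != "TOXIC_COMBINATION":
        raise ValueError("only toxic combination findings open this kind of case")
    return Case(case_id, finding, priority="Critical", tags={"TOXIC_COMBINATION"})


def set_case_priority(case, priority):
    """Analysts may change case priority; the finding's severity is untouched."""
    case.priority = priority
    return case


def apply_simulation_result(case, still_detected):
    """Called after each attack path simulation (roughly every six hours).
    If the toxic combination is no longer detected, the finding is resolved
    and the case closes automatically."""
    if not still_detected:
        case.finding.state = "INACTIVE"
        case.status = "CLOSED"
    return case


def mute_finding(case):
    """Accepting the risk: the case closes, but the finding stays ACTIVE and
    merely drops out of default queries and views."""
    case.finding.mute = "MUTED"
    case.status = "CLOSED"
    return case


def default_query(findings):
    """Default views list active, unmuted findings only."""
    return [f for f in findings if f.state == "ACTIVE" and f.mute == "UNMUTED"]


def toxic_combination_cases(cases):
    """Filter cases by the TOXIC_COMBINATION tag, as a console query would."""
    return [c for c in cases if "TOXIC_COMBINATION" in c.tags]


def triage_order(findings):
    """Highest attack exposure score first, regardless of finding class: an
    individual misconfiguration with a much higher score outranks a toxic
    combination, even though toxic combinations usually score higher."""
    return sorted(findings, key=lambda f: f.attack_exposure_score, reverse=True)


# Constructed sample findings and scores.
TC = Finding("tc-1", "TOXIC_COMBINATION", attack_exposure_score=320.0)
MISCONFIG = Finding("public-bucket", "MISCONFIGURATION", 900.0, severity="HIGH")
POSTURE = Finding("posture-1", "POSTURE_VIOLATION", 45.0, severity="MEDIUM")

if __name__ == "__main__":
    print("triage order:", [f.name for f in triage_order([TC, MISCONFIG, POSTURE])])
    case = open_toxic_combination_case(TC, "case-1")
    set_case_priority(case, "High")
    mute_finding(case)
    print("case:", case.status, "| finding:", TC.state, TC.mute, TC.severity)
    print("default query shows:", [f.name for f in default_query([TC, MISCONFIG])])
```

The point worth checking in the muting branch is that `default_query` stops returning the finding while `state` is still `ACTIVE`: the risk has been accepted, not removed, so any reporting that relies on default views undercounts it by design.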

Related findings

Many of the individual security issues that make up a toxic combination that Risk Engine detects are also detected by other Security Command Center detection services. These other detection services issue separate findings for these issues. These findings are listed in a toxic combination case as related findings.

Because related findings are issued separately from the toxic combination finding, separate cases are opened for them, different playbooks are run for them, and other members of your team may be working on their remediation independently of the remediation of the toxic combination finding.

Check the status of the cases for these related findings and, if necessary, ask the owners of the cases to prioritize their remediation to help resolve the toxic combination.

In a toxic combination case, any related findings are listed in the Findings widget on the overview tab. For each related finding, the widget includes a link to its corresponding case.

Related findings are also identified in the toxic combination attack path.

How Risk Engine detects toxic combinations

Risk Engine runs attack path simulations on all of your cloud resources approximately every six hours.

During the simulations, Risk Engine identifies potential attack paths to the high-value resources in your cloud environment and calculates attack exposure scores for findings and high-value resources. If Risk Engine detects a toxic combination during the simulations, it issues a finding.
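The following Python model, added here as an illustration and not Risk Engine's own algorithm, makes concrete what the attack path section above and the simulation description mean by a "path" formed from a "combination" of issues: resources are nodes, a hop between two resources is possible only while a named security issue is present, and each distinct set of issues that lets an entry point reach a high-value resource is one toxic combination. Re-running the search after removing one issue shows how a remediation is picked up at the next simulation. The inventory, the issue names, the priority scale and the reachability edges are all constructed for the example, and no attack exposure score is computed; the block only reports the inputs the page says the score is derived from.

```python
"""Toy model of an attack path simulation: which security issues, taken
together, form a path from an entry point to high-value resources. Added
illustration over constructed data; it is not Risk Engine's algorithm and
computes no attack exposure score."""
from collections import defaultdict

# Constructed inventory: resource name -> (priority value, issues present on it).
# Priority is a hypothetical 1-10 scale; a value above 0 marks a high-value resource.
RESOURCES = {
    "internet":       (0, set()),
    "vm-web":         (0, {"public-ip", "os-vuln"}),
    "sa-deployer":    (0, {"overly-permissive-role"}),
    "vm-batch":       (0, {"os-vuln"}),   # no public IP, so never reached
    "bucket-secrets": (10, set()),        # high-value
    "sql-prod":       (8, set()),         # high-value
}

# Constructed reachability: the hop src -> dst is possible only while the
# named issue is present on the named resource.
EDGES = [
    ("internet",    "vm-web",         ("vm-web", "public-ip")),
    ("vm-web",      "sa-deployer",    ("vm-web", "os-vuln")),
    ("sa-deployer", "bucket-secrets", ("sa-deployer", "overly-permissive-role")),
    ("sa-deployer", "sql-prod",       ("sa-deployer", "overly-permissive-role")),
    ("internet",    "vm-batch",       ("vm-batch", "public-ip")),
]


def find_attack_paths(resources, edges, entry="internet"):
    """Depth-first enumeration of simple paths from `entry` to any high-value
    resource. Returns a list of (resources_on_path, issues_relied_on)."""
    high_value = {r for r, (prio, _) in resources.items() if prio > 0}
    adjacency = defaultdict(list)
    for src, dst, required in edges:
        adjacency[src].append((dst, required))
    paths = []
    stack = [(entry, [entry], [])]
    while stack:
        node, path, issues = stack.pop()
        if node in high_value:
            paths.append((path, issues))
            continue  # a path ends at the first high-value resource it reaches
        for dst, (res, issue) in adjacency[node]:
            if dst in path or issue not in resources[res][1]:
                continue  # already visited, or the enabling issue is absent
            stack.append((dst, path + [dst], issues + [(res, issue)]))
    return paths


def toxic_combinations(resources, paths):
    """Group paths by the set of issues they rely on. Each distinct set is one
    toxic combination. The report lists what it exposes and the highest
    priority among the exposed resources, two of the inputs the page names
    for the attack exposure score (the score itself is not modelled)."""
    combos = defaultdict(set)
    for path, issues in paths:
        combos[frozenset(issues)].add(path[-1])
    return {
        issues: {
            "exposed": sorted(exposed),
            "max_priority": max(resources[r][0] for r in exposed),
        }
        for issues, exposed in combos.items()
    }


def remediate(resources, resource, issue):
    """Return a copy of the inventory with one issue fixed; running the search
    over it again is the equivalent of the next simulation picking up the fix."""
    fixed = {r: (prio, set(iss)) for r, (prio, iss) in resources.items()}
    fixed[resource][1].discard(issue)
    return fixed


if __name__ == "__main__":
    paths = find_attack_paths(RESOURCES, EDGES)
    for issues, info in toxic_combinations(RESOURCES, paths).items():
        print("toxic combination:", sorted(issues))
        print("  exposes:", info["exposed"], "| max priority:", info["max_priority"])
    after_fix = remediate(RESOURCES, "sa-deployer", "overly-permissive-role")
    print("paths after fixing the role:", find_attack_paths(after_fix, EDGES))
```

Two things the run shows that the prose only states: fixing any single issue on the path (the public IP, the OS vulnerability, or the over-permissive role) removes both paths at once, which is why a toxic combination is remediated by breaking the chain rather than by fixing every link; and `vm-batch` carries the same OS vulnerability but appears in no path, which is the kind of individual issue that still gets its own separate finding and case but does not contribute to this combination.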

For more information about attack path simulations, see Attack path simulations.