A defender’s MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP)

· 2 MIN READ · KYLE PELLETT · AUG 5, 2022 · TAGS: Cloud security / MDR

Our security operations center (SOC) sees its share of attackers in Google Cloud Platform (GCP). Seriously—check out this recent incident report to see what we mean.

Attackers commonly gain unauthorized access to a customer’s cloud environment through misconfigurations and long-lived credentials—100% of cloud incidents we identified in the first quarter of 2022 stemmed from this root cause.

As we investigated these incidents, we noticed patterns emerge in the tactics attackers use most often in GCP. We also noticed those patterns map nicely to the MITRE ATT&CK Framework… (See where we’re going with this?)

Cue: our new defender’s cheat sheet to MITRE ATT&CK in GCP.

What’s inside?

In this handy guide, we mapped the GCP services where these common tactics often originate to the API calls they make to execute on these techniques, giving you a head start on protecting your own GCP environment.

We also sprinkled in a few tips and tricks to help you investigate incidents in GCP. It’s an easy-to-use resource that informs your organization’s GCP alert triage, investigations, and incident response.

Our goal? Help you identify potential attacks and quickly map them to ATT&CK tactics by providing the lessons learned and takeaways from our own investigations.

Depending on which phase of an attack you’re investigating, you can also use the cheat sheet to identify other potential attack paths and tactics the cyber criminal used, painting a bigger (clearer) picture of any risky activity and behaviors that can indicate compromise and require remediation.

For example, if you see suspected credential access, you can investigate by checking how that identity authenticated to GCP, if they’ve assumed any other roles, and if there are other suspicious API calls indicating the presence of an attacker. Other tactics that an attacker may execute prior to credential access include discovery, persistence, and privilege escalation.

What’s the bottom line?

Chasing down GCP alerts and combing through audit logs isn’t easy if you don’t know what to look for (and even if you do).

Full disclosure: the cheat sheet doesn’t cover every API call and the associated ATT&CK tactic. But it can serve as a resource during incident response and help you tell the story (to your team and customers) after the fact.

Knowing which API calls are associated with which attack tactics isn’t intuitive, and we don’t think you should have to go it alone. We hope this guide serves as a helpful tool as you and your team tackle GCP incident investigations.

Want a defender’s cheat sheet of your own? Click here to get our GCP mind map!

P.S. Operating in Amazon Web Services (AWS) or Azure too? We didn’t forget about you—check out this AWS Mind Map and Azure Guidebook for more helpful guidance.

Special thanks to Ryan Gott for his contributions to this defender’s cheat sheet and mind map.