MITRE ATT&CK in Google Cloud Platform (GCP) – A defender’s cheat sheet by Expel

A helpful way to map MITRE ATT&CK tactics to GCP API calls
This guide contains a breakdown of tactics we see attackers use most often during attacks in Google Cloud Platform (GCP).
To give you a jump start on your own GCP environment, we’ve mapped the GCP services where these tactics often originate (thanks, crafty attackers) along with the API calls they make to execute on these techniques.
As a bonus, we’re throwing in some of our own tips and tricks for you to use when investigating an incident in GCP that’s related to any of these attack tactics.
How to use this cheat sheet

This cheat sheet is intended as a resource to help inform GCP alert triage, investigations, and incident response. It helps you quickly identify potential attacks and map them to MITRE ATT&CK tactics.
Depending on which phase of an attack you’re investigating, you can also use it to identify other potential attack paths and MITRE ATT&CK tactics the attacker might have used. This provides you with a bigger picture perspective and identifies risky activity and behaviors that can indicate compromise and require remediation.
For example, if you see suspected credential access, you can investigate by checking how that identity authenticated to GCP, if they’ve assumed any other roles, and if there are other suspicious API calls indicating the presence of an attacker. Other tactics that an attacker may execute prior to credential access include discovery, persistence, and privilege escalation.
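The investigation flow described above (how the identity authenticated, whether it acted through another identity, and which other API calls it made) can be scripted over Cloud Audit Log entries. The following is an added example, not Expel's code and not the cheat sheet's own mapping: the method names are real GCP audit-log `methodName` values, but the tactic/technique assignments in `METHOD_TACTICS` are this example's assumptions, and the log entries are constructed sample data in the Cloud Audit Log JSON shape.

```python
import json
from collections import defaultdict

# Hypothetical mapping from Cloud Audit Log methodName values (real GCP method
# names) to an ATT&CK tactic and technique. The assignment is this example's
# assumption, not a published mapping; extend it with your own triage findings.
METHOD_TACTICS = {
    "google.iam.admin.v1.CreateServiceAccountKey": ("Persistence", "T1098.001"),
    "google.iam.admin.v1.CreateServiceAccount": ("Persistence", "T1136.003"),
    "SetIamPolicy": ("Privilege Escalation", "T1098"),
    "GenerateAccessToken": ("Credential Access", "T1528"),
    "storage.buckets.list": ("Discovery", "T1580"),
    "storage.objects.get": ("Collection", "T1530"),
    "google.logging.v2.ConfigServiceV2.DeleteSink": ("Defense Evasion", "T1562.008"),
}


def classify(method_name):
    """Return (tactic, technique) for a methodName, or None if unmapped.
    Falls back to the final dotted component so that service-specific
    prefixes (e.g. 'v1.compute.instances.SetIamPolicy') still match."""
    if method_name in METHOD_TACTICS:
        return METHOD_TACTICS[method_name]
    return METHOD_TACTICS.get(method_name.rsplit(".", 1)[-1])


def triage(entries):
    """Group audit-log entries by principal and collect, for each one: the
    caller IPs it authenticated from, any identities it acted through
    (serviceAccountDelegationInfo), the ATT&CK tactics its calls map to,
    and a time-ordered list of (timestamp, methodName, technique)."""
    report = defaultdict(lambda: {"caller_ips": set(), "delegated_via": set(),
                                  "tactics": set(), "calls": []})
    for entry in entries:
        payload = entry["protoPayload"]
        auth = payload.get("authenticationInfo", {})
        principal = auth.get("principalEmail", "<unknown>")
        rec = report[principal]
        rec["caller_ips"].add(payload.get("requestMetadata", {}).get("callerIp", "?"))
        for delegation in auth.get("serviceAccountDelegationInfo", []):
            rec["delegated_via"].add(
                delegation.get("firstPartyPrincipal", {}).get("principalEmail", "?"))
        hit = classify(payload["methodName"])
        if hit:
            rec["tactics"].add(hit[0])
        rec["calls"].append((entry["timestamp"], payload["methodName"], hit[1] if hit else None))
    for rec in report.values():
        rec["calls"].sort(key=lambda call: call[0])
    return dict(report)


def _entry(ts, principal, method, ip, delegated_by=None):
    """Build a minimal Cloud Audit Log entry (constructed sample data)."""
    auth = {"principalEmail": principal}
    if delegated_by:
        auth["serviceAccountDelegationInfo"] = [
            {"firstPartyPrincipal": {"principalEmail": delegated_by}}]
    return {"timestamp": ts,
            "protoPayload": {"authenticationInfo": auth, "methodName": method,
                             "requestMetadata": {"callerIp": ip}}}


# Constructed scenario: a user mints a token for a service account, then the
# service account (acting on the user's behalf) enumerates storage, creates a
# new key, and changes an IAM policy; an unrelated user reads one object.
SA = "ci-sa@example-project.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [
    _entry("2024-01-01T10:00:00Z", "alice@example.com", "GenerateAccessToken", "203.0.113.5"),
    _entry("2024-01-01T10:03:00Z", SA, "SetIamPolicy", "203.0.113.5", delegated_by="alice@example.com"),
    _entry("2024-01-01T10:01:00Z", SA, "storage.buckets.list", "203.0.113.5", delegated_by="alice@example.com"),
    _entry("2024-01-01T10:02:00Z", SA, "google.iam.admin.v1.CreateServiceAccountKey", "203.0.113.5",
           delegated_by="alice@example.com"),
    _entry("2024-01-01T11:00:00Z", "bob@example.com", "storage.objects.get", "198.51.100.7"),
]

if __name__ == "__main__":
    # Sets are converted to sorted lists so the report serialises cleanly.
    printable = {p: {k: (sorted(v) if isinstance(v, set) else v) for k, v in rec.items()}
                 for p, rec in triage(SAMPLE_ENTRIES).items()}
    print(json.dumps(printable, indent=2))
```

Run against a real export, the per-principal view answers the three questions in one pass: the `caller_ips` and `delegated_via` fields show how the identity authenticated and whether it acted through another one, and the `tactics` set shows which other ATT&CK stages the same identity touched, so a single credential-access alert can be widened to the discovery, persistence, and privilege-escalation activity around it.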
