A recent report from cloud incident response firm Mitiga finds that Google Cloud Platform (GCP) storage access logs do not record enough detail to support an effective forensic investigation, leaving organizations unable to tell whether an attacker who reached their storage buckets actually took data.
The attack scenario starts with the adversary taking over an identity and access management (IAM) principal in the targeted organization, for example through social engineering. With that identity, the attacker can reach the GCP environment and read, and potentially exfiltrate, sensitive data from Cloud Storage. The problem for defenders is that the storage access logs record a metadata read and a full download of an object the same way: both appear as a single `storage.objects.get` event (the "Object Get" activity the report refers to), so a log entry alone cannot show whether the caller only listed or inspected an object or pulled its contents out of the bucket.
`storage.objects.get` is the normal way users and services retrieve data from storage buckets, and GCP logs the event whenever a request is made for an object. Those entries do identify the caller, the object and the source IP, which is useful for tracking usage, but they do not carry the one distinction an investigator needs most: whether content was actually transferred.
That lack of granularity is a real obstacle for organizations trying to protect a GCP environment against data exfiltration. Legitimate reads by an application service account and bulk downloads by a compromised account look alike in the log, so an investigation has to infer intent from patterns (which identity read what, how many objects, from where and how fast) rather than from the event type itself, and a subtle attacker may not stand out at all.
To address this, organizations using GCP should add monitoring and logging beyond the defaults. First, make sure the logs exist at all: Data Access audit logs for Cloud Storage are disabled by default and must be turned on before any `storage.objects.get` event is recorded. Beyond that, third-party security tools can add more granular visibility into data access, and GCP-native controls such as VPC Service Controls can limit where bucket data can be read from in the first place. Regular audits of IAM policies, alerts on unusual read volume per principal, and monitoring for access from unfamiliar locations all help an organization spot a compromised identity earlier. Taken together, these proactive measures reduce the risk that a data exfiltration goes unnoticed in a GCP environment.