GCIH · Question #773
An attacker with GCP cloud administrative access uses the Google gcloud and gsutil utilities to create a backup of a sensitive database for download. How would this attack be identified?
The correct answer is C. Audit logs. GCP audit logs record all API calls and administrative actions, making them the primary mechanism for detecting misuse of gcloud and gsutil by privileged users.
Question
An attacker with GCP cloud administrative access uses the Google gcloud and gsutil utilities to create a backup of a sensitive database for download. How would this attack be identified?
Options
- AThreat Intelligence
- BNetwork Monitoring
- CAudit logs
- DPacket Capture
How the community answered
(65 responses)- A9% (6)
- B3% (2)
- C83% (54)
- D5% (3)
Why each option
GCP audit logs record all API calls and administrative actions, making them the primary mechanism for detecting misuse of gcloud and gsutil by privileged users.
Threat Intelligence identifies known malicious IPs, domains, or TTPs externally; it would not flag legitimate GCP admin tool usage from an authorized account.
Network Monitoring detects anomalous traffic patterns, but gcloud/gsutil traffic uses standard HTTPS to GCP endpoints and would not stand out from normal API usage.
Google Cloud Audit Logs (Cloud Audit Logs - Admin Activity and Data Access logs) capture every API call made by gcloud and gsutil, including storage bucket creation, database export operations, and object downloads. Because the attacker is using legitimate administrative credentials, the activity bypasses network anomaly detection but leaves a detailed, timestamped trail in the audit log. Reviewing Cloud Audit Logs for unusual export or copy operations against sensitive datasets would expose this insider or compromised-credential attack.
Packet Capture would only show encrypted HTTPS traffic to GCP APIs; decrypting and parsing this traffic at scale is impractical and would not reliably identify the specific data exfiltration action.
Concept tested: GCP Cloud Audit Logs detecting insider data exfiltration
Source: https://cloud.google.com/logging/docs/audit
Topics
Community Discussion
No community discussion yet for this question.