nerdexam
GIAC

GCIH · Question #773

An attacker with GCP cloud administrative access uses the Google gcloud and gsutil utilities to create a backup of a sensitive database for download. How would this attack be identified?

The correct answer is C. Audit logs. GCP audit logs record all API calls and administrative actions, making them the primary mechanism for detecting misuse of gcloud and gsutil by privileged users.

Cloud Incident Response & Threat Hunting

Question

An attacker with GCP cloud administrative access uses the Google gcloud and gsutil utilities to create a backup of a sensitive database for download. How would this attack be identified?

Options

  • AThreat Intelligence
  • BNetwork Monitoring
  • CAudit logs
  • DPacket Capture

How the community answered

(65 responses)
  • A
    9% (6)
  • B
    3% (2)
  • C
    83% (54)
  • D
    5% (3)

Why each option

GCP audit logs record all API calls and administrative actions, making them the primary mechanism for detecting misuse of gcloud and gsutil by privileged users.

AThreat Intelligence

Threat Intelligence identifies known malicious IPs, domains, or TTPs externally; it would not flag legitimate GCP admin tool usage from an authorized account.

BNetwork Monitoring

Network Monitoring detects anomalous traffic patterns, but gcloud/gsutil traffic uses standard HTTPS to GCP endpoints and would not stand out from normal API usage.

CAudit logsCorrect

Google Cloud Audit Logs (Cloud Audit Logs - Admin Activity and Data Access logs) capture every API call made by gcloud and gsutil, including storage bucket creation, database export operations, and object downloads. Because the attacker is using legitimate administrative credentials, the activity bypasses network anomaly detection but leaves a detailed, timestamped trail in the audit log. Reviewing Cloud Audit Logs for unusual export or copy operations against sensitive datasets would expose this insider or compromised-credential attack.

DPacket Capture

Packet Capture would only show encrypted HTTPS traffic to GCP APIs; decrypting and parsing this traffic at scale is impractical and would not reliably identify the specific data exfiltration action.

Concept tested: GCP Cloud Audit Logs detecting insider data exfiltration

Source: https://cloud.google.com/logging/docs/audit

Topics

#GCP audit logs#cloud forensics#gcloud gsutil#data exfiltration detection

Community Discussion

No community discussion yet for this question.

Full GCIH Practice