Analytics Story: GCP Account Takeover

Description

Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.

Why it matters

Account Takeover (ATO) is an attack in which criminals gain unauthorized access to online accounts through techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. Posing as the real user, the attacker can change account details, send phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that help security operations teams identify the potential compromise of Google Cloud accounts.

Detections

Name | Technique | Type
GCP Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
GCP Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP
GCP Multiple Failed MFA Requests For User | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
GCP Multiple Users Failing To Authenticate From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly
GCP Successful Single-Factor Authentication | Cloud Accounts, Cloud Accounts | TTP
GCP Unusual Number of Failed Authentications From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly
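As an added illustration of the logic behind the "GCP Multiple Users Failing To Authenticate From Ip" detection (this is not the story's own Splunk search), the following Python reimplements the idea over constructed Google Workspace Reports API login records of the kind the gws:reports:admin sourcetype carries, and then lists accounts that logged in successfully from a flagged IP in the same window. The record field names (id.time, actor.email, ipAddress, events[].name), thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

def _rec(time, email, ip, name, failure_type=None):
    # One Reports API "login" activity record (constructed test data, assumed shape)
    params = [{"name": "login_type", "value": "google_password"}]
    if failure_type:
        params.append({"name": "login_failure_type", "value": failure_type})
    return {"id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name, "parameters": params}]}

# Constructed sample: one IP fails against four accounts inside 20 minutes and then
# succeeds for one of them; a second IP is a single user mistyping a password twice.
SAMPLE_EVENTS = [
    _rec(f"2024-05-01T10:{m:02d}:00Z", f"{u}@example.com", "203.0.113.7",
         "login_failure", "login_failure_invalid_password")
    for m, u in [(1, "alice"), (4, "bob"), (9, "carol"), (15, "dave")]
] + [
    _rec("2024-05-01T10:20:00Z", "dave@example.com", "203.0.113.7", "login_success"),
    _rec("2024-05-01T10:02:00Z", "bob@example.com", "198.51.100.5", "login_failure", "login_failure_invalid_password"),
    _rec("2024-05-01T10:03:00Z", "bob@example.com", "198.51.100.5", "login_failure", "login_failure_invalid_password"),
]

def _window(rec, window_minutes):
    # Fixed time bucket index so events from the same IP can be grouped per window
    ts = datetime.fromisoformat(rec["id"]["time"].replace("Z", "+00:00"))
    return int(ts.timestamp()) // (window_minutes * 60)

def spray_candidates(records, min_users=3, window_minutes=60):
    """Bucket login_failure events by (source IP, time window) and report windows in
    which one IP failed against at least min_users distinct accounts."""
    buckets = defaultdict(lambda: {"users": set(), "failures": 0})
    for rec in records:
        if not any(ev.get("name") == "login_failure" for ev in rec.get("events", [])):
            continue
        b = buckets[(rec.get("ipAddress"), _window(rec, window_minutes))]
        b["users"].add(rec["actor"]["email"])
        b["failures"] += 1
    return [{"ip": ip, "window": w, "distinct_users": len(b["users"]), "failures": b["failures"]}
            for (ip, w), b in sorted(buckets.items()) if len(b["users"]) >= min_users]

def successes_from_flagged_ips(records, candidates, window_minutes=60):
    """Accounts with a login_success from a flagged IP in the flagged window: the
    spray-then-success pattern that points at a likely takeover."""
    flagged = {(c["ip"], c["window"]) for c in candidates}
    return sorted({rec["actor"]["email"] for rec in records
                   if (rec.get("ipAddress"), _window(rec, window_minutes)) in flagged
                   and any(ev.get("name") == "login_success" for ev in rec.get("events", []))})

if __name__ == "__main__":
    hits = spray_candidates(SAMPLE_EVENTS)
    print(hits, "successful logins from flagged IPs:", successes_from_flagged_ips(SAMPLE_EVENTS, hits))
```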

Data Sources

Name | Platform | Sourcetype | Source
Google Workspace login_failure | N/A | gws:reports:admin | gws:reports:admin
Google Workspace login_success | N/A | gws:reports:admin | gws:reports:admin

Source: GitHub | Version: 1