Analytics Story: GCP Account Takeover
Description
Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.
Why it matters
Account Takeover (ATO) is an attack in which cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. By posing as the real user, they can change account details, send phishing emails, steal financial information or other sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google Cloud accounts.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Google Workspace login_failure | N/A | gws:reports:admin | gws:reports:admin |
Google Workspace login_success | N/A | gws:reports:admin | gws:reports:admin |
References
- https://cloud.google.com/gcp
- https://cloud.google.com/architecture/identity/overview-google-authentication
- https://attack.mitre.org/techniques/T1586/
- https://www.imperva.com/learn/application-security/account-takeover-ato/
- https://www.barracuda.com/glossary/account-takeover
Source: GitHub | Version: 1