The Overlooked Playground: An Attacker's Journey Through GCP
10-18, 10:00–10:50 (America/New_York), Track 1 (206b)
Language: English

This talk provides a comprehensive, attacker-focused exploration of Google Cloud Platform (GCP) security, mapping a full offensive kill chain against the MITRE ATT&CK® framework. We will demonstrate practical techniques for initial access, lateral movement, privilege escalation, and data exfiltration within complex GCP environments. The presentation culminates by pivoting to the defender's view, where we will visualize the entire attack path using Prisma Cloud. From this unified perspective, we will derive actionable best practices and introduce a detection and response strategy, empowering attendees to better secure their own cloud infrastructure.


This talk will present offensive operations within Google Cloud Platform (GCP) environments mapped to the MITRE ATT&CK framework, offering a comprehensive exploration from an attacker's perspective. Drawing on past engagements, research, and an analysis of the latest techniques employed by threat actors within the GCP ecosystem, attendees will gain a clearer understanding of the GCP attack surface and how to secure their cloud infrastructure.

We will start by presenting the GCP resource hierarchy (organization, folders, projects, and the resources inside them) and the IAM model specific to GCP: permissions, roles, and how policy bindings set at one level of that hierarchy are inherited by everything below it.

We will then cover reconnaissance and initial access methods specifically tailored to GCP environments. The techniques range from OAuth2-based phishing and targeted spear-phishing campaigns delivered through external communication applications to the exploitation of service accounts and exposed cloud components, all aimed at obtaining an initial foothold within the GCP infrastructure.

Following the exploitation path and attack lifecycle within a GCP environment, we will then present lateral movement techniques across GCP components and resources, along with multiple persistence techniques and procedures and the opportunities for privilege escalation they open up. This part of the talk will also show how IAM roles and permissions are abused through overprivileged basic (primitive) roles and predefined roles, where a single binding such as Editor, or a role that allows acting as or minting tokens for a service account, is enough to take over other principals.

Next, the talk will examine specific credential access techniques within GCP environments, showing what an attacker can obtain once inside: service account keys, short-lived access tokens, metadata-server credentials, and the capabilities that come with them.

The offensive demonstration will conclude with high-impact techniques such as abusing a service account with Google Workspace domain-wide delegation and other Workspace integrations. We will then pivot to the defender's view, bringing the entire narrative together. The complete attack chain, from the first foothold to the final exfiltration, will be presented through Prisma Cloud's attack path view, showing how a modern security platform can connect the dots in real time. From this visualization, we will derive actionable best practices to secure, detect, and defend against these very threats, showing attendees how to turn threat intelligence into hardened infrastructure.

This talk will introduce TTPs tailored to red team operators and penetration testers, and equally useful to security operations teams that need to assess and monitor their GCP environments and identify misconfigurations within them.
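As an added example (not code from the talk, nor from the tool the speaker is releasing), the following stdlib-only Python checker applies the overprivileged-basic-role and escalation-prone-predefined-role idea from the attack-lifecycle section to a project IAM policy, which is the kind of misconfiguration assessment the previous paragraph has in mind for security operations teams. The policy document and the custom role definitions below are constructed for the example; the role and permission names are real GCP identifiers, but the list is a starting point rather than an exhaustive catalogue of escalation paths.

```python
"""
Flag escalation-prone bindings in a GCP project IAM policy (stdlib only).

Input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints.
Added example for this page; not the speaker's tool.
"""
import json
import sys
from dataclasses import dataclass
from typing import Optional

# Basic ("primitive") roles. Owner and Editor are catch-all grants on the whole project.
BASIC_OVERPRIVILEGED = {"roles/owner", "roles/editor"}

# Predefined roles whose permissions let the holder mint credentials for, act as,
# or re-grant access to other principals: the classic GCP escalation primitives.
ESCALATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator": "can mint access tokens / sign JWTs as service accounts in scope",
    "roles/iam.serviceAccountKeyAdmin": "can create long-lived keys for service accounts in scope",
    "roles/iam.serviceAccountUser": "can actAs service accounts (attach them to new workloads)",
    "roles/iam.securityAdmin": "can rewrite IAM policies (setIamPolicy)",
    "roles/resourcemanager.projectIamAdmin": "can rewrite the project IAM policy",
    "roles/iam.roleAdmin": "can edit custom roles (iam.roles.update)",
}

# Permissions to look for inside custom roles, which the policy references only by name.
ESCALATION_PERMS = {
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccountKeys.create",
    "iam.roles.update",
    "resourcemanager.projects.setIamPolicy",
}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    member: str    # principal, e.g. "user:alice@example.com"
    role: str
    reason: str


def load_policy(text: str) -> dict:
    """Parse the JSON emitted by `gcloud projects get-iam-policy --format=json`."""
    return json.loads(text)


def analyze_policy(policy: dict, custom_roles: Optional[dict] = None) -> list:
    """Return one Finding per (member, role) pair that widens the attack surface.

    custom_roles maps a custom role name to its permission list; it is assumed to have
    been fetched separately (e.g. `gcloud iam roles describe`), since the policy itself
    carries only role names.
    """
    custom_roles = custom_roles or {}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # An IAM Condition narrows when the grant applies; keep the finding, lower the severity.
        conditioned = "condition" in binding
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(Finding("HIGH", member, role, "granted to a public principal"))
            if role in BASIC_OVERPRIVILEGED:
                findings.append(Finding("HIGH", member, role, "basic role grants near-unrestricted project access"))
            elif role in ESCALATION_ROLES:
                findings.append(Finding("MEDIUM" if conditioned else "HIGH", member, role, ESCALATION_ROLES[role]))
            elif role in custom_roles:
                hits = sorted(set(custom_roles[role]) & ESCALATION_PERMS)
                if hits:
                    findings.append(Finding("HIGH", member, role, "custom role carries " + ", ".join(hits)))
    return findings


# Constructed sample policy; the compute default SA holding Editor is the classic default misconfiguration.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "projects/example-project/roles/deployer", "members": ["group:devs@example.com"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"],
         "condition": {"title": "temp", "expression": 'request.time < timestamp("2026-01-01T00:00:00Z")'}},
        {"role": "roles/logging.viewer", "members": ["user:carol@example.com"]},
    ],
}
# Constructed custom role definition (hypothetical name "deployer").
SAMPLE_CUSTOM_ROLES = {
    "projects/example-project/roles/deployer": ["cloudfunctions.functions.create", "iam.serviceAccounts.actAs"],
}

if __name__ == "__main__":
    # `python3 iam_check.py -` reads a real policy from stdin; otherwise the sample is analysed.
    policy = load_policy(sys.stdin.read()) if sys.argv[1:] == ["-"] else SAMPLE_POLICY
    for f in analyze_policy(policy, SAMPLE_CUSTOM_ROLES):
        print(f"[{f.severity}] {f.member} -> {f.role}: {f.reason}")
```

Two caveats a reviewer would want stated: the project policy is only one layer, since bindings inherited from the folder or organization and per-resource policies on individual service accounts (`gcloud iam service-accounts get-iam-policy`) grant the same escalation capabilities without appearing here, so a full assessment walks the whole hierarchy; and a conditional binding is downgraded rather than dropped, because an attacker who can satisfy the condition (or who arrives before an expiry) still gets the grant.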


Are you releasing a tool? – yes

As a Cybersecurity Solution Consultant at Palo Alto Networks, Clément Cruchet is backed by experience in offensive security, network security, and incident response. This provides a holistic view of the full attack lifecycle. In this talk, he applies this expertise to GCP to show how to attack the platform and how to build a modern defense.