Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs - Gabriel Fried

00:00

all right we're going to uh we're going

00:01

to get right back into it uh our next

00:04

talk is uh who touched my gcp project

00:07

understanding the principal part in

00:09

Cloud audit logs uh before we get

00:11

started I'd like to thank our sponsors

00:13

specifically per

00:15

miso uh permiso is a threat detection

00:18

company that finds evil in cloud-based

00:20

environments detection in identity cloud

00:22

and SAS environments have suffered too

00:23

long from a one siiz fits-all sim

00:25

approach modern environments require a

00:27

purpose-built platform periso uses human

00:30

non-human identity attribution to pair

00:31

runtime and static data in cloud and SAS

00:33

into complete sessions where detections

00:35

no longer have to rely on single events

00:38

pera's platform provides High Fidelity

00:40

High resiliency and maximum content for

00:42

actionable detections that cut through

00:43

the Noise by analyzing human and

00:45

non-human entitlements and behavior

00:47

across authentication boundaries periso

00:49

gives companies a complete picture of

00:51

every entity operating in and across

00:52

their Cloud environments and does not

00:54

allow threat actors to hide in silos of

00:56

overwhelming Cloud activity data please

00:58

welcome Gabrielle

01:00

[Applause]

01:03

hello can you hear me awesome hey

01:06

everyone and welcome to who touch my gcp

01:08

project where today we're going to learn

01:10

about the principal part in gcp audit

01:13

logs every day in our environment we

01:15

could have gcp buckets being accessed

01:18

jobs being created and unfortunately

01:20

cyber security incidents now sadly we

01:23

could lose a lot of time and

01:25

unfortunately money on false

01:27

investigations when we can understand

01:29

who who did what and how so in order to

01:33

resolve this and have lower time loss

01:36

and possibly not any loss of money it's

01:39

critical for us to understand who

01:40

touched our gcp project so in order to

01:44

do so I'd like to go today over some gcp

01:47

principles and logs we have service

01:50

accounts and Service agents where do

01:52

they come into play workload identities

01:54

and Workforce identities what solution

01:57

they provide and we'll mention some

01:59

cases that Google redacts caller

02:01

identities and IP

02:05

identities I'm Gabriel freed I'm a

02:08

senior security researcher at mtiga I

02:10

have 10 years experience in cyber

02:11

security this is my first conference I'm

02:13

talking in and I'm a whiskey dude so if

02:16

anyone knows where I could get a drink

02:17

please let me

02:19

know so let's talk about gcp principle

02:22

and logs we

02:23

have in gcp we could categorize three

02:26

main identity types we have users

02:28

workload identity and service accounts

02:31

where Workforce identities which I

02:32

mentioned are somehow a hybrid between

02:34

the first two users are like human

02:37

entities like me and you logging in with

02:39

our emails to access our gcp resources

02:42

workload identities provide external

02:44

entities coming from things like

02:47

external Cloud providers in SAS access

02:49

to our gcp resources and service

02:52

accounts are for service to service

02:54

operations meaning if we have some

02:56

resource needing tax as another it will

02:58

use this as as its

03:01

entity in gcp we have four kind of log

03:05

categories we could which we could

03:06

categorize we have service logs which

03:09

are for standard error and outputs we

03:12

have agent logs which are for agents

03:15

which we could install on certain gcp

03:17

resources and get information from that

03:20

agent we have Network logs which are for

03:24

VPC flow logs Nat gateways and firewall

03:28

rules and what will focus on

03:30

today the cloud audit logs the cloud

03:33

audit logs tell us who did what and

03:36

where and they could be categorized into

03:39

two sections data access and admin

03:41

activity where data access is stuff

03:44

we're using to access certain data and

03:46

admin activity is about administrative

03:48

operations an example for this could be

03:51

a creation of a bucket would be under

03:53

admin activity but accessing the data in

03:56

the bucket would be under data access so

03:58

these are the four types of logs you

04:02

could categorize in

04:04

gcp in our Cloud audit logs we have a

04:06

section called authentication info this

04:09

tells us who did what and

04:12

how and it tells us the authentication

04:15

method a principal email a service

04:18

account key information which we'll talk

04:20

about in service account section it will

04:22

tell us about third party information

04:25

and some delegation info for delegated

04:27

impersonations which we'll talk about

04:29

later later on this structure looks

04:31

something like

04:33

this we could see in this structure we

04:35

have another structure called service

04:37

account delegation

04:39

info this is for impersonation chain of

04:42

service account and Service agents which

04:44

we'll talk about later down the line but

04:47

this section just to keep in mind looks

04:49

something like this so something small

04:51

we can remember we have four SE types of

04:54

logs three main identities and two

04:57

interesting structures so once we talked

05:00

about that let's shift to the service

05:02

account and Service

05:04

agents what are service accounts service

05:07

accounts provide an identity for a

05:09

resource to access another resource and

05:11

an example usage for this to get this

05:13

into our uh head is kind of like having

05:16

an application on a VM which needs to

05:19

access our gcp bucket so this will be

05:22

done using a service account we could

05:24

identify these by the GS service

05:26

account.com prefix

05:30

wait okay there are three types of

05:33

service accounts service accounts just

05:35

to a head start when they authenticate

05:37

they needs credentials which are usually

05:40

ajon or p12 key so we have three main

05:43

categories we have user which are

05:45

custommade built-in service accounts and

05:48

Google manage service accounts the

05:51

custom ones that a user could create are

05:54

we could act we could give them certain

05:56

types of roles specific Scopes and we

05:58

manage their keys

06:00

for access the Google built-in service

06:03

accounts are kind of Google's way to

06:05

give to give us a head start on certain

06:07

services for example if we have the

06:09

Google compute engine and we enable this

06:11

API Google will create the service

06:14

account and its keys to get us started

06:16

and the Google managed are technically

06:18

what we will later refer to as the

06:20

service agents but these are for

06:21

internal operations happening in our

06:24

Google environment and their keys are

06:26

completely managed by

06:28

Google so

06:30

how can we access these service accounts

06:32

well we have two types of meth methods

06:34

of accessing them through through

06:38

activation and through impersonation

06:40

when we activate a service account we're

06:42

essentially logging in as the service

06:45

account we need to provide a key and

06:47

then we're essentially if our g-cloud uh

06:50

command is activating it we're kind of

06:53

logged in as disservice account this

06:55

could be done using this command

07:00

now this is what I'd call a bad

07:02

impersonation but now let's talk about

07:05

service account

07:07

impersonations a service account

07:08

personation allows a service account to

07:11

act on our behalf to access a certain

07:14

Resource as we could see here a user

07:16

might need to impersonate a service

07:17

account to access a resource this

07:19

service account has this will allow us

07:22

to have temporary credentials to the

07:23

service account to access the

07:27

resource now we could have legitimate

07:29

cases for impersonation some malicious

07:32

cases for

07:33

impersonation and two types of

07:35

impersonations a legitimate case could

07:37

be when we want to delegate access

07:39

because we don't want our users to

07:40

always have access to everything we

07:43

might need this to automate tasks on

07:45

certain software we have to impersonate

07:47

service accounts for resources and we

07:50

might want to De like give external

07:52

entities access to our resources which

07:55

we'll talk about later on to get um

07:58

resources from outside into our gcp

08:00

environment a malicious actor might use

08:03

this to either exfiltrate data cuz a

08:06

service account might have the right

08:07

permissions escalate their privileges

08:09

because it might have higher Privileges

08:11

and certain types of attacks using their

08:14

behavior and to possibly cover their

08:16

tracks why because you might say Okay a

08:19

service account is operating in these

08:20

logs it's all

08:22

good now there are two forms of

08:25

impersonation one is the activation we

08:27

mentioned previously and one is a

08:29

specific

08:29

invocation what happens when we have a

08:31

specific invocation we're essentially

08:34

getting temporary credentials to act on

08:36

one certain command to to allow this

08:39

service account to act on our behalf

08:42

what we need for this is a role called

08:44

service account token Creator why

08:47

because what happens when we impersonate

08:49

we're generating an access token which

08:51

allows us to have temporary credentials

08:53

for the service account to allow it to

08:55

operate on our behalf so we understood

08:58

so far that in service accounts we have

09:01

activation and impersonation let's see

09:03

how this looks in our audit

09:06

logs when we're activating a service

09:08

account as we mentioned we're

09:10

essentially logging in as the service

09:12

account so the authentication info

09:14

section will tell us our principal email

09:16

was the actual service account operating

09:19

because now our session is as the

09:20

service account but when we impersonate

09:23

a service account we will see our user

09:26

which is instigating this specific

09:28

invocation in

09:30

impersonation doing a generate access

09:33

token operation to get the token for the

09:36

service account and in our resource

09:38

section of the logs we will see our

09:40

service account as what we're trying to

09:43

impersonate so this is how these look in

09:46

the logs but we mentioned before

09:48

something called delegation chains so

09:50

what is that a service account

09:52

delegation chain means that sometimes we

09:55

might need to have several

09:57

impersonations going out because service

10:00

account needs doesn't have the

10:01

sufficient permissions to do something

10:03

it needs another service account or you

10:05

might want to move around some type of

10:07

permissions so a user might impersonate

10:10

service account a which needs to

10:12

impersonate service account B to access

10:14

our resources for this we'll need the

10:16

get access token and again the service

10:18

account token

10:20

Creator now let's see how this looks and

10:23

belongs when we're starting a delegation

10:25

chain we will see the invoker or in this

10:27

case our username

10:30

doing a generate access token for the

10:32

full list of service account we need to

10:34

impersonate because each entity in this

10:36

chain will now also need to generate an

10:38

access token for the next one in the

10:41

chain but when we see sorry yes but when

10:46

we see the operations happening with the

10:48

delegation chain what we'll actually see

10:51

is oh sorry is the last service account

10:54

in our delegation chain which we needed

10:56

to actually access our resources but in

11:00

the um identity delegation info we'll

11:03

see the reverse order of who actually

11:06

initiated this operation which is

11:08

critical because if we see an operation

11:10

an operation happen in an incident you

11:12

could trace this back to the actual

11:14

original

11:15

invoker but sometimes because we

11:18

mentioned each one needs to generate an

11:19

access token we're not sure if this

11:21

started as a specific invocation or a

11:23

delegation chain well for this I have a

11:26

tip you could look at the permission Cod

11:30

when we see an event for generating a

11:32

token if we have a single invocation our

11:35

permission will be the get access token

11:38

and our identity will only involve one

11:41

service account but when we're starting

11:43

a delegation our permission scope will

11:45

involve implicit delegation and in our

11:49

resources we will see the information uh

11:52

sorry in our metad data we will see the

11:53

information of all the identities we

11:55

want to

11:57

impersonate so so far we understood that

11:59

service accounts have these operations

12:02

impersonations and delegation chains now

12:05

I'd like to talk about the curist case

12:07

the Google uh compute engine default

12:10

service account we mentioned that

12:12

default service accounts are kind of

12:13

like a hit start to our operations right

12:16

so one of these is the Google compute

12:18

engine service now Google allows us to

12:22

attach our own custom service account to

12:24

AVM if we want certain operations to

12:27

happen and this will be the entity

12:30

acting for this virtual machine kind of

12:32

like managed identities if anyone knows

12:35

how they are in Azure so what I'd expect

12:38

the behavior to be is that we see an

12:40

operation from this VM Happening by this

12:42

attached uh service account what we

12:45

noticed

12:46

is that each operation even with an

12:49

attached service account actually

12:51

happens by a delegation from the default

12:53

computer engine service account so

12:55

seeing this is not like something

12:56

unusual but it's just unusual as a

12:58

behavior and something cool to

13:01

notice so now let's talk about Service

13:05

agents Service agents act on behalf of

13:08

like certain type of services in Google

13:11

they're usually attached to them like

13:12

the Google Sync uh for logging operation

13:15

these things are logged for transparency

13:18

and their keys that we mentioned before

13:20

like we use for Activation are

13:21

completely managed by Google and

13:23

therefore you cannot impersonate Service

13:25

agents uh here are some example of

13:27

Service agents but I'd highly recommend

13:30

looking at Google's documentation for a

13:32

full list let's see how Service agents

13:35

look in our logs um here again we see

13:38

our Google compute engine default

13:40

service account which we remember and

13:44

this was actually an operation invoked

13:46

by our service agent as we see over here

13:49

so this kind of sums up our service

13:51

agents and service account section we

13:54

learn about impersonation delegation

13:56

chains word cases with the GCE and

13:59

Service agents now let's talk about

14:01

workload identities and Workforce

14:03

identities workload identities provide

14:06

external cloud cloud providers or SAS

14:09

applications and identity to access our

14:12

gcp resources why would we need the

14:14

solution because we mentioned that

14:17

sometimes we might want to uh get a

14:19

service account through keys or log into

14:21

our gcp environment and having keys

14:23

around is a security risk and we also

14:26

don't want the complexity of managing

14:28

external entities so what solution do we

14:30

have the solution here is that we have

14:32

keyless authentication because we have

14:35

an IDP trust to our gcp environment now

14:38

let's see how this

14:40

works our workload entity will then will

14:44

first start by authenticating with its

14:46

external IDP it will then get its

14:49

credentials back from the IDP and send

14:52

these credentials to the Google SDS

14:54

service which is the security token

14:56

service in Google which verifies the

14:58

authentication with the IDP once this

15:01

entity is is verified the SDS will

15:05

return a gcp access token now we

15:08

remember what we could do with these

15:09

tokens we can

15:12

impersonate a service account which

15:14

gives us access to the gcp resource so

15:17

this is how this works now let's see how

15:19

we could identify these things in our

15:21

logs let's talk about the SDS to token

15:24

Exchange in our

15:26

logs something really cool here is we

15:29

have an external workload identity

15:31

coming from AWS where we could see this

15:33

the account ID the role it assumed and

15:36

the session ID which means like for

15:39

forensic investigations this is gold

15:41

because we could trace something all the

15:43

way back to a specific session ID in

15:45

AWS um we will see here um Google giving

15:50

us a mapped identity for this external

15:53

entity this is how this identity will

15:55

now be represented in our logs and the

15:57

operation will be the token exchange for

16:01

Google here's another example but why am

16:04

i showing you first the mapped identity

16:06

because what we see here is that when it

16:09

comes from Azure we get the object ID

16:12

which we could trace back to a to Azure

16:14

if we had an incident starting from

16:17

there so once we have our token we our

16:20

STDs token we want to impersonate a

16:22

service account so what we see here is

16:25

that we're starting with our maap entity

16:27

which we saw in the token Exchange

16:28

change doing a generate access token for

16:32

a resource which is the service account

16:35

which we need to impersonate to access

16:37

our

16:38

logs this before what we saw sorry was

16:42

an AWS which we know what we could trace

16:44

back but now let's see what happened

16:47

once we

16:48

impersonated once we're impersonated or

16:51

AWS we will see a service account

16:53

operating cuz we already impersonated

16:56

and our our principal subject in the in

16:58

the

16:59

in the service account delegation info

17:01

will be our external entity now GitHub

17:04

has something called GitHub actions

17:06

which are for cicd operations which on

17:09

uh which kind of like on P requests

17:11

could allow us to like spawn VMS to try

17:14

check our deployment so what we see here

17:16

is a service account operating but our

17:18

principal subject is actually a GitHub

17:21

and we get it straight from the

17:22

repository the path all the way up to

17:24

the pr of what spawn or did actions in

17:28

our G GP environment which is really

17:30

cool cuz if someone had access to our GC

17:32

to our GitHub we can actually trace this

17:34

all the way back to

17:36

gcp let's talk a little bit about work

17:38

force identity Federation this is

17:41

essentially kind of like the same

17:43

solution but for users but without

17:45

impersonation a user authenticates the

17:47

IDP and then has direct access to our

17:49

gcp environment the solution here is

17:52

that also we don't have to sync users if

17:54

anyone knows entra ID and on Prem you

17:56

have to sync your users and you have to

17:58

manage them we could manage them using

18:00

Workforce identity

18:02

pools this is how Google describes the

18:04

operation fairly similar but no

18:07

impersonation where we authenticate to

18:09

the IDP get a token verified and access

18:12

our gcp resources the way this will look

18:14

in our logs is fairly similar the way

18:17

our user authenticated to its IDP in

18:19

this case a user a user add an

18:23

email Short Pop Quiz let's see if anyone

18:26

got anything so far few seconds let's

18:28

see if anyone can understand what

18:30

happened

18:42

here so what happened here something I

18:45

need I I I stumbled upon myself was that

18:48

I saw a service account operating but I

18:51

saw this uh principal subject that SVC

18:54

ID goo which I didn't understand what it

18:56

was this is actually

18:59

the Google kubernetes engine default

19:01

service account attached with an IM

19:03

policy to a service account so this is a

19:06

hint if we're investigating anything

19:08

from Google kubernetes engine and we see

19:10

the SBC goog we could even Trace things

19:12

back to the name space and the

19:14

kubernetes service account that we had

19:16

inside our environment which is really

19:18

cool for

19:19

investigations now let's have a short

19:21

brief about cases where Google redacts

19:24

caller IPS or caller

19:26

identities uh in big query sometimes we

19:28

have cross project access with different

19:30

domains so Google might redact this for

19:32

privacy gdpr and all those fun reasons

19:35

uh call or email in Virtual networks

19:38

they might call it Google internal and

19:40

if we have the MS without external IPS

19:42

they might just call it like Google

19:44

internal or remove it I highly recommend

19:47

looking at Google's documentation for

19:48

all the use cases we

19:51

have so in order to summarize this up We

19:55

Now understand the different types of

19:57

identities how they look in our logs and

19:59

how we could investig investigate these

20:01

incidents I would like you tomorrow to

20:03

check your gcp logs see if you could

20:06

understand what happened there in a week

20:08

from now if you have an incident can you

20:10

tie it back and in a month write

20:12

detections based on your uh environment

20:15

impersonation patterns and what you know

20:18

if there's one thing I could have you

20:19

all take away from this is that once we

20:21

understand the principles we could

20:23

easily investigate and understand who

20:25

touched our gcp project thank you very

20:28

much that was gel

20:38

freed were all the were all the logs

20:40

that you showed in the default audit

20:42

logs that are enabled by default or did

20:43

you have to turn on data access dat yeah

20:46

so some of them were from data access

20:47

and someone for the from the audit LS

20:51

that that that link oh this link is just

20:54

my LinkedIn if anyone feel free yeah

20:57

yeah uh one other question great talk by

20:59

the way um one of the things we've

21:01

noticed when we see ransomware in gcp is

21:03

that um their mechanism for persistence

21:06

is to create a service account but try

21:07

to make it look like a service agent

21:08

with nomenclature um do you have any

21:10

tips on like identifying that inside the

21:12

delegation chain or anything like that

21:14

so A few things you could have is first

21:16

of all Google has an immense list of all

21:18

the service agents there are specific

21:20

like uh resources which have designated

21:23

Service agents another cool thing which

21:25

I also noticed myself is that each

21:27

listed service agent they might try to

21:30

Def fake has a list of of specific uh

21:33

roles it should have so if you see it

21:36

acting something that it shouldn't be

21:37

doing that's a really cool point because

21:39

for some reason Google allows you to add

21:41

additional roles but they're like don't

21:44

do it you might break stuff but yeah so

21:47

if you'd see it

21:48

operating hi uh so I actually work at

21:50

Google then that's it's a good talk I

21:52

actually didn't know as much about uh Ro

21:54

delegation and service account we

21:55

because I re use mostly Borg but uh we I

21:58

I have a service called access

21:59

transparency which which I don't know if

22:00

youve used which tells you when googlers

22:02

access your data have you had experience

22:04

with that and I thought I was getting

22:05

your thoughts so I'm aware of the access

22:07

transparency log which like Google kind

22:09

of like allows you to see what they're

22:10

doing but I haven't seen the logs myself

22:13

to ingate cuz like what I know from Main

22:16

detection and investigation people go to

22:19

the cloud audit but that's something I

22:21

definitely should look

22:22

into thank Gabrielle cheers

22:27

[Applause]