Talk With an Expert

ATT&CK-Based Live Response for GCP CentOS Instances

ATT&CK-Based Live Response for GCP CentOS Instances (PDF, 5.90MB)Published: 22 Jul, 2020
Created by
Allen Cox

As organizations increasingly invest in cloud service providers to host data, applications, and services, incident responders must detect and respond to malicious activity across several major platforms. With nearly one-third of the cloud infrastructure market share, Amazon Web Services (AWS) dominates the information security scientific literature. However, of the other major cloud providers, Google Cloud Platform (GCP) experienced the most significant annual growth in 2019 (Canalys, 2020), and as a result, defenders can expect to respond more frequently to incidents in GCP. This research examines the data sources available to responders on GCP CentOS compute instances and within the cloud platform. Using MITRE ATT&CK to identify attacker tactics and Red Canary's Atomic Red Team to generate test data, this research proposes a live response script to collect the essential data that responders will need to identify the discussed tactics.