Google Cloud Platform (GCP) failed to log critical event data in enough detail to support detection of compromise and forensic analysis during post-compromise investigations. Researchers found that even with storage access logs enabled, the logs did not provide enough detail: gaps in the forensic record around data exfiltration left an unclear picture of what happened. For example, a variety of distinct events, such as reading a file or downloading its data, are recorded under a single type of access, so analysts cannot piece together what actually occurred. Adequate visibility through detailed logging of events in cloud services is key to understanding what happened during a compromise. Forensic investigators rely on logs to determine what happened, what data may have been at risk, and what threat actors accomplished.
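As an added example (not from the original article or from the researchers' work), the following Python sketch applies the point above to constructed GCS Data Access audit log lines: it aggregates storage.objects.get events per principal over a time window and, because that single method covers both a metadata read and a full download, treats the result as an upper bound on possible exfiltration rather than proof of it. The method name and field layout follow Cloud Audit Logs; the principals, bucket and object names are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed GCS Data Access audit log lines (JSON, one entry per line). The field
# layout (protoPayload.methodName, authenticationInfo.principalEmail, resourceName)
# follows Cloud Audit Logs, but every value below is made up for this example.
SAMPLE_LOG = """
{"timestamp":"2024-01-01T10:00:00Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/_/buckets/finance/objects/q1.csv"}}
{"timestamp":"2024-01-01T10:00:05Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/_/buckets/finance/objects/q1.csv"}}
{"timestamp":"2024-01-01T10:01:00Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/finance/objects/q1.csv"}}
{"timestamp":"2024-01-01T10:01:10Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/finance/objects/q2.csv"}}
{"timestamp":"2024-01-01T10:01:20Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/finance/objects/q3.csv"}}
{"timestamp":"2024-01-01T10:30:00Z","protoPayload":{"methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/finance/objects/q4.csv"}}
{"timestamp":"2024-01-01T10:02:00Z","protoPayload":{"methodName":"storage.objects.list","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"},"resourceName":"projects/_/buckets/finance"}}
"""


def parse_entries(text):
    """Parse JSON-lines audit log text into (timestamp, principal, method, resource) tuples."""
    out = []
    for line in text.strip().splitlines():
        entry = json.loads(line)
        payload = entry["protoPayload"]
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        out.append((ts, payload["authenticationInfo"]["principalEmail"],
                    payload["methodName"], payload["resourceName"]))
    return out


def max_distinct_objects(entries, window=timedelta(minutes=5)):
    """Per principal: the largest number of distinct objects touched via
    storage.objects.get inside any window. The log records a metadata read and a
    full download under this one method, so the count is an upper bound on what
    could have been downloaded, not evidence that it was."""
    by_principal = defaultdict(list)
    for ts, principal, method, resource in entries:
        if method == "storage.objects.get":
            by_principal[principal].append((ts, resource))
    result = {}
    for principal, events in by_principal.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        result[principal] = best
    return result


def flag_bulk_access(entries, threshold=3, window=timedelta(minutes=5)):
    """Principals whose burst of object gets reaches the threshold; a triage lead, not a verdict."""
    return sorted(p for p, n in max_distinct_objects(entries, window).items() if n >= threshold)
```

Any hit still needs corroboration from other sources (for example egress volume or client IP fields) because the access log alone cannot say whether the object bytes left the bucket.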

