The blog post discusses the role of detection engineers and security analysts in identifying and preventing threats in Google Cloud. It uses the MITRE ATT&CK cloud framework to classify attacker behaviors by their intent, and it groups the resulting detections into "known knowns" and "unknown knowns."
Known knowns:
- Service account key creation
- Google Cloud Compute Engine—GPU-based VM creation
- Use of default service accounts outside of Google Cloud
- Exfiltration of data via Google Cloud SQL
- Google Compute Engine project metadata SSH key addition or modification
- Creation of a privileged service account
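The list above names detections without showing what one looks like in practice. The following is an added example, not code from the blog post or from Google, that implements four of the listed "known knowns" as rules over constructed Cloud Audit Log entries: service account key creation, GPU-backed VM creation, a project-wide SSH key change through common instance metadata, and a privileged role being granted to a service account. The field paths (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `request`, `serviceData.policyDelta.bindingDeltas`) follow the Cloud Audit Logs schema as I understand it; the method names and the set of roles treated as privileged are assumptions you should check against your own logs, and the sample entries are constructed rather than captured.

```python
"""Toy detection rules for four of the listed 'known knowns', run over
constructed Google Cloud Audit Log entries.  Field paths follow the Cloud
Audit Logs schema; method names and the privileged-role set are assumptions
to verify against real logs.  Sample entries are constructed, not captured."""

# Constructed sample entries, reduced to the fields the rules read.
SAMPLE_ENTRIES = [
    {"protoPayload": {  # 1: a user mints a long-lived service account key
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/-/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com",
    }},
    {"protoPayload": {  # 2: a VM is created with a GPU attached
        "methodName": "v1.compute.instances.insert",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "request": {"name": "gpu-box-1",
                    "guestAccelerators": [{"acceleratorType": "nvidia-tesla-t4",
                                           "acceleratorCount": 1}]},
    }},
    {"protoPayload": {  # 3: an SSH key is pushed to project-wide metadata
        "methodName": "v1.compute.projects.setCommonInstanceMetadata",
        "authenticationInfo": {"principalEmail": "carol@example.com"},
        "request": {"metadata": {"items": [
            {"key": "ssh-keys", "value": "carol:ssh-ed25519 AAAA...constructed carol"}]}},
    }},
    {"protoPayload": {  # 4: a service account is granted roles/owner
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "dave@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "serviceAccount:app-sa@example-project.iam.gserviceaccount.com"}]}},
    }},
    {"protoPayload": {  # 5: ordinary VM creation without a GPU -> no finding
        "methodName": "v1.compute.instances.insert",
        "authenticationInfo": {"principalEmail": "erin@example.com"},
        "request": {"name": "web-1"},
    }},
]

# Assumed set of roles treated as privileged; extend for your environment.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}


def sa_key_created(p: dict) -> bool:
    """Known known: user-managed service account key creation."""
    return p.get("methodName") == "google.iam.admin.v1.CreateServiceAccountKey"


def gpu_vm_created(p: dict) -> bool:
    """Known known: Compute Engine instance insert requesting guest accelerators."""
    return (p.get("methodName", "").endswith("compute.instances.insert")
            and bool(p.get("request", {}).get("guestAccelerators")))


def project_ssh_key_modified(p: dict) -> bool:
    """Known known: project metadata write that touches the ssh-keys item."""
    if not p.get("methodName", "").endswith("compute.projects.setCommonInstanceMetadata"):
        return False
    items = p.get("request", {}).get("metadata", {}).get("items", [])
    return any(item.get("key") in ("ssh-keys", "sshKeys") for item in items)


def privileged_sa_binding(p: dict) -> bool:
    """Known known: IAM policy change adding a privileged role to a service account."""
    if p.get("methodName") != "SetIamPolicy":
        return False
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return any(d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ROLES
               and d.get("member", "").startswith("serviceAccount:") for d in deltas)


RULES = {
    "service_account_key_creation": sa_key_created,
    "gpu_vm_creation": gpu_vm_created,
    "project_metadata_ssh_key_change": project_ssh_key_modified,
    "privileged_service_account_binding": privileged_sa_binding,
}


def run_detections(entries):
    """Return (rule_name, acting_principal) for every entry that matches a rule."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        for name, rule in RULES.items():
            if rule(payload):
                findings.append((name, actor))
    return findings


if __name__ == "__main__":
    for name, actor in run_detections(SAMPLE_ENTRIES):
        print(f"{name}: {actor}")
```

Each rule keys on the audit-log method name first and only then inspects the request or policy delta, which keeps false positives down (entry 5, a plain VM insert, produces nothing). In a real pipeline the same predicates would sit behind a log sink or SIEM query rather than a Python loop, and the privileged-role set and member-type check would be tuned to the organisation's own IAM conventions.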