{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gcp-pub/sub/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GCP Pub/Sub"],"_cs_severities":["low"],"_cs_tags":["gcp","pubsub","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThe Google Cloud Platform (GCP) Pub/Sub service facilitates asynchronous messaging between applications. A publisher application creates and sends messages to a topic, and subscriber applications receive those messages. Deleting a Pub/Sub topic can interrupt this communication, potentially disrupting services that rely on the topic for message flow. This action can be exploited by attackers as a defense evasion technique to impair logging or event-driven automation. This rule identifies the deletion of a topic in Google Cloud Platform (GCP) by monitoring audit logs for \u003ccode\u003egoogle.pubsub.v*.Publisher.DeleteTopic\u003c/code\u003e events. Defenders should investigate unexpected topic deletions, as they might indicate malicious activity or unauthorized access. The activity is logged in GCP audit logs, and can be accessed via the GCP Fleet integration or Filebeat module.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GCP account with sufficient permissions to manage Pub/Sub topics.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Pub/Sub topics to identify a target for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003egoogle.pubsub.v*.Publisher.DeleteTopic\u003c/code\u003e API call to delete the target topic.\u003c/li\u003e\n\u003cli\u003eThe GCP audit logs record the successful topic deletion event with event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success.\u003c/li\u003e\n\u003cli\u003eApplications that publish to or subscribe from the deleted topic experience disruptions in message flow.\u003c/li\u003e\n\u003cli\u003eLogging or event-driven automation that relies on the deleted topic is impaired, potentially hindering incident response or security monitoring.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a Pub/Sub topic can disrupt critical services and impair defenses, leading to delayed incident response and reduced visibility into malicious activities. The impact is service disruption, data loss, and potential concealment of malicious activities. The severity is low, as the deletion itself does not directly compromise data but hinders visibility.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGCP Pub/Sub Topic Deletion\u003c/code\u003e to your SIEM to detect unauthorized topic deletions by monitoring GCP audit logs.\u003c/li\u003e\n\u003cli\u003eReview the audit logs for the specific \u003ccode\u003eevent.action: google.pubsub.v*.Publisher.DeleteTopic\u003c/code\u003e to identify the exact time and user or service account responsible for the deletion, as described in the overview.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and permissions for Pub/Sub topics to prevent unauthorized deletions in the future.\u003c/li\u003e\n\u003cli\u003eMonitor GCP audit logs for any related activities or anomalies around the same timeframe to identify potential malicious intent or unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-gcp-pubsub-topic-deletion/","summary":"Detection of Google Cloud Platform Pub/Sub topic deletions can indicate an attempt to disrupt message flow and potentially evade defenses by impairing logging or event-driven automation.","title":"GCP Pub/Sub Topic Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-29-gcp-pubsub-topic-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - GCP Pub/Sub","version":"https://jsonfeed.org/version/1.1"}