Exfiltration: BigQuery Data Extraction

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

Data exfiltration from BigQuery is detected by examining audit logs for two scenarios:

  • A resource is saved to a Cloud Storage bucket outside of your organization.
  • A resource is saved to a publicly accessible Cloud Storage bucket owned by your organization.

For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.

Event Threat Detection is the source of this finding.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

  1. Open an Exfiltration: BigQuery Data Extraction finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab.

  2. On the Summary tab of the finding details panel, review the listed values in the following sections:

    • What was detected:
      • Principal email: the account used to exfiltrate the data.
      • Exfiltration sources: details about the tables from which data was exfiltrated.
      • Exfiltration targets: details about the tables where exfiltrated data was stored.
    • Affected resource:
      • Resource full name: the name of the BigQuery resource whose data was exfiltrated.
      • Project full name: the Google Cloud project that contains the source BigQuery dataset.
    • Related links:
      • Cloud Logging URI: link to Logging entries.
      • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
      • Related findings: links to any related findings.

  3. In the finding details panel, click the JSON tab.

  4. In the JSON, note the following fields.

    • sourceProperties:
      • evidence:
        • sourceLogId:
        • projectId: the Google Cloud project that contains the source BigQuery dataset.
      • properties:
        • extractionAttempt:
        • jobLink: the link to the BigQuery job that exfiltrated data

Step 2: Review permissions and settings

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. If necessary, select the project listed in the projectId field in the finding JSON (from Step 1).

  3. On the page that appears, in the Filter box, enter the email address listed in Principal email (from Step 1) and check what permissions are assigned to the account.

Step 3: Check logs

  1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
  2. Find admin activity logs related to BigQuery jobs by using the following filters:
    • protoPayload.methodName="Jobservice.insert"
    • protoPayload.methodName="google.cloud.bigquery.v2.JobService.InsertJob"

Step 4: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Exfiltration Over Web Service: Exfiltration to Cloud Storage.
  2. Review related findings by clicking the link on the Related findings row in the Summary tab of the finding details. Related findings are the same finding type on the same instance and network.
  3. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

What's next