Google Cloud Platform (GCP) is a widely used cloud computing platform provided by Google. GCP offers a range of security capabilities to protect cloud data, applications, and infrastructure from threats. These mappings connect GCP security capabilities to adversary behaviors in MITRE ATT&CK®, providing GCP users with a comprehensive view of how native GCP security capabilities can be used to prevent, detect, and respond to prevalent cloud threats. As a result, GCP users can evaluate the effectiveness of native security controls against specific ATT&CK techniques and take a threat-informed approach to understand, prioritize, and mitigate adversary behaviors that are most important for their environment.
GCP Versions: 06.28.2022, 03.06.2025; ATT&CK Versions: 16.1, 10.0; ATT&CK Domain: Enterprise

ID | Capability Group Name | Number of Mappings | Number of Capabilities |
---|---|---|---|
access_transparency | Access Transparency | 2 | 1 |
advanced_protection_program | Advanced Protection Program | 21 | 1 |
artifact_analysis | Artifact Analysis | 12 | 1 |
assured_oss | Assured Open Source Software | 3 | 1 |
backup_and_dr_actifiogo | Backup and DR-Actifio GO | 8 | 1 |
binary_authorization | Binary Authorization | 8 | 1 |
certificate_authority_service | Certificate Authority Service | 2 | 1 |
chrome_enterprise_premium | Chrome Enterprise Premium | 11 | 1 |
cloud_armor | Cloud Armor | 5 | 1 |
cloud_asset_inventory | Cloud Asset Inventory | 4 | 1 |

Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
artifact_analysis | Artifact Analysis | protect | partial | T1068 | Exploitation for Privilege Escalation | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known Linux OS package vulnerabilities in containers built on various distributions (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS). |
artifact_analysis | Artifact Analysis | protect | partial | T1068 | Exploitation for Privilege Escalation | Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for known software vulnerabilities and various system artifacts that could potentially be used to execute adversary-controlled code. Due to the medium threat protection coverage and the temporal factor, this control was scored as partial. |
artifact_analysis | Artifact Analysis | protect | partial | T1078 | Valid Accounts | Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for vulnerabilities that could potentially be used to escalate privileges, such as default accounts with root permissions in Docker containers. Due to the medium threat protection coverage and scan results only becoming available 48 hours after completion, this control was scored as partial. |
artifact_analysis | Artifact Analysis | detect | partial | T1212 | Exploitation for Credential Access | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in OS packages (using vulnerability data from sources such as Debian, Ubuntu, Alpine, RHEL, CentOS, and the National Vulnerability Database) that could be used to escalate privileges and execute adversary-controlled code. Due to the medium threat detection coverage and the temporal factor, the control was scored as partial. |
artifact_analysis | Artifact Analysis | protect | partial | T1525 | Implant Internal Image | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in Docker containers. This information can be used to detect images that deviate from the baseline norm, which could indicate maliciously implanted images in the environment. Due to the medium threat detection coverage and the temporal factor, the control was scored as partial. |
artifact_analysis | Artifact Analysis | protect | partial | T1610 | Deploy Container | Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can scan for known vulnerabilities in containers. This information can be used to detect maliciously deployed containers used to evade defenses and execute processes in a target environment. Due to the medium threat detection coverage and the temporal factor, the control was scored as partial. |
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | protect | partial | T1008 | Fallback Channels | Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known fallback channels by filtering on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified. |
google_secops | Google Security Operations | detect | minimal | T1016.001 | Internet Connection Discovery | Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor. Reference: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral |
google_secops | Google Security Operations | detect | minimal | T1016.002 | Wi-Fi Discovery | Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor. Reference: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral |
mandiant_asm | Mandiant Attack Surface Management (ASM) | detect | significant | T1021 | Remote Services | Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant. |