Google Drive Deficiency Allows Attackers to Exfiltrate Workspace Data Without a Trace

A recent discovery by researchers from Mitiga reveals a significant forensic security deficiency in Google Workspace that allows threat actors to exfiltrate data from Google Drive without leaving any trace. The lack of activity logging in the free subscription of Google Workspace exposes enterprises to potential insider threats and data leaks. Let’s delve into the details of the deficiency and its implications, and look at recommendations for addressing the issue.

The Forensic Security Deficiency

Mitiga’s research team found that the default Cloud Identity Free license, provided to new users in a domain, lacks the log generation necessary for tracking Google Drive activity. While users with paid licenses, such as Google Workspace Enterprise Plus, have visibility through “drive log events,” including copying, deleting, downloading, and viewing files, those with the free license remain invisible. This deficiency hampers organizations’ ability to detect data manipulation and exfiltration attacks, leaving them blind to potential breaches.

Exploiting the Deficiency

The researchers outline two primary scenarios in which the lack of visibility poses a problem. First, if a threat actor compromises an admin user’s account, they can revoke the user’s license, download private files, and reassign the license. Only log records of license revocation and assignment, under “Admin Log Events,” would be generated in this case. Second, an attacker who gains access to a user account that has no paid license but still uses the organization’s private drive can download files without leaving any trace. Employee offboarding also presents a risk, as users without a paid license can download internal files from their private drive or Google Workspace without detection.

Implications and Risk Mitigation

The deficiency in Google Drive’s activity logging leaves organizations vulnerable to insider threats and data exfiltration. To address this issue, Mitiga recommends a proactive approach. Organizations should monitor Admin Log Events for license assignments and revocations occurring in quick succession, as these may indicate threat actors manipulating user licenses. Regular threat hunts within Google Workspace should include searching for these activities. Furthermore, organizations should pay attention to “source_copy” events, which indicate the copying of files from shared drives to private drives for potential data exfiltration. By adopting these practices, organizations can better protect their data and infrastructure.
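
An added example (not from Mitiga or the original article) of the license hunt described above: it pairs each license revocation with the next assignment for the same user and flags pairs that fall within a short window. The event names, record fields and sample records are assumptions constructed for illustration; map them to the Admin Log Events you actually export.

```python
from datetime import datetime, timedelta

# Assumed event names and record fields; adjust to match your exported Admin Log Events.
REVOKE = "USER_LICENSE_REVOKE"
ASSIGN = "USER_LICENSE_ASSIGNMENT"

# Constructed sample records (not real log output).
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:00", "actor": "admin@example.com",
     "event": ASSIGN, "target": "new.hire@example.com"},
    {"time": "2023-06-01T10:02:10", "actor": "admin@example.com",
     "event": REVOKE, "target": "alice@example.com"},
    {"time": "2023-06-01T10:19:45", "actor": "admin@example.com",
     "event": ASSIGN, "target": "alice@example.com"},
    {"time": "2023-06-02T08:00:00", "actor": "hr-admin@example.com",
     "event": REVOKE, "target": "bob@example.com"},
    {"time": "2023-06-09T08:00:00", "actor": "hr-admin@example.com",
     "event": ASSIGN, "target": "bob@example.com"},
]

def find_license_flips(events, window=timedelta(hours=1)):
    """Return revoke -> assign pairs on the same user that fall within `window`."""
    pending = {}  # target user -> (revoke time, actor) of the latest unmatched revoke
    hits = []
    # Same-format ISO timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        user = ev["target"]
        if ev["event"] == REVOKE:
            pending[user] = (ts, ev["actor"])
        elif ev["event"] == ASSIGN and user in pending:
            revoked_at, revoker = pending.pop(user)
            gap = ts - revoked_at
            if gap <= window:
                # The gap is the period in which the user had no paid license,
                # so Drive activity in it produced no drive log events.
                hits.append({"user": user, "revoked_by": revoker,
                             "assigned_by": ev["actor"], "revoked_at": revoked_at,
                             "unlogged_seconds": int(gap.total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_license_flips(SAMPLE_EVENTS):
        print(hit)
```

The window is a tuning choice: a long gap, such as the week between the two constructed `bob@example.com` events, looks like routine license management rather than a flip.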

Vendor Response and Shared Responsibility

Mitiga has notified Google about the deficiency, but an official response is yet to be received. It is worth noting that cloud providers and software-as-a-service (SaaS) platforms share responsibility for security. Organizations rely on the logging and forensic data provided by these services. The case of Google Workspace highlights the need for SaaS providers to offer comprehensive logs and data for effective incident response.


The forensic security deficiency discovered in Google Workspace’s free subscription poses a significant threat to enterprises, allowing attackers to exfiltrate data from Google Drive without leaving a trace. Organizations must remain vigilant and implement proactive measures to mitigate the risk of insider threats and data leaks. Monitoring license assignments, revocations, and source_copy events can help identify potential malicious activities. As organizations continue to embrace cloud-based solutions, it becomes crucial to establish a shared responsibility model with service providers to ensure comprehensive security measures are in place.




