What Do You Mean, "Resource Not Found?" Demystifying GCP Error Codes for IR & Detections

Gabriel Fried

fwd:cloudsec North America 2025 · Day 2 · Track 1 - Crystal

Gabriel Fried, a principal security researcher at Mitiga, presented a remote talk on leveraging **GCP error codes** as a detection and incident response signal. The central thesis is that security teams overwhelmingly focus on successful actions when building detections, but the errors that precede those successes -- failed resource lookups, permission denials, quota exhaustion -- can serve as early warning indicators of reconnaissance, credential probing, and resource abuse. Fried walked through the structure of GCP error codes (rooted in **gRPC** and the **AIP-193** standard), demonstrated how the error detail section provides richer context than the status code alone, explained a nuance around **long operations** and null principal emails, and presented three practical PySpark-based detection examples with comparative analysis of naive versus context-aware approaches.
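As an added illustration of the error-code and long-operation points above (plain Python, not the PySpark code presented in the talk), the sketch below groups Cloud Audit Log errors by principal and recovers a missing `principalEmail` by joining on `operation.id`. The sample entries are constructed, and two things are assumptions of this example: that a long operation's completion entry arrives without a principal, and the three-distinct-methods threshold.

```python
from collections import defaultdict

# gRPC status codes carried in protoPayload.status.code of Cloud Audit Logs
GRPC = {5: "NOT_FOUND", 7: "PERMISSION_DENIED", 8: "RESOURCE_EXHAUSTED"}

def entry(method, code=0, who=None, op=None):
    """Build a constructed audit-log entry with only the fields used below."""
    e = {"protoPayload": {"methodName": method, "status": {"code": code}}}
    if who:
        e["protoPayload"]["authenticationInfo"] = {"principalEmail": who}
    if op:
        e["operation"] = {"id": op}
    return e

# Constructed sample data (principals, methods and operation id are made up)
SAMPLE = [
    entry("storage.buckets.list", 7, "alice@example.com"),
    entry("v1.compute.instances.list", 7, "alice@example.com"),
    entry("google.iam.admin.v1.ListServiceAccounts", 7, "alice@example.com"),
    entry("storage.objects.get", 7, "ci-bot@example.com"),
    entry("storage.objects.get", 7, "ci-bot@example.com"),
    entry("storage.objects.get", 7, "ci-bot@example.com"),
    entry("v1.compute.instances.insert", 0, "bob@example.com", op="op-1"),  # start
    entry("v1.compute.instances.insert", 8, None, op="op-1"),  # end, no principal
]

def principal(e):
    return e["protoPayload"].get("authenticationInfo", {}).get("principalEmail")

def errors_by_principal(entries):
    """Return {principal: {code_name: set(methods)}}, stitching on operation.id."""
    op_owner = {e["operation"]["id"]: principal(e)
                for e in entries if "operation" in e and principal(e)}
    out = defaultdict(lambda: defaultdict(set))
    for e in entries:
        name = GRPC.get(e["protoPayload"].get("status", {}).get("code", 0))
        if name is None:
            continue  # success, or a code this example does not track
        op_id = e.get("operation", {}).get("id")
        who = principal(e) or op_owner.get(op_id, "<unattributed>")
        out[who][name].add(e["protoPayload"]["methodName"])
    return out

def probing_principals(entries, min_methods=3):
    """Flag principals denied on >= min_methods distinct methods (assumed threshold)."""
    prof = errors_by_principal(entries)
    return sorted(p for p, codes in prof.items()
                  if len(codes.get("PERMISSION_DENIED", ())) >= min_methods)
```

A plain count of denials would flag both `alice` and `ci-bot` here; counting distinct denied methods separates broad probing from one misconfigured job failing on the same call.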

AI review

A well-structured defensive talk that takes an overlooked data source -- GCP error codes -- and demonstrates how to extract detection value from it. The gRPC/AIP-193 deep dive is genuinely educational, the long operation ID stitching trick is useful, and the naive-vs-refined detection comparisons with real false positive reduction numbers are better than most detection engineering talks manage. No offensive content, but the blue team work is competent.
