Google Cloud Lateral Movement: Leveraging Default Service Accounts

South Texas ISSA

What: Instructor-Led Skills Workshop

When: August 26, 2025

Hours: 11:30 – 1:30 pm Central

Instructor:

Pierre Lidome, SLB

SANS course author, instructor, and cyber threat hunter

Location:

SLB (formerly Schlumberger)

1430 Enclave Parkway

Houston, TX 77077

ISSA Members: $20, includes 2 CPEs

ISSA Non-Member: $30, includes 2 CPEs

***NOTE: ISSA requires a minimum of 10 enrolled students to run this workshop If the minimum is not met, the class may be postponed or canceled.

***NOTE: Attendance at this workshop is limited to 30 attendees.

Prerequisites:

• Knowledge of basic security and cloud concepts

Who Should Attend: The content is designed for students, cybersecurity professionals, practitioners, managers, and leaders seeking to learn about leveraging default service accounts to move laterally in Google Cloud.

Description:

During this training, the instructor will address the following:

• Important Google Cloud Platform (GCP) concepts
• Attack demonstration
• Guided log analysis (everyone participates)
• Summary, Takeaways, and Q&A

This workshop will track lateral movement in Google Cloud and underscores the vital role of robust logging. Lateral movement is possible in all clouds, but the presence of default service accounts in Google Cloud present unique risks that the workshop will:

• Track lateral movement in Google Cloud and underscores the vital role of robust logging.

• Explore unique risks from the presence of default service accounts in Google Cloud.

• Review Google Cloud's identity and access management (IAM) services, permission inheritance, and service account use.

• Uncover critical configurations of roles, permissions, and service accounts, focusing on the often-overlooked risks posed by default service accounts and their excessive permissions.

• Gain an attacker's eye view through a live demo, witnessing how a cloud-based intrusion unfolds and how adversaries achieve lateral movement across projects by exploiting IAM vulnerabilities.

• Use SOF-ELK, a pre-configured log analysis platform to perform a practical investigative exercise.

Instructor Bio:

Pierre Lidome is a Cyber Investigations Practice Principal at a major energy company, where he specializes in threat hunting, digital forensics, incident response, and cloud security. Pierre is a certified SANS Instructor and is a co-author of FOR509: Enterprise Cloud Forensics and Incident Response.

Pierre’s career began after earning a Bachelor’s degree in Electrical Engineering from the University of Houston. He has since expanded his expertise with multiple industry certifications, including GIAC Cyber Threat Intelligence (GCTI), GIAC Certified Forensic Analyst (GCFA), GIAC Cloud Forensics Responder (GCFR), Certified Computer Examiner (CCE), and Certified Information Security Manager (CISM).

Pierre is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense that is a multiple winner of the National Cyber League competition. In addition to his academic contributions, Pierre is a member of the GIAC Advisory Board and has been a guest lecturer at both the undergraduate and graduate levels.

“I believe that teaching is more than sharing knowledge—it’s about empowering people to think critically, adapt quickly, and stay ahead of threats, especially as cloud technologies evolve.”

Pierre is driven by a passion for training the next generation of cyber hunters, ensuring they are prepared for the challenges of real-world incident response and digital forensics.

“Every class I teach is designed to mirror the complexities of the real world, blending hands-on exercises with the latest developments in cloud security. Cyber defense is a moving target, which is why I dedicate myself to continuous research in cloud security. That way, my students leave with the skills—and mindset—to adapt.”

Outside of cybersecurity, Pierre enjoys cattle ranching and stock trading. He brings the same dedication and enthusiasm to his personal interests as he does to defending organizations against cyber threats.

Questions: Contact "Dr. Tom" Duffey, South Texas ISSA Education Director (education@southtexas.issa.org)

Please Note: ***Registration closes August 21, at 5:00 PM Central***

Also Note: Members, please verify your email address on file with ISSA. This is where all course correspondence will be sent to members for CPEs.