CISA Releases Additional Open-source Cloud Protection Tools

Highlights:

• The Secure Configuration Baseline Assessment Tool evaluates Microsoft 365 licenses (E3, G3, E5, or G5) to determine if they meet the Secure Cloud Business Application baseline requirements developed by CISA in response to the 2021 SolarWinds supply chain attacks.
• The Untitled Goose Tool, a collaborative effort between CISA and Sandia National Labs, searches for flagged incidents in Microsoft Azure, Azure Active Directory, and 365 environments.

The U.S. Cybersecurity and Infrastructure Security Agency has enriched its cloud security toolkit by incorporating five free, open-source programs. These tools can detect threats, evaluate cloud security posture, identify unusual network patterns, and work in conjunction with paid security products.

This trend is favorable for two reasons. Firstly, it demonstrates the agency’s support for the open-source community, fostering simple and cost-effective solutions. Secondly, in many infosec scenarios, the effectiveness of information technology managers relies heavily on their tools. Identifying vulnerabilities in their infrastructure, such as unprotected cloud storage buckets or hard-coded encryption keys, enables organizations to enhance their protection measures.

Here are the five newly-added programs with their details:

Cyber Security Evaluation Tool: Recently, version 11.5.1 of the Cyber Security Evaluation Tool was released. It functions as a structured questionnaire, assisting IT managers in evaluating goals, identifying critical services, and reviewing an organization’s adherence to security guidelines and best practices. The utility of this tool extends to evaluating both cloud and on-premises infrastructure.

Secure Configuration Baseline Assessment Tool: It evaluates Microsoft 365 licenses (E3, G3, E5, or G5) to determine if they meet the Secure Cloud Business Application baseline requirements developed by CISA in response to the 2021 SolarWinds supply chain attacks. The tool incorporates CISA’s recommendations for secure cloud hosting configurations, encompassing domain settings, API access tokens, and administrative privileges. The tool generates a report highlighting non-conforming policy settings, swiftly identifying configuration gaps or errors. However, CISA advises caution as the tool is still in early testing, with the latest version (v.0.3) released in March, which means the reports may need to be more accurate.

Untitled Goose Tool: It is a collaborative effort between CISA and Sandia National Labs that searches for flagged incidents in Microsoft Azure, Azure Active Directory, and 365 environments. The most recent revision, version 1.2.2, was implemented in March. Security managers can investigate audit and activity logs and data collected by Microsoft Defender and export potential cloud interactions for further analysis using this tool. CISA designed Goose to address shortcomings in other PowerShell tools, which had restrictions on log entry numbers and lacked actionable parsing capabilities. Developed in Python, Goose executes a series of PowerShell scripts, generating results in JSON format for seamless importation into security event management tools.

Decider: Decider is a tool that was released in March to map attack methods and processes to the MITRE ATT and amp;CK v.11 or v.12 knowledge base and schema. It operates on either Docker or various Linux versions for enhanced flexibility. The application presents a series of questions concerning observed attack activities, guiding users with queries like “What is the adversary trying to do?” Hence, it furnishes ATT and amp;CK details, facilitating deeper analysis. For security operations unfamiliar with this framework, which might seem overwhelming initially, the app is an excellent entry point to explore its utility and gain insights.

Memory Forensic on Cloud: It is a tool developed by the Japanese computer emergency center, tailored for conducting forensics on Amazon Web Services installations. Specifically designed to run on Windows systems, this tool was developed last year.

While it is true that these five tools are relatively basic and cater to a specific niche in the field of cybersecurity, they serve as valuable resources for organizations that have yet to delve into these aspects of their cloud configurations. These organizations can significantly enhance their network and application security by leveraging these tools.