October 2, 2023

The U.S. CISA has recently augmented its cloud security toolbox of free open-source software, and there are now five programs that can be used to identify threats, evaluate an organization’s cloud security posture, detect unusual network patterns and complement paid security products.

  • The Cyber Security Evaluation Tool, which was updated to v.11.5.1 last week, is more of a structured questionnaire to help IT managers assess their goals, identify critical services, and review if an organization has sufficient security guidelines and best practices. This tool is useful for evaluating both cloud and on-premises infrastructure.
  • Secure Configuration Baseline Assessment Tool is used to evaluate a Microsoft 365 tenant running on an E3, G3, E5 or G5 license. It can determine whether the tenant meets the Secure Cloud Business Application baseline requirements that CISA created as a reaction to the 2021 SolarWinds supply chain attacks. CISA assembled various recommendations for secure cloud hosting configurations, such as domain settings, API access tokens and administrative privileges. The tool produces a report of nonconforming policy settings that can quickly point out configuration gaps or errors. CISA warns the tool is still in early testing, with the most recent v.0.3 released in March, so reports may not be completely accurate.
  • Untitled Goose Tool is used to search for incidents flagged in Microsoft Azure, Azure Active Directory and 365 environments. It was last revised in March with v.1.2.2. Security managers can investigate audit and activity logs and data collected by Microsoft Defender and export potential cloud interactions for further analysis. CISA developed Goose to fill a gap in other PowerShell tools, which were limited in the number of log entries they could retrieve or could not parse them into any actionable format. It is written in Python and runs a series of PowerShell scripts. The results are produced in JSON format so they can be easily imported into security event management tools.
  • Decider is a tool that maps attack techniques and procedures to the MITRE ATT&CK v.11 or v.12 knowledge base and schema. It was released in March and is an application that runs either on Docker or under several Linux versions. The app asks a series of questions about the observed attack activities – such as “What is the adversary trying to do?” – and then provides the matching ATT&CK details for further analysis.
  • Memory Forensic on Cloud is a tool developed by the Japanese computer emergency center. It can be used to perform memory forensics on AWS installations. It runs on Windows only and was developed last year.

These tools provide only a basic evaluation capability. But for organizations that have not yet begun to explore these aspects of their cloud configurations, they offer a way to better protect their networks and their applications.
