March 24 — The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has recently unveiled a novel open-source instrument for incident response. It’s designed to identify signs of malicious conduct within Microsoft’s cloud ecosystem.
The ‘Untitled Goose Tool’, created in collaboration with Sandia, a U.S. Department of Energy laboratory, uses Python to extract telemetry data from Azure Active Directory, Microsoft Azure and Microsoft 365.
Says CISA, “Untitled Goose Tools is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure and M365 environments.”
“Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).”
Using CISA’s cross-platform Microsoft cloud tool, security experts and network admins can export and review AAD sign-in and audit logs, M365 unified audit logs, Azure activity logs, Microsoft Defender for IoT alerts and MDE data, query and investigate AAD, M365 and Azure configurations. They can also extract cloud artifacts without further analytics, among other things.
Defending against adversaries
In early March of this year, CISA released ‘Decider’, an open-source tool designed to generate MITRE ATT&CK mapping reports for adjusting security posture based on adversaries’ tactics and techniques.
This followed the release of a “best practices” guide and a warning system for critical infrastructure entities.
Since then, CISA has proactively notified over 60 entities of early-stage ransomware intrusions, including organizations within the energy, healthcare, public health, water and wastewater systems sectors.
More info here. Want to stay up-to-date with the latest and greatest in cyber security? Check out the CyberTalk.org newsletter! Sign up today to receive top-notch news articles, best practices and expert analyses; delivered straight to your inbox.