CISA's New Tool: A Response and Hunt Tool for Microsoft's Cloud Services
CISA (the Cybersecurity and Infrastructure Security Agency), a well-renowned organization that has made a great impact on the cybersecurity ecosystem, has developed and released a new threat-hunting and incident response tool that helps defenders extract cloud evidence without having to build additional analytics themselves.
The tool, named the “Untitled Goose Tool”, is one of the recent developments from the United States Cybersecurity and Infrastructure Security Agency, and is intended to help security defenders and their teams respond effectively to cyber-attacks. Sandia National Labs is reported to have developed the tool in conjunction with CISA; it offers novel authentication and information-gathering capabilities that network defenders can use to analyze and interrogate Microsoft cloud services.
According to CISA, the tool supports Microsoft cloud services such as Microsoft 365, Microsoft Azure, and Azure Active Directory. It is said to let defenders run a complete investigation by interrogating and collecting audit logs, Azure Active Directory sign-in logs, Azure Activity logs, Microsoft 365 unified audit logs, Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint data, and then examining them for suspicious activity.
CISA further clarified that the tool also allows defenders to query, export, and investigate Azure Active Directory, Azure configurations, and Microsoft 365.
Untitled Goose Tool GUI (image source: CISA GitHub Repository).
According to the Untitled Goose Tool repository on GitHub, the threat-hunting and incident response tool was designed with the forethought of helping incident response teams export cloud artifacts after an incident in environments that are not ingesting logs into the organization's SIEM. The organization can then ingest the JSON results into an existing SIEM, a text editor, a web browser, or its own database for further analysis.
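The export-then-analyze workflow described above leaves the analytics to the defender. As an added illustration (this is not code from CISA or from the Untitled Goose Tool itself), the following Python script takes a JSON export of Azure Active Directory sign-in logs and surfaces source IPs that failed sign-ins for many distinct accounts, the usual footprint of a password spray. The sample records are constructed here in the shape of Microsoft Graph sign-in log entries (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`); it is an assumption that the tool's sign-in export uses those field names, so adjust them if the real export differs. The loader accepts either a single JSON array or newline-delimited JSON objects, since which form a given export uses is not stated on this page.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Azure AD sign-in log entries
# (Microsoft Graph signIn fields). Assumption: the Untitled Goose Tool's
# sign-in export uses the same field names; this is NOT a real capture.
# errorCode 0 is a successful sign-in; 50126 is Azure AD's code for an
# invalid username or password. The IPs are documentation ranges.
SAMPLE_RECORDS = [
    {"createdDateTime": "2023-03-23T10:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-23T10:01:05Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-23T10:01:09Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-23T10:01:14Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-23T10:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-23T10:05:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.4", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-23T10:06:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.4", "status": {"errorCode": 50126}},
]

# The same data in the two export shapes the loader understands.
SAMPLE_EXPORT_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)
SAMPLE_EXPORT_ARRAY = json.dumps(SAMPLE_RECORDS)


def load_signins(text):
    """Parse an export that is either one JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if not text:
        return []
    try:
        data = json.loads(text)          # whole document: array or single object
    except json.JSONDecodeError:
        # "Extra data" means several objects, one per line (JSON Lines)
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return data if isinstance(data, list) else [data]


def _is_failure(rec):
    """A sign-in failed when status.errorCode is present and non-zero."""
    return rec.get("status", {}).get("errorCode", 0) != 0


def failed_signins_by_ip(records):
    """Map each source IP to the set of accounts that failed to sign in from it."""
    failures = defaultdict(set)
    for rec in records:
        if _is_failure(rec):
            failures[rec.get("ipAddress", "unknown")].add(rec.get("userPrincipalName", "unknown"))
    return dict(failures)


def spray_candidates(records, min_users=3):
    """Return (ip, distinct_failed_accounts, total_failures) for every IP whose
    failures span at least min_users distinct accounts, most suspicious first."""
    totals = defaultdict(int)
    for rec in records:
        if _is_failure(rec):
            totals[rec.get("ipAddress", "unknown")] += 1
    by_ip = failed_signins_by_ip(records)
    hits = [(ip, len(users), totals[ip]) for ip, users in by_ip.items() if len(users) >= min_users]
    return sorted(hits, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    for ip, users, fails in spray_candidates(load_signins(SAMPLE_EXPORT_JSONL)):
        print(f"{ip}: {fails} failed sign-ins across {users} distinct accounts")
```

Run against a real export, the `min_users` threshold and the failure test are the two knobs to tune: a shared NAT address legitimately produces failures for several users, so correlate a candidate IP with the success records from the same address before treating it as hostile.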
CISA announced the tool on the same day as its Pre-Ransomware Notification initiative, which aims to alert organizations to early-stage ransomware activity so that they can take swift action to block the compromise before their data is encrypted. Also in March, CISA announced the Decider tool, which helps organizations take an attacker's perspective through the MITRE ATT&CK framework and discover gaps in their defences. Another tool developed by CISA is the Ransomware Vulnerability Warning Pilot, which alerts critical infrastructure entities to existing vulnerabilities in their systems.
Further reading: the CISA announcement of the Untitled Goose Tool
The Untitled Goose Tool fact sheet
The Untitled Goose Tool GitHub repository (download)
Decider: utilizing MITRE ATT&CK