The Cybersecurity & Infrastructure Security Agency (CISA) has released a list of free tools that organizations can use to secure their cloud environments.
According to CISA's post, these tools help incident response analysts and network defenders identify, detect, and mitigate threats, known vulnerabilities, and anomalies in cloud or hybrid environments.
Threat actors have traditionally targeted internal servers during an attack. However, the rapid growth of cloud migration has drawn many threat actors to cloud environments, where the attack surface is large.
The tools provided by CISA will aid organizations that lack the tooling to defend against cloud threats, and can help protect their cloud resources from information theft, data theft, and information exposure.
CISA also recommends that organizations use the security features provided by their Cloud Service Providers and combine them with the free tools listed here. The tools provided by CISA are:
- The Cyber Security Evaluation Tool (CSET) (CISA)
- SCuBAGear (CISA)
- The Untitled Goose Tool (CISA)
- Decider (CISA)
- Memory Forensic on Cloud (JPCERT/CC)
The Cyber Security Evaluation Tool (CSET)
CISA developed this tool, which uses industry-recognized standards, frameworks, and recommendations to help organizations evaluate their cybersecurity posture. It asks a series of questions about system components, architecture, and operational policies and procedures.
The answers are used to generate a report that gives a complete view of the organization's strengths and weaknesses, along with recommendations to address them. CSET version 11.5 includes the Cross-Sector Cyber Performance Goals (CPG), which were developed by CISA and the National Institute of Standards and Technology (NIST).
The CPGs offer best practices and guidance that every organization should follow, and the tool helps organizations defend against common and impactful tactics, techniques, and procedures (TTPs).
SCuBAGear M365 Secure Configuration Baseline Assessment Tool
SCuBAGear is part of the Secure Cloud Business Applications (SCuBA) project, which CISA initiated in response to the SolarWinds Orion software supply chain compromise. SCuBAGear is an automated script that compares a Federal Civilian Executive Branch (FCEB) agency's M365 configuration against CISA's M365 Secure Configuration Baselines.
Alongside SCuBAGear, CISA produced several documents that provide cloud security guidance for all organizations. Three documents were created as part of this effort:
- SCuBA Technical Reference Architecture (TRA) – Describes the essential components for hardening cloud security. The scope of the TRA covers cloud business applications (SaaS models) and the security services used to secure and monitor them.
- Hybrid Identity Solutions Architecture – Describes the best approaches for addressing identity management in a cloud environment.
- M365 Secure Configuration Baseline (SCB) – Provides baseline security configurations for Microsoft Defender 365, OneDrive, AAD, Exchange Online, etc.
The tool produces an HTML report highlighting deviations from the policies described in the M365 SCB guides.
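To make concrete what a secure-configuration baseline assessment does, here is an added example (not SCuBAGear and not CISA's code) in Python. It walks a constructed tenant configuration, compares each setting against a constructed baseline of rules, lists the deviations, and renders them as a minimal HTML table in the spirit of the report described above. The setting paths, the policy IDs (EXAMPLE.*) and the export layout are assumptions made for this example, not SCuBA identifiers or a real M365 export format.

```python
"""Illustrative secure-configuration baseline check (constructed example, not SCuBAGear)."""
import html

# Constructed tenant settings, shaped loosely like an exported M365 configuration.
# Keys and values are assumptions for this example, not a real export format.
SAMPLE_TENANT = {
    "aad": {
        "legacy_auth_blocked": False,
        "mfa_required_for_all_users": True,
        "global_admin_count": 7,
    },
    "exo": {
        "auto_forwarding_enabled": True,
        "dkim_enabled": True,
    },
}

# Constructed baseline: each rule names a setting path, a comparison and an expected value.
# Policy IDs are placeholders, not CISA SCuBA policy identifiers.
SAMPLE_BASELINE = [
    {"id": "EXAMPLE.AAD.1", "path": "aad.legacy_auth_blocked", "op": "eq", "expected": True,
     "title": "Legacy authentication SHALL be blocked"},
    {"id": "EXAMPLE.AAD.2", "path": "aad.mfa_required_for_all_users", "op": "eq", "expected": True,
     "title": "MFA SHALL be required for all users"},
    {"id": "EXAMPLE.AAD.3", "path": "aad.global_admin_count", "op": "le", "expected": 4,
     "title": "No more than four Global Administrators"},
    {"id": "EXAMPLE.EXO.1", "path": "exo.auto_forwarding_enabled", "op": "eq", "expected": False,
     "title": "Automatic external forwarding SHALL be disabled"},
    {"id": "EXAMPLE.EXO.2", "path": "exo.dkim_enabled", "op": "eq", "expected": True,
     "title": "DKIM SHALL be enabled"},
]

# Supported comparison operators for baseline rules.
OPS = {"eq": lambda a, e: a == e, "le": lambda a, e: a <= e, "ge": lambda a, e: a >= e}


def lookup(config, path):
    """Resolve a dotted path in the nested config; None when the setting is absent."""
    node = config
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # a missing setting must count as a deviation, never as a pass
        node = node[part]
    return node


def assess(config, baseline):
    """Evaluate every baseline rule against the config and record the outcome."""
    results = []
    for rule in baseline:
        actual = lookup(config, rule["path"])
        passed = actual is not None and OPS[rule["op"]](actual, rule["expected"])
        results.append({"id": rule["id"], "title": rule["title"],
                        "expected": rule["expected"], "actual": actual, "passed": passed})
    return results


def deviations(results):
    """Only the rules the tenant fails."""
    return [r for r in results if not r["passed"]]


def render_html(results):
    """Minimal HTML report; every value is escaped so tenant data cannot inject markup."""
    rows = "".join(
        f"<tr><td>{html.escape(r['id'])}</td><td>{html.escape(r['title'])}</td>"
        f"<td>{html.escape(str(r['expected']))}</td><td>{html.escape(str(r['actual']))}</td>"
        f"<td>{'Pass' if r['passed'] else 'FAIL'}</td></tr>"
        for r in results)
    return ("<html><body><h1>Baseline assessment</h1><table>"
            "<tr><th>Policy</th><th>Requirement</th><th>Expected</th><th>Actual</th><th>Result</th></tr>"
            f"{rows}</table></body></html>")


if __name__ == "__main__":
    res = assess(SAMPLE_TENANT, SAMPLE_BASELINE)
    for d in deviations(res):
        print(f"{d['id']}: {d['title']} (expected {d['expected']}, found {d['actual']})")
    print(render_html(res))
```

Two design points matter for any tool of this kind: an absent setting is reported as a deviation rather than silently passing, and everything written into the report is HTML-escaped, since the report is built from data pulled out of the tenant.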
Untitled Goose Tool
CISA developed this tool with Sandia National Laboratories to help network defenders identify malicious activity in Microsoft Azure, AAD, and M365. It can also query, export, and investigate audit logs.
The tool is especially useful for organizations that do not ingest these logs into their Security Information and Event Management (SIEM) system. It was developed as an alternative to existing PowerShell tools, which lacked data collection capabilities for Azure, AAD, and M365.
Network defenders can use this tool to:
- Extract cloud artifacts from AAD, Azure, and M365
- Perform time bounding of the Unified Audit Log (UAL)
- Extract data within that time bound
- Collect Microsoft Defender for Endpoint (MDE) data using the same time-bounding capability
Decider (CISA)
This tool helps incident response analysts map malicious activity to the MITRE ATT&CK framework. It offers a simpler way to identify the relevant ATT&CK techniques and guides analysts in mapping observed activity to them.
Like CSET, Decider asks the user a series of questions and uses the answers to narrow the search to the most relevant techniques. With this information, users can:
- Export ATT&CK Navigator heatmaps
- Publish Threat Intelligence reports
- Identify and execute mitigation procedures
- Prevent exploitation
The CISA has also provided a link on how to use the Decider tool.
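The two capabilities above, time bounding a UAL export (Untitled Goose Tool section) and turning mapped activity into an ATT&CK Navigator heatmap (Decider section), fit together in one small investigation pipeline. The following is an added Python example, not the Untitled Goose Tool, Decider, or any CISA code: it parses constructed UAL-style JSON Lines records, keeps only those inside an analyst-chosen time window, maps each operation to an ATT&CK technique ID, and emits a Navigator layer whose score is the observed count. The sample records, the user names and IPs, and the operation-to-technique mapping are assumptions for this example (the technique IDs are real Enterprise ATT&CK IDs, but which operation maps to which is an analyst judgement); the `versions` fields in the layer are assumed values to adjust for the Navigator release in use.

```python
"""Constructed example: time-bound UAL records and emit an ATT&CK Navigator heatmap layer."""
import json
from datetime import datetime, timedelta, timezone

# Constructed UAL-style records (JSON Lines). Field names follow the common UAL shape
# (CreationTime, Operation, UserId, ClientIP); the values are invented for this example.
SAMPLE_UAL = """
{"CreationTime": "2023-06-01T02:14:07", "Operation": "UserLoggedIn", "UserId": "alice@example.test", "ClientIP": "203.0.113.10"}
{"CreationTime": "2023-06-01T02:15:31", "Operation": "New-InboxRule", "UserId": "alice@example.test", "ClientIP": "203.0.113.10"}
{"CreationTime": "2023-06-01T02:16:02", "Operation": "Add-MailboxPermission", "UserId": "alice@example.test", "ClientIP": "203.0.113.10"}
{"CreationTime": "2023-06-01T09:40:55", "Operation": "UserLoggedIn", "UserId": "bob@example.test", "ClientIP": "198.51.100.7"}
{"CreationTime": "2023-06-02T11:00:00", "Operation": "FileDownloaded", "UserId": "bob@example.test", "ClientIP": "198.51.100.7"}
"""

# Illustrative mapping of UAL operations to ATT&CK technique IDs. This is an assumption made
# for the example (an analyst's judgement), not a mapping published by CISA or MITRE.
OPERATION_TO_TECHNIQUE = {
    "UserLoggedIn": "T1078.004",           # Valid Accounts: Cloud Accounts
    "New-InboxRule": "T1564.008",          # Hide Artifacts: Email Hiding Rules
    "Add-MailboxPermission": "T1098.002",  # Account Manipulation: Additional Email Delegate Permissions
    "FileDownloaded": "T1530",             # Data from Cloud Storage
}


def parse_ual(text):
    """Parse JSON Lines records. UAL CreationTime is UTC without an offset, so attach one."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def time_bound(records, start, end):
    """Keep records with start <= CreationTime < end (half-open window, as a UAL query uses)."""
    return [r for r in records if start <= r["CreationTime"] < end]


def technique_counts(records, mapping=OPERATION_TO_TECHNIQUE):
    """Count observed events per mapped technique; unmapped operations are ignored."""
    counts = {}
    for r in records:
        tid = mapping.get(r["Operation"])
        if tid:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


def window_counts(text, start_iso, hours):
    """Parse, time-bound from start_iso (UTC) for `hours`, and count techniques."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    return technique_counts(time_bound(parse_ual(text), start, start + timedelta(hours=hours)))


def navigator_layer(counts, name):
    """Build an ATT&CK Navigator layer; score = observed count so the heatmap shades by frequency."""
    return {
        "name": name,
        # Assumed version fields; set them to match the Navigator instance that will load the layer.
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Techniques observed in a time-bounded UAL export (constructed example)",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} UAL event(s)"}
            for tid, n in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


if __name__ == "__main__":
    # One-hour window around the suspicious early-morning sign-in.
    counts = window_counts(SAMPLE_UAL, "2023-06-01T02:00:00", 1)
    print(json.dumps(navigator_layer(counts, "Suspicious sign-in window"), indent=2))
```

The half-open window mirrors how audit-log queries are normally bounded, so chaining consecutive windows never double-counts an event on the boundary; the resulting JSON can be loaded into ATT&CK Navigator as a layer file.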
Memory Forensic on Cloud (JPCERT/CC)
JPCERT/CC developed this tool to build an environment on AWS for analyzing Windows memory images with Volatility 3. Memory forensics is particularly needed for the increasingly common Living-Off-the-Land (LOTL) attacks, also known as fileless malware.
Memory image analysis is valuable during incident response engagements, but preparing a suitable analysis environment usually requires high-specification machines, time, and resources.