Thursday, July 25, 2024

CISA Released Free Cloud Security Tools to Secure Cloud Data

The Cybersecurity & Infrastructure Security Agency (CISA) has released a list of free tools for organizations to secure themselves in cloud environments.

The post from CISA stated that these tools will help incident response analysts and network defenders to mitigate, identify and detect threats, known vulnerabilities, and anomalies in the cloud or hybrid environments.

Threat actors have traditionally targeted internal servers during an attack. However, the rapid growth of cloud migration has attracted several threat actors to target cloud environments as the attack vector is massive when it comes to the cloud.

The tools provided by CISA will aid organizations that lack the necessary tools to defend against cloud threats. These tools can help in protecting their cloud resources from information theft, data theft, and information exposure.

Tools + Pre-built Security features

CISA also mentioned that organizations should use the security features provided by the Cloud Service Providers and combine them with the free tools suggested by the CISA for protecting against these threats. The tools provided by the CISA are,

  • The Cybersecurity Evaluation Tool (CSET) (CISA)
  • SCuBAGear (CISA)
  • The Untitled Goose Tool (CISA)
  • Decider (CISA)
  • Memory Forensic on Cloud (JPCERT/CC)

The Cyber Security Evaluation Tool (CSET)

This tool was developed by the CISA that uses industry-recognized standards, frameworks, and recommendations to assist organizations in their cybersecurity posture evaluation. The tool asks multiple questions about system components, architecture, and operational policies and procedures.

This information is then used to generate a report that provides a complete insight into the strengths and weaknesses of the organizations including the recommendations to fix them. The CSET version 11.5 includes Cross-Sector Cyber Performance Goals (CPG) which was developed by the CISA and the NIST (National Institute of Standards and Technology).

CPG can provide best practices and guidance that all organizations should follow. This tool can help against common and impactful TTPs. 

SCuBAGear M365 Secure Configuration Baseline Assessment Tool

SCuBAGear is a tool that was a part of the SCuBA (Secure Cloud Business Applications) project that was initiated in response to the Supply Chain compromise of SolarWinds Orion Software. SCuBA is an automated script that compares the Federal Civilian Executive Branch (FECB) against M365 Secure configurations of the CISA.

In collaboration with SCuBAGear, CISA created multiple documents that can guide cloud security that can help all organizations. Three documents were created as part of this tool,

  • SCuBA Technical Reference Architecture (TRA) – Provides essential components for hardening cloud security. The scope of TRA adds cloud business applications (for SaaS models) and the security services used to secure and monitor them.
  • Hybrid Identity Solutions Architecture – Provides best approaches for addressing identity management in a Cloud environment.
  • M365 security configuration baseline (SCB) – provides basic security configurations for Microsoft Defender 365, OneDrive, AAD, Exchange Online etc.

This tool provides an HTML report highlighting policy deviations described in the M365 SCB guides.

Untitled Goose Tool

This tool was developed alongside Sandia National Laboratories which can help network defenders identify malicious activities in Microsoft Azure, AAD, and M365. It can also help query, export, and investigate audit logs.

This tool is extremely useful for organizations that do not ingest these kinds of logs into their Security Incident and Event Management (SIEM) tool. It was developed as an alternative to PowerShell tools since they did not have data collection capacity for Azure, AAD, and M365.

Network Defenders can use this tool to,

  • Cloud artifacts extraction from AAD, Azure, and M365
  • Perform time bounding of the Unified Audit Logs (UAL)
  • Extra data within time bound
  • Collect data using the capability of time bounding for MDE(Microsoft Defender Endpoint) data

Decider Tool

This tool can help incident response analysts to map malicious activities with the MITRE ATT&CK framework. It also provides an easier approach to their techniques and provides guidance for mapping the activities accordingly.

Just like CSET, this tool also asks several questions to provide relevant user queries for determining the best possible identification method. With this information, the users can now,

  • Export ATT&CK Navigator heatmaps
  • Publish Threat Intelligence reports 
  • Identify and execute mitigation procedures
  • Prevent Exploitation

The CISA has also provided a link on how to use the Decider tool.

Memory Forensic on Cloud (JPCERT/CC)

It was developed for building and analyzing the Windows Memory Image on AWS using Volatility 3. Furthermore, Memory Forensics is required when it comes to the newly trending LOTL (Living-Off-the-Land) attacks which are otherwise called fileless malware.

A memory image analysis can help during incident response engagements that usually require high-specification machines, time, and resources to prepare a sufficient environment.


Latest articles

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses....

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive...

250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very...

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Malicious Python packages uploaded by "dsfsdfds" to PyPI infiltrated user systems by exfiltrating sensitive...

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers' abuses as they have been built into...

BlueStacks Emulator For Windows Flaw Exposes Millions Of Gamers To Attack

A significant vulnerability was discovered in BlueStacks, the world's fastest Android emulator and cloud...

Google Chrome 127 Released with a fix for 24 Security Vulnerabilities

Google has unveiled the latest version of its Chrome browser, Chrome 127, which is...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles