UPDATED 13:50 EST / JULY 19 2023


CISA makes more open-source cloud protection tools available

The U.S. Cybersecurity and Infrastructure Security Agency recently augmented its cloud security toolbox of free open-source software, and there are now five programs that can be used to identify threats, evaluate an organization’s cloud security posture, detect unusual network patterns and complement paid security products.

This is a welcome trend for two reasons. First, it shows that the agency is supportive of the open-source world and is encouraging more solutions that are simple and cost-effective. Second, as in so many infosec situations, information technology managers are only as good as their tools. The more they can find weaknesses in their infrastructure — such as unprotected cloud storage buckets or hard-coded encryption keys — the better an organization can protect itself.

These are the five programs, along with links to the source code on GitHub:

  • The Cyber Security Evaluation Tool, which was updated to v.11.5.1 last week, is more of a structured questionnaire to help IT managers assess their goals, identify critical services, and review if an organization has sufficient security guidelines and best practices. This tool is useful for evaluating both cloud and on-premises infrastructure.
  • Secure Configuration Baseline Assessment Tool is used to evaluate a Microsoft 365 E3, G3, E5 or G5 license. It can determine whether the tenant meets the Secure Cloud Business Application baseline requirements that CISA created in reaction to the 2021 SolarWinds supply chain attacks. CISA assembled various recommendations for secure cloud hosting configurations, covering areas such as domain settings, API access tokens and administrative privileges. The tool produces a report of nonconforming policy settings that can quickly point out configuration gaps or errors. CISA warns that the tool is still in early testing, with the most recent v.0.3 released in March, so reports may not be completely accurate.
  • Untitled Goose Tool, which was jointly developed by CISA and Sandia National Labs, is used to search for incidents flagged in Microsoft Azure, Azure Active Directory and Microsoft 365 environments. It was last revised in March with v.1.2.2. Security managers can investigate audit and activity logs and data collected by Microsoft Defender, and export potential cloud interactions for further analysis. CISA developed Goose to fill a gap in other PowerShell tools, which were limited in the number of log entries they could retrieve or could not parse them into any actionable format. It is written in Python and runs a series of PowerShell scripts. The results are produced in JSON format so they can be easily imported into security event management tools.
  • Decider is a tool that maps attack techniques and procedures to the MITRE ATT&CK v.11 or v.12 knowledge base and schema. It was released in March and is an application that runs either on Docker or under several Linux versions. The app asks a series of questions about the observed attack activities – such as “What is the adversary trying to do?” – and then provides the ATT&CK details for further analysis. If a security operation isn’t yet using this framework — it can be daunting at first glance — this is a good entry point to learn more about its utility.
  • Memory Forensic on Cloud is a tool developed by the Japanese computer emergency center. It can be used to do forensics on Amazon Web Services installations. It runs on Windows only and was developed last year. The flow chart of how it works is shown below:

Granted, these five tools are very basic and occupy a very small niche in the world of cybersecurity. But they can show organizations who may not have begun to explore these aspects of their cloud configurations a way to better protect their networks and their applications.

Image: CISA
