CISA unleashes Untitled Goose Tool to honk at danger in Microsoft's cloud

Not a headline we expected to write today


American cybersecurity officials have released an early-warning system to protect Microsoft cloud users.

The US government's Cybersecurity and Infrastructure Security Agency (CISA) released the software, developed in conjunction with Sandia National Labs, to help network administrators spot potentially malicious activity in the Microsoft Azure cloud, Microsoft 365 services, and Azure Active Directory (AAD).

Dubbed the Untitled Goose Tool, CISA said it "offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services."

The introduction of Untitled Goose Tool comes the same day as the agency announced its Pre-Ransomware Notification Initiative, which delivers early warnings to organizations about attacks, possibly in enough time to stop the attacks before the miscreants can encrypt or steal data.

"We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days," Clayton Romans, associate director of the Joint Cyber Defense Collaborative (JCDC), wrote in a blog post. "This window gives us time to warn organizations that ransomware actors have gained initial access to their networks."

Both efforts are aimed at making enterprises more proactive in defending against attacks. This month also saw the rollout of the Decider tool, which makes it easier for organizations to map adversary behavior to the MITRE ATT&CK framework, identify gaps in their defenses, and go threat hunting.

Take a bird's eye view

Network pros can use Untitled Goose Tool for exporting and reviewing AAD sign-in and audit logs, Microsoft 365's unified audit log (UAL), Azure activity logs, Defender for IoT alerts, and Defender for Endpoint data for suspicious activity. They also can look into Azure, Microsoft 365, and AAD configurations to spot sloppy security.

"Network defenders attempting to interrogate a large M365 tenant via the UAL may find that manually gathering all events at once is not feasible. Untitled Goose Tool uses novel data gathering methods via bespoke mechanisms," CISA wrote [PDF].

To that end, the tool makes it easier to pull artifacts from those cloud services without further analytics: defenders set time bounds for the UAL using a feature called "goosey graze" and then extract the data within those bounds with "goosey honk." The same approach can be used for data from Defender for Endpoint.

Untitled Goose Tool can be used with both Windows and macOS, though the PowerShell script is best used only with Windows. It requires Python 3.7, 3.8, or 3.9 and is available from CISA's GitHub repository along with the PowerShell script.

The agency's unveiling of the Pre-Ransomware Notification Initiative comes less than two weeks after it announced the Ransomware Vulnerability Warning Pilot, which warns critical infrastructure entities about flaws in their systems that could be exploited by ransomware groups.

The notification effort started in January and so far has alerted more than 60 entities in such industries as healthcare, energy, water and wastewater, and education about possible pre-ransomware activity, with some addressing the problem before data was encrypted or stolen, according to Romans.

There are two key parts to it. The JCDC collects tips from cybersecurity researchers, infrastructure providers, and cyberthreat companies about possible ransomware activity in the early stages. The JCDC – a public-private group launched in August 2021 – then notifies organizations targeted by miscreants about the threat and guides them through mitigation. ®
