The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a factsheet to help organizations securely transition from on-premises to cloud and hybrid environments and ensure that data and critical assets are properly secured. The factsheet is intended for network defenders, analysts, and incident responders, and it suggests several open source tools that complement those provided by cloud service providers (CSPs).
CISA notes that CSPs offer security tools to help protect critical assets and data during transitions to cloud infrastructure and to enhance security for organizations already operating in cloud environments. While these tools should be used, they often leave security gaps that need to be addressed with third-party tools. CISA does not endorse any specific third-party tool, but it does suggest open source tools that can be used to investigate security weaknesses, detect and mitigate threats and malicious activity, and enhance an organization's security posture. The suggested tools are not all-encompassing, so additional tools may be required depending on the needs of each organization.
In addition to the platform-specific analysis and monitoring tools provided by CSPs, CISA suggests five additional tools. The Cyber Security Evaluation Tool (CSET) can be used to evaluate enterprise and asset cybersecurity posture and to identify gaps and areas for future investment. SCuBAGear, developed by CISA, is an automation script that compares an organization's configurations against CISA's M365 baseline recommendations; it can be used to verify that configurations meet the minimum viable security configurations described in the M365 SCB guides.
The Untitled Goose Tool was developed by CISA and Sandia National Laboratories to support network defenders in hunt and incident response activities in Microsoft Azure, AAD, and M365 environments. Decider is another CISA-developed tool that helps organizations understand malicious behavior and can be used to generate MITRE ATT&CK mapping reports. Memory Forensic on Cloud was developed by Japan's Computer Emergency Response Team (CERT) Coordination Center and can be used to build a memory forensics environment on AWS.
Cybercriminals are increasingly targeting cloud infrastructure and services and are attacking organizations that are not using the proper tools and techniques for protecting data and critical assets. These tools should be incorporated into organizations’ arsenals to better defend their cloud environments against attacks.