The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new open-source incident response tool called the Untitled Goose Tool. This Python-based utility tool was developed in collaboration with Sandia, a national laboratory of the United States Department of Energy. It is designed to protect Microsoft cloud environments against malicious activity.
The Untitled Goose Tool allows security experts and network administrators to perform in-depth analysis and export of telemetry information from various Microsoft cloud environments.
These include Azure Active Directory (AAD), Microsoft Azure, Microsoft 365 (M365), Microsoft Defender for Endpoint (MDE), and Microsoft Defender for IoT (D4IoT). It can help analyze AAD, M365, and Azure configurations through queries, exports, and investigation.
Key Features of the Untitled Goose Tool
The Untitled Goose Tool provides the following features for security experts and network administrators:
- In-depth analysis and export of telemetry information:
  - AAD sign-in and audit logs
  - M365 unified audit log (UAL)
  - Azure activity logs
  - Microsoft Defender for IoT alerts
  - Microsoft Defender for Endpoint data for suspicious activity
- Extraction of cloud artifacts:
  - Extracts cloud artifacts from Microsoft's AAD, Azure, and M365 environments without performing additional analytics.
- Time-bounding capabilities:
  - Time-bounds the UAL and MDE data so that it can be collected, reviewed, and compared for a chosen window.
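The time-bounding and comparison described above, as an added example that is not part of the Untitled Goose Tool or the article: it assumes UAL records exported as a JSON array carrying the common audit schema fields CreationTime, Operation, UserId and Workload, and the sample records are constructed.

```python
"""Time-bound and compare Unified Audit Log (UAL) records.

Added example, not part of the Untitled Goose Tool. It assumes UAL records
exported as a JSON array carrying the common audit schema fields
CreationTime, Operation, UserId and Workload; sample records are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in the shape of UAL common-schema entries.
SAMPLE_UAL = json.dumps([
    {"CreationTime": "2023-03-20T08:05:11", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2023-03-20T08:07:42", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "Workload": "Exchange"},
    {"CreationTime": "2023-03-21T02:15:09", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2023-03-21T02:16:30", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "Workload": "Exchange"},
    {"CreationTime": "2023-03-21T02:18:55", "Operation": "Set-Mailbox",
     "UserId": "alice@example.com", "Workload": "Exchange"},
])

def load_records(text=SAMPLE_UAL):
    """Parse an exported UAL JSON array into a list of dicts."""
    return json.loads(text)

def parse_time(value):
    """UAL CreationTime values are UTC without an explicit offset."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def time_bound(records, start, end):
    """Keep records with start <= CreationTime < end (UTC datetimes)."""
    return [r for r in records if start <= parse_time(r["CreationTime"]) < end]

def operation_counts(records):
    """Count records per (Workload, Operation) for review."""
    return Counter((r["Workload"], r["Operation"]) for r in records)

def compare_windows(records, baseline, incident):
    """Operations seen in the incident window but absent from the baseline.
    baseline / incident are (start, end) tuples; operations that first appear
    in the incident window (e.g. inbox-rule changes) are a natural review start."""
    base = operation_counts(time_bound(records, *baseline))
    inc = operation_counts(time_bound(records, *incident))
    return {op: n for op, n in inc.items() if op not in base}

if __name__ == "__main__":
    base = (parse_time("2023-03-20T00:00:00"), parse_time("2023-03-21T00:00:00"))
    inc = (parse_time("2023-03-21T00:00:00"), parse_time("2023-03-22T00:00:00"))
    for op, n in sorted(compare_windows(load_records(), base, inc).items()):
        print(op, n)
```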
Prerequisites for Installing the Untitled Goose Tool
To run the Untitled Goose Tool you need Python 3.7, 3.8, or 3.9. It is recommended to run the tool in a virtual environment. The tool can be installed on macOS, Linux, and Windows.
To install the Untitled Goose Tool, clone the repository and then do an install with pip.
git clone https://github.com/cisagov/untitledgoosetool.git
cd untitledgoosetool
python3 -m pip install .
Recent Developments by CISA
CISA has taken several steps to improve the security measures that organizations can take against emerging cyber threats. It recently launched another open-source tool, Decider, which helps defenders create MITRE ATT&CK mapping reports. Decider followed the publication of a "best practices" guide in January that stressed the importance of adhering to the standard.
In addition, at the beginning of 2023 CISA warned critical infrastructure entities that their internet-exposed systems are susceptible to ransomware attacks. This announcement followed a partnership launched in August 2021, the Joint Cyber Defense Collaborative (JCDC), which focuses on protecting the core infrastructure of the United States from cyber attacks such as ransomware.
Ransomware Readiness Assessment (RRA)
In June 2021, CISA launched the Ransomware Readiness Assessment (RRA) to update the Cyber Security Evaluation Tool (CSET). The RRA module assists organizations in assessing their preparedness for preventing and recovering from ransomware and other cyber attacks.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is certified as CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.