Free open source tool detects activity in cloud environments related to well-known threat actors such as LUCR-3 (Scattered Spider), the group responsible for MGM and Caesars breaches last September

PALO ALTO, CA – March 7th, 2024 – Permiso, a Palo Alto-based identity threat detection and response startup, has announced the launch of CloudGrappler, an open-source tool designed to help security teams quickly detect threat actors in their Azure and AWS environments. The tool, developed from the foundation of Cado Security’s cloudgrep project, offers enhanced detection capabilities built from the tactics, techniques and procedures (TTPs) of modern cloud threat actors like LUCR-3 (Scattered Spider).

”We’ve been monitoring LUCR-3 for the last few years. We offered free threat briefings to share our knowledge of this group to help enterprises to better defend against them and now we’re providing a tool to help security teams even more. CloudGrappler is an open source tool that gives security teams the ability to take more pro-active steps to detecting known TTPs in their environments,” explained SVP of P0 Labs, Ian Ahl.

CloudGrappler queries for high-fidelity activity for some of the most notorious threat actors in the cloud. The tool excels in both detecting and analyzing singular log events, while offering a comprehensive view of potential security incidents that are occurring or have occurred in their environment. By leveraging the capabilities of cloudgrep and extending the detection capabilities to find threats more effortlessly in their AWS and Azure environments.

"The PO Labs continues to impress us by being at the forefront of these emerging cloud attacks. The knowledge they're able to share with our team on the TTPs of modern threat actors like Scattered Spider is unlike anything we've seen before,” said Rob Preta, Head of Cyber Security at ACV Auctions.

The tool, which is freely available on GitHub, allows users to define the data sources they want to scope in their scan. Through another JSON file, users are then able to leverage a list of pre-defined TTPs that are commonly used by cloud threat actors. Users are also able to add new queries dynamically or can add a new file with multiple queries to scan the target data set. After scanning, CloudGrappler delivers a comprehensive JSON report, including a detailed breakdown of the scan results.

“Knowing where to look and what to look for is key when searching for malicious activity. CloudGrep makes ongoing hunting for malicious activity as simple as a one-line command. It lets you seamlessly integrate Permiso intel and TTP-based detections into your threat hunting and incident response process, even if you don't have a SIEM,” added Andi Ahmeti, Associate Threat Researcher on the P0 labs team.

Crowdstrike released their annual Global Threat Report earlier this year, where they observed a 75% increase in cloud environment intrusions year over year, and 84% of adversary-attributed cloud-conscious intrusions focused on eCrime. A shocking 61% of those intrusions were in North America, with more than 50% of all attacks occurring in the tech, telecom and financial industries.

Last year, Permiso was at the front lines detecting and responding to multiple incidents for enterprises that were targeted by LUCR-3, a contingent of threat actors that overlaps with prominent groups like Scattered Spider. Permiso’s deep library of detection signals, driven by years of threat research of modern threat actors in the cloud, provided impacted organizations unparalleled visibility into their environment in a way that no other security solutions could offer.

To learn more about CloudGrappler, read Permiso's blog post on the release: https://permiso.io/blog/cloudgrappler-a-powerful-open-source-threat-detection-tool-for-cloud-environments 

You can get CloudGrappler on GitHub: https://github.com/Permiso-io-tools/CloudGrappler 

About Permiso

Permiso is an identity threat detection company that finds evil in cloud-based environments. Permiso creates session constructs for the identities across cloud and SaaS applications to break down visibility boundaries and understand user behavior and intent across your environment. These session constructs are developed by stitching together activity across cloud applications, services, and providers to create an immutable ledger of activity in an environment. Permiso creates a unified identity across authentication boundaries and presents this as a forensically sound access chain. By tying all activity back to a singular identity, Permiso is able to detect access anomalies, behavioral anomalies, or specific activities associated with compromised credentials. For more information, please visit our website or find us on Twitter and LinkedIn.