Permiso Launches CloudGrappler to Help Security Teams Better Detect Threat Actors in Their Cloud Environments


Permiso, a Palo Alto-based identity threat detection and response startup, has announced the launch of CloudGrappler, an open-source tool designed to help security teams quickly detect threat actors in their Azure and AWS environments. The tool, built off the foundation of Cado Security’s cloudgrep project, offers enhanced detection capabilities built from the tactics, techniques and procedures (TTPs) of modern cloud threat actors like LUCR-3 (Scattered Spider).

“We’ve been monitoring LUCR-3 for the last few years. We offered free threat briefings to share our knowledge of this group to help enterprises to better defend against them and now we’re providing a tool to help security teams even more. CloudGrappler is an open-source tool that gives security teams the ability to take more proactive steps to detect known TTPs in their environments,” explained SVP of P0 Labs, Ian Ahl.

CloudGrappler queries for high-fidelity activity for some of the most notorious threat actors in the cloud. The tool excels in both detecting and analyzing singular log events, while offering a comprehensive view of potential security incidents that are occurring or have occurred in their environment. By leveraging the capabilities of cloudgrep and extending the detection capabilities to find threats more effortlessly in their AWS and Azure environments.

“The PO Labs continues to impress us by being at the forefront of these emerging cloud attacks. The knowledge they’re able to share with our team on the TTPs of modern threat actors like Scattered Spider is unlike anything we’ve seen before,” said Rob Preta, Head of Cyber Security at ACV Auctions.

Also Read: How to Choose the Right Cybersecurity Software

The tool, which is freely available on GitHub, allows users to define the data sources they want to scope in their scan. Through another JSON file, users are then able to leverage a list of predefined TTPs that are commonly used by cloud threat actors. Users are also able to add new queries dynamically or can add a new file with multiple queries to scan the target data set. After scanning, CloudGrappler delivers a comprehensive JSON report, including a detailed breakdown of the scan results.

“Knowing where to look and what to look for is key when searching for malicious activity. CloudGrappler makes ongoing hunting for malicious activity as simple as a one-line command. It lets you seamlessly integrate Permiso intel and TTP-based detections into your threat hunting and incident response process, even if you don’t have a SIEM,” added Andi Ahmeti, Associate Threat Researcher on the P0 Labs team.

Crowdstrike released their annual Global Threat Report earlier this year, where they observed a 75% increase in cloud environment intrusions year over year, and 84% of adversary-attributed cloud-conscious intrusions focused on eCrime. A shocking 61% of those intrusions were in North America, with more than 50% of all attacks occurring in the tech, telecom and financial industries.

Last year, Permiso was on the front lines detecting and responding to multiple incidents for enterprises that were targeted by LUCR-3, a contingent of threat actors that overlaps with prominent groups like Scattered Spider. Permiso’s deep library of detection signals, driven by years of threat research of modern threat actors in the cloud, provided impacted organizations unparalleled visibility into their environment in a way that no other security solutions could offer.

Check Out The New ITsecuritywire Podcast. For more such updates follow us on Google News ITsecuritywire News.