Sandia LabNews

Sandia helps develop digital tool to track cloud hackers

Image of untitled-goose
DATA DIGGER — Sandia helped the Cybersecurity and Infrastructure Security Agency develop a new toolset to quickly analyze and isolate unusual data in cloud computing environments. (Getty Images)

Sandia programmers are helping the federal Cybersecurity and Infrastructure Security Agency through an innovative program that enlists Microsoft cloud users everywhere to track down hackers and cyberterrorists.

Untitled Goose Tool was introduced to the public through a CISA alert in March. Sandia cybersecurity expert Wellington Lee was part of the team that developed the free tool to track potentially malicious activity in Microsoft Azure, Azure Active Directory and Microsoft Office 365 environments.

“All these environments are very, very different so we wanted to figure out what is the best way to very quickly get all the cloud information that we need to be able to do what we do from a forensic standpoint,” Wellington said. “Cybersecurity in general is a fast, evolving field. But cloud computing, especially, is much newer in comparison to your traditional computer or network forensics where people are looking at a thing on-site. It is a new area to try and figure out what is the best way that we can do this.”

Untitled Goose Tool is a suite of data collection tools that can quickly scour a virtual storage space to find evidence of a possibly malicious user accessing the data, gather data on how they accessed the supposedly secure cloud space and bring the data back to CISA’s security experts for review.

“Sometimes it’s a large department or agency with tens of thousands of users,” Wellington explained. “So that’s a lot of data that we have to work with. The tool is able to pull down data for all those users, which is not a simple feat.”

But it could also be small businesses with payroll and other information stored virtually. In short, Untitled Goose Tool can be very helpful for a wide variety of accounts of differing sizes to find bits of code left behind by an intruder. But that variety, which also includes different types of paid access, also makes things complicated — which programmers had to account for.

“That’s why we built the Untitled Goose Tool, to be able to pull that data back, so we have all the data locally and we can do analysis on that data without relying on capabilities in the customer’s cloud environment,” Wellington said.

The idea for this forensic software came organically while Wellington was deployed to support CISA. The team working on cloud computing forensics — which serves federal, state, local, tribal and territorial agencies — were getting called in to investigate data breaches in systems that differ as much as the groups that use them and had a short amount of time to try to figure out what happened.

“These environments are not homogeneous,” he added. “Large departments or agencies with tens of thousands of users, maybe even up to 100,000 plus users, is a lot of data that we have to work through. We created Untitled Goose Tool to be agnostic to the customer’s subscription tier of their cloud environment.”

Gathering as much data as possible no matter what customer environment they are in became very important, so the team and Wellington started with the Microsoft servers.

“We figured out what is the best way to get all the cloud information that we need to do what we do from a forensic standpoint, and do so really quickly,” he recalled, adding that cyberthreats are constantly evolving.

“In the cloud, you might have someone impersonating someone else,” he said. “Perhaps they got an authentication token stolen through a phishing e-mail. So, let’s say someone’s authentication token might have been stolen and then used to log in as Michael Langley from Los Angeles. But we can see that Michael Langley is not in Los Angeles. This looks suspicious, so Untitled Goose Tool pulls back data that can help identify some of those inconsistencies. It pulls back quite a lot of different types of logs from various sources in the cloud.”

The appointment of Sandia to aid CISA speaks to the expertise that the Labs brings to these kinds of threats.

“We have a unique level of expertise in terms of our cybersecurity,” Wellington said. “We have a smaller presence in terms of how many physical people are working with CISA, but we bring a really advanced level of understanding of the nation’s problems. From deep in the weeds, all the way up to sweeping policy that affects a lot of things.”

It’s a relationship that continues to evolve and pay dividends for the nation. Something Wellington has seen first-hand.

“It’s really cool to see how much excitement there is around the tool,” he said. “But the war goes on. There are always improvements that we have the expertise to make that give our federal partners valuable tools to continue to protect the nation.”

Recent articles by Michael Ellis Langley