At the end of March 2023, CISA released a new tool called ‘Untitled Goose.’ It is a post-incident hunting tool to help security practitioners sift through security logs in the Microsoft Cloud. In this blog, we discuss the tool, its uses, and our opinion on it.
Continuing our review of practices to protect cloud infrastructures from weaknesses that can be introduced from on-premises accounts, we consider admin rights, authentication, and conditional access policies, plus the need to collect and analyze the log data available in cloud environments to make sure that nothing nasty is slipping through.
According to a Microsoft presentation at TEC 2021, organizations moving to the cloud from on-premises infrastructures should pay attention to security weaknesses that could be introduced from on-premises accounts. It's all too easy to allow a highly permissioned on-premises account to evolve into one that has full access across a Microsoft 365 infrastructure, and that can lead to terrible consequences if attackers penetrate the on-premises infrastructure and compromise the accounts.