Detecting Cloud Threats With CloudGrappler

The open source tool from Permiso can help security teams identify threat actors lurking within their AWS and Azure environments.

Dark Reading Staff, Dark Reading

March 19, 2024


With organizations depending more on cloud infrastructure for their operations, enterprise defenders need tools that can help them monitor their cloud environments and detect threat actors before they can cause too much damage. CloudGrappler is a new open source tool from Permiso designed to scan an organization's Azure and Amazon Web Services environments looking for tactics, techniques, and procedures (TTPs) used by threat actors.

Security teams define a list of data sources that should be included in the scan and a list of predefined TTPs commonly used by cloud threat actors, and CloudGrappler scans logs and other event data to deliver a JSON report with a detailed breakdown of everything it finds. The security team can also add new queries dynamically to the input file, create a new input file with multiple queries, and define ways to filter the results based on criteria like date range and file size.

CloudGrappler uses cloudgrep, originally developed by Cado Security, to query cloud environments.

The tool captures relevant metadata, such as time stamps, resource names, and file paths. When the scan completes, CloudGrappler correlates the results with Permiso's threat intelligence data to provide context around the detected events, including details about the associated threat actor, severity level, and risk assessment. The scanning tool can query for specific threat actors, look for single events, or provide granular incident analysis, Permiso said.
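
An added sketch of the workflow described above (a query list, date-range and file-size filters, captured metadata, and threat-intelligence context in a JSON report). It is not CloudGrappler or cloudgrep code and does not use their input or report formats; the log lines, the simplified `resource` field, the actor labels, and the severities are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed query list: a pattern plus the context a threat-intel source would attach.
QUERIES = [
    {"query": r'"eventName":\s*"StopLogging"', "actor": "EXAMPLE-ACTOR-A", "severity": "high"},
    {"query": r'"eventName":\s*"CreateAccessKey"', "actor": "EXAMPLE-ACTOR-B", "severity": "medium"},
]

# Constructed log objects: path -> newline-delimited, simplified CloudTrail-style events.
SAMPLE_LOGS = {
    "logs/2024/03/01/trail-a.json": "\n".join([
        '{"eventTime": "2024-03-01T10:02:11Z", "eventName": "StopLogging", "resource": "trail/org-trail"}',
        '{"eventTime": "2024-03-01T10:05:40Z", "eventName": "ListBuckets", "resource": "s3"}',
    ]),
    "logs/2024/02/10/trail-b.json":
        '{"eventTime": "2024-02-10T08:00:00Z", "eventName": "CreateAccessKey", "resource": "user/build-bot"}',
}

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def scan(logs, queries, start, end, max_bytes=1_000_000):
    """Return report entries for events that match a query and fall inside [start, end]."""
    compiled = [(re.compile(q["query"]), q) for q in queries]
    report = []
    for path, body in sorted(logs.items()):
        if len(body.encode()) > max_bytes:       # file-size filter
            continue
        for line in body.splitlines():
            for pattern, q in compiled:
                if not pattern.search(line):
                    continue
                try:
                    event = json.loads(line)
                    when = parse_time(event["eventTime"])
                except (ValueError, KeyError, TypeError):
                    continue                     # malformed event: skip rather than abort the scan
                if start <= when <= end:         # date-range filter
                    report.append({"file": path, "timestamp": event["eventTime"],
                                   "resource": event.get("resource"), "query": q["query"],
                                   "actor": q["actor"], "severity": q["severity"]})
    return report

def march_2024_report():
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    end = datetime(2024, 3, 31, 23, 59, 59, tzinfo=timezone.utc)
    return scan(SAMPLE_LOGS, QUERIES, start, end)

if __name__ == "__main__":
    print(json.dumps(march_2024_report(), indent=2))
```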
