The Cybersecurity and Infrastructure Security Agency (CISA) hasn’t been around for very long—formed in 2018, it’s one of the youngest federal agencies that exists. It’s probably best known for circulating alerts and advisories about hardware and software exploits that have the potential to wreak havoc across the economy.
But CISA isn’t just waiting and watching for threats—it’s also actively developing free security software to counter them. The intent is to identify holes in the nation’s preparedness that aren’t being adequately countered by commercial providers, or for which solutions might not be widely accessible, and help plug them. Enter: the goose.
Specifically, CISA’s Untitled Goose Tool, a utility that helps scan for malicious intrusions in Microsoft cloud environments like Azure, Azure Active Directory, and Microsoft 365. Developed in partnership with Sandia National Laboratories and released in March, it’s available to download for free on GitHub.
Yes, and it’s named after Untitled Goose Game, the surprise hit 2019 video game where players control a cranky goose that struts around town, tormenting unfortunate villagers with avian mischief.
According to Jermaine Roebuck, CISA associate director for threat hunting, CISA identified the need for tooling like Untitled Goose Tool after the sprawling 2020 SolarWinds attack, which involved supply chain attacks on the Microsoft cloud. Roebuck told IT Brew that CISA evaluated “many” PowerShell tools to investigate those environments and realized they weren’t collecting the right kinds of data.
“They were missing large amounts of critical data that we needed for our incident response investigations,” Roebuck said. “Many of the tools were not able to extract the unified audit log in a timely fashion.”
Roebuck said the tool has unique methods of performing authentication against Microsoft tenants—essentially allowing admins to emulate a user entering their login credentials—and novel data gathering methods. For example, the tool uses consolidated APIs to allow users to extract configuration and log data that might otherwise require fumbling around with PowerShell commandlets and Microsoft Graph API.
Then there’s “goosey graze” and “goosey honk.” Goosey graze performs time bounding on the unified audit log, while goosey honk extracts data within those bounds.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“Our goosey graze tool basically allows us to go back 365 days, and in that 365 days, there’s a function and a method within our script that allows us to say, ‘Hey, how many results are going to be returned in that 364 day period?’” Roebuck told IT Brew. “If that result is too large, we then, by time frame, start to chunk that up in half, until we get down to a reasonable number of logs…and then recompile them on the back end.”
Untitled Goose Tool is one of the “battlefield innovations” the agency developed in response to input from the private sector and the flyaway teams the agency sends to aid civic organizations in incident response, Roebuck said.
Untitled Goose Tool is just one of many efforts CISA is making to fill those gaps. In February, it and the FBI issued guidance about the ESXiArgs ransomware targeting unpatched versions of VMware ESXi software, as well as released a recovery script on GitHub.
CISA also runs the “pre-ransomware notification initiative,” which processes and passes on tips about potential ransomware intrusions, and the Ransomware Vulnerability Warning Pilot (RVWP), an opt-in program in which CISA scans enrolled entities to determine their exposure. (CISA uses less active methods, like open source tools and data sources, to look at entities that have yet to enroll.)
Eric Goldstein, CISA’s executive assistant director for cybersecurity, told IT Brew via an email by CISA spokesperson Zee Zaman that throughout 2023, the agency and its partners have notified over 200 entities in sectors including energy, healthcare, and water of potential intrusions.
“We’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred,” Goldstein wrote.
Untitled Goose Tool is the first one to be named after a video game featuring an unruly waterfowl, though. Asked just who the gamer is at CISA, Roebuck laughed and said, “It’s all of us.”