A free tool has been released by the Cybersecurity & Infrastructure Security Agency (CISA) called “Untitled Goose Tool” or Goose for short. CISA states that the free tool helps network defenders detect potentially malicious activity by assisting in data gathering and authentication.
At one of our recent 3 Tree Tech security events, a respected CISO asked me to look into this tool and determine if it’s worth using.
What is Goose?
As stated on CISA.gov, this tool is free. It’s designed to “help network defenders detect potentially malicious activity in MSFT Azure, AD, and 365 environments.” It accomplishes this through gathering and authenticating data.
In theory, it sounds helpful, and it’s hard to beat the price of free. To determine if it is worth its salt, however, I connected with a couple of tenured CISOs in my network and asked for their insight.
One of the CISOs I connected with warned against placing too much trust in the tool. Although this tool can be appealing to organizations with tight security budgets, it can potentially lead to wasting time and money. This is because the items or vulnerabilities you target to fix may lack context. Without context, you may end up treating a symptom of an issue rather than the root cause.
Just like any other tool, there will always be limitations. However, let’s discuss where this tool can shine.
Benefits of CISA’s Goose Tool
The Untitled Goose Tool could be of great use to an organization that may not have a SIEM in place and wishes to log events from an MS Azure environment. A respected infosec source who preferred to be unnamed for this article informed me of three potential fits for the tool:
- An internal incident responder in a less mature organization that does not have the budget for a full SIEM to manage events would be able to quickly pull data for analysis and use it to triage or identify an event.
- An external incident responder who may not trust the SIEM of the client (concerns of a compromised SIEM) can use this to acquire unfiltered data.
- During the due diligence phase of acquiring a company, the tool can be used to access and review data about an acquisition target’s posture and potential security issues without having to gain full access to the target’s SIEM.
These three uses are valuable, but if an organization already has a robust SIEM solution in place, and has its Azure environment reporting event data to it, then there is limited value (unless SIEM compromise is a concern).
General security concerns:
Due to the various tales of vendors and agencies being breached recently, there has been an erosion of trust and an increase in paranoia within the security community.
Although it may seem like common sense, any company implementing code from external sources should still do an appsec review in accordance with its own level of risk tolerance. The lower the tolerance, the more it should scrutinize the code.
CISA or any other government entity shouldn’t be trusted any more or less than the code you can obtain from various internet sources (for example, StackExchange). At the end of the day, they are an unknown third party.
However, it could be argued that tools such as Goose allow for a higher confidence level since you can actually inspect the code as opposed to pre-compiled binaries you may receive from a for-profit vendor.
Conclusion
Overall, this tool could be a great resource to organizations in select situations. It is important to not rely too heavily on a tool, which can be said about anything on the market. You have to make sure your doors and windows are locked before you start worrying about someone tunneling in from the backyard.
If anything, the release of this tool is a reflection of our country’s commitment to taking cyber seriously, and we will hopefully see more collaboration between the federal and private sectors in the future.
Jacob Friedman is a Strategic Account Director at 3 Tree Tech in Portland. He enjoys researching new disruptive tech across the full stack and introducing it to tech execs across the United States.