Connect with us

Hi, what are you looking for?


Cloud Security

New Open Source Tool Hunts for APT Activity in the Cloud

The CloudGrappler open source tool can detect the presence of known threat actors in cloud environments.

Threat intelligence firm Permiso Security has released an open source tool to help organizations detect cloud environment intrusions by known advanced persistent threat (APT) actors.

Dubbed CloudGrappler, the solution is built upon the capabilities of Cado Security’s cloudgrep open source tool that supports searching for log files in AWS, Azure, and Google Cloud Storage.

CloudGrappler, Permiso explains, enables the detection of suspicious and malicious activity matching the tactics, techniques, and procedures (TTPs) of known threat actors in popular cloud environments, which may go unnoticed in a flood of alerts.

“CloudGrappler specializes in querying for activity demonstrated by some of the most notorious threat actors in the cloud. Based on subset activity from Permiso’s library of hundreds of detections, it helps organizations detect threats targeting their cloud infrastructure,” Permiso explains.

The tool is notably good at detecting and analyzing single events, providing a granular view of security incidents, and helping identify anomalies fast.

CloudGrappler includes a data_sources.json file for defining the scope of a scan, allowing users to specify parameters to target specific resources but also enabling comprehensive scan across AWS and Azure environments.

The tool also includes a queries.json file containing predefined TTPs commonly used by threat actors and allows users to modify the source to scan the corresponding query or add custom queries to the file.

Once the scanning process is completed, CloudGrappler provides a report in a JSON format, containing a detailed breakdown of the scan results, including the cloud platform, specific resources, and details like prefixes or filenames.

Advertisement. Scroll to continue reading.

“These reports offer easy to read, granular details of the findings to enable the security team to address them as quickly as possible,” Permiso says.

The security firm also notes that CloudGrappler’s usage can be optimized by using short time ranges when querying for results.

CloudGrappler is available on GitHub, together with instructions on how to use it.

Related: Cisco Releases Open Source Backplane Traffic Visibility Tool for OT

Related: Linux Foundation Tackles Financial Fraud With Open Source Platform

Related: Google Open Sources AI-Aided Fuzzing Framework

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.