CISA Releases New Cyber Tool

They are seeking the widest dissemination of the information.

This is all a bit beyond what I do for a living, but it could have an application for your organization, be it public or private.

A few years back, the Center for Regional Disaster Resilience (CRDR) conducted a cybersecurity workshop on behalf of the King County Office of Emergency Management, where they tried to drill down on who to report a cyber intrusion to. There were plenty of organizations floated. At least in this case they are calling themselves out as being a place to report and ask for help. See this: “Please contact CISA (via email at central@cisa.dhs.gov or by phone at 1-888-282-0870) to report an intrusion or to request either technical assistance or additional resources for incident response.”

Here’s the message from CISA:

“Critical Infrastructure Colleagues and Partners,

“Today, CISA released ‘Aviary,’ a new companion resource to its existing Sparrow detection tool, which helps partners detect possible compromised accounts and applications in the Azure/M365 environment. This resource is available on the CISA GitHub page (Github.com/cisagov/sparrow/releases) with updated instructions provided within the Sparrow-section of the original alert, AA21-008A ‘Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.’

“A current activity report has also been released in conjunction with the Aviary tool for more information: https://us-cert.gov/ncas/current-activity/2021/04/08/using-aviary-to-analyze-post-compromise-threat-activity

“Aviary provides a user-friendly dashboard to display the output data from the Sparrow tool. Since its release in late December 2020 (and subsequent updates in early 2021), Sparrow has focused incident responders’ attention on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. Aviary, a complementary Splunk-based analysis dashboard, now enables these incident responders to better display the CSV output data from Sparrow’s PowerShell Script [1].

“The development of Aviary is a direct result of the constructive feedback CISA has received in the last few months. The Aviary dashboard represents an important upgrade in the user experience, and we feel it will greatly enhance the efficacy of the Sparrow tool and the data it produces. For organizations already using a Splunk back end, Aviary is ready to use without adjustments, with no dependencies on it.

“Our hope is the new user experience and easier to understand outputs will help our partners better understand the steps for detecting and mitigating against potentially malicious activity in their Azure/M365 environment and prevent the re-use of similar tactics, techniques, and procedures in the future.

“Please contact CISA (via email at central@cisa.dhs.gov or by phone at 1-888-282-0870) to report an intrusion or to request either technical assistance or additional resources for incident response.”

 

Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.