Forensics

From a posting by CISA on 12.24.20:

CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.

CISA strongly encourages users and administrators to visit the following GitHub page for additional information and detection countermeasures.

The tool is PowerShell script called “Sparrow” created by CISA’s Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory. Looks like it requires the CloudConnect, AzureAD and MSOnline PowerShell modules.

Read more

The report is based on a study conducted by staff at FERC, NERC and NERC regional entities. The study is based on information provided by experts at eight U.S. electric utilities of various sizes and functions, and its goal was to help the industry improve incident response and incident recovery plans, which authors of the study say help ensure the reliability of the bulk electric system in the event of a cybersecurity incident.

The study found that there is no best incident response and recovery (IRR) plan model. The IRR plans of the targeted utilities share many similarities — they are based on the same NIST framework (SP 800-61) — but there are also differences, and some organizations have developed separate plans for incidents impacting their operational and business networks.

Read more