Permiso, a Palo Alto-based identity threat detection and response startup, has announced the launch of CloudGrappler, an open-source tool designed to help security teams quickly detect threat actors in their Azure and AWS environments.

The tool, built on the foundation of Cado Security’s cloudgrep project, offers enhanced detection capabilities drawn from the tactics, techniques, and procedures (TTPs) of modern cloud threat actors such as LUCR-3 (Scattered Spider).

Open-source tool

“We’ve been monitoring LUCR-3 for the last few years. We offered free threat briefings to share our knowledge of this group to help enterprises better defend against them, and we’re providing a tool to help security teams even more,” explained SVP of P0 Labs, Ian Ahl.

Ian Ahl adds, "CloudGrappler is an open-source tool that gives security teams the ability to take more proactive steps to detect known TTPs in their environments."

CloudGrappler

CloudGrappler queries for high-fidelity activity associated with some of the most notorious threat actors in the cloud. The tool excels at both detecting and analysing individual log events, while offering a comprehensive view of potential security incidents that are occurring, or have occurred, in an environment.

It leverages the capabilities of cloudgrep and extends its detection capabilities so that security teams can find threats more easily in their AWS and Azure environments.

Response to cloud attacks

"P0 Labs continues to impress us by being at the forefront of these emerging cloud attacks. The knowledge they're able to share with our team on the TTPs of modern threat actors like Scattered Spider is unlike anything we've seen before,” said Rob Preta, Head of Cyber Security at ACV Auctions.

The tool, which is freely available on GitHub, allows users to define the data sources they want to scope in their scan.

Comprehensive JSON report

Through another JSON file, users are then able to leverage a list of predefined TTPs that are commonly used by cloud threat actors.

Users are also able to add new queries dynamically or can add a new file with multiple queries to scan the target data set. After scanning, CloudGrappler delivers a comprehensive JSON report, including a detailed breakdown of the scan results. 
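To make the scan-and-report workflow described above concrete, here is an added illustration in Python; it is not CloudGrappler's or cloudgrep's own code, and the query-file shape (a JSON list of named regex queries), the event field names and the sample events are all assumed or constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed CloudTrail-style events standing in for the scoped data source.
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"}},
    {"eventName": "UpdateLoginProfile", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
]

# Constructed query file: a list of predefined, TTP-style queries. Each query
# is a regex applied to the serialised event, grep-style (assumed format).
QUERIES_JSON = json.dumps([
    {"name": "iam-persistence",
     "query": r'"eventName": "(CreateAccessKey|UpdateLoginProfile)"'},
    {"name": "enumeration",
     "query": r'"eventName": "(GetCallerIdentity|ListBuckets)"'},
])

def load_queries(text):
    """Parse the query file into (name, compiled regex) pairs."""
    return [(q["name"], re.compile(q["query"])) for q in json.loads(text)]

def scan(events, queries):
    """Run every query over every event; return one hit record per match."""
    hits = []
    for idx, event in enumerate(events):
        line = json.dumps(event, sort_keys=True)  # one grep-able line per event
        for name, pattern in queries:
            if pattern.search(line):
                hits.append({"query": name, "event_index": idx,
                             "eventName": event["eventName"],
                             "actor": event["userIdentity"]["arn"],
                             "sourceIPAddress": event["sourceIPAddress"]})
    return hits

def build_report(events, queries):
    """Produce the JSON-serialisable report with a per-query breakdown."""
    hits = scan(events, queries)
    return {"events_scanned": len(events), "total_hits": len(hits),
            "hits_per_query": dict(Counter(h["query"] for h in hits)),
            "hits": hits}

if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS, load_queries(QUERIES_JSON))
    print(json.dumps(report, indent=2))
```

Adding a query is a matter of appending another object to the query list; the report's `hits_per_query` breakdown then shows which TTP-style queries fired and against which actor and source address.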

One-line command

“Knowing where to look and what to look for is key when searching for malicious activity. CloudGrappler makes ongoing hunting for malicious activity as simple as a one-line command,” said Andi Ahmeti, Associate Threat Researcher on the P0 Labs team.

Andi Ahmeti adds, "It lets you seamlessly integrate Permiso intel and TTP-based detections into your threat hunting and incident response process, even if you don't have a SIEM."

Cloud environment intrusions

CrowdStrike released its annual Global Threat Report earlier in 2024, in which it observed a 75% increase in cloud environment intrusions year over year, with 84% of adversary-attributed cloud-conscious intrusions focused on eCrime.

A shocking 61% of those intrusions were in North America, with more than 50% of all attacks occurring in the tech, telecom, and financial industries. 

Unparalleled visibility

In 2023, Permiso was on the front lines detecting and responding to multiple incidents for enterprises that were targeted by LUCR-3, a contingent of threat actors that overlapped with prominent groups like Scattered Spider.

Permiso’s deep library of detection signals, driven by years of threat research on modern threat actors in the cloud, gave impacted organisations unparalleled visibility into their environments in a way that no other security solution could offer.
