Permiso bolsters open source cloud identity security tools

Permiso, a real-time identity security company, has released a suite of three open-source tools to help security teams firm up their detection capabilities.

The company’s threat research arm, P0 Labs, earlier this year launched YetiHunter, an open-source tool that detects indicators of compromise in Snowflake environments.

It has also released CloudGrappler, which queries cloud logs for high-fidelity, single-event detections tied to well-known threat actors in popular cloud environments such as AWS and Azure.

Permiso has now released several more open-source projects that let security teams uplevel their detection capabilities across a variety of environments.

“The learning curve for detection in the cloud is steep and our goal is to help security teams bolster their detections across their cloud environments without having to purchase commercial software solutions like a SIEM,” said Permiso co-founder and co-CEO Jason Martin. “We are committed to providing resources that can help the broader security community defend against the TTPs [see below] of modern threat actors.”

Tactics, Techniques & Procedures

The first project in the suite is DetentionDodger, which finds identities with leaked credentials and assesses their potential impact. DetentionDodger lists every identity that has an AWS quarantine policy (versions 1 through 3) attached, and searches CloudTrail logs for failed attempts to attach a quarantine policy, to produce a list of users whose credentials have leaked.

It also enumerates every inline and attached policy on the user, and on each group the user belongs to, to gauge the impact of the leak from the privileges involved.
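The two steps described above, as an added example that is not DetentionDodger's own code: it scans constructed CloudTrail records for AttachUserPolicy events that reference one of the AWSCompromisedKeyQuarantine managed policies (the ARN prefix, the "LimitExceeded" failure, the user names and the IAM inventory are all assumptions for the demo), treats a failed attachment as the more urgent case because the key is leaked but not quarantined, and then flattens each affected user's direct, inline and group-inherited policies to rank impact.

```python
import json

# Managed-policy ARN prefix matched by this example: AWS attaches one of the
# AWSCompromisedKeyQuarantine{,V2,V3} policies when it detects a leaked key.
QUARANTINE_ARN_PREFIX = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine"

# Policy names this example treats as high impact (an assumption for the demo).
HIGH_IMPACT_POLICIES = {"AdministratorAccess", "PowerUserAccess", "IAMFullAccess"}

# Constructed CloudTrail records (not real logs): one quarantine attachment that
# succeeded, one that failed, and an unrelated policy attachment as noise.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "eventTime": "2024-10-01T12:00:00Z",
     "requestParameters": {"userName": "ci-deploy",
                           "policyArn": QUARANTINE_ARN_PREFIX + "V2"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "eventTime": "2024-10-02T08:15:00Z",
     "errorCode": "LimitExceeded",
     "errorMessage": "Cannot exceed quota for PoliciesPerUser: 10",
     "requestParameters": {"userName": "legacy-admin",
                           "policyArn": QUARANTINE_ARN_PREFIX + "V3"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "eventTime": "2024-10-02T09:00:00Z",
     "requestParameters": {"userName": "reader",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

# Constructed IAM inventory (what a live run would pull from the IAM API).
SAMPLE_INVENTORY = {
    "ci-deploy": {"attached": ["AmazonS3FullAccess"], "inline": ["deploy-inline"],
                  "groups": {"builders": ["AmazonEC2ReadOnlyAccess"]}},
    "legacy-admin": {"attached": ["AdministratorAccess"], "inline": [],
                     "groups": {"admins": ["IAMFullAccess"]}},
}


def quarantine_attachments(events):
    """Map userName -> details for every AttachUserPolicy event whose policy is
    an AWS quarantine policy, whether the attachment succeeded or failed."""
    found = {}
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") != "AttachUserPolicy":
            continue
        params = ev.get("requestParameters") or {}
        if not str(params.get("policyArn", "")).startswith(QUARANTINE_ARN_PREFIX):
            continue
        err = ev.get("errorCode")
        # A failed attachment still means AWS saw a leaked key for this user;
        # the key is leaked but NOT quarantined, so it is the more urgent case.
        found[params.get("userName")] = {
            "attached": err is None,
            "error": err,
            "policy": params["policyArn"].rsplit("/", 1)[-1],
        }
    return found


def effective_policies(user, inventory):
    """Flatten attached, inline and group-inherited policy names for a user."""
    rec = inventory.get(user, {})
    names = set(rec.get("attached", [])) | set(rec.get("inline", []))
    for group_policies in rec.get("groups", {}).values():
        names |= set(group_policies)
    return names


def leaked_credential_report(events, inventory):
    """Combine both steps: who was quarantined (or should have been), and how
    much damage the leaked key can still do. Unquarantined, high-impact first."""
    report = []
    for user, info in quarantine_attachments(events).items():
        pols = effective_policies(user, inventory)
        report.append({
            "user": user,
            "quarantine_policy": info["policy"],
            "quarantine_applied": info["attached"],
            "error": info["error"],
            "policies": sorted(pols),
            "high_impact": bool(pols & HIGH_IMPACT_POLICIES),
        })
    report.sort(key=lambda r: (r["quarantine_applied"], not r["high_impact"], r["user"]))
    return report


if __name__ == "__main__":
    print(json.dumps(leaked_credential_report(SAMPLE_EVENTS, SAMPLE_INVENTORY), indent=2))
```

On real data the inventory step is the expensive part; the CloudTrail scan alone already tells you which users to look at first, and a failed attachment is worth an alert on its own.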

BucketShield is a monitoring and alerting system for AWS S3 buckets and CloudTrail logs. It verifies that logs flow consistently from AWS services into S3 buckets and flags misconfigurations that could interrupt log collection.

By tracking IAM roles, KMS configurations and S3 log flows in real time, BucketShield aims to ensure that every critical event is recorded and the AWS environment remains audit-ready.
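The kind of delivery check the two paragraphs above describe, as an added example that is not BucketShield's own code: it takes a trail description, the log bucket's policy and the KMS key policy (all constructed here; in a live run they would come from describe_trails, get_trail_status, get_bucket_policy and get_key_policy) and reports the misconfigurations that stop CloudTrail from writing: logging switched off, a missing s3:GetBucketAcl grant, a PutObject grant that does not cover the log prefix or lacks the bucket-owner-full-control condition, and a KMS key that does not let CloudTrail generate data keys. The weak and corrected policies are shown side by side.

```python
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"          # constructed account id
CLOUDTRAIL = "cloudtrail.amazonaws.com"

# Constructed trail description (not from a real account).
TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "S3KeyPrefix": "",
    "IsLogging": True,               # would come from get_trail_status
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1111-example",
}

# Weak bucket policy: PutObject points at a stale prefix and lost the ACL condition.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs"},
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/old-prefix/*"},
    ],
}

# Corrected bucket policy, shaped like the one the CloudTrail console generates.
GOOD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs"},
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::example-cloudtrail-logs/AWSLogs/{ACCOUNT_ID}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

# Weak key policy: only the account root, so CloudTrail cannot encrypt and delivery fails.
WEAK_KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"}]}
GOOD_KEY_POLICY = {"Statement": WEAK_KEY_POLICY["Statement"] + [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "kms:GenerateDataKey*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows(policy, service, action, resource, condition=None):
    """True if some Allow statement grants `service` an action pattern matching
    `action` on a resource pattern matching `resource` (and `condition`, if given).
    IAM's '*' wildcard is approximated with fnmatch, which is enough for ARNs."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if service not in _as_list((st.get("Principal") or {}).get("Service", [])):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if condition is not None and st.get("Condition") != condition:
            continue
        return True
    return False


def check_log_delivery(trail, bucket_policy, key_policy, account_id):
    """Return the findings that would interrupt CloudTrail -> S3 delivery."""
    findings = []
    if not trail.get("IsLogging"):
        findings.append("trail is not logging")
    bucket = trail["S3BucketName"]
    prefix = trail.get("S3KeyPrefix") or ""
    prefix = prefix.rstrip("/") + "/" if prefix else ""
    # A representative object key CloudTrail would write under this trail.
    obj = (f"arn:aws:s3:::{bucket}/{prefix}AWSLogs/{account_id}"
           "/CloudTrail/us-east-1/2024/10/01/x.json.gz")
    if not _allows(bucket_policy, CLOUDTRAIL, "s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"):
        findings.append("bucket policy lacks s3:GetBucketAcl for cloudtrail.amazonaws.com")
    acl = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    if not _allows(bucket_policy, CLOUDTRAIL, "s3:PutObject", obj, acl):
        findings.append("bucket policy lacks s3:PutObject on the log prefix "
                        "with the bucket-owner-full-control condition")
    if trail.get("KmsKeyId") and not _allows(key_policy, CLOUDTRAIL, "kms:GenerateDataKey", "*"):
        findings.append("KMS key policy does not let cloudtrail.amazonaws.com generate data keys")
    return findings


if __name__ == "__main__":
    print(json.dumps(check_log_delivery(TRAIL, WEAK_BUCKET_POLICY, WEAK_KEY_POLICY, ACCOUNT_ID), indent=2))
    print(json.dumps(check_log_delivery(TRAIL, GOOD_BUCKET_POLICY, GOOD_KEY_POLICY, ACCOUNT_ID), indent=2))
```

The point of running such a check on a schedule rather than once is that any of these inputs can be changed by an attacker with the right IAM permissions, and a trail that silently stops delivering looks the same as a quiet account until you go looking for the gap.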

CAPICHE, get it?

Finally, the CAPICHE Detection Framework (Cloud API Conversion Helper Express) is an open-source tool that simplifies each step of the cloud API detection translation pipeline. It lets a defender quickly generate many detection rules from groupings of APIs, even when the complete API names are not known.
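The expand-then-translate idea from the paragraph above, as an added example that is not CAPICHE's own code: a grouping of partial API names (wildcards such as "iam:*AccessKey*" or a bare fragment like "DeleteTrail") is resolved against a small constructed catalog of service API names, and the resolved set is rendered both as a CloudTrail Lake / Athena-style SQL query and as a Sigma-shaped rule. The catalog, the rule names and the output column names are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed slice of an API catalog (service -> API names); a real catalog
# would be generated from the service definitions and be far larger.
API_CATALOG = {
    "iam": ["CreateUser", "DeleteUser", "CreateAccessKey", "DeleteAccessKey",
            "UpdateAccessKey", "AttachUserPolicy", "DeleteUserPolicy"],
    "cloudtrail": ["StartLogging", "StopLogging", "DeleteTrail", "UpdateTrail"],
    "s3": ["PutObject", "DeleteBucket", "PutBucketPolicy"],
}


def _to_regex(fragment):
    """'*' is a wildcard anchored to the whole name; a fragment with no
    wildcard is a case-insensitive substring, so 'AccessKey' still resolves."""
    if "*" in fragment:
        return re.compile("^" + ".*".join(map(re.escape, fragment.split("*"))) + "$", re.I)
    return re.compile(re.escape(fragment), re.I)


def expand_apis(group, catalog=API_CATALOG):
    """Expand 'service:fragment' (or a bare 'fragment' matched across every
    service) into a sorted list of concrete (service, api) pairs."""
    hits = set()
    for item in group:
        service, sep, frag = item.partition(":")
        if not sep:
            service, frag = "", service
        rx = _to_regex(frag)
        for svc, apis in catalog.items():
            if service and svc != service.lower():
                continue
            hits.update((svc, a) for a in apis if rx.search(a))
    return sorted(hits)


def _by_service(pairs):
    grouped = defaultdict(list)
    for svc, api in pairs:
        grouped[svc].append(api)
    return dict(sorted(grouped.items()))


def to_cloudtrail_sql(name, pairs, table="cloudtrail_logs"):
    """Render the expansion as one query, one OR-clause per event source."""
    clauses = [
        "(eventSource = '%s.amazonaws.com' AND eventName IN (%s))"
        % (svc, ", ".join("'%s'" % a for a in apis))
        for svc, apis in _by_service(pairs).items()
    ]
    return (f"-- {name}\n"
            "SELECT eventTime, userIdentity.arn, eventSource, eventName, sourceIPAddress\n"
            f"FROM {table}\nWHERE " + "\n   OR ".join(clauses))


def to_sigma_like(name, pairs):
    """Render the same expansion as a Sigma-shaped rule: one selection per
    service so eventSource and eventName stay paired, joined by '1 of sel_*'."""
    detection = {
        f"sel_{svc}": {"eventSource": f"{svc}.amazonaws.com", "eventName": apis}
        for svc, apis in _by_service(pairs).items()
    }
    detection["condition"] = "1 of sel_*"
    return {"title": name,
            "logsource": {"product": "aws", "service": "cloudtrail"},
            "detection": detection}


if __name__ == "__main__":
    grouping = ["iam:*AccessKey*", "cloudtrail:Stop*", "DeleteTrail"]
    pairs = expand_apis(grouping)
    print(to_cloudtrail_sql("key-and-trail-tampering", pairs))
    print(to_sigma_like("key-and-trail-tampering", pairs))
```

Keeping eventSource and eventName paired per service matters: a single flat selection with both lists would also match, say, an s3 event named DeleteTrail if one ever existed, which is the kind of loose rule that translation helpers are meant to avoid.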