
New open-source tool from Permiso targets cloud policy obfuscation risks

Identity threat detection and response startup Permiso Security Inc. today released a new open-source tool that helps offensive and defensive security professionals understand how policies could be obfuscated by threat actors to go undetected in an environment.

Called SkyScalpel, the tool is designed for cloud environments where JSON-based policies, particularly in Amazon Web Services Inc., dictate what resources users and systems can access and the actions they perform. Permiso argues that these policies can be susceptible to obfuscation, in which bad actors manipulate the policy’s syntax and semantics to hide their true intentions, making them difficult to detect and prevent.

SkyScalpel addresses obfuscation by providing a solution for scanning, analyzing and normalizing obfuscated policies. The tool ensures that security teams can quickly identify and rectify policies that may compromise the security of their cloud environments.

Given a policy containing some obfuscation, the tool uses a custom tokenizer to parse and decode syntactical obfuscation techniques, allowing access to the underlying values while still preserving the original values for comparison or reassembly of the original input policy.

“SkyScalpel will help teams detect obfuscated JSON documents, with additional rules and de-obfuscation capabilities targeting numerous syntactical and logical evasions that affect IAM policies (and the plethora of runtime events that contain policy statements),” Permiso Principal Threat Researcher Daniel Bohannon explained. “Attackers employing these obfuscation techniques can quite effectively evade traditional string-based detections, with some techniques persisting after JSON deserialization.”
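The tokenizer idea described above, as an added example that is neither SkyScalpel's code nor taken from the article: it keeps each JSON string literal's raw spelling beside its decoded value, flags literals that are not in canonical form, and shows a string-based rule missing the raw policy but matching the normalized one. The function names, the sample policy and the choice of JSON `\u` escapes as the syntactic technique are assumptions made for illustration.

```python
import json
import re

# Matches one JSON string literal, escape sequences included.
STRING_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"')

# Constructed sample policy: the Action value spells two letters as \u escapes.
SAMPLE = r'''{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:\u0050ass\u0052ole",
    "Resource": "*"
  }]
}'''

def tokenize_strings(raw_policy):
    """Return (raw_token, decoded_value) for every string literal, in order."""
    return [(m.group(0), json.loads(m.group(0)))
            for m in STRING_TOKEN.finditer(raw_policy)]

def find_obfuscated_strings(raw_policy):
    """Flag literals whose raw spelling differs from the canonical encoding."""
    findings = []
    for raw, decoded in tokenize_strings(raw_policy):
        canonical = json.dumps(decoded, ensure_ascii=False)
        if raw != canonical:
            # Keep both forms so the original input can still be compared.
            findings.append({"raw": raw, "decoded": decoded})
    return findings

def normalize(raw_policy):
    """Re-serialize the policy so string-based rules see decoded values."""
    return json.dumps(json.loads(raw_policy), sort_keys=True, ensure_ascii=False)

if __name__ == "__main__":
    rule = "iam:PassRole"  # hypothetical string-based detection rule
    print("rule matches raw policy:       ", rule in SAMPLE)
    print("rule matches normalized policy:", rule in normalize(SAMPLE))
    for finding in find_obfuscated_strings(SAMPLE):
        print("non-canonical literal:", finding["raw"], "->", finding["decoded"])
```

Running detections against the normalized form while alerting on the non-canonical literals gives two signals: the decoded action itself, and the fact that someone bothered to hide it.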

Additionally, SkyScalpel includes a full suite of obfuscation functions that allow red teams to automate the multilayer obfuscation of any input JSON document, with additional obfuscation techniques applied to IAM policies. In doing so, red teams can more thoroughly test an organization’s defenses against such evasion techniques.

Permiso is a venture capital-backed startup that has raised about $39.1 million, including a round of $18.5 million in April. Investors include Altimeter Capital Management LP and Point72 Ventures.

The company was previously in the news in September when it announced the launch of its Universal Identity Graph, a service that provides risk and threat visibility for all identities in all environments. The Universal Identity Graph combines identity security posture management with identity threat detection and response to provide a comprehensive identity security solution.

Source: siliconangle.com
