Sandia Labs News Releases

Safeguarding the nation with Untitled Goose Tool

Sandia helps develop digital toolset to track cloud hackers

LIVERMORE, Calif. — Programmers at Sandia National Laboratories are helping the Cybersecurity and Infrastructure Security Agency protect the nation through an innovative program, assisting Microsoft cloud users everywhere in tracking down hackers and cyber terrorists.

Untitled Goose Tool was introduced to the public through a CISA alert in March. Sandia cybersecurity expert Wellington Lee was part of the team that developed the free tool to track potentially malicious activity in Microsoft Azure, Azure Active Directory and Microsoft 365 environments. The tool’s name was inspired by a videogame about a troublemaking goose.

“All these environments are very, very different so we wanted to figure out the best way to quickly obtain all the cloud information we need from a forensic standpoint,” Lee said. “Cybersecurity in general is a fast-evolving field, but cloud computing, especially, is much newer compared to traditional computer or network forensics where people are investigating things on site. It is a new area, and we are trying to figure out the best way to approach it.”

Person observing multiple computer screens.

Sandia National Laboratories helped the Cybersecurity and Infrastructure Security Agency develop a new toolset to quickly analyze and isolate unusual data in cloud computing environments. (Photo by Craig Fritz) Click on the thumbnail for a high-resolution image.

Untitled Goose Tool is a suite of data collection tools that can quickly scour a virtual storage space to find evidence of a possibly malicious user accessing the data. It gathers data on how they accessed the supposedly secure cloud space and brings the data back to CISA’s security experts for review.

“Sometimes it’s a large department or agency with tens of thousands of users,” Lee explained. “So that’s a lot of data that we have to work with. The tool can pull down data for all those users, which is not a simple feat.”

But it could also be small businesses with payroll and other information stored virtually. In short, Untitled Goose Tool can be very helpful for a wide variety of accounts of differing sizes and numbers of users, all to find bits of code left behind by an intruder. However, that variety, including different types of paid access, also makes things complicated, which programmers had to account for.

“That’s why we built the Untitled Goose Tool to be able to pull that data back, so we have all the data locally and we can do an analysis on that data without relying on capabilities in the customer’s cloud environment,” Lee said.

The idea for this forensic software came organically while Lee was deployed to support CISA. The team working on cloud computing forensics — which serves federal, state, local, tribal and territorial agencies — was called in to investigate data breaches in systems that differ as much as the groups that use them. They had a short amount of time to try and figure out what happened.

“These environments are not homogeneous,” he said. “Large departments or agencies with tens of thousands of users, maybe even up to 100,000-plus users, is a lot of data that we have to work through. We created Untitled Goose Tool to be agnostic to the customer’s subscription tier of their cloud environment.”

Gathering as much data as possible no matter what customer environment they are in became very important, so the team and Lee started with the Microsoft servers.

“We figured out the best way to get all the cloud information we need to do what we do from a forensic standpoint and do so really quickly,” Lee recalled, adding that cyber threats are constantly evolving.

“In the cloud, you might have someone impersonating someone else,” he said. “Perhaps they got an authentication token stolen through a phishing email. So, let’s say someone’s authentication token might have been stolen and then used to log in as Wellington Lee from Los Angeles. But we can see that Wellington Lee is not in Los Angeles. This looks suspicious, so Untitled Goose Tool pulls back data that can help identify some of those inconsistencies. It pulls back quite a lot of different types of logs from various sources in the cloud.”

The appointment of Sandia to aid CISA speaks to the expertise that the Labs bring to these kinds of threats.

“We have a unique level of expertise in terms of our cybersecurity,” Lee said. “We have a smaller presence in terms of how many physical people are working with CISA, but we bring a really advanced level of understanding of the nation’s problems. From deep in the weeds, all the way up to sweeping policies that affect a lot of things.”

It’s a relationship that continues to evolve and pay dividends for the nation, something Lee has seen first-hand.

“It’s really cool to see how much excitement there is around the tool,” he said. “But the war goes on. There are always improvements that we have the expertise to make that give our federal partners valuable tools to continue to protect the nation.”

Sandia National Laboratories is a multimission laboratory operated by National Technology and Engineering Solutions of Sandia LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration. Sandia Labs has major research and development responsibilities in nuclear deterrence, global security, defense, energy technologies and economic competitiveness, with main facilities in Albuquerque, New Mexico, and Livermore, California.

Sandia news media contact: Michael Langley,, 925-315-0437