{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/malicious-administrator/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Insider Threat","Malicious Administrator"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","policy-deletion","insider-threat"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis alert identifies instances where a Cisco Duo administrator deletes more than three policies in a single action. This behavior is detected by analyzing Duo activity logs for the \u003ccode\u003epolicy_bulk_delete\u003c/code\u003e action. The analytic extracts the names of the deleted policies and counts them. If the count exceeds three, the event is flagged as suspicious. This bulk deletion of security policies can indicate malicious activity, such as an attacker or a rogue administrator attempting to weaken or disable security controls, potentially to facilitate unauthorized access or data breaches. Early detection is critical, as the impact could include a significantly reduced security posture and increased risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the Cisco Duo platform, either through compromised credentials or as a rogue insider.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker selects multiple policies (more than three) for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the bulk deletion action, triggering the \u003ccode\u003epolicy_bulk_delete\u003c/code\u003e event in the Duo activity logs.\u003c/li\u003e\n\u003cli\u003eThe Cisco Duo system processes the deletion requests.\u003c/li\u003e\n\u003cli\u003eThe targeted security policies are removed from the Duo configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker aims to weaken the overall security posture, making it easier to bypass authentication controls in the future.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bulk policy deletion can severely compromise an organization's security posture. If critical MFA policies are deleted, unauthorized access to sensitive systems and data becomes easier. While specific victim counts are unavailable, the potential scope includes all users and systems protected by the deleted policies. The sectors most at risk are those heavily reliant on Duo for access control, including finance, healthcare, and government. Consequences range from data breaches and financial loss to regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Bulk Policy Deletion\u003c/code\u003e to your SIEM to detect suspicious bulk policy deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCisco Duo Bulk Policy Deletion\u003c/code\u003e rule, focusing on the user account performing the deletions and the specific policies targeted.\u003c/li\u003e\n\u003cli\u003eReview and restrict Duo administrator privileges to minimize the risk of rogue insider activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all Duo administrator accounts to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable and regularly review audit logs within the Cisco Duo Admin Panel to monitor administrative actions.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo Administrator logs as the source of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/","summary":"Detection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.","title":"Cisco Duo Bulk Policy Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Malicious Administrator","version":"https://jsonfeed.org/version/1.1"}