Skip to content
Threat Feed
high threat

Cisco Duo Bulk Policy Deletion Detected

Detection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.

This alert identifies instances where a Cisco Duo administrator deletes more than three policies in a single action. This behavior is detected by analyzing Duo activity logs for the policy_bulk_delete action. The analytic extracts the names of the deleted policies and counts them. If the count exceeds three, the event is flagged as suspicious. This bulk deletion of security policies can indicate malicious activity, such as an attacker or a rogue administrator attempting to weaken or disable security controls, potentially to facilitate unauthorized access or data breaches. Early detection is critical, as the impact could include a significantly reduced security posture and increased risk.

Attack Chain

  1. An attacker gains administrative access to the Cisco Duo platform, either through compromised credentials or as a rogue insider.
  2. The attacker authenticates to the Duo Admin Panel.
  3. The attacker navigates to the "Policies" section within the Duo Admin Panel.
  4. The attacker selects multiple policies (more than three) for deletion.
  5. The attacker initiates the bulk deletion action, triggering the policy_bulk_delete event in the Duo activity logs.
  6. The Cisco Duo system processes the deletion requests.
  7. The targeted security policies are removed from the Duo configuration.
  8. The attacker aims to weaken the overall security posture, making it easier to bypass authentication controls in the future.

Impact

A successful bulk policy deletion can severely compromise an organization's security posture. If critical MFA policies are deleted, unauthorized access to sensitive systems and data becomes easier. While specific victim counts are unavailable, the potential scope includes all users and systems protected by the deleted policies. The sectors most at risk are those heavily reliant on Duo for access control, including finance, healthcare, and government. Consequences range from data breaches and financial loss to regulatory penalties.

Recommendation

  • Deploy the Sigma rule Cisco Duo Bulk Policy Deletion to your SIEM to detect suspicious bulk policy deletions.
  • Investigate any alerts generated by the Cisco Duo Bulk Policy Deletion rule, focusing on the user account performing the deletions and the specific policies targeted.
  • Review and restrict Duo administrator privileges to minimize the risk of rogue insider activity.
  • Implement multi-factor authentication for all Duo administrator accounts to prevent unauthorized access.
  • Enable and regularly review audit logs within the Cisco Duo Admin Panel to monitor administrative actions.
  • Monitor Cisco Duo Administrator logs as the source of the Sigma rule.

Detection coverage 2

Cisco Duo Bulk Policy Deletion

high

Detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action.

sigma tactics: defense_evasion techniques: T1556 sources: application, cisco

Cisco Duo Excessive Policy Deletion Count

high

Detects when a user deletes an unusually large number of Duo policies, exceeding a threshold.

sigma tactics: defense_evasion techniques: T1556 sources: application, cisco

Detection queries are available on the platform. Get full rules →