Cisco Duo Policy Change to Allow Devices Without Screen Lock
A Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.
This brief focuses on a Splunk detection analytic designed to identify the weakening of security controls within a Cisco Duo environment. Specifically, the analytic detects instances where a Duo policy is created or updated to permit devices without a screen lock requirement. This configuration change can expose organizations to increased security risks, as lost or stolen devices could be more easily compromised. The detection logic searches Cisco Duo administrator activity logs for policy creation or update events, explicitly looking for entries where the 'require_lock' setting is set to false. This activity is flagged because it deviates from a security best practice. This detection is critical for SOC teams, as malicious insiders or external attackers could attempt to lower authentication standards to facilitate unauthorized access.
Attack Chain
- An attacker compromises an administrator account with privileges to modify Duo policies.
- The attacker logs into the Duo Admin Panel using the compromised credentials.
- The attacker navigates to the "Policies" section within the Duo Admin Panel.
- The attacker either creates a new policy or modifies an existing policy.
- Within the policy settings, the attacker modifies the "require_lock" setting to "false," allowing devices without screen locks to authenticate.
- The attacker saves the policy changes.
- Users with devices that do not have screen locks are now able to authenticate through Duo.
- An attacker exploits a lost or stolen device without a screen lock to gain unauthorized access to protected resources.
Impact
Compromising Duo security policies to allow devices without screen locks significantly increases the risk of unauthorized access. If successful, this policy change could lead to credential compromise, data breaches, and lateral movement within the network. While the specific number of potential victims or targeted sectors is unknown, any organization using Cisco Duo for authentication is potentially vulnerable. The impact is magnified in environments where mobile devices are heavily used, or where sensitive data is accessed.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune for your specific Cisco Duo environment to detect the policy change activity.
- Review existing Duo policies to ensure that the "require_lock" setting is enabled for all appropriate policies and user groups.
- Investigate any alerts generated by the Sigma rule by examining the Duo administrator activity logs and identifying the user (
userfield in the logs) who made the changes. - Monitor Cisco Duo administrator logs (
cisco_duo_administratordata source) for unauthorized or suspicious activity. - Implement multi-factor authentication (MFA) for all administrative accounts, including those used to manage Duo policies, to prevent credential compromise.
Detection coverage 2
Cisco Duo Policy Modified to Allow Devices Without Screen Lock
mediumDetects when a Cisco Duo policy is created or updated to allow devices without a screen lock requirement.
Cisco Duo Policy Created Allowing Devices Without Screen Lock
mediumDetects when a Cisco Duo policy is created that allows devices without a screen lock requirement.
Detection queries are available on the platform. Get full rules →