<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Duo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/duo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/duo/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Duo Bulk Policy Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/</guid><description>Detection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.</description><content:encoded><![CDATA[<p>This alert identifies instances where a Cisco Duo administrator deletes more than three policies in a single action. This behavior is detected by analyzing Duo activity logs for the <code>policy_bulk_delete</code> action. The analytic extracts the names of the deleted policies and counts them. If the count exceeds three, the event is flagged as suspicious. This bulk deletion of security policies can indicate malicious activity, such as an attacker or a rogue administrator attempting to weaken or disable security controls, potentially to facilitate unauthorized access or data breaches. Early detection is critical, as the impact could include a significantly reduced security posture and increased risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains administrative access to the Cisco Duo platform, either through compromised credentials or as a rogue insider.</li>
<li>The attacker authenticates to the Duo Admin Panel.</li>
<li>The attacker navigates to the &quot;Policies&quot; section within the Duo Admin Panel.</li>
<li>The attacker selects multiple policies (more than three) for deletion.</li>
<li>The attacker initiates the bulk deletion action, triggering the <code>policy_bulk_delete</code> event in the Duo activity logs.</li>
<li>The Cisco Duo system processes the deletion requests.</li>
<li>The targeted security policies are removed from the Duo configuration.</li>
<li>The attacker aims to weaken the overall security posture, making it easier to bypass authentication controls in the future.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful bulk policy deletion can severely compromise an organization's security posture. If critical MFA policies are deleted, unauthorized access to sensitive systems and data becomes easier. While specific victim counts are unavailable, the potential scope includes all users and systems protected by the deleted policies. The sectors most at risk are those heavily reliant on Duo for access control, including finance, healthcare, and government. Consequences range from data breaches and financial loss to regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Bulk Policy Deletion</code> to your SIEM to detect suspicious bulk policy deletions.</li>
<li>Investigate any alerts generated by the <code>Cisco Duo Bulk Policy Deletion</code> rule, focusing on the user account performing the deletions and the specific policies targeted.</li>
<li>Review and restrict Duo administrator privileges to minimize the risk of rogue insider activity.</li>
<li>Implement multi-factor authentication for all Duo administrator accounts to prevent unauthorized access.</li>
<li>Enable and regularly review audit logs within the Cisco Duo Admin Panel to monitor administrative actions.</li>
<li>Monitor Cisco Duo Administrator logs as the source of the Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cisco-duo</category><category>policy-deletion</category><category>insider-threat</category></item><item><title>Unusual Country for Cisco Duo Admin Login</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-duo-unusual-admin-login/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-duo-unusual-admin-login/</guid><description>Detection of Cisco Duo admin logins originating from outside the United States indicates potential account compromise or unauthorized access.</description><content:encoded><![CDATA[<p>This analytic focuses on identifying suspicious admin logins to Cisco Duo accounts. The core concern is that if a Duo admin logs in from an unexpected geographic location, especially a country outside the United States, it could signal a compromised account or an insider threat. This activity warrants immediate investigation due to the elevated privileges associated with admin accounts. The detection logic analyzes Duo activity logs, specifically looking for &quot;admin_login&quot; events and filtering based on the originating country. The goal is to pinpoint login attempts that deviate from established patterns, which could indicate unauthorized access, potentially leading to a breach of Duo's security configurations and sensitive data. The analytic relies on the Cisco Security Cloud App to ingest Duo logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to a Duo admin's credentials, possibly through phishing or credential stuffing.</li>
<li>The attacker uses the compromised credentials to attempt an admin login to the Duo platform.</li>
<li>Duo logs the admin login attempt, including the originating IP address and associated geolocation data.</li>
<li>The analytic ingests the Duo activity logs via the Cisco Security Cloud App.</li>
<li>The detection logic identifies the login attempt as originating from a country outside the United States.</li>
<li>The analytic correlates user, device, browser, and location information to confirm the anomalous login.</li>
<li>An alert is triggered, notifying security personnel of the suspicious admin login.</li>
<li>The attacker may then be able to bypass security controls, alter configurations, or exfiltrate sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to complete compromise of the Duo security environment. An attacker with admin access could disable multi-factor authentication for targeted users, bypass security controls, modify security policies, or exfiltrate sensitive user data and configuration details. This could result in a significant data breach and disruption of services for organizations relying on Duo for authentication, potentially impacting thousands of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect unusual admin logins based on geographic location and tune it to exclude known good logins from international travelers.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the validity of the login attempt, correlating the event with other security logs for the user account.</li>
<li>Enable multi-factor authentication (MFA) on all Duo admin accounts to mitigate the risk of credential compromise.</li>
<li>Ingest Cisco Duo activity logs using the Cisco Security Cloud App (<a href="https://splunkbase.splunk.com/app/7404">https://splunkbase.splunk.com/app/7404</a>) to enable the detection logic.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-duo</category><category>account-compromise</category><category>unauthorized-access</category></item><item><title>Cisco Duo User 2FA Bypass</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bypass/</guid><description>Detection of Cisco Duo user status being changed to 'Bypass' after being 'Active', indicating potential malicious activity to weaken account security.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk associated with unauthorized modification of user status within Cisco Duo, specifically the act of setting a user's status to &quot;Bypass&quot; for 2FA after it was previously &quot;Active&quot;. Such a change significantly weakens the security posture of the affected account and may be indicative of malicious insider activity or account compromise. Attackers or unauthorized administrators could exploit this capability to disable strong authentication controls, thereby increasing the risk of unauthorized access to sensitive systems and data. This activity is detected via the Cisco Duo activity logs. Early detection of such changes is critical for enabling rapid investigation and response, helping to prevent potential breaches and limit the impact of credential-based attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access through compromised credentials or insider access.</li>
<li>Privilege Escalation: The attacker escalates privileges to an account capable of modifying Duo user settings.</li>
<li>Configuration Change: The attacker navigates to the Cisco Duo admin panel and modifies the target user's status.</li>
<li>User Status Modification: The attacker changes the user's status from &quot;Active&quot; to &quot;Bypass&quot;, effectively disabling 2FA for that account.</li>
<li>Authentication Bypass: The attacker uses the compromised credentials to authenticate to protected resources without 2FA.</li>
<li>Lateral Movement: The attacker leverages the access gained to move laterally within the network, accessing additional systems and data.</li>
<li>Data Exfiltration/Damage: The attacker exfiltrates sensitive data or causes damage to critical systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a complete compromise of user accounts, enabling attackers to bypass multi-factor authentication and gain unauthorized access to sensitive systems and data. The impact can range from data breaches and financial loss to disruption of critical services. While the exact number of victims is not specified, any organization using Cisco Duo is potentially at risk. The sectors targeted are broad, as Duo is used across various industries to protect access to applications and resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor Cisco Duo activity logs to detect unauthorized changes (Cisco Duo Administrator).</li>
<li>Deploy the provided Sigma rule to detect instances where a user's status is changed to &quot;Bypass&quot; after being &quot;Active&quot; (Sigma rule: &quot;Cisco Duo Set User Status to Bypass 2FA&quot;).</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the user status change.</li>
<li>Implement strict access controls and multi-factor authentication for all administrative accounts in Cisco Duo.</li>
<li>Review and update user access privileges regularly to minimize the potential impact of compromised accounts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-duo</category><category>2fa-bypass</category><category>credential-access</category></item><item><title>Cisco Duo Policy Modification to Bypass 2FA for Specific Countries</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-2fa-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-2fa-bypass/</guid><description>A Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default, potentially weakening the organization's security posture and increasing the risk of unauthorized access.</description><content:encoded><![CDATA[<p>This analytic focuses on the detection of unauthorized modifications to Cisco Duo policies that could weaken an organization's security. Specifically, it identifies instances where a Duo policy is created or updated to permit access without two-factor authentication (2FA) for users originating from countries outside the default settings. This is significant because attackers or malicious insiders might exploit such policy changes to circumvent strong authentication controls. By monitoring the Duo administrator activity logs for policy creation or update actions where the policy description indicates that access is permitted without 2FA, defenders can quickly identify and respond to potentially malicious behavior. The scope of targeting is any organization utilizing Cisco Duo for multi-factor authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains administrative access to the Cisco Duo administration panel, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker navigates to the &quot;Policies&quot; section within the Duo admin panel.</li>
<li>The attacker creates a new policy or modifies an existing one.</li>
<li>Within the policy configuration, the attacker configures the &quot;user_locations_default_action&quot; setting to &quot;Allow access without 2FA&quot; for specific countries.</li>
<li>The attacker saves the policy changes, which are then logged as a <code>policy_update</code> or <code>policy_create</code> action in the Duo administrator activity logs.</li>
<li>Users from the targeted countries are now able to authenticate to systems protected by Duo without undergoing 2FA.</li>
<li>The attacker uses a compromised account originating from one of the allowed countries to gain initial access.</li>
<li>The attacker moves laterally within the network to access sensitive data or systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of this attack includes unauthorized access to sensitive resources, data breaches, and potential lateral movement within the network. The absence of 2FA for specific countries significantly weakens the security posture, making it easier for attackers to compromise accounts and access valuable information. The number of affected users and systems depends on the scope of the policy change and the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Cisco Duo Policy Created or Modified to Bypass 2FA</code> to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the <code>user</code> and <code>admin_email</code> fields to identify potentially compromised administrator accounts.</li>
<li>Review all existing Duo policies to ensure that 2FA is enforced for all users, regardless of their location.</li>
<li>Implement multi-factor authentication for all administrator accounts to prevent unauthorized policy changes.</li>
<li>Monitor Cisco Duo Administrator logs for unusual activity patterns.</li>
<li>Regularly audit Duo policy configurations to identify and remediate any deviations from the established security baseline.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-duo</category><category>2fa-bypass</category><category>policy-modification</category></item><item><title>Cisco Duo Policy Bypass via 2FA Disablement</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-policy-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-policy-bypass/</guid><description>An attacker modifies Cisco Duo policies to allow access without two-factor authentication (2FA), potentially gaining unauthorized access to systems and data.</description><content:encoded><![CDATA[<p>This threat involves the modification of Cisco Duo policies to disable or bypass two-factor authentication (2FA). The attack leverages administrative access, either legitimate or compromised, to alter the Duo configuration. This manipulation allows unauthorized access to systems and applications normally protected by 2FA. This activity is identified by analyzing Cisco Duo administrator activity logs for policy changes that set the authentication status to &quot;Allow access without 2FA&quot;. This is a critical issue because it significantly weakens the security posture of an organization, potentially leading to widespread compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to a Cisco Duo administrator account, either through credential theft, social engineering, or exploiting a vulnerability.</li>
<li>The attacker logs into the Cisco Duo Admin Panel.</li>
<li>The attacker navigates to the &quot;Policies&quot; section within the Duo Admin Panel.</li>
<li>The attacker identifies a target policy to modify or creates a new policy.</li>
<li>The attacker modifies the policy settings, specifically changing the &quot;Authentication Status&quot; to &quot;Allow access without 2FA.&quot;</li>
<li>The attacker saves the modified policy.</li>
<li>Users covered by the modified policy can now access protected applications and systems without completing 2FA.</li>
<li>The attacker exploits the lack of 2FA to gain unauthorized access to sensitive systems and data, potentially leading to data exfiltration, system compromise, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass two-factor authentication, a critical security control. This can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. The impact is widespread as any application or system protected by the affected Duo policy becomes vulnerable. The damage can be extensive, depending on the scope of access granted by the bypassed 2FA.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Created Allowing 2FA Bypass</code> to detect the creation of policies bypassing 2FA and tune for your environment.</li>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Updated Allowing 2FA Bypass</code> to detect modifications of existing policies bypassing 2FA and tune for your environment.</li>
<li>Monitor Cisco Duo administrator activity logs for unauthorized or suspicious policy changes as described in the &quot;Overview&quot; section.</li>
<li>Review and enforce strong access controls for Cisco Duo administrator accounts, including multi-factor authentication, as this is the initial access vector.</li>
<li>Install the Cisco Security Cloud App from Splunkbase (<a href="https://splunkbase.splunk.com/app/7404">https://splunkbase.splunk.com/app/7404</a>) to ensure proper data ingestion from Cisco Duo.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco-duo</category><category>2fa-bypass</category><category>policy-modification</category></item><item><title>Cisco Duo Policy Allowing Tampered Devices</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/</guid><description>A threat actor modifies or creates a Cisco Duo policy to allow tampered or rooted devices to access protected resources, potentially bypassing security controls and enabling unauthorized access.</description><content:encoded><![CDATA[<p>This analytic detects when a Duo policy is created or updated to allow tampered or rooted devices (e.g., jailbroken smartphones) to access protected resources. The detection focuses on changes to Duo policies where the <code>allow_rooted_devices</code> setting is enabled. The activity is identified through the examination of Cisco Duo administrator activity logs. This poses a significant security risk because tampered devices can bypass security controls, run unauthorized software, and become more susceptible to compromise. The ability to modify these settings can be indicative of a misconfiguration or a malicious attempt to weaken authentication requirements, potentially granting attackers access to sensitive systems using compromised devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an administrative account within the Cisco Duo environment.</li>
<li>The attacker authenticates to the Duo Admin Panel.</li>
<li>The attacker navigates to the Policies section within the Duo Admin Panel.</li>
<li>The attacker modifies an existing policy or creates a new policy.</li>
<li>During policy creation or modification, the attacker enables the &quot;Allow rooted devices&quot; setting, which is represented as <code>allow_rooted_devices=true</code> in the policy description.</li>
<li>The Duo Admin Panel logs the policy creation or update event in the administrator activity logs.</li>
<li>Tampered devices are now able to authenticate via Duo and access protected resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the circumvention of security controls on tampered devices, unauthorized access to sensitive systems, data breaches, and potential lateral movement within the network. Organizations relying on Duo for multi-factor authentication may experience a significant degradation in their security posture if this policy is enabled, potentially affecting thousands of users and devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Allowing Tampered Devices</code> to detect the creation or modification of Duo policies allowing tampered devices by monitoring the Duo administrator activity logs.</li>
<li>Review and audit existing Duo policies to identify any unintentional or malicious configurations allowing tampered devices.</li>
<li>Monitor the <code>Cisco Duo Administrator</code> logs for suspicious activity, especially related to policy changes.</li>
<li>Investigate any alerts triggered by the Sigma rule and remediate by reverting the policy change.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_duo</category><category>policy_change</category><category>tampered_devices</category><category>rooted_devices</category><category>identity</category></item><item><title>Cisco Duo Policy Allowing Outdated Java Usage</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/</guid><description>A threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.</description><content:encoded><![CDATA[<p>This brief addresses the risk associated with modifying Cisco Duo policies to allow the use of outdated Java versions. An attacker, potentially an insider or an external actor who has compromised administrative credentials, weakens the organization's security posture by updating Duo policies to disable Java remediation. The activity is identified by monitoring Cisco Duo administrator activity logs for policy updates or creations where the <code>java_remediation</code> setting is explicitly set to <code>no remediation</code>. Allowing outdated Java exposes the organization to numerous security vulnerabilities, increasing the likelihood of successful exploitation. This activity could begin at any time, and defenders should consider the possibility of both malicious insiders and compromised accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Credential Compromise/Insider Threat:</strong> The attacker gains access to a Cisco Duo administrator account, either through credential compromise or by being a malicious insider.</li>
<li><strong>Authentication:</strong> The attacker authenticates to the Cisco Duo administrative interface using the compromised or authorized account.</li>
<li><strong>Policy Enumeration:</strong> The attacker enumerates existing Duo policies to identify potential targets for modification.</li>
<li><strong>Policy Modification:</strong> The attacker modifies a Duo policy, specifically setting the <code>java_remediation</code> attribute to <code>no remediation</code>. This disables the enforcement of up-to-date Java requirements for applications protected by the modified policy.</li>
<li><strong>Policy Activation:</strong> The modified policy is activated, allowing users with outdated Java versions to access protected applications without remediation prompts or blocks.</li>
<li><strong>Vulnerability Exploitation:</strong> Users with outdated Java versions access protected applications, unknowingly creating an opportunity for attackers to exploit known Java vulnerabilities.</li>
<li><strong>Lateral Movement/Data Breach:</strong> If a Java vulnerability is successfully exploited, the attacker may gain unauthorized access to systems, potentially leading to lateral movement within the network and/or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful modification of Cisco Duo policies to allow outdated Java can have severe consequences. Victims can range from individual users to entire organizations. The immediate impact is a weakened security posture, increasing the organization's attack surface. Successful exploitation of Java vulnerabilities can lead to data breaches, system compromise, and potential financial losses. The number of affected users and systems depends on the scope of the modified policies and the prevalence of outdated Java versions within the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Allowing Old Java</code> to detect policy updates that disable Java remediation based on <code>cisco_duo_administrator</code> logs.</li>
<li>Investigate any alerts generated by the <code>Cisco Duo Policy Allowing Old Java</code> Sigma rule, focusing on the user (<code>user</code>) and admin email (<code>admin_email</code>) associated with the policy change.</li>
<li>Review and enforce multi-factor authentication for all Cisco Duo administrator accounts to mitigate the risk of credential compromise.</li>
<li>Regularly audit Cisco Duo policies to ensure that Java remediation is enabled and aligned with security best practices.</li>
<li>Refer to the Cisco Security Cloud App documentation (<a href="https://splunkbase.splunk.com/app/7404">https://splunkbase.splunk.com/app/7404</a>) for proper log ingestion from Duo.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-duo</category><category>policy-modification</category><category>outdated-software</category></item><item><title>Cisco Duo Policy Change to Allow Devices Without Screen Lock</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/</guid><description>A Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.</description><content:encoded><![CDATA[<p>This brief focuses on a Splunk detection analytic designed to identify the weakening of security controls within a Cisco Duo environment. Specifically, the analytic detects instances where a Duo policy is created or updated to permit devices without a screen lock requirement. This configuration change can expose organizations to increased security risks, as lost or stolen devices could be more easily compromised. The detection logic searches Cisco Duo administrator activity logs for policy creation or update events, explicitly looking for entries where the 'require_lock' setting is set to false. This activity is flagged because it deviates from a security best practice. This detection is critical for SOC teams, as malicious insiders or external attackers could attempt to lower authentication standards to facilitate unauthorized access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an administrator account with privileges to modify Duo policies.</li>
<li>The attacker logs into the Duo Admin Panel using the compromised credentials.</li>
<li>The attacker navigates to the &quot;Policies&quot; section within the Duo Admin Panel.</li>
<li>The attacker either creates a new policy or modifies an existing policy.</li>
<li>Within the policy settings, the attacker modifies the &quot;require_lock&quot; setting to &quot;false,&quot; allowing devices without screen locks to authenticate.</li>
<li>The attacker saves the policy changes.</li>
<li>Users with devices that do not have screen locks are now able to authenticate through Duo.</li>
<li>An attacker exploits a lost or stolen device without a screen lock to gain unauthorized access to protected resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromising Duo security policies to allow devices without screen locks significantly increases the risk of unauthorized access. If successful, this policy change could lead to credential compromise, data breaches, and lateral movement within the network. While the specific number of potential victims or targeted sectors is unknown, any organization using Cisco Duo for authentication is potentially vulnerable. The impact is magnified in environments where mobile devices are heavily used, or where sensitive data is accessed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune for your specific Cisco Duo environment to detect the policy change activity.</li>
<li>Review existing Duo policies to ensure that the &quot;require_lock&quot; setting is enabled for all appropriate policies and user groups.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the Duo administrator activity logs and identifying the user (<code>user</code> field in the logs) who made the changes.</li>
<li>Monitor Cisco Duo administrator logs (<code>cisco_duo_administrator</code> data source) for unauthorized or suspicious activity.</li>
<li>Implement multi-factor authentication (MFA) for all administrative accounts, including those used to manage Duo policies, to prevent credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco-duo</category><category>screen-lock</category><category>policy-change</category></item></channel></rss>