{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/screen-lock/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["medium"],"_cs_tags":["cisco-duo","screen-lock","policy-change"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on a Splunk detection analytic designed to identify the weakening of security controls within a Cisco Duo environment. Specifically, the analytic detects instances where a Duo policy is created or updated to permit devices without a screen lock requirement. This configuration change can expose organizations to increased security risks, as lost or stolen devices could be more easily compromised. The detection logic searches Cisco Duo administrator activity logs for policy creation or update events, explicitly looking for entries where the 'require_lock' setting is set to false. This activity is flagged because it deviates from a security best practice. This detection is critical for SOC teams, as malicious insiders or external attackers could attempt to lower authentication standards to facilitate unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an administrator account with privileges to modify Duo policies.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Duo Admin Panel using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker either creates a new policy or modifies an existing policy.\u003c/li\u003e\n\u003cli\u003eWithin the policy settings, the attacker modifies the \u0026quot;require_lock\u0026quot; setting to \u0026quot;false,\u0026quot; allowing devices without screen locks to authenticate.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the policy changes.\u003c/li\u003e\n\u003cli\u003eUsers with devices that do not have screen locks are now able to authenticate through Duo.\u003c/li\u003e\n\u003cli\u003eAn attacker exploits a lost or stolen device without a screen lock to gain unauthorized access to protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising Duo security policies to allow devices without screen locks significantly increases the risk of unauthorized access. If successful, this policy change could lead to credential compromise, data breaches, and lateral movement within the network. While the specific number of potential victims or targeted sectors is unknown, any organization using Cisco Duo for authentication is potentially vulnerable. The impact is magnified in environments where mobile devices are heavily used, or where sensitive data is accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your specific Cisco Duo environment to detect the policy change activity.\u003c/li\u003e\n\u003cli\u003eReview existing Duo policies to ensure that the \u0026quot;require_lock\u0026quot; setting is enabled for all appropriate policies and user groups.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the Duo administrator activity logs and identifying the user (\u003ccode\u003euser\u003c/code\u003e field in the logs) who made the changes.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo administrator logs (\u003ccode\u003ecisco_duo_administrator\u003c/code\u003e data source) for unauthorized or suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative accounts, including those used to manage Duo policies, to prevent credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/","summary":"A Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.","title":"Cisco Duo Policy Change to Allow Devices Without Screen Lock","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Screen-Lock","version":"https://jsonfeed.org/version/1.1"}