Back to BlogProduct Update: Duo Detections
Blumira’s incident detection engineering (IDE) team not only creates new detections to protect our customers from the latest threat actor trends and attack techniques, but we review existing detections to determine if they continue to make sense from a detection standpoint.
In that process, we ask ourselves questions such as:
- Do the detections create actionable findings that our customers need to respond to?
- Does the finding volume generated by detections cause alert fatigue?
- Do the workflows still make sense?
Let’s break down some of the new detections being released and some updates to existing rules.
Duo Detection Updates
Duo Security (now Cisco Duo) was one of the earliest integrations at Blumira, and since the initial Duo launch we’ve migrated from sensor modules into Cloud Connectors with the integration. This necessitated a review of the existing rules and some recent attack trends of the past year have shown threat actors spamming MFA requests to users as a method to bypass MFA protections, and has resulted in some high profile breaches.
Here are the recent updates made to the Blumira Duo detections:
Duo User Account Lockout:
This detection is operational and may generate findings as a result of Duo misconfiguration. We’ve lowered this detection to a P3 Risk category as a result. The workflow has been aligned to better reflect that as well. Further, we’ve updated language in the detection and moved the category to align closer to the MITRE ATT&CK Matrix.
This detection has also been on the high end of alerting numbers. Due to the ability to enable user lockouts to self-resolve and automatically unlock after a timeout period, this detection is no longer included in our default deployment. This will not affect current customer deployments, but new customers will need to configure this detection in the Detection Rules Management page to enable it.
Fraudulent Duo User Report:
This detection has received updated language, an updated workflow, and a MITRE category update as well. Its status remains unchanged.
Duo High Number of MFA Requests:
We created this detection to help detect MFA exhaustion attacks. Threat actors send excessive MFA alerts to an end user until they finally just accept the MFA alert to stop their device from pinging them for another MFA request. This detection relies on a combination of conditions, including the number of requests in a timeframe as well as using z-score statistical analysis to filter out the noise of normal behavior.
When a z-score cannot be calculated due to too few authentication requests, this detection continues to alert customers, which may cause some noise. This is most commonly caused via session timeout and re-authentication activity when users have configured a “default” Duo MFA option. So if a user session expires but the application tries to immediately re-authenticate them, the user may receive the MFA text, or push or whatever option they configured by default. Then, if they don’t respond, this action may continue again until it recurs frequently enough to trigger a detection. See the configuration advice section to learn how users can change this behavior.
Duo Password Spraying Behavior:
This detection has been deprecated and removed from rulesets.
Duo User Authentication MFA Bypass:
This is a brand new detection that identifies when users authenticate to a Duo-protected application while their Duo profile is in bypass status. This status allows users to fully skip the Duo authentication process and log in with just a username and password. Bypassing MFA was highlighted at RSA 2022 as one of the most dangerous attack techniques, and has been observed in several real-life incidents such as a Russian state-sponsored attack in 2021.
Administrators will commonly put users in bypass mode as a troubleshooting step or temporary configuration so, as a result, this detection is disabled by default.
To help display this detection more clearly, we created it as a weekly scan. Once a week, this detection will run and identify all accounts that authenticated to any Duo-protected application and skipped MFA as a result of being in bypass status in the last week.
Duo User Set to Bypass Status:
This is another brand new detection related to Duo’s bypass setting. This differs from the Authentication MFA Bypass detection in that it detects when a Duo Administrator updates a user profile and puts it in bypass status. Due to the high number of alerts that may result from this detection, it has been set to disabled by default and can be manually enabled in the Detection Rules Management page.
Bypass status is a necessary setting for many situations, but can be a real danger if a bypass user is forgotten about. These two new Duo MFA bypass-related detections help administrators keep track of important changes to Duo user profiles and reveal users who are skipping MFA at every login.
Investigation Notes:
Duo records two IP addresses and geolocation for most authentication activity:
- One IP address is recorded for the authentication attempt to the application under Duo protection,
- The other is the IP address for the MFA device, often the user’s mobile phone.
Blumira records the authentication attempt IP address as the client_ip in the Duo Authentication logs and src_ip as the MFA device. So in a Fraud alert, the client_ip may come from an unusual location, but the src_ip may be more in line with the user’s normal location. Therefore client_ip is most often the address you will want to investigate if many malicious access occurred.
The client_ip may often report 0.0.0.0 as the authentication address; this article can explain why you’re seeing this.
Duo Configuration Advice
Configuring a lockout policy can prevent many types of brute force attacks, from traditional ones to MFA user exhaustion attacks.
By default, Duo sets the lockout policy to 10. This may cover most organizations, but if you set the policy too low, or are getting flooded by User Lockout alerts, Blumira recommends re-evaluating Duo policy settings to better fit your organization. One option is to leave the lockout number in place, but set a reasonable auto unlock. This can lower the need for helpdesk to reset users, and also frustrate threat actors who keep hitting it in an attempt to login. You can configure both of these options in the Duo Administration settings panel.
The other consideration relates to users being auto prompted for authentication on session timeout. If they have configured a default MFA option, this can result in lockouts or false positive detections related to MFA exhaustion alerting. During setup for an application, a user can choose to set a default authentication method.
If a user is triggering alerting or locking out on multiple occasions, have them update to an authentication option rather than sending repeated MFA prompts, texts, or calls. Letting users change this setting may require updating the application’s self-service portal option.
How Blumira Simplifies Detection & Response
Our belief is that SIEMs should help make our customers’ lives easier and not introduce unnecessary friction in their day.
Putting that belief in action, we actively maintain Blumira’s platform behind the scenes and add more detections on a rolling basis, as we believe it’s the responsibility of the product to support the user.
We also strive to provide useful and actionable findings to our customers with all relevant, contextual information and pre-built playbooks to guide them through response.
Learn more about our approach and get a free account to start detecting and responding to Microsoft 365 threats.