How ITDR can help protect you from the latest Cyber Security Threats
Attacks targeting the identity layer have become a prominent cyber security threat, as attackers adapt to the consolidated corporate IT world of Access Management. Duo’s algorithm research team aligns with Gartner’s Identity Threat Detection and Response (ITDR) to secure customer environments. We have been focusing on securing our customers’ environments by detecting these patterns and encouraging the adoption of best practices, such as FIDO2. We understand that prevention is not enough, and offer Advanced Endpoint Detection and Response to improve customer security and give them visibility into the latest threats.
- Device Registration
“Account Manipulation: Device Registration” (T1098.005) is a technique used by attackers to gain persistence on a device after initial access. Detecting this technique is important as it is often part of an attack chain leading to harmful activities such as ransomware or data exfiltration. Due to the high risk of these rare events, many security teams prefer to recall all events that could indicate this threat type instead of relying on precision alone.
What can we offer?
If a phone number has not been previously used by the user = alert.
If a user registers an authentication device with a laptop or device, they have not used before = alert.
- Cookie Theft
The identity layer operates in conjunction with the endpoint, network, and cloud layers of your environment. There have been instances of malware bypassing endpoint defences and targeting session cookies for exfiltration in the wild, which enables attackers to jump from a user’s endpoint to their cloud accounts. These techniques are referred to as Steal Web Session Cookie (T1539) by MITRE. However, a user’s IP address may change during a session for various benign reasons, making session termination based on this signal alone too disruptive for customers. Therefore, Risk-Based Authentication techniques like Wi-Fi Fingerprint have been implemented to provide Duo with a robust signal that the user is in the same location they authenticated from previously, which can be difficult for attackers to replicate.
What can we offer?
If an authentication cookie is used from an IP address or device that it was not issued to = alert.
- MFA Fatigue
This technique, known as Multi-Factor Authentication Request Generation (T1621) by MITRE, is also commonly referred to as MFA fatigue, push fatigue, push harassment, or push grief, and involves an attacker repeatedly prompting the legitimate account holder with authentication requests until they accept after primary credentials have been compromised.
What can we offer?
If there are more than a specified amount of requests in ten minutes for a specific user = alert.
- Account Takeover
Also known as Valid Accounts: Cloud Accounts (T108.004), Account Takeover is a term used to describe attacks that don’t fit into any other category of attack techniques or lack attribution confirmation. It can also refer to situations where forensic investigations have not yet established what occurred. In certain cases, account takeover can be associated with malicious account access behaviours, such as accessing an account from a new location or device. Alerting users when such activity occurs is a simple detection measure that can be implemented without external sources.
What can we offer?
If an authentication occurs from a location or device that the user has not authenticated from before = alert.
- Disabling and Modifying MFA
Cybersecurity professionals have long been aware of attacks on administrative controls, including those that modify or eliminate multi-factor authentication requirements. Such techniques are referred to by MITRE as Modify Authentication Process: Multi-Factor Authentication (T1556.006). One effective way to protect these controls is by limiting access to specific networks, devices, and accounts, which can be part of a defence-in-depth strategy. Monitoring and establishing detection and response rules to this threat vector can also help improve overall cyber security defences.
What can we offer?
If a new administrator account is created = alert.
If a bypass code is created for an end user = alert.
If an authentication policy is changed = alert.
If you want to ensure that your business is following the best cyber security practices to protect you from the latest threats, head over to our Cyber Security page to find out more about how you can protect your business and take our Cyber Security Self Assessment.
Latest News Stories
UPDATED June 26th, 2023: University of Manchester Targeted in Major Cyber Security Incident
Updated 26/06/2023: After Students and Saff of The University of Manchester received emails last week claiming to be from the attackers, stating that more than 7 Terabytes of data had been stolen in the attack, the university released a statement on Friday (June 23rd)...
Why should you outsource your Network Cyber Security?
The strength of your network's security is the key determinant in the aftermath of a cyber attack. Establishing a solid cyber security solution is a complex task, requiring a high level of technical skills and resources. Your Cyber Security Solution has the vital role...
Rise of Supply Chain Cyber Attacks: Understanding and Preventing the Threat
As the digital landscape evolves, so too do the threats that loom within it. Cyber Security measures are ever-improving, but in the cat-and-mouse game of the online world, hackers often still manage to gain the upper hand. The latest strategy in their arsenal? Supply...
Our Customers
Testimonials
Greystones Medical
Professional people providing a professional service. Fully met our business needs and listened to our requirements. Responsive team and capable engineers.
UK Steel
Very quick response on most of our issues. O2C look after us and keep us posted on progress with tickets.
Tracy Lilley, Ecclesfield Primary School
Responsive, friendly service. Very customer focused, polite and eager to help. Would definitely recommend and will use again.