Arachnophobic: How Duo Customers Can Respond to CISA’s Report on Scattered Spider
CISA recently published a report on Scattered Spider, a threat actor that has been increasingly active and impactful over the past year. The report is important reading for any security practitioner because, in addition to being a threat in and of itself, Scattered Spider has been a leading indicator showing how threat actors pivot into new techniques. They have quickly adapted their approaches, flipping between technical and social attack vectors, and taking advantage of industry trends in Identity and Access Management practices.
At Duo, we want our customers to be as prepared as possible. That’s why we prioritize the development of secure configurations within Duo, and support integrations with the rest of your security stack. We also recognize that defenders and system administrators operate with a lot of constraints and aren’t always able to configure their environment to their ideal security posture. That’s why we offer a series of options, any of which can improve your posture, all of which work best together. Throughout this document, unless otherwise noted, these features are available to all of our customers.
Here are some tools that can help you reduce your exposure to several of Scattered Spider’s techniques:
SIM Swaps
Remove SMS and telephony authentication methods, limiting users to stronger factors like WebAuthn and Verified Duo Push.
Use Risk-Based Factor Selection, which allows the most convenient authentication methods available to end users except when Duo detects activity that aligns with attack vectors (available to Advantage and Premier customers).
Consider using policies that can help mitigate access outside of expected use cases:
Locations you wouldn’t expect (available to Advantage and Premier customers).
Devices you wouldn’t expect (available to Advantage and Premier customers).
Networks you wouldn’t expect (available to Advantage and Premier customers).
Help Desk Social Engineering
Apply the principle of least privilege when granting administrator rights, and make sure you’re aware of the different roles that Duo admins can hold. Be especially aware of the owner role, which is a super-admin role: it can grant admin privileges to other accounts.
You can further tailor administrative privilege using Administrative Units, which restrict an administrator’s privileges by scoping their impact to specific objects, such as applications or groups.
You can further restrict user managers and help desk administrators from issuing bypass codes, as well as restrict help desk administrators from sending enrollment emails.
Consider building Duo Mobile Instant Restore into your processes, reducing the frequency with which users will need to contact the help desk when they have lost access to authenticators.
Consider your options for identity verification at key points in the account reset process, including Duo partners like SpecOps.
Consider encouraging users to have multiple authentication methods established when they enroll, in order to provide a higher degree of confidence that a user is who they say they are in the event that they lose access to their primary authenticator.
Familiarize yourself with Scattered Spider’s techniques and consider them when establishing help desk policies and procedures.
MFA Fatigue
MFA fatigue attacks (T1621), which have become increasingly common, occur when adversaries send a barrage of MFA requests to users in an effort to exhaust them into providing access.
WebAuthn authentication methods are the gold standard for protecting against MFA fatigue attacks, and Duo offers several. You can use these in both our standard MFA flow, as well as in our Passwordless offerings.
Verified Duo Push offers better resistance to MFA fatigue and MFA timing attacks than traditional push-based authentication, OTP codes, SMS, and telephony-based authentication.
Use Risk-Based Factor Selection, which allows the most convenient authentication methods available to end users except when Duo detects activity that aligns with attack vectors (available to Advantage and Premier customers).
Enable Muted Push to reduce a threat actor’s ability to catch end users’ attention with unsolicited prompts.
Enable lockout and fraud notifications to alert administrators to user-reported suspicious activity.
Consider the end user flow and review feedback from end users for configurations that could habituate them to blindly accepting authentication attempts. Two areas where many customers have seen this kind of habituation in their environment are shared accounts (including executive assistant use cases) and auto-refreshing applications, such as VPNs that have temporarily lost connection.
Device Registration
When using the device registration technique (T1098.005), adversaries register new devices into a multi-factor authentication system to gain access to sensitive resources.
Restrict the access policy for the user self-service portal as much as possible. Users will access this portal very rarely under normal circumstances, and it is among the most impactful areas for attackers to target. We strongly recommend that you restrict access to the self-service portal to authentication factors resistant to MFA fatigue, and use WebAuthn wherever possible.
Trust Monitor now offers a suite of detections based on Device Registration. Consider enabling notifications for new security events. Trust Monitor is available to Advantage and Premier customers.
Avoid bypassing MFA for unenrolled users whenever possible.
Malware
Consider using Duo Desktop to help enforce up-to-date policies for operating systems and browsers (available to Advantage and Premier customers), as well as the presence of a security agent (available to Premier customers).
Trusted Endpoints provides another level of protection by only granting access requests to managed devices.
Session Theft
Session theft (T1539) can happen through a couple of different vectors, and each of these mitigative actions applies to a subset of the overall attack vector.
For session theft that occurs via an Adversary in the Middle attack - in which a session token never makes it to the user after being issued by the service, as occurs in an evilginx attack - WebAuthn authenticators are the gold standard for protection, because the credential is bound to the legitimate origin.
Reducing the session length of a given authentication can reduce the amount of time that an adversary has to pivot before taking their next step.
Risk-based remembered devices provides an additional level of scrutiny before a remember-me session is honored by the Duo service, using detections built by Duo based on real-world data. Risk-based remembered devices is available in our Advantage and Premier tiers.
Consider using Duo Desktop in combination with risk-based remembered devices to provide Wi-Fi Fingerprint, an additional signal of trust.
Monitoring
Duo fully supports customers who want to monitor their identity stack using tools like SIEMs, SOARs, and XDRs.
Consider using administrator logs in API format to review instances that could have been susceptible to social engineering attacks. Specifically, consider reviewing the modification of administrator accounts, the creation of bypass codes for accounts, and the creation or association of an authenticator with a user.
If you are a Splunk customer, consider using the Duo Splunk Connector.
If you use another SIEM or similar tool for security operations, consider using Duo Log Sync, a repository written and supported by Duo Security to help you import authentication information into your tool of choice.
Trust Monitor supports API functionality and provides detections for authentication as well as device registration events. Trust Monitor is available to Advantage and Premier customers.
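As an added illustration of the administrator-log review described above (this is example code written for this post, not a Duo tool or part of the Duo Admin API), the following script scans a constructed batch of administrator-log entries for the three event classes the text calls out: administrator-account modification, bypass-code creation, and an authenticator being associated with a user. The entry shape (timestamp, username, action, object, description) follows the Duo Admin API administrator log, but the specific action strings and the prefix watchlist are assumptions that you should check against your own exported logs.

```python
import json
from collections import Counter

# Constructed sample administrator-log entries (not real data). Field names
# follow the Duo Admin API administrator log; the action strings are assumed.
SAMPLE_ADMIN_LOG = [
    {"timestamp": 1700000000, "username": "alice", "action": "admin_update",
     "object": "bob", "description": json.dumps({"role": "Owner"})},
    {"timestamp": 1700000060, "username": "helpdesk1", "action": "bypass_create",
     "object": "carol", "description": json.dumps({"count": 1, "valid_secs": 3600})},
    {"timestamp": 1700000120, "username": "helpdesk1", "action": "phone_associate",
     "object": "carol", "description": json.dumps({"phone": "+15555550100"})},
    {"timestamp": 1700000180, "username": "alice", "action": "user_update",
     "object": "dave", "description": json.dumps({"status": "active"})},
]

# Watchlist of the event classes the post recommends reviewing. Prefix matching
# keeps the list short; the prefixes themselves are assumptions, so verify them
# against the action names present in your own log export.
WATCHLIST = {
    "admin_": "administrator account modified",
    "bypass_": "bypass code issued",
    "phone_associate": "authenticator associated with user",
    "token_associate": "authenticator associated with user",
}

def classify(entry):
    """Return the finding label for a watchlisted action, or None otherwise."""
    action = entry.get("action", "")
    for prefix, label in WATCHLIST.items():
        if action.startswith(prefix):
            return label
    return None

def review_admin_log(entries):
    """Return the entries that match the watchlist, each annotated with its finding."""
    return [{**e, "finding": classify(e)} for e in entries if classify(e)]

def actor_summary(findings):
    """Count findings per acting admin, to surface one account doing many resets."""
    return Counter(f["username"] for f in findings)

if __name__ == "__main__":
    findings = review_admin_log(SAMPLE_ADMIN_LOG)
    for f in findings:
        print(f["timestamp"], f["username"], f["action"], f["object"], "->", f["finding"])
    print(dict(actor_summary(findings)))
```

In practice you would feed the script the entries returned by your administrator-log export rather than the constructed sample, and route the per-actor counts to your SIEM alongside the Trust Monitor events.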
Last, but not least: A note on minimizing attack surface
It’s not always possible to bring the best possible practice to your entire environment. Contractors use their own devices; students are not willing to download the Duo app; business requirements sometimes demand a more permissive posture than you’d prefer. That’s why we are proud of our policy options, which allow you to configure your environment at a granular level.
Do you have an application that everyone needs to get to, including folks who have to use less-secure authentication factors like SMS, while maintaining a stronger security posture globally? Our application policy allows you to open up just those applications that you need to.
Do you have a group of users who are at higher risk, and therefore have to have a different authentication experience than the rest of your end users? Our group policy allows you to configure things like group-level exceptions.
We also support easy exports of our reports in the admin panel, so that you’re able to take a deeper look at your environment by cutting the data any way you’d like.
Duo Cares
Duo takes pride in protecting our customers, and we’re constantly trying to raise the bar. That’s why we develop new features that help customers protect themselves and study the latest attack techniques, in addition to some of the older ones that are still hard to deal with. That’s also why we conduct experiments like attacking our own tools and continuously roll out new protections. We continue to develop new solutions to these difficult problems and adapt to the newest risks that our customers face.