How Cisco Duo Helps Mitigate Common MITRE ATT&CK® Techniques
In our never-ending quest to help customers safeguard their environments and streamline security operations, Cisco Duo maintains constant lookout for rich vulnerability and threat intelligence so that we can provide the strongest protection. One piece of that effort is dedicated to understanding the types of tactics and attacks targeted at today’s organizations. That’s where MITRE ATT&CK® comes into play.
In this blog, we’ll shed light on how Cisco Duo helps mitigate common attack techniques chronicled in MITRE ATT&CK® framework.
What is MITRE ATT&CK?
MITRE ATT&CK is a "globally accessible knowledge base of adversary tactics and techniques based on real-world observations." Organizations use this information to audit, assess, and implement security defense-in-depth strategies to mitigate cybersecurity attacks.
Under each individual attack technique, MITRE lists unique IDs to file procedures, mitigations, and detection methods along with associated attack techniques, sub-techniques, definitions, and tactics to provide detailed information on each attack.
For example, MITRE ID: T1621 identifies multi-factor request generation and focuses on using MITRE ID: T1078 valid accounts to generate unsolicited requests to a user(s) to gain unauthorized access to specific or multiple accounts. The technique involves an attacker attempting to use stolen, but valid account credentials to authenticate as a user and perform a push phishing attack such as a push bomb (sending multiple requests to the same user) or a push spray attack (sending multiple requests to different users) to gain unauthorized access.
How does Cisco Duo help mitigate real-life MITRE ATT&CK techniques?
The image below mimics a real-life attack scenario that we saw last summer targeting Microsoft 365 and displays where Duo can potentially help mitigate the attack:
In the example image above:
The bad actor obtains a list of Microsoft office mailboxes with account credentials and passwords.
The bad actor uses credentials to connect to Office 365.
The bad actor launches a series of push-phishing attacks against a single user (push bomb attack) or a group of users (push spray attack) until someone accepts one.
The bad actor self-enrolls their device (via self-service) and sets up MFA for persistence.
With the Azure Active Directory credentials and the ability to approve MFA requests on their own device, the attacker can move laterally into other applications and services.
The threat actor ATP29/Cozy Bear used the following MITRE techniques to target Microsoft 365:
Brute Force: MITRE ID T1110
Device Registration: MITRE ID: T1098.005
MFA Request Generation: MITRE ID: T1621
An organization using Duo’s Universal Prompt functionality could help mitigate similar attacks since the bad actor would be unable to authenticate to 365 without advanced verification such as requiring Duo’s phishing-resistant MFA (Multi-Factor Authentication) and Trusted Endpoints. Duo Trust Monitor would also help surface the attempted device registration so administrators could take action. If you are not using Microsoft 365, Duo can also apply the same zero trust protection & analytics to Microsoft AD FS, Google Workspace, Citrix, WorkDay, SalesForce, Cisco VPN, and a variety of applications & services.
What else can Cisco help with?
Cisco Duo is a robust, end-to-end access management solution that can play a significant role in mitigating popular MITRE ATT&CK techniques with a zero-trust approach. Duo can also pair with other Cisco Secure Access solutions including SSE, Cisco XDR, Cisco Umbrella, Cisco Email Security, Cisco Secure Endpoint, Cisco Security Workload, and Secure Analytics for a comprehensive defense-in-depth strategy that supports a best-in-class security operation for your organization.
To learn more, contact the Duo sales team today.