Leveraging Duo Trust Monitor to Detect Push Phishing
Security controls can sometimes be double-edged swords. The obvious benefits can be slightly reversed if the control isn’t managed or practiced properly. To illustrate the point, think about placing a defensive wall around a village. In the early days after the wall is constructed, there is probably a night watchman set to walk the perimeter in case of attack.
Perhaps the villagers are even trained to understand that one horn blast means attackers are approaching and two horn blasts means that invaders are at the wall. However, over time, if attacks become rare and the village goes through a few years of peace, it can be easy to discontinue the night watch and the villagers may go on to forget the horn threat signals. When this happens, the once strong wall protection, though still better than no wall, becomes less effective.
We can map this exact example onto modern multi-factor authentication. There is no question that MFA is a core security control, it plays a key role in stopping credential-based attacks which are still a primary cause of breach. MFA was also required specifically in the most recent Cybersecurity Executive Order. However, MFA is now commonplace enough that folks are beginning to treat it as the wall that’s been around the city for years - some have gotten too used to its protection.
What is Second Factor Phishing?
What does it mean when users get “too used to” MFA protection? At Duo, some of our customers are worried about second factor phishing or push phishing. Second factor phishing can occur when a bad actor has stolen a user's primary credentials (usually a username and password) and then attempts to gain access to that user’s environment.
The bad actor is hoping that, even if there is MFA in place, end users will be overly conditioned to accept the second factor. In other words, the end user is acclimated to “the wall” and may have forgotten to assess the threat signals. In these cases, the end user just hits accept and the attacker is through - effectively bypassing MFA.
To be clear, in the case above, it is still much better to have MFA in place than not. The overwhelming majority of end users assess each push accordingly and don’t grant fraudulent attempts access. However, companies shouldn’t let their guard down when it comes to end user education. Workforces should be reminded to evaluate the second factor when it comes in.
Whenever accepting a second factor, there are simple questions an end user should ask themselves:
Did I just attempt access to an application?
Where is the second factor coming from? (ex. Duo’s push factor shows device and IP address as a part of the second factor).
Did a session of mine just end? Or, am I being prompted to re-login to an account?
Even with the MFA in place and consistent worker training, there are still cases to worry about. Some users may accept a fraudulent second factor absentmindedly, or even by mistake, letting a bad actor into the corporate environment.
Duo Trust Monitor Enhances The Security of MFA
Never fear, Duo has a feature for that: Duo Trust Monitor. Duo Trust Monitor is Duo’s machine-learning enabled risk detection tool. It works by ingesting Duo authentication information and using it to develop baselines of workforce activity. Basically, who typically accesses what from where. After setting up these baselines, Duo Trust Monitor highlights anomalous access attempts.
For example, Duo Trust Monitor can understand that John Doe typically accesses his CRM application at 9 am EST from Virginia on a MacBook. This is helpful because if John Doe’s credentials attempt access that is highly anomalous (say they try to gain access from the Ukraine on a Windows device) then Duo will highlight this information.
Duo Trust Monitor is especially effective at combating second factor fraud. This is because bad actors almost never exhibit all the same behavioral variables as their targets. Yes, they may have the primary credentials in hand — but it would be exceedingly difficult for them to replicate the daily pattern of access behavior of that user.
If an attacker buys a set of usernames and passwords, how are they supposed to know what type of device the users typically access from? Or, which IP addresses? Or, which times users typically login? The answer is that it’s incredibly challenging, if not impossible, to do.
In this way, Duo Trust Monitor can alert customers to potential cases of second factor fraud or push phishing. Even if John Doe were to accept a push notification sent by a bad actor — Duo Trust Monitor should catch it. The feature would highlight that, even though the second factor was accepted, the variables associated with the authentication are anomalous.
In other words, Duo doesn’t expect John Doe to attempt a login from outside of the US, from a new device, at a strange time — therefore, we’ll flag this authentication and sound the alarm.
In conclusion, though it’s obviously important to put core security controls in place, it’s also important to maintain them. In the case of a city wall, maintaining proper watch protocols and keeping an informed citizenry are key. In the case of MFA, maintaining risk detection features like Duo Trust Monitor and keeping an educated workforce are critical.
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.