Cisco Duo – MFA abuse alert handling

Entities: User, IP
Log type: Windows Server

Playbook Description

This playbook investigates MFA abuse alerts by analyzing user behavior, checking for signs of MFA fatigue attacks, and evaluating the risk associated with such alerts to determine appropriate response actions.

MITRE ATT&CK mapping

Tactic: Defense Evasion (TA0005)
Technique: System Binary Proxy Execution (T1218)
Sub-technique: InstallUtil (T1218.004)

MITRE D3FEND mapping

Tactic: Model (D3-Model)
Technique: Application Hardening (D3-AH)
Sub-technique: Process Segment Execution Prevention (D3-PSEP)

Playbook input type

Alert

Prerequisites

  • VirusTotal connection - A connection to the VirusTotal API is needed to check URL and file hash reputation.
  • Log360 Cloud - A connection is needed to execute PowerShell scripts on the target Windows host for investigation and remediation actions.
  • Privileges - Admin privileges on the target host are required.

Playbook creation input

  • connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs

Dependencies

Extensions - VirusTotal

  • virustotal_ipReputation
  • virustotal_calculateRiskScore

Extensions - Cisco Duo

  • ciscoduo_createPolicy
  • ciscoduo_retrieveEndpointById
  • ciscoduo_modifyUser
  • ciscoduo_retrieveUserById
  • ciscoduo_retrievePolicies

Utility functions

  • utility_analyseDeviceHealthResult
  • utility_filterAndMatchEvents
  • utility_convertTimeToUTC
  • utility_getRequiredTime
  • utility_sendMail

Connections

VirusTotal connection - A connection to the VirusTotal API, including its access key, is needed to check the reputation of IPs, URLs and files.

Cisco Duo connection - A connection to Cisco Duo is needed, configured with the Integration Key, Secret Key and API Hostname.
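
How the Integration Key, Secret Key and API Hostname are used by a Duo Admin API client, as an added example that is not part of the playbook or the Log360 Cloud Duo extension. It implements the documented Duo signature version 2 scheme (a canonical string of date, method, host, path and sorted parameters, HMAC-SHA1 signed with the Secret Key, sent as HTTP Basic credentials together with the Integration Key). The hostname, keys and user name are placeholders.

```python
"""Request signing for the Cisco Duo Admin API (signature version 2).

Added example for this playbook page, not Log360 Cloud or Cisco Duo code.
The hostname and keys used in the usage section are placeholders.
"""
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote


def canonical_params(params):
    """Sort parameters by key and percent-encode everything except '~'."""
    return "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
        for k, v in sorted(params.items()))


def canonicalize(method, host, path, params, date):
    """Build the newline-joined string that is signed."""
    return "\n".join([date, method.upper(), host.lower(), path,
                      canonical_params(params)])


def sign(skey, canon):
    """HMAC-SHA1 of the canonical string with the Secret Key, hex encoded."""
    return hmac.new(skey.encode("utf-8"), canon.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def build_request(ikey, skey, host, method, path, params, date=None):
    """Return (headers, request target, body) for one signed request.

    The Date header must be exactly the date that went into the canonical
    string; otherwise the server's recomputed signature will not match."""
    date = date or formatdate()
    sig = sign(skey, canonicalize(method, host, path, params, date))
    auth = base64.b64encode(f"{ikey}:{sig}".encode("utf-8")).decode("ascii")
    headers = {"Date": date, "Host": host, "Authorization": f"Basic {auth}"}
    encoded = canonical_params(params)
    if method.upper() in ("POST", "PUT"):
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        return headers, path, encoded
    return headers, f"{path}?{encoded}" if encoded else path, ""


def verify_signature(ikey, skey, headers, method, host, path, params):
    """Recompute the signature the way the server does; handy for testing a
    client without network access. Uses a constant-time comparison."""
    scheme, _, encoded = headers["Authorization"].partition(" ")
    if scheme != "Basic":
        return False
    sent_ikey, _, sent_sig = base64.b64decode(encoded).decode("utf-8").partition(":")
    expected = sign(skey, canonicalize(method, host, path, params, headers["Date"]))
    return sent_ikey == ikey and hmac.compare_digest(sent_sig, expected)


if __name__ == "__main__":
    # Placeholder credentials; a real client reads them from a secret store.
    hdrs, target, _ = build_request("DI_PLACEHOLDER_IKEY", "PLACEHOLDER_SKEY",
                                    "api-xxxxxxxx.duosecurity.com", "GET",
                                    "/admin/v1/users", {"username": "alice"})
    print(target, hdrs["Authorization"])
```

Because the signature covers the request path and parameters, a connection configured with the wrong API Hostname or a Secret Key copied with trailing whitespace fails at the Authorization step rather than producing partial results, which is the first thing to check when the Duo extension functions return authentication errors.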

Sub playbooks

  • Cisco Duo - Block IP
  • Cisco Duo - Add user to group

Execution workflow

Investigation:

  • Checks the IP reputation.
  • Calculates the IP risk score.
  • Checks for push bombing.
  • Analyzes the user.

Decision logic:

  • Proceeds to remediation when the following condition is met:
    • The associated IP address has a high risk score.
  • If suspicious but not confirmed malicious, sends a notification for manual review and stops further actions.
  • If no malicious indicators are confirmed, the playbook ends with no further actions.
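
The push-bombing check from the investigation steps and the three-way decision logic above, as an added example that is not part of the playbook or of the Log360 Cloud and Duo extensions. It runs over constructed records whose fields (timestamp, username, factor, result, reason, ip) follow the shape of Duo authentication log entries; the records, the ten-minute window, the burst threshold and the IP risk-score cut-offs are assumptions to be tuned per environment.

```python
"""Push-bombing (MFA fatigue) triage over Duo-style authentication records.

Added example for this playbook page; it is not Log360 Cloud or Cisco Duo
code. Every record below is constructed, and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed: look-back window for a push burst
BURST_THRESHOLD = 5              # assumed: denied/unanswered pushes that count as fatigue
HIGH_RISK = 70                   # assumed: IP risk score that sends the alert to remediation
SUSPICIOUS = 40                  # assumed: IP risk score that warrants manual review


def _ev(ts, user, result, reason, ip, factor="duo_push"):
    return {"timestamp": ts, "username": user, "factor": factor,
            "result": result, "reason": reason, "ip": ip}


# Constructed sample: alice receives six pushes in seven minutes that she
# ignores or denies, then approves one; bob denies a push and then logs in.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:05Z", "alice", "denied", "no_response", "203.0.113.10"),
    _ev("2024-05-01T08:01:10Z", "alice", "denied", "no_response", "203.0.113.10"),
    _ev("2024-05-01T08:02:30Z", "alice", "denied", "user_mistake", "203.0.113.10"),
    _ev("2024-05-01T08:03:45Z", "alice", "denied", "no_response", "203.0.113.10"),
    _ev("2024-05-01T08:05:00Z", "alice", "denied", "no_response", "203.0.113.10"),
    _ev("2024-05-01T08:06:20Z", "alice", "denied", "user_mistake", "203.0.113.10"),
    _ev("2024-05-01T08:07:10Z", "alice", "success", "user_approved", "203.0.113.10"),
    _ev("2024-05-01T09:00:00Z", "bob", "denied", "no_response", "198.51.100.7"),
    _ev("2024-05-01T09:00:40Z", "bob", "success", "user_approved", "198.51.100.7"),
    _ev("2024-05-01T09:30:00Z", "bob", "success", "valid_passcode", "198.51.100.7",
        factor="passcode"),
]


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_push_bombing(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {username: finding} for users whose push history looks like MFA
    fatigue: at least `threshold` denied or unanswered pushes inside `window`,
    plus whether a push was approved within `window` after the burst."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["factor"] == "duo_push":
            by_user[ev["username"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["timestamp"]))
        recent = deque()      # timestamps of failed pushes inside the window
        peak, burst_end, ips = 0, None, set()
        for ev in evs:
            if ev["result"] == "success":
                continue
            ts = parse_ts(ev["timestamp"])
            ips.add(ev["ip"])
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                peak = max(peak, len(recent))
                burst_end = ts
        if burst_end is None:
            continue
        approved_after = any(
            e["result"] == "success" and e["reason"] == "user_approved"
            and burst_end <= parse_ts(e["timestamp"]) <= burst_end + window
            for e in evs)
        findings[user] = {"failed_pushes": peak, "burst_end": burst_end,
                          "source_ips": ips, "approved_after_burst": approved_after}
    return findings


def decide(ip_risk_score, finding):
    """Playbook decision: high IP risk -> remediate; suspicious but not
    confirmed (fatigue pattern or mid-range score) -> manual review;
    nothing confirmed -> close."""
    if ip_risk_score >= HIGH_RISK:
        return "remediate"
    if finding is not None or ip_risk_score >= SUSPICIOUS:
        return "manual_review"
    return "close"


def triage(events, ip_risk_scores):
    """Per-user decision from the highest risk score among that user's source
    IPs and the push-bombing finding, if any."""
    findings = detect_push_bombing(events)
    decisions = {}
    for user in {e["username"] for e in events}:
        ips = {e["ip"] for e in events if e["username"] == user}
        risk = max((ip_risk_scores.get(ip, 0) for ip in ips), default=0)
        decisions[user] = decide(risk, findings.get(user))
    return decisions


if __name__ == "__main__":
    # Constructed risk scores standing in for the VirusTotal-derived IP score.
    print(triage(SAMPLE_EVENTS, {"203.0.113.10": 85, "198.51.100.7": 5}))
```

The `approved_after_burst` flag is the detail to carry into the notification email: a burst followed by an approval from the same source is the case the post-execution step on MFA bypass asks you to investigate, while a burst with no approval still warrants review but suggests the user held out.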

Remediation:

  • Checks whether the request came from a browser.
  • Passes the policy result.
  • Checks whether the endpoint ID exists.
  • Passes the endpoint results.
  • Executes the "Cisco Duo - Block IP" sub-playbook.
  • Checks whether any remediation step failed.
  • Builds the notification email with remediation details and findings.
  • Sends a notification email regarding the actions taken and required next steps.

Figure: Execution workflow of the playbook

Post execution procedure

  • Review the blocked IP address and the remembered devices policy to ensure they were applied correctly.
  • Investigate whether the attacker successfully bypassed MFA through push bombing.
  • Review Cisco Duo authentication logs for any additional unauthorized access.
  • Consider enforcing hardware token-based MFA for high-risk users.
  • Audit MFA configurations across the organization to prevent future push bombing attacks.