Duo
Duo is an identity and access management (IAM) solution that provides a robust layer of security for an organization's applications and data. Its core function is to ensure that the right individuals have the proper access to the right resources, while also protecting against credential theft and unauthorized access.
Core Problem Solved: Credential-Based Attacks
With passwords being the weakest link in many security infrastructures, attackers frequently use stolen or weak credentials to gain access. Duo addresses this by moving beyond simple passwords to require multiple forms of verification, making it much harder for attackers to "just log in."
Key Cybersecurity Capabilities
Multi-Factor Authentication (MFA): This is Duo's foundational capability. It requires users to present at least two different "factors" to verify their identity.
Something you know: A password or PIN.
Something you have: A mobile phone (Duo Push notification), a hardware token, or a security key.
Something you are: Biometrics like a fingerprint or facial scan.
Duo's most popular method, Duo Push, is designed for ease of use, sending a push notification to a user's smartphone for a one-tap approval.
Adaptive Authentication: Duo doesn't treat every login attempt the same. It uses a risk-based approach to determine the appropriate level of authentication. It assesses various factors in real-time, such as:
Device Health: Whether the device is company-managed, runs up-to-date software, and is encrypted.
Location: If the user is logging in from a known or unusual location.
User Behavior: If the login attempt deviates from the user's typical patterns.
Based on this analysis, Duo can either grant access, require additional verification, or block the login attempt.
Endpoint Visibility: Duo provides visibility into the devices accessing a company's applications, regardless of whether they are company-managed or personal. It can provide details on the operating system, browser, and security status of each device, which helps to enforce policies and identify insecure endpoints.
Single Sign-On (SSO): As an IAM solution, Duo provides SSO capabilities. This enables users to access multiple applications with a single, secure login. This improves both security and user experience by reducing the number of passwords that can be stolen or forgotten.
Compliance and Zero Trust: Duo helps organizations meet compliance requirements for standards like HIPAA, PCI-DSS, and NIST by enforcing strong authentication policies. It is also a key component of a "Zero Trust" security model, which operates on the principle of "never trust, always verify." Every user and device, regardless of their location, must be authenticated and authorized before gaining access to resources.
Duo is a solution that focuses on identity as the new security perimeter. By providing strong, user-friendly, and context-aware authentication, it protects against the most common entry point for cyberattacks: compromised credentials.
ThreatNG, an all-in-one external attack surface management, digital risk protection, and security ratings solution, would help an organization that uses Duo by providing an unauthenticated, outside-in view of its identity and access management (IAM) security posture. This perspective is vital because it reveals what an attacker sees and how they might attempt to bypass security controls.
External Discovery
ThreatNG performs purely external, unauthenticated discovery, using no connectors. For an organization that uses Duo, ThreatNG's Cloud and SaaS Exposure module would identify the Duo instance as a sanctioned SaaS application. The discovery process also uncovers other related assets, such as public code repositories, mobile apps, and subdomains, that could be used as an initial access vector to compromise an employee's Duo account.
Example: ThreatNG would identify the company's Duo instance at a domain such as mycompany.duosecurity.com and begin its assessment. It might also discover a subdomain sso.mycompany.com and identify that it uses Duo for authentication.
External Assessment
ThreatNG's external assessment capabilities would evaluate the security of the company's Duo implementation and related assets from the perspective of an attacker.
Cyber Risk Exposure: ThreatNG's score for cyber risk exposure considers factors such as the security of subdomain headers, vulnerabilities, and the presence of sensitive ports. It would also factor in Code Secret Exposure, which discovers code repositories and their exposure level, and investigates their contents for sensitive data. For Duo, this could mean finding an API key or an administrative password in a public GitHub repository. It also considers compromised credentials on the dark web, which increases the risk of successful attacks.
NHI (Non-Human Identity) Exposure: This score uncovers and evaluates a company's susceptibility to risks associated with non-human identities like API keys, service accounts, and system accounts. ThreatNG would look for exposed APIs and non-human identities found in sensitive code or cloud exposure. This is particularly important for Duo because it is often integrated with other applications using APIs, and a leaked API key could be used to manipulate user accounts or bypass authentication.
Investigation Modules
ThreatNG provides several investigation modules to analyze findings in detail.
Sensitive Code Exposure: This module identifies public code repositories and mobile applications, then examines them for sensitive data.
Example: ThreatNG could find a public repository on GitHub where a developer accidentally hard-coded a Duo API key or secret key. An attacker could use this to manipulate user accounts or bypass MFA controls.
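As an added example (not ThreatNG's or Duo's own code), here is a defender-side check of the kind this module performs: scanning a repository file for hard-coded Duo credentials and reporting them redacted so the report itself does not leak the secret. It assumes Duo's documented credential shapes (a 20-character integration key beginning with "DI", a 40-character secret key, and an api-*.duosecurity.com API hostname), none of which appear on the page, and runs over a constructed sample file.

```python
"""Detect hard-coded Duo API credentials in source text (added example)."""
import re
from dataclasses import dataclass

# Assumed credential shapes (from Duo's documented key format, not this page):
# integration key = "DI" + 18 uppercase alphanumerics, secret key = 40
# alphanumerics, API hostname = api-xxxxxxxx.duosecurity.com.
IKEY_RE = re.compile(r"\bDI[A-Z0-9]{18}\b")
SKEY_RE = re.compile(
    r"""(?:skey|secret)\w*\s*[:=]\s*["']?([A-Za-z0-9]{40})\b""", re.I
)
HOST_RE = re.compile(r"\bapi-[a-z0-9]{8}\.duosecurity\.com\b", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str       # "ikey", "skey" or "api_host"
    redacted: str   # the report never carries the full secret


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the owner can recognise the key, mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def is_placeholder(value: str) -> bool:
    """Skip documentation placeholders such as DIXXXX... or 0000... ."""
    body = value[2:] if value.startswith("DI") else value
    return len(set(body)) <= 2


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking value, in line order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in IKEY_RE.finditer(line):
            if not is_placeholder(m.group(0)):
                findings.append(Finding(n, "ikey", redact(m.group(0))))
        m = SKEY_RE.search(line)
        if m and not is_placeholder(m.group(1)):
            findings.append(Finding(n, "skey", redact(m.group(1))))
        for m in HOST_RE.finditer(line):
            # The hostname is not secret, but it pins the leak to a Duo tenant.
            findings.append(Finding(n, "api_host", m.group(0)))
    return findings


# Constructed sample of a leaked settings file; all values are made up.
SAMPLE = """\
# constructed sample of a leaked settings file
DUO_IKEY = "DIABCDEFGHIJKLMNOPQR"
DUO_SKEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
DUO_API_HOST = "api-a1b2c3d4.duosecurity.com"
# documentation placeholder that should not be reported
EXAMPLE_IKEY = "DIXXXXXXXXXXXXXXXXXX"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

A leaked integration key on its own is not enough to call the Admin API, but paired with the secret key and hostname it is a complete non-human identity, which is why all three are reported together.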
NHI Email Exposure: This feature groups discovered emails identified as admin, support, or security. This helps identify and secure administrative accounts that may have privileged access to Duo, making them a high-value target for phishing attacks.
Domain Intelligence: This module could uncover typosquatting domains (e.g., duo-mycompany.com) that could be used in phishing attacks targeting employees with access to Duo.
Intelligence Repositories
ThreatNG's intelligence repositories, branded as DarCache, provide continuously updated information to power its assessments.
DarCache Rupture (Compromised Credentials): This repository would be checked for any compromised user or non-human credentials associated with the company that could be used to log into the Duo platform.
DarCache Dark Web: This repository would be scanned for mentions of the company or its use of Duo, including discussions about potential exploits or leaked data.
DarCache Vulnerability: This repository provides critical context on known vulnerabilities that could affect the Duo platform or its integrations. It includes data from NVD, EPSS, and KEV.
Example: ThreatNG's DarCache Vulnerability repository would provide information on any known vulnerabilities in the Duo SDKs or APIs, including their technical characteristics, potential impact, and likelihood of being exploited in the near future. This helps a company's security team prioritize patching efforts on vulnerabilities that pose an immediate and proven threat. It also links to Verified Proof-of-Concept (PoC) Exploits on platforms like GitHub, which helps a security team understand how a vulnerability can be exploited and how to develop effective mitigation strategies.
Reporting and Continuous Monitoring
ThreatNG offers comprehensive reporting, including executive, technical, and prioritized reports. These reports would detail the findings related to the company's use of Duo, providing risk levels, reasoning, and recommendations to help the organization prioritize its security efforts and mitigate risks. ThreatNG also offers continuous monitoring of the external attack surface and security ratings, ensuring that any new risks or exposures related to Duo are promptly detected.
Complementary Solutions
ThreatNG's external, unauthenticated approach complements internal security tools, creating a more comprehensive security program.
Security Information and Event Management (SIEM): A SIEM solution, like Splunk, collects and analyzes log data from internal systems. ThreatNG's findings, such as compromised credentials on the dark web or an exposed API key found in a code repository, can be fed into the SIEM. If the SIEM then detects a suspicious login attempt to a Duo-protected application, it can correlate that event with the intelligence from ThreatNG, giving the security team a clearer picture of the threat.
Vulnerability Management Solutions: Internal vulnerability management tools, such as Tenable or Qualys, scan for vulnerabilities inside a company's network. ThreatNG's DarCache Vulnerability intelligence, especially its KEV data, can be used to inform these tools, helping the security team prioritize which vulnerabilities to patch first on their Duo-related infrastructure.
Identity and Access Management (IAM): ThreatNG helps address a significant attack vector that is often invisible to internal tools. If ThreatNG discovers a compromised non-human identity, such as an exposed API key for Duo, this information can be used to revoke that credential in the IAM system immediately.