惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
Google Developers Blog
Jina AI
Jina AI
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
S
Securelist
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
L
LINUX DO - 热门话题
博客园 - 三生石上(FineUI控件)
T
Threatpost
T
The Blog of Author Tim Ferriss
C
CERT Recently Published Vulnerability Notes
IT之家
IT之家
P
Palo Alto Networks Blog
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
Cyberwarzone
Cyberwarzone
腾讯CDC
L
LangChain Blog
Know Your Adversary
Know Your Adversary
C
CXSECURITY Database RSS Feed - CXSecurity.com
GbyAI
GbyAI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
I
Intezer
T
Tor Project blog
AWS News Blog
AWS News Blog
T
Tenable Blog
NISL@THU
NISL@THU
Security Latest
Security Latest
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Hackread – Cybersecurity News, Data Breaches, AI and More
人人都是产品经理
人人都是产品经理
MongoDB | Blog
MongoDB | Blog
MyScale Blog
MyScale Blog
D
DataBreaches.Net
Microsoft Security Blog
Microsoft Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
量子位
美团技术团队
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
罗磊的独立博客
The GitHub Blog
The GitHub Blog
阮一峰的网络日志
阮一峰的网络日志
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Stack Overflow Blog
Stack Overflow Blog

The Duo Blog

Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo
Janet Ho · 2026-04-16 · via The Duo Blog

Industry News

Your endpoint management system has an identity problem

Headshot of Janet Ho, Duo Product Team

7 minute read

How the Stryker attack proved that identity governance is the real endpoint security gap

Endpoint management platforms sit at the intersection of identity and device control. A compromised administrator does not need to find a zero-day or write custom malware. They already have the keys to push configurations, wipe devices, and modify security policies across an entire fleet.

This is not a theoretical risk. It is a documented pattern, and it has a name: identity-based attacks on management infrastructure. Every time an attacker compromises administrative credentials for platforms like Microsoft Intune or Entra ID, they turn the tool designed to protect endpoints into a weapon. No malware required. No vulnerability exploited. Just identity governance that was not working the way it should.

For a deeper look at why administrative access is vulnerable when it is not governed properly, read Cisco Duo's guide to privileged access management risks.

What happened at Stryker

In early 2026, a cyberattack hit Stryker Corporation, a major U.S. medical technology firm, and disrupted operations globally. No ransomware was deployed. No novel malware was found. Attackers compromised administrative credentials for Microsoft Intune and Entra ID, turning Stryker's own endpoint management infrastructure into a weapon for destructive wiper operations.

Following the attack, CISA issued an alert urging U.S. organizations to strengthen their endpoint management configurations. All three of CISA's recommendations, least privilege, phishing-resistant multi-factor authentication (MFA), and multi-admin approval, point to the same underlying problem: identity governance for the systems that manage devices and access is not keeping pace with how attackers operate.

What the data shows about identity-based attacks

The Stryker incident is not an outlier. It fits a pattern that security teams should recognize.

Expel's 2026 Annual Threat Report found that 68.6% of all security incidents last year were identity-based attacks, with nearly half resulting in successful authentication using stolen credentials. Endpoints accounted for 29% of all incidents. The overlap between these two categories, where compromised identities meet device management infrastructure, is where the greatest risk lives.

The compounding problem is dwell time. IBM's 2024 Cost of a Data Breach Report found that breaches involving stolen credentials take an average of 292 days to identify and contain. Apply that timeline to a compromised endpoint management administrator, and the attacker has nearly 10 months of access to push policies, modify configurations, and stage destructive payloads, all through legitimate tooling that will not trigger traditional malware detection.

Meanwhile, most organizations still treat endpoint management consoles with less rigor than they apply to their cloud infrastructure. Only 6% of organizations report fully automated endpoint management, according to Automox's 2026 State of Endpoint Management Report. Forty-three percent of IT teams spend more than 10 hours per week on manual endpoint tasks, time that is not being spent auditing who has administrative access or whether those permissions are still appropriate.

Identity threat detection and response (ITDR) for management infrastructure is not a feature most organizations have implemented. The gap between how attackers exploit administrative credentials and how organizations monitor those credentials remains wide.

Three CISA recommendations that all point to identity

CISA's alert reads like an endpoint management checklist. But every recommendation maps directly to identity and access management. You cannot harden endpoint management without first hardening identity.

Least privilege for administrative roles

Least privilege means ensuring people have only the access they need, only for as long as they need it. That starts with knowing who has elevated access, what they can do with it, and whether those permissions are still justified.

Most organizations over-provision MDM administrators because privileges accumulate on accounts over time and are rarely audited, largely due to limited visibility across the identity landscape. Step-up authentication, where administrators must verify their identity again before performing high-impact actions, adds a dynamic control layer that static role assignments cannot provide.For a comprehensive framework on implementing least privilege for administrative accounts, see Cisco Duo's privileged access management best practices guide.

Phishing-resistant MFA for privileged access

Phishing-resistant MFA goes beyond push notifications and SMS codes. Organizations that enforce phishing-resistant MFA block over 99% of identity-based attacks. It relies on cryptographic authentication tied to a physical device, blocking the credential interception techniques that made the Stryker attack possible.

Traditional MFA approaches, including app-based push notifications, are increasingly vulnerable to adversary-in-the-middle attacks and MFA fatigue. In a fatigue attack, an attacker triggers repeated push notifications until the user approves one out of frustration. In an adversary-in-the-middle attack, the attacker intercepts the authentication session in real time, capturing both the credentials and the MFA approval. Neither attack works against FIDO2-based authentication because there is nothing to intercept or approve.

CISA is specifically calling for FIDO2-level assurance for privileged accounts. To learn more about what phishing-resistant MFA is and how to implement it, see Cisco Duo's guide to phishing-resistant MFA.

Multi-admin approval for high-impact actions

Multi-admin approval means a single compromised identity cannot unilaterally execute destructive operations. This is the control that could have limited the blast radius at Stryker. But it only works if the identities approving those actions are themselves verified through strong, phishing-resistant methods.

Without multi-admin approval, an attacker with one set of compromised administrative credentials can wipe devices, push malicious configurations, and modify security policies with no second check. With it, destructive actions require verification from multiple verified administrators, reducing the blast radius of any single compromised account.

What to look for in an identity security approach

The Stryker attack and the CISA alert point to a set of capabilities that any identity security platform should provide for organizations managing endpoint infrastructure. The question is not whether to strengthen identity controls for administrative access, but what those controls should look like.

Phishing-resistant authentication without hardware keys. FIDO2-level assurance has historically required expensive hardware key rollouts. Cisco Duo's proximity verification uses Bluetooth Low Energy between a user's laptop and mobile device to establish phishing-resistant authentication at FIDO2-level assurance without shipping and managing hardware tokens. Cisco reports 50%+ cost savings compared to traditional hardware key deployments. This covers the full authentication lifecycle: OS login, application access, and mid-session verification.

Post-authentication session protection. Authentication does not end at login. Attackers increasingly steal session cookies to bypass MFA entirely, no credentials needed. Duo Desktop replaces traditional session cookies with cryptographic challenges that cannot be replayed, closing the post-authentication gap that most identity solutions leave open.

Unified identity visibility across fragmented environments. Most enterprises run multiple identity providers, including on-premises Active Directory, Entra ID, and often a third cloud provider. Duo Identity Intelligence creates a converged identity graph across these sources, surfacing dormant accounts, excessive privileges, and identity drift between HR systems and directory services. This is exactly the visibility needed to implement CISA's least-privilege recommendation at scale, not just for Intune but across the entire administrative landscape.

Risk-based access policies driven by user trust scores. Rather than static role assignments, Duo continuously evaluates user trust based on behavior, device posture, and cross-platform signals, then enforces differentiated access policies in real time. Administrators flagged as high-risk can be automatically stepped up to stronger verification or temporarily restricted.

Cisco secures its own global workforce of 125,000 users and 285,000 devices with Duo, and has been recognized as a Gartner Peer Insights Customers' Choice for User Authentication two years running.

To understand the foundational principles behind this identity-centric security approach, see Cisco Duo's guide to identity security.

Two questions every security leader should ask this week

The Stryker attack was not exotic. It was predictable and preventable with identity controls that already exist. The CISA alert confirms what security architects have known: endpoint management systems are critical infrastructure, and they deserve the same identity rigor as your most sensitive applications.

Every security leader should be asking two questions this week:

  • Who has administrative access to our endpoint management platform?

  • Would we detect it if one of those credentials was compromised?

If the answers are not immediate and confident, the hardening work starts with identity.

Download the Guide to Restoring Trust in Identity to learn more about strengthening identity controls for administrative access and reducing risk in your environment.