How did your IT firm react to Log4j?

Written By Taylor Axtmann

Preparation is often half the battle, and that holds for many things – but more often than not, it holds especially true with cybersecurity. On Friday, December 10, 2021, news broke of the active exploitation of a critical vulnerability (CVE-2021-44228) in a standard component of Java-based software, referred to as Log4j.

Labeled the “most serious” security breach ever, Log4j is a flaw in one of the internet’s most commonly used pieces of code. For years Log4j was code that software applications used to log – or keep track of – application activities. It’s code that has been used all over the internet as part of the Java programming language, which has been a foundational language for software since the 90s. So, if the internet has been using Log4j for so long, why is it considered potentially the most significant security breach of the past decade?

A few weeks ago it was discovered that Log4j could be used to allow bad actors to seize control of application servers by running and logging a lousy line of malicious code. A simple line of destructive code could give anyone the keys to running off with an organization. This kind of oversight rarely, if ever, occurs.

Log4J Vulnerability Tests Agility of Internal & Outsourced IT

With such an incredible vulnerability exposed, organizations of every size have rushed to review their environments and remediate where they can. This kind of event has the power to lay bare the organizations that are most intimate with their environments and those that engage in active management – whether that is via a third-party provider or in-house IT.

Here are some steps that we took to keep our clients safe in response to the Log4j vulnerability:

Enumeration, Mitigation, and Attack Detection

Working with our partners, we leveraged a 3rd party external tool for both Windows and Linux that downloads and executes the latest detection methods published by Florian Roth.

The tool, championed by Datto, allowed us to:

  • Scan all JAR files on the system for signs of insecure versions of Log4j

  • Search TXT and LOG files on a system for indicators of a potential attack

  • Automatically inoculate against future exploit attempts by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE.

Sophisticated Scanning & Custom Scripts

Our team also deployed sophisticated scanning, using custom scripts to scan, log, and identify areas for review. We cross-pollinated information gathered by our security team with ongoing releases from software vendors, alongside environment risk maintenance documentation, to rapidly identify the software and systems that were in immediate need of patching. From there, our team generated a risk heat map – allowing our team to address the greatest to least risk in a measured approach, and we deployed patching.

Blocking External Communication

We also created strict firewall and web filtering rules to monitor for and block potential attempts from Log4j exploits at maintaining communication with Command and Control (C2) infrastructure.

Additional Actions

We recommend the following actions in addition to the immediate actions we performed above:

  • If you use an outside IT or cybersecurity provider (e.g., internal SOC, Managed Security Service Provider [MSSP], Managed Services Provider [MSP], etc.) ensure they are aware of, monitoring, and taking appropriate actions on any alerts associated with the presence of Log4j in your environment

  • Ask them specifically for evidence of outbound traffic as a result of a Log4j exploitation attempt

  • Install or modify an existing Web Application Firewall (WAF) with rules that automatically update with the latest information

  • CISA will be maintaining a repository of information and affected software here

  • The Dutch National Cyber Security Center is maintaining another valuable and trusted repository

Additional Resources

Taylor Axtmann
Previous

How Law Firms Can Make Cybersecurity a Priority in 2018
Next

XDR, EDR, MDR, and SIEM | Understanding Extended Detection & Response