Log4j Today – Prepare for What’s Next
January 26, 2022
Greg Foss, Lacework Labs
The holiday season is never complete without a significant security event unfolding as the year comes to an end. This past year was no exception, as the tech world rallied to understand and respond to Log4j – a critical set of vulnerabilities that affected nearly every industry around the world. Unfortunately, we will continue to see the fallout for months, if not years, to come, which is one reason why we’re thinking about the future of zero-day events like this and what comes next.
At Lacework, this vulnerability highlighted a few things across our diverse customer base. Notably, traditional methods of tailoring detections to specific offensive techniques cannot keep pace with the evolution of modern computing infrastructure. There are myriad ways in which a corporation can be breached, making it even more complex for a defender’s job to adapt alongside the evolving security landscape.
Apache Log4j’s critical Remote Code Execution flaw (CVE-2021-44228) and the five arguably less-severe vulnerabilities that followed is just one example that highlights the cascading impact that flaws within important open-source software libraries can pose; especially a core software library that products of all kinds rely on, suddenly shown to be susceptible to a vulnerability that allows an attacker to bypass the outer walls of the enterprise entirely, eventually surfacing deep within the organization’s perimeter.
Security is very much a data problem. You cannot patch what you don’t know you have. As we saw with this vulnerability, many affected entities did not immediately realize they were impacted. Furthermore, many companies were stuck in limbo while awaiting patches from affected vendors, implementing temporary workarounds until a long-term solution was made available. All the while, defenders scrambled to create signatures to detect exploitation attempts, which were quickly subverted through creative string manipulation. This process went on for weeks, while crimeware forums had already openly discussed this vulnerability within hours after public disclosure. It didn’t take long for prominent threat actors to begin taking full advantage.
For every Log4j-like vulnerability that is known, there are potentially hundreds of others that have yet to be discovered. Some of which are possibly being leveraged for covert access as we speak. While the exposure itself is essential to comprehend, find, and patch, it’s equally important to focus on improving our collective ability to detect post-exploitation activity, regardless of the initial access vector.
At Lacework, we focus on detecting changes across cloud infrastructure. While we may not know exactly why a process is suddenly communicating with a new external host, it’s an event that should be elevated for review nonetheless — allowing defenders to provide context via their unique infrastructure knowledge and determine the appropriate course of action.
Learn more about how Lacework responded to Log4j and how we’re preparing for what’s to come in the latest webinar, Dissecting the Log4j Vulnerability with Lacework’s Chief Architect, Ulfar Erlingsson, and the Director of Lacework Labs, James Condon, along with our special guest, Austin Gregory, Information Security Engineering Manager with Nylas.
Copyright 2022 Lacework Inc. All rights reserved.