Months after it was discovered in December of 2021, the Log4j remote code execution exploit (Log4Shell) is still impacting businesses and government organizations throughout the world. To call it the worst cybersecurity vulnerability since SolarWinds would not be an exaggeration, and – with millions of devices and software packages affected – it’s a problem that won’t disappear any time soon.
In 2022, cyber threats are on the rise: experts predict increased rates of ransomware, phishing attacks and other malicious cyberactivity throughout the year. Organizations already have a lot to worry about, and with Log4Shell, that list has only gotten longer. In this article, we will explain how to maintain your mission resilience in the face of Log4Shell and similar attacks, starting with immediate response.
Four Steps to Defend Against Log4Shell Exploits
Log4Shell – or CVE-2021-4228 – is a major zero-day vulnerability in versions of the popular Java logging package Log4j. Since its disclosure on December 9th of 2021, most organizations have implemented basic response actions to mitigate risk, especially after the Cybersecurity Infrastructure Security Agency (CISA) issued a list of recommendations.
But even two months on from its discovery, businesses are still being affected by Log4Shell-directed attacks, and organizations must go beyond the bear minimum to protect themselves in the short term. In addition to CISA’s recommendations, Securicon recommends the following steps:
- Update boundary sensors on the perimeter of your network to detect and alert on attempted Log4Shell exploits. Ensure that firewalls and other host-based sensors are configured for the same purpose.
- Engage in Log4Shell-based exploitation exercises to validate your “Protect,” “Detect” and “Respond” functions, as described by NIST’s Cybersecurity Framework (CSF).
- If you discover a Log4Shell-vublnerable system that hasn’t been tested yet, assume the worst: clear and secure the system to discover potential compromise and restore trust. Ideally, this should be part of your routine cybersecurity strategy.
- Get an independent assessment from expert cybersecurity consultants who can assist with any of these steps, implement federal-level security controls, or provide advanced training activities to harden your operations immediately.
These actions will provide more robust protection against Log4Shell-based attacks than patching alone – however, they may not protect against emerging variants or use cases of the vulnerability, and more is required to sustain mission resilience for the long term.
An Evolving Threat
Although many businesses have already applied basic patches for Log4Shell, it remains a dangerous and developing attack vector. At the beginning of January 2022, millions of Log4j-directed attacks were detected per hour, and – while they have slowed – they have not come to a stop. In fact, attackers are continually finding brand new ways to exploit the vulnerability.
With a practically unlimited potential for abuse – and with so many devices left unprotected – Log4Shell represents a significant and enduring risk, even for businesses who have applied recommended patches. Potential impacts include:
- Reduced Customer Trust and Reputation – Log4Shell can lead to serious breaches of sensitive data, leaving a permanent impact on customer trust and brand reputation. Vulnerable categories of data range from personally identifiable information (PII) to controlled unclassified information (CUI) and financial details.
- Loss of Productivity and Revenue – Log4Shell is being used to commandeer networks for the purposes of launching ransomware and botnet Such incidents cost time and resources to resolve, tying up employees and leading to reduction in revenue.
- Safety Incidents and Loss of Life – while it may be hard to believe that a simple software bug could lead to injury or even death, attacks on operational technology (OT) are a rapidly growing concern for critical infrastructure, manufacturers and energy producers. Log4Shell can lead to OT attacks, which represent a serious safety risk.
- Expensive Lawsuits – the Federal Trade Commission (FTC) recently warned that it will prosecute organizations who do not act to protect customers from Log4j vulnerabilities, citing the $700 million settlement with Equifax in 2019. This warning applies even if the vulnerability originates from a third-party vendor.
- Sustained Presence of Attackers – after gaining a foothold through Log4Shell, cyber actors can establish a backdoor to use for extended reconnaissance and lateral movement across an organization’s network. This means any of the aforementioned risks can recur even when the original vulnerability has been patched.
Ultimately, it is difficult to predict all the permutations that Log4Shell will take over the coming year. Rather than looking for a quick fix, organizations should be working to improve their mission resilience from the ground up to survive in a constantly changing cyber landscape.
Four Steps to Protecting Your Mission Resilience
Mission resilience is your organization’s ability to prepare for unexpected disruptions and respond to them effectively. An organization with mission resilience can maintain mission-critical operations in the face of a
grave business threat without faltering in the delivery of basic products and services. Above all, it exercises constant vigilance to detect malicious actors and expels them as soon as they are detected.
Because Log4j is prevalent throughout the software supply chain, your organization can be affected by it indirectly: all it takes is one vulnerable partner to endanger your operations. For this reason, we recommend the following steps to build up your mission resilience against Log4Shell and similar threats –
- Take inventory of your software supply chain and identify single points of failure – this includes potentially vulnerable third-party connections and dependencies. Communicate with partners to ensure that they are applying adequate security controls, or remove them from your organization if necessary.
- Ensure that your data backups are secure and up-to-date. This will minimize operational disruptions and enable your organization to recover quickly in the case of data deletion or encryption by ransomware.
- Develop a Continuity of Operations Plan (COOP) that describes how your mission-critical functions will be sustained following a disaster event for up to thirty days. Drill all relevant employees and decision makers so they are prepared for an emergency.
- Partner with an expert cybersecurity consultant like Securicon who can provide your organization with vulnerability and penetration testing/assessments, governance, risk and compliance (GRC) services, security architecture review and more.
Expertise You Can Trust
In 2022, government agencies and businesses across every industry are caught in the middle of a rapidly escalating cyber war: not only will Log4j continue to threaten businesses in the coming year, but new zero-days will likely be discovered with a similar impact. Now more than ever, organizations need a partner they can trust to find security gaps and strengthen their resilience in the face of business threats.
To learn how Securicon can help your business, visit our contact page.