After OpenSSL (Heartbleed), Microsoft (Hafnium), SolarWinds, Kaseya and Treck (Ripple20), Apache and other software are the next big names to land in the spotlight of the CVE vulnerability collection. The reason is Log4Shell, a zero-day vulnerability in the Java logging library Log4j. The incident further cements what is taking on an almost frustrating clarity for cybersecurity managers: there is no such thing as 100 percent security, much less peace of mind. The Log4Shell vulnerability in Log4j threatens all the cornerstones of cybersecurity: availability, integrity and confidentiality.
The big bang for waves of attacks in the years to come
What makes Log4Shell particularly dangerous is not only the ease and immediacy with which attackers can gain access to networks. Using unauthenticated remote code execution (RCE) - i.e., without any password or other authentication - attackers can trick Internet-connected servers into downloading and installing malware. It is primarily the long-term compromise of networks that is of concern.
Log4Shell effectively provides the big bang moment for next year's cyberattacks - from trivial cryptominers to lucrative ransomware attacks to large-scale disruption of critical infrastructures. Even those who have patched the vulnerability cannot rest assured:
- The vulnerability, documented as CVE-2021-44228, has existed for over a year.
- Information about it was published before a patch was available, giving everyone from script kiddies to advanced persistent threats (APTs) a head start in exploiting it. The German Federal Office for Information Security (BSI) recently confirmed the sharp increase in scanning activity for vulnerable systems on the Internet.
- The vulnerability allows a wide range of attack vectors, massively increasing the flexibility and variability of attack signatures.
- The Java library Log4j hides in a myriad of systems and applications. As the BSI writes, "The library is often integrated directly by software manufacturers into the delivery files of their own software and is therefore independent of the library version generally installed on the operating system."
- The Log4Shell vulnerability is not just "open house", but acts like a "government bond". Attackers can use the chance of access to hide payloads in networks and install backdoors that can still be used successfully 20 years from now. Log4Shell thus offers a unique opportunity, especially for state-sponsored adversaries and Advanced Persistent Threats, to make a strategic investment that will defy any firewall update in the years to come.
Ultimately, every company should assume that its network has long been compromised. With Log4Shell, attackers had about one year to complete the most difficult and crucial step of a cyberattack, the initial access to the network, without being detected. Indeed, Microsoft reported that since the vulnerability was made public, tools such as Cobalt Strike have begun to reappear with increasing frequency. The tool is popular with pentesters and cybercriminals for gaining access to networks, fortifying that access, and collecting and stealing network information - in short, installing an effective backdoor.
Critical infrastructures particularly at risk
For this reason, Log4Shell is a massive threat, also and especially for industrial companies and critical infrastructures. First, a large part of the security in these environments is based on securing the access points, i.e., the perimeters. The inner structure of Operational Technology (OT) networks in particular is largely insecure, and an existing infiltration usually remains undetected for months or years due to a lack of visibility. Second, attackers in these sectors have in the past shown great endurance, patience and a willingness to wait.
Above all, the findings on the vulnerability in the Java library Log4j show that companies can trust neither the block list signatures of their security service providers nor the security promises of their hardware and software suppliers. Log4Shell and the vulnerabilities mentioned above are very likely only the tip of the proverbial iceberg. Insecure systems, zero-day vulnerabilities and a lack of basic security (in the sense of security by design) have long been the new normal, and it is time to respond appropriately to this reality.
Defense-in-depth strategies include not only perimeter security but also homeland security. OT monitoring and threat detection provide a view inside the network.
Intrusion detection with an inside view
Trust is good, but control is still the only option. In the cybersecurity field, this translates into the well-known principle of defense in depth. It combines various components that include active and passive measures, behavioral analysis and reasoning, segmentation and organizational measures. The goal is to detect, contain and mitigate both novel threat vectors and successful penetrations of the first line of defense (typically firewalls and authentication measures), such as those enabled by Log4Shell. Traditional cybersecurity, on the other hand, still focuses on initial detection and defense directly at the entrance to the network (i.e., the city gate and the city wall in the figure above).
The network map of the Next Generation OT Intrusion Detection System provides detailed information on the OT structure and the communication behavior of all systems and applications.
In OT security practice, the crucial second line of defense is achieved via OT monitoring with threat and intrusion detection. OT monitoring sits (see first figure) atop the bell towers to obtain a complete picture of the inner workings of a network. Not only does this create complete visibility into the OT; threat detection also continuously compares the current communication with the expected, permitted communication and reports any anomalies. As a result, it identifies uncharacteristic, suspicious changes in communication behavior that are novel and indicative of malicious activity - from communication via backdoors, to lateral movement and spoofing activities, to direct interference with industrial processes. Actions of adversaries within the OT network become visible and traceable, and can be mitigated in real time, even if they use previously unknown signatures.
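The comparison of observed against expected communication described above can be illustrated with a small baseline detector. The code below is an added example, not code from the article or from any product it describes; the flow records, IP addresses, MAC addresses and plant subnets are constructed for illustration. During a learning phase it records every observed (source, destination, port, protocol) tuple as permitted; afterwards each flow is checked against that baseline, and the deviations are classified into the three categories the text mentions: a new external destination (possible backdoor), a never-before-seen peer pair inside the plant (possible lateral movement) and a known address suddenly sent from a different MAC (possible spoofing).

```python
"""Constructed example of allowlist-based anomaly detection for OT traffic."""
from dataclasses import dataclass
import ipaddress

# Assumed plant address ranges; anything outside them counts as "external".
PLANT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str  # application protocol name, e.g. "modbus", "s7comm"


class OTBaselineDetector:
    def __init__(self):
        self.allowed = set()  # (src_ip, dst_ip, dst_port, proto) seen in learning
        self.peers = set()    # (src_ip, dst_ip) regardless of port/protocol
        self.mac_of = {}      # src_ip -> MAC address first seen during learning

    def learn(self, flows):
        """Learning phase: record all observed communication as expected."""
        for f in flows:
            self.allowed.add((f.src_ip, f.dst_ip, f.dst_port, f.proto))
            self.peers.add((f.src_ip, f.dst_ip))
            self.mac_of.setdefault(f.src_ip, f.src_mac)

    @staticmethod
    def is_external(ip):
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in PLANT_NETWORKS)

    def check(self, f):
        """Detection phase: return alert strings for one flow (empty if expected)."""
        alerts = []
        known_mac = self.mac_of.get(f.src_ip)
        if known_mac is not None and known_mac != f.src_mac:
            alerts.append(f"SPOOFING: {f.src_ip} now sent from {f.src_mac}, baseline {known_mac}")
        if (f.src_ip, f.dst_ip, f.dst_port, f.proto) in self.allowed:
            return alerts  # communication itself matches the baseline
        if self.is_external(f.dst_ip):
            alerts.append(f"BACKDOOR: {f.src_ip} -> external {f.dst_ip}:{f.dst_port}/{f.proto}")
        elif (f.src_ip, f.dst_ip) not in self.peers:
            alerts.append(f"LATERAL: new peer pair {f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.proto}")
        else:
            alerts.append(f"NEW-SERVICE: {f.src_ip} -> {f.dst_ip} on unexpected {f.dst_port}/{f.proto}")
        return alerts

    def scan(self, flows):
        return [a for f in flows for a in self.check(f)]


# Constructed learning-phase traffic: HMI, historian and engineering workstation
# talking to two PLCs over the protocols they are expected to use.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "10.0.2.20", 502, "modbus"),
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "10.0.2.21", 502, "modbus"),
    Flow("10.0.1.30", "aa:bb:cc:00:00:30", "10.0.2.20", 502, "modbus"),
    Flow("10.0.1.40", "aa:bb:cc:00:00:40", "10.0.2.20", 102, "s7comm"),
]

# Constructed detection-phase traffic: one expected flow and four deviations.
LIVE_FLOWS = [
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "10.0.2.20", 502, "modbus"),   # expected
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "10.0.2.20", 102, "s7comm"),   # new protocol
    Flow("10.0.2.20", "aa:bb:cc:00:00:20", "10.0.2.21", 445, "smb"),      # PLC-to-PLC
    Flow("10.0.1.40", "aa:bb:cc:00:00:40", "198.51.100.7", 443, "https"), # external (documentation range)
    Flow("10.0.1.10", "de:ad:be:ef:00:01", "10.0.2.20", 502, "modbus"),   # HMI address from a different MAC
]


def run_example():
    detector = OTBaselineDetector()
    detector.learn(BASELINE_FLOWS)
    return detector.scan(LIVE_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note that the detector needs no signature for any of the four deviations; it only needs the baseline, which is why this kind of monitoring catches previously unknown tooling. In practice the learning phase must be validated by plant engineers, since a compromise present during learning would be baked into the allowlist.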
In the face of zero-day vulnerabilities and multiple attack vectors, a second line of defense is essential to react flexibly and securely to the constantly changing threat situation.