We use cookies to improve your experience. Do you accept?

Skip to main content

Cyware’s Approach to Handling Apache Log4j2 Vulnerability

Cyware’s Approach to Handling Apache Log4j2 Vulnerability - Featured Image

Cyware Fusion and Threat Response (CFTR) Dec 16, 2021

Recently, a critical vulnerability has been found in the popular Java-based logging package Apache Log4j2. This vulnerability allows an attacker to execute code on a remote server commonly known as remote code execution (RCE). Let’s learn more about this vulnerability and how organizations can defend against it.

What is Log4j2?

  • Log4j2 is an open-source, Java-based logging framework widely incorporated into Apache web servers.

  • The zero-day vulnerability CVE-2021-44228 in Apache Log4j2 is referred to as Log4Shell and it impacts version 2 of Log4j between versions 2.0-beta-9 and 2.14.1.

  • The flaw is triggered when a specially-crafted string—provided by an attacker via different input vectors—is parsed and processed by the vulnerable component of Log4j2.

  • Looking at the vulnerability being widely exploited, it is recommended to analyze Log4j2 and patch as soon as possible.

Handling the Bug the Cyware Way

Cyware’s virtual cyber fusion center (vCFC) empowers customers to address such zero-day vulnerabilities. Our virtual cyber fusion center allows organizations to quickly identify threats and respond in an automated manner, thereby reducing manual intervention and response times. The virtual cyber fusion suite delivers advanced capabilities for threat intelligence sharing and security orchestration, automation, and response (SOAR) in an integrated manner.

With the recently identified Log4j2 vulnerability being exploited in the wild, security teams at Cyware are abreast of the Log4j2 vulnerability with relevant threat feeds pouring in from multiple sources. Our threat intelligence platform, Cyware Threat Intelligence eXchange (CTIX), enables our customers to aggregate the threat intel and channelize the actions on the influx of information. This allows them to ingest, aggregate, parse, and take action on threat feeds by triggering Cyware Orchestrate workflows via our CTIX platform. Our Cyware Orchestrate workflow works in tandem to efficiently execute tasks related to threat hunting and actioning on threat intelligence collected from CTIX. Furthermore, security teams can maintain continuous situational awareness by sharing real-time threat alerts using Cyware Situational Awareness Platform (CSAP).

**Defending Against Log4j2 Using Cyware Products **

Threat Ingestion via CTIX

In CTIX, threat intelligence is ingested from various sources. Furthermore, parsing and identification of the CVE and related IOCs are done by tagging within CTIX. Subsequently, the Cyware Orchestrate workflow is triggered via CTIX Rule.

Retrospective Search via CFTR and Cyware Orchestrate

The IOCs related to CVE are pushed to SIEM and EDR platforms to perform retrospective searches. It can be configured to look for IOCs in real-time. Moreover, any blocking action on malicious HASH/IP/Domain can be taken via Cyware Orchestrate workflow.

**Hunting and Enrichment via CFTR and Cyware Orchestrate **

The IOCs are enriched using enrichment tools like IBM Xforce, VirusTotal, Hybrid Analysis, etc. All the details of CVE and related IOCs are published as CSAP alerts to stakeholders to share correct information and keep them aware. Users can check the vulnerability management (VM) platform for whether the signatures/plugins are available for performing scans to look for assets vulnerable with Log4j2. Further, they can perform remediation action on assets found infected with the vulnerability, record the incident and actions in Cyware Fusion and Threat Response (CFTR), and notify the VM team and asset owner about the presence of the vulnerability and actions taken to remediate it. If the required signatures/ plugins are not found in the VM tool, users can notify the VM team.

Incident Notification via CSAP and Email

The incident and remediation actions are recorded in CFTR. All the notifications related to the incident are timely sent to relevant stakeholders via CSAP and Email. This keeps the audience updated with information about all the stages of the incident.

The Bottomline

As the cybersecurity industry at large continues to gain in-depth insights into the impact of this vulnerability, we will continue to help our customers detect, analyze, investigate, and mitigate threats. Besides applying the latest security updates to remediate this RCE vulnerability, organizations must have a robust cybersecurity framework in place.

Looking for an effective cybersecurity posture? Book a demo now!

Related Blogs