Share Blog Post
Recently, a critical vulnerability has been found in the popular Java-based logging package Apache Log4j2. This vulnerability allows an attacker to execute code on a remote server commonly known as remote code execution (RCE). Let’s learn more about this vulnerability and how organizations can defend against it.
What is Log4j2?
- Log4j2 is an open-source, Java-based logging framework widely incorporated into Apache web servers.
- The zero-day vulnerability CVE-2021-44228 in Apache Log4j2 is referred to as Log4Shell and it impacts version 2 of Log4j between versions 2.0-beta-9 and 2.14.1.
- The flaw is triggered when a specially-crafted string—provided by an attacker via different input vectors—is parsed and processed by the vulnerable component of Log4j2.
- Looking at the vulnerability being widely exploited, it is recommended to analyze Log4j2 and patch as soon as possible.
Handling the Bug the Cyware Way
Cyware’s virtual cyber fusion center (vCFC) empowers customers to address such zero-day vulnerabilities. Our virtual cyber fusion center allows organizations to quickly identify threats and respond in an automated manner, thereby reducing manual intervention and response times. The virtual cyber fusion suite delivers advanced capabilities for threat intelligence sharing and security orchestration, automation, and response (SOAR) in an integrated manner.
With the recently identified Log4j2 vulnerability being exploited in the wild, security teams at Cyware are abreast of the Log4j2 vulnerability with relevant threat feeds pouring in from multiple sources. Our threat intelligence platform, Cyware Threat Intelligence eXchange (CTIX), enables our customers to aggregate the threat intel and channelize the actions on the influx of information. This allows them to ingest, aggregate, parse, and take action on threat feeds by triggering Cyware Orchestrate workflows via our CTIX platform. Our Cyware Orchestrate workflow works in tandem to efficiently execute tasks related to threat hunting and actioning on threat intelligence collected from CTIX. Furthermore, security teams can maintain continuous situational awareness by sharing real-time threat alerts using Cyware Situational Awareness Platform (CSAP).
Defending Against Log4j2 Using Cyware Products
Threat Ingestion via CTIX
In CTIX, threat intelligence is ingested from various sources. Furthermore, parsing and identification of the CVE and related IOCs are done by tagging within CTIX. Subsequently, the Cyware Orchestrate workflow is triggered via CTIX Rule.
Retrospective Search via CFTR and Cyware Orchestrate
The IOCs related to CVE are pushed to SIEM and EDR platforms to perform retrospective searches. It can be configured to look for IOCs in real-time. Moreover, any blocking action on malicious HASH/IP/Domain can be taken via Cyware Orchestrate workflow.
Hunting and Enrichment via CFTR and Cyware Orchestrate
The IOCs are enriched using enrichment tools like IBM Xforce, VirusTotal, Hybrid Analysis, etc. All the details of CVE and related IOCs are published as CSAP alerts to stakeholders to share correct information and keep them aware. Users can check the vulnerability management (VM) platform for whether the signatures/plugins are available for performing scans to look for assets vulnerable with Log4j2. Further, they can perform remediation action on assets found infected with the vulnerability, record the incident and actions in Cyware Fusion and Threat Response (CFTR), and notify the VM team and asset owner about the presence of the vulnerability and actions taken to remediate it. If the required signatures/ plugins are not found in the VM tool, users can notify the VM team.
Incident Notification via CSAP and Email
The incident and remediation actions are recorded in CFTR. All the notifications related to the incident are timely sent to relevant stakeholders via CSAP and Email. This keeps the audience updated with information about all the stages of the incident.
The Bottomline
As the cybersecurity industry at large continues to gain in-depth insights into the impact of this vulnerability, we will continue to help our customers detect, analyze, investigate, and mitigate threats. Besides applying the latest security updates to remediate this RCE vulnerability, organizations must have a robust cybersecurity framework in place.
Avkash Kathiriya
Avkash is the SVP of Research and Innovation in Product at Cyware. He has 12+ years of experience in the information security domain, including SOC/CSIRT Management, Cyber Fusion, Red Team, Cyber Resilience, Threat Hunting, Threat Intelligence and research, Enterprise Security Architecture, and Cybersecurity Governance. Previously, he worked as Senior Manager of Information Security at HDFC Bank.
Tags
Posted on: December 16, 2021
Related Guides
More from Cyware
Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.
The Virtual Cyber Fusion Suite
