Vulnerabilities like Log4j remain responsible for security breaches a full year after the discovery of the flaw. In the months after widespread reporting about the vulnerability, 40% of Log4j downloads remained vulnerable to exploitation.
Rapid Response — by Both Security Teams and Hackers
What made this exposure so damaging was how widespread this piece of code is and how hard it is to find exactly where it’s used. This open-source logging code from Apache was the most popular java logging library, clocking in at over 400,000+ downloads from GitHub. The code is embedded in many internet services and apps, including Twitter, Amazon, Microsoft, Minecraft and others. As an easily accessible piece of open-source logging code, developers used it rather than taking the time to create new code during development. In days after its discovery, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said in a CNBC interview, “The Log4j vulnerability is the most serious vulnerability that I’ve seen in my decades-long career.” She went on to say, “This is not something that will be patched and finished. This is something that we are likely going to be working on for months, if not years, given the ubiquity of the software and ease of exploitation.”
Publication of the vulnerability moved security teams to action. Apache listed all the projects affected by the Log4j flaw but publicizing the flaw also prompted bad actors to take advantage of slower-moving or understaffed team responses. Cybersecurity software business Check Point noted that within days of reporting the vulnerability, more than 60 new variations of the exploit were introduced in less than 24 hours.
Flaw Still Inspires New Attacks
The initial Log4j vulnerability exposure was widespread and pervasive, but the danger remains, still threatening businesses. Threat landscapes shift with time. For example, Log4Shell is a vulnerability in Log4j 2. It allows a remote attacker to take control of a device on the internet if the device is running specific versions of Log4j 2. Apache created a patch, but that patch left part of the vulnerability unfixed, requiring second, third and fourth patches to fix new vulnerabilities as they were found. Threat actors rely on security and IT teams to be too busy and users too uninformed about threats to simply ignore these patches. As recently as November 2022, Iran-linked threat actors exploited Log4Shell via unpatched VMware. CISA observed suspected threat activity at a Federal Civilian Executive Branch (FCEB) organization. They determined that cyber threat actors had exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. From there, they installed crypto mining software to the server, moved to the domain controller, compromised credentials and then implanted Ngrok reverse proxies on several hosts.
This may be among the newest iterations of the Log4j threat, but they assuredly won’t be the last. And, of course, there will be new threats that arrive in new ways through other vulnerabilities. It’s clear that updating software and encouraging users to install patches isn’t enough. Even when organizations do their best to stay up to date on all patches, threats morph and move fast enough to make those patches outdated. It may seem updating devices and software belongs in the realm of IT. Still, given the urgency of security weaknesses and their business impact, security retrofitting needs to be a full-time concern.
Retrofitting as a Central Task for Cybersecurity Teams
Large organizations with thousands of devices and arduous processes for software and hardware updates remain especially susceptible, whether that’s to the Log4j vulnerability or as-yet-unknown vulnerabilities. Here are some tips on how to structure your team’s response plans and ensure you can retrofit security controls in the face of modern cybersecurity threats.
- Make addressing vulnerabilities a security team function. Software patches and device updates frequently fall to IT teams to accomplish. However, as noted above, patches and updates frequently can’t be done quickly enough to head off threats before they cause harm. Rather than overburden busy IT personnel, make threat vigilance and mitigation a security team function. Keep your security team on target by ranking priorities in order of urgency. Consider expanding this team if they’re stretched thin. Considering the cost to the business of falling prey to these attacks, the expense of expanding the team should be a reasonable price to pay for the added protection.
- Watch the watchers. Governments worldwide support cybersecurity agencies whose main mission is to warn organizations about cybersecurity threats. In the U.S., that organization is CISA. In the U.K., it’s the National Cyber Security Centre (NCSC). You can sign up to receive alerts from these and other trusted organizations. They describe the threat and offer resources and advice on how best to mitigate damage to your organization.
- Communicate early and often. Ensure there are open lines of communication between your cybersecurity and IT teams, as well as other mission-critical teams within your organization. Neither team can watch or know everything. Additionally, if the worst happens, it’s wise to have open communications with your vendors, partners and customers. If they put you at risk or you put them at risk, you need to know how and with whom to communicate if disaster recovery steps become necessary.
- Deepen your defense. Criminals are crafty. They will always look for — and find — the next opening to exploit. Your security practices should range from simple (strong passwords, multi-factor authentication or user controls) to more complex (vulnerability hunts or hackathons to find holes). Your organization might find a good threat-hunting program beneficial. The more security layers your organization erects, the less damage cyber criminals can do.
- Document — and practice — your plan. Disaster recovery plans go way beyond natural disasters. Resilient companies understand how all-encompassing modern disaster planning needs to be. Cybersecurity disaster planning outlines who own and runs the plan, where are the assets that require protection, how to stop damage and loss, when the plan should be updated and what strategies will best protect your company. Like any good plan, it’s not a one-and-done task. Security threats evolve, so your plan must be updated and practiced to ensure it’s current and that each team member understands the role they play.
Organizations of all sizes are vulnerable to security threats. Strengthening your security posture remains the only option in a world where cybersecurity threats continue to multiply.