The number 1 piece of advice for log4j
Now that the dust has settled a bit on the log4j vulnerabilities and we're beginning to build up a better picture of the situation, e2e have provided some more guidance on how to ensure your organisation is as protected as possible. This post complements our regularly updated blog, which provides our initial response and subsequent updates, including new patches and information on the latest industry guidance. You can view the update blog here.
Why is log4j such a concern?
There is a lot of noise around the log4j vulnerabilities and so cutting through that to get to simple advice that has the most impact on improving your security posture can be hard. We're well aware that this blog adds to that noise, but have kept it deliberately simple and to the point to arm organisations of any size with a quick, straightforward set of actions that can have a sizeable impact, whilst we await the world to patch it's software. In a nutshell, log4j is causing concern globally due to a few key differences to a 'normal' zero-day exploit:
- It is used so widely – we still don't know everything that is running log4j, even if your direct software doesn't use it, or has a patch available, downstream (in the supply chain) software may be using it and creating a way in for attackers that could still impact your organisation.
- Detecting an attack is difficult; due to the all-encompassing nature of the vulnerabilities, potential attack surfaces are a constantly moving target, which makes detections that your cyber security operations team see unreliable.
- As speed is of the essence, patches from vendors have also been unreliable, with multiple re-worked patches required as original patches were incomplete.
- Attackers have a long exposure window to exploit – the time in which organisations are vulnerable is expected to be several weeks, possibly months.
- There is a lot of noise for Security Analysts to deal with – made worse by researchers and cyber companies scanning the web, alongside attackers, to find vulnerabilities.
As a result of this, patching and reaction to potential attacks are difficult to get right, in a timely manner, with many organisations chasing indicators of attack (IOAs), to limited success. The sheer levels of noise that security teams are seeing (that could be genuine attacks, researchers or cyber companies looking for vulnerabilities or even their own internal/external scans) mean that teams that focus on indicators of attack are effectively playing 'whack-a-mole'. This can lead to burnout and stress and, as a result, can do more harm than good.
What do e2e recommend?
Even organisations with the largest in-house teams or outsourced Security Operations Centres (SOCs) will find a need to prioritise to ensure the best coverage against potential attacks and get the best return on their spend, be that in time and/or money. Instead of focusing on indicators of attack, there are a few more practical tactics that organisations should be looking at:
- Spend your time working on securing your key assets (such as physical, virtual/IaaS servers)
- Implement an Endpoint Detection & Response (EDR) tool onto these assets, where supported, asap (such as Microsoft Defender)
- Update logging policies, network traffic monitoring and implement asset management/deeper systems monitoring and inventories to give you security team the best data possible
By taking these simple steps, you will bring more focus to your defences, leading to a better use of time, reduced risk of burnout and stress and improved chances to detect real attacks and prevent them causing damage. You will also improve your cyber defences for the long run and come out of this threat in a better position.
What's the easiest thing to do right now?
If we had to leave you with one single piece of advice to tackle immediately and have the biggest impact, it would be to install an Endpoint Detection and Response (EDR) tool on any high-risk asset that supports it and connect this to your Security Operations Centre (SOC) as soon as possible. Not only will this allow 24/7 detection and response to this threat and similar attacks, but it would also let you know if log4j is intalled. This will help you determine if you are vulnerable, recommend hardening steps, as well as detect second stage attacks (indicators of compromise), giving your SOC a better chance of a better response, with less noise from any potential indicator of attack.
Focus on those indicators of compromise, not the indicators of attack.
The beauty of this advice is that it also works as a longer term detect and response strategy and as a result is the best use of your time and money and will make this type of cyber crisis
'Business As Usual' for your business.
Finally, keep an eye out for staff stress and overload – this is a challenging time and situations like this put huge pressure on individuals and teams.
If you are an e2e customer, please continue to engage with the SOC via Cumulo.
If you are not an e2e customer, then please get in touch via our contact us form to talk about how we can support you.
Follow our regularly updated blog for more news and patches as released
The NCSC guidance can be found here
A good overview of potential, fixed & known software vulnerabilities is available here.