CVE-2021-44228 – aka Log4Shell is a critical zero-day vulnerability that requires immediate action to address for all businesses and individuals. After it was announced on December 9th, 2021 – IT teams have sprung into action to address this real threat that exposes organizations and end-users to bad-actors’ attacks. Teams need to either patch or mitigate an attacker’s ability to execute code right now.
Focusing on the post-mortem of this event, let’s consider a few items that may have helped or may mitigate similar issues in the future:
- Complete and accurate software inventory – Having a complete listing of software, including the library dependencies, would have helped organizations accurately triage and address this vulnerability. Many enterprise tools are written on shared libraries similar to Log4j. Having analyzed and determined what tools are available may have helped triage the response from the team. Many teams were scrambling to identify if they were impacted which could have been addressed with an up-to-date inventory before the event.
- Network segmentation – Properly segmenting the network, including the utilization of a network demilitarized zone (DMZ), is crucial to contain the impact of a compromised host. If an impacted host has direct access from the internet to the internal network – an attacker will easily move throughout the organization instead of being constrained to a DMZ.
- Web Application Firewall – The attack path for the Log4j vulnerability highlights the capability of a Web Application Firewall which could mitigate this type of attack. A Web application firewall would require secure sockets layer (SSL) decryption to be effective.
- Decommissioning of legacy systems – Shutting down legacy systems and closing unnecessary ports is crucial for reducing the attack surface for an organization. Organizations tend to forget systems that may no longer have a business need. Such systems should be shutdown.
- Incident response planning – Preparing for an incident, including having a formalized plan that’s tested and rehearsed, is an important initial step. Scrambling to address issues while they are happening can be chaotic and infective.
- System and application threat modeling – In depth threat modeling, including the considerations of supply chain attacks, should be included into the System/Software Development Lifecycle. Evaluating in-depth risk potential would assist organizations in understand their attack surface and help mitigate attack impacts.
If your organization needs assistance with this issue or planning for the next event; please do not hesitate in contacting the Elliott Davis Cyber Team.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.