Organisations worldwide are still reeling from the discovery of a major security vulnerability in Apache Log4j, an open-source logging utility embedded in countless internal and commercial applications. By submitting a carefully constructed variable string to log4j, attackers can take control of any application that includes log4j. Suddenly, cybercriminals around the world have a blueprint for launching attacks on everything from retail store kiosks to mission-critical applications in hospitals. Read on to discover how enterprises should respond to this pervasive threat.

Here’s what you need to know

Log4j is a logging utility used by almost every cloud service and enterprise network in the world, and the vulnerability gives attackers a route into the servers that run it. Patching it has become an arms race for enterprises and government agencies. It is just the latest software supply chain vulnerability (like the one behind the massive SolarWinds attack) plaguing our digital lives.

If security teams overlook even one instance of log4j in their software, they leave attackers free to issue system commands at will. Attackers can use those commands to install ransomware, exfiltrate data, shut down operations… the list goes on. How well an organisation fares will depend on its network visibility, its patching speed, and its response workflows.

Supply chain attacks

Attacks on software supply chains have boomed during the Covid-19 pandemic. In the summer of 2021, a ‘one-click’ exploit of an Atlassian bug allowed an attacker to get into the agile planning system attached to a code repository, making it possible to inject malicious code into an unsuspecting user’s codebase. As many organisations have learned, you would not always know that someone had logged in and changed your software, and these are the kinds of issues occurring daily.

With attackers increasingly focusing on supply chain–style attacks, organisations must understand how to better protect themselves. Supply chain vulnerabilities can – and should – be policed before they cause damage. Consider this the first step in any risk-based vulnerability management programme.

Shift tactics to meet shifting attacks

Supply chain attacks are increasing because, through them, attackers can reach large organisations that have not changed how they manage business technology and third-party risk in decades. Some companies have not kept pace with how the modern enterprise buys, builds and manages technology. Many are still running third-party due diligence from spreadsheets designed in the 90s. Those tactics worked when the leading risk from a third-party breach was the disclosure of proprietary data or the loss of a service. They do not fare well against third-party risk that takes the form of a direct incursion meant to hobble or lock down your organisation with ransomware, and a vulnerability management strategy must take that into account.

Rather than targeting organisations directly, cybercriminals and nation-state hackers target software makers and software service providers. They inject attack code into software that other organisations then use. These attackers specifically target vulnerable software development pipelines and insecure cloud configurations and exploit software update processes.

How should enterprises respond to this pervasive threat?

You will not always win the race against time with every vulnerability in your organisation’s software. Attacks will happen. When they do, you need to shut them down quickly.

  1. First, organisations need better visibility into both software supply chains and endpoints. You need to know where all your endpoints are, what applications they’re running and understand the various components that go into those software applications. Once this is complete, you can take the next step – installing patches and updates before attackers take advantage of a known exploit.
  2. Organisations need a way of delivering patches and updates quickly and comprehensively. With complete visibility into software versions active on every endpoint, you can target your patches and updates. With an effective endpoint management system, you can install them promptly and accurately. Some endpoint management systems report that they have successfully installed patches, when in reality, they have not. A good practice is to audit some of your installations to ensure your system is performing as expected.
  3. Finally, organisations need hair-trigger segmentation controls over endpoints so that if attackers do penetrate the network through log4j or any other exploit, the compromised endpoints can be isolated immediately. With a zero-trust solution in place for endpoints, you can detect attack activity instantly and cut any compromised endpoint off from the rest of your network. Zero-trust technology limits endpoint access to authorised users only by segmenting network traffic, and it blocks the ports and protocols that many ransomware and other malware strains rely on to move across networks.
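As an added illustration of steps 1 and 2 (example code written for this page, not from the original article or any vendor product): a small Python inventory script that walks a directory tree, opens every jar/war/ear, descends into jars nested inside other archives, reads the log4j-core version from the Maven pom.properties entry (assumed to be at the standard Maven path), and lists the archives below whatever minimum version your patch policy sets. The threshold (2, 10, 0) used in the tests and the versions in sample_archives() are constructed placeholders, not values from any advisory.

```python
import io
import os
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # assumption: standard Maven layout
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Return the version=... value of a pom.properties body as a tuple of ints; -beta/-rc suffixes are dropped, malformed values give None."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].split("-")[0].split(".")
            return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def scan_archive(data, label, findings):
    """Inspect one archive's bytes, descending into jars nested inside wars/ears (a common inventory blind spot)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or misnamed file: skip it rather than abort the whole scan
    for name in zf.namelist():
        if name.endswith(POM_PATH):
            findings.append((label, parse_version(zf.read(name).decode("utf-8", "replace"))))
        elif name.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(name), label + "!" + name, findings)

def inventory(root):
    """Walk a directory tree; return [(archive_label, version_tuple)] for every log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    scan_archive(fh.read(), fh.name, findings)
    return findings

def needs_patch(findings, minimum):
    """Findings older than the version your patch policy requires; unparseable versions are flagged too."""
    return [(label, ver) for label, ver in findings if ver is None or ver < minimum]

def sample_archives():
    """Constructed in-memory test data: a bare log4j-core jar and a war nesting a newer one under WEB-INF/lib."""
    def jar_bytes(name, payload):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        return buf.getvalue()
    def core(version):  # constructed versions, not values from any advisory
        return jar_bytes(POM_PATH, "artifactId=log4j-core\nversion=%s\n" % version)
    return {"legacy-app.jar": core("2.3.0"), "portal.war": jar_bytes("WEB-INF/lib/log4j-core.jar", core("2.20.0"))}
```

Running inventory() over the same tree after the endpoint management system reports a patch as installed gives the independent audit the list above recommends.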

Unfortunately, software component vulnerabilities like the log4j vulnerability will be an ongoing challenge for IT organisations for months and years to come. But by improving visibility into endpoints, patching quickly and accurately, and using zero-trust technology to contain malware attacks, organisations can minimise the damage of these vulnerabilities when an attacker strikes.

For more information and to learn how to identify, investigate and remediate Log4j, click here to book a live log4j demo.