It was an unwelcome early Christmas gift shared with the entire world on December 9th, 2021.
Log4Shell rocked the industry when we realized just how dangerous and far-reaching its effects could be. The mad scramble to find and patch the flaw left many organizations wondering why they weren’t better prepared in the first place and what they need to do next.
Some are still scratching their heads, prompting the FTC to issue words of warning about remediating this dangerous flaw. With good reason: the Log4Shell vulnerability remains a prime target for bad guys. Without a patch, thousands of organizations relying on the affected Log4j library are still at severe risk of attack.
Fortunately, we can learn a lot from the Log4Shell shock waves we’re feeling. Invicti’s Chief Product Officer Sonali Shah recently sat down with Tony Perez, founder of NOC and CleanBrowsing, to peel back the layers and better understand how we can all stay agile in incident response.
Turning the tide on surprise security flaws
Log4Shell might be the worst vulnerability we’ve ever seen. It impacts Apache Log4j, a popular Java logging library, and it’s incredibly easy to exploit. If the attacker is able to escalate the situation, it gives them the window to take full control remotely, where they can steal data, hop from server to server, and even install ransomware.
There’s a strong possibility for bad actors to avoid detection by staying inside, staying hidden, and waiting for the right moment to strike, like we saw with SolarWinds. Couple that lingering threat with how pervasive the library is and how integral it can be for so many apps, and we’ve got a problem.
Log4Shell is an example of why it’s so important to have a handle on your threat landscape. As Sonali pointed out, mitigation becomes an issue when organizations aren’t aware of what’s in their asset inventory, or don’t even have an inventory to begin with. Identifying external applications and components, then defining the asset inventory, will give you a full picture of the potential threat landscape.
After getting a handle on what you know about the incident, an important next step is to scan your environment and identify the total scope of the problem. Then, work backwards leveraging critical elements of AppSec like incident response, prioritization, frameworks, policies, and governance programs.
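Scoping the problem means finding every copy of log4j-core on disk, including copies buried inside fat JARs and WARs. The following inventory script is an added example written for this article, not code from Invicti or from the webinar; it assumes the standard Maven `pom.properties` path inside log4j-core JARs and treats releases below 2.15.0 that still ship `JndiLookup.class` as affected, with `build_jar` only there to construct sample input.

```python
import io, pathlib, zipfile

# Log4Shell inventory heuristic: log4j-core 2.x builds below 2.15.0 that still ship JndiLookup.class
# are reported as affected; confirm hits against the Apache advisory, since fix backports exist.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0, 0)
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(ver):
    """'2.14.1' -> (2, 14, 1, 0); a suffix as in '2.0-beta9' sorts below the plain release."""
    base, _, pre = ver.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    return nums + (0,) * (3 - len(nums)) + ((-1,) if pre else (0,))

def classify(version, has_jndi):
    if not has_jndi:
        return "mitigated"  # JndiLookup.class stripped from the jar
    try:
        return "affected" if parse_version(version) < FIRST_FIXED else "fixed"
    except ValueError:  # missing or unparseable version string: inspect by hand
        return "review"

def inspect_jar(data, path):
    """Findings for one archive plus any nested jars (fat jars, WARs, EARs)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names = set(zf.namelist())
    findings = []
    if POM_PROPS in names or JNDI_CLASS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
        version = next((ln.split("=", 1)[1].strip() for ln in props if ln.startswith("version=")), "unknown")
        findings.append({"path": path, "version": version, "status": classify(version, JNDI_CLASS in names)})
    for name in sorted(names):  # recurse into embedded archives
        if name.lower().endswith(ARCHIVES):
            findings.extend(inspect_jar(zf.read(name), path + "!/" + name))
    return findings

def scan_tree(root):
    """Inventory every jar/war/ear under a directory tree."""
    paths = sorted(p for p in pathlib.Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES)
    return [f for p in paths for f in inspect_jar(p.read_bytes(), str(p))]

def build_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used to construct sample input (hypothetical data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run `scan_tree("/opt")` (or any application root) to get one finding per log4j-core copy, with "review" flagging shaded copies that carry the lookup class but no Maven metadata.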
As in the case of Log4Shell, Tony noted that major security incidents tend to happen around holidays or in the middle of the night when it’s least convenient, spelling frustration for everyone from customers to the legal team. Ultimately, the key to success is having patience amidst the mayhem, going through these processes unemotionally and very pragmatically with a step-by-step approach that leaves little room for panic.
The integration of people, process, and technology
Effective incident response is all about having the right people covering the right processes, with the right technology at their fingertips. Sonali noted that in the case of Log4Shell, Invicti customers with these three boxes checked tend to have faster and more effective responses to new incidents. It’s often a matter of changing company culture, though, with top-down direction around security coming from the board, management teams, and executive leadership.
But it’s also important to dedicate some of your program to ensuring that you have defense in depth. Both defense in depth and defensive controls are important as the landscape continues to evolve at such a rapid pace, with new threats emerging daily. Organizations need to look at which defensive controls they have in place if they want to up their security game and be prepared for the next global vulnerability.
The key takeaway according to Sonali and Tony? Go back to the basics. That includes defense-in-depth along with having the right people and procedures in place with technology that is scalable and automated to expedite tedious processes. But most importantly, it includes knowing your attack surface and making sure that security is always top of mind for the entire organization.