Apache Log4j, or simply Log4j, is a component of the Apache Logging Services. It records events, which include system errors and routine operations, and sends diagnostic messages about the recorded events to system administrators. However, Log4j has become better known as a cyber threat since researchers identified in late 2021 that this Java-based logging utility contains a remote code execution vulnerability.
There has been renewed interest in Log4j with the US Cyber Safety Review Board (CSRB) releasing a report that dissected the long-term effects of this vulnerability. The Board is now characterizing Log4j as an endemic vulnerability, saying that “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer.”
Just like COVID-19, Log4j is set to become a constantly present risk. There are tools to address it, but it may never be completely eliminated. And just like COVID-19, it is difficult to locate the potential sources of the problem without comprehensive and thorough testing. As the authors of the CSRB report suggest, security teams are usually unable to determine clearly where vulnerable software resides unless a comprehensive review of IT assets and continuous security validation are conducted.
Log4j’s endemic status is posing a challenge to the cybersecurity capabilities of organizations. It is not going to be easy to specifically identify software that may bear the Log4j vulnerability. It is advisable to adopt a new cybersecurity approach and go beyond what is conventional.
The need for enhanced external attack surface management
External attack surface management (EASM) refers to the identification and management of risks and threats posed by web-enabled assets and systems. It entails the use of technologies and processes that discover and manage assets exposed to external threats. With the digital transformation and the changing cyber threat landscape that organizations face, external attack surfaces inevitably expand at a staggering rate. It is therefore crucial to strengthen attack surface management in response to the evolution of threats, especially persistent and hard-to-root-out ones like Log4j.
Log4j’s endemicity calls for an external attack surface management strategy or solution that runs continuously, so that threats are spotted and dealt with promptly. This means an EASM solution that automatically conducts digital footprint and risk discovery, analysis, and testing. Continuous testing is not viable with manual or human-driven efforts, which are not only resource-exhaustive but also time-consuming. Before vulnerabilities are discovered and addressed, a threat actor may already have exploited them and inflicted considerable damage on an organization.
A good external attack surface management solution needs to have the ability to conduct effective reconnaissance to find security weaknesses and possible doorways (for threat actors) such as exposed cloud storage and open ports. Once these possible vulnerabilities are identified, security tests, particularly automated red teaming, are undertaken to determine the best ways to plug the security gaps.
Addressing an endemic threat
Log4j is regarded as one of the worst vulnerabilities encountered over the last decade. Even now, organizations are still having a hard time dealing with it, even with large security teams involved. One of the reasons for this persistence is the legacy mindset many organizations tend to have, in which cybersecurity solutions are input-based and difficult to scale. Organizations that continue to rely on traditional solutions use systems that do not test frequently or deeply enough.
To escape from a legacy mindset, it is important to acknowledge how expansive and amorphous the Log4j problem is. This vulnerability affects an extensive range of devices and applications, not just old systems but also those that have been deployed recently. It does not have a specific or unique form for it to be easily detected and remediated.
As such, the appropriate solution is one that continuously scans for potential threats. This requires 100 percent visibility of exposed external assets, the identification of high-risk exploitable vulnerabilities, and the ability to determine the resiliency of existing attack surfaces (to enable response prioritization). All of these are features of a good EASM solution, as described earlier.
To emphasize, EASM does not completely eradicate the Log4j problem. However, it allows organizations to be prepared in case the vulnerability is exploited and a cyberattack ensues. It provides an efficient way to handle an endemic threat, which may occur anytime and recur unpredictably.
The Log4j and COVID-19 parallels
The Log4j vulnerability is scored 10, or critical, under the CVSS vulnerability metric, which means it should be treated seriously and considered a top priority for cybersecurity teams. It is important to bear this in mind because a recent study, as reported by VentureBeat, shows that 70 percent of the organizations that reported encountering the Log4j issue are still having difficulties implementing security patches on their potentially vulnerable assets. Because of this failure to patch, they are unable to prevent new instances of Log4j exploitation.
The study also reveals that there are firms that saw their Log4j exposure rise. More than a fifth of the organizations that have assets vulnerable to the Log4j exploit say that they experienced a tripling of their exposure to the threat based on the incidents they observed in July 2022 as compared to the incidents in January 2022.
Allie Mellen, senior security operations analyst at Forrester, said in an interview with VentureBeat that the inability of companies to mitigate Log4j boils down to the lack of a comprehensive software inventory. “Without an accurate inventory of where the function is used, it can be very challenging to track down every single application it is used in the enterprise,” explains Mellen.
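The inventory gap Mellen describes, and the continuous scanning the article calls for, are easier to reason about with a concrete starting point. The following Python script is an added example written for this page; it is not code from the CSRB report, Forrester, VentureBeat, or any EASM product. It walks a directory tree, opens every JAR/WAR/EAR archive (including archives nested inside other archives, which is where embedded Log4j copies usually hide), and records each one whose manifest or class layout identifies it as Log4j together with the version the manifest declares. The detection heuristic (an Implementation-Title or Bundle-SymbolicName containing "log4j", or classes under org/apache/logging/log4j/core/) and the sample archives it builds in a temporary directory are constructed for the example, as is the placeholder version string; a real deployment would feed the resulting inventory into patch tracking rather than print it.

```python
"""Build a Log4j software inventory by walking a directory tree.

Added example for this article, not from the CSRB report or any EASM vendor.
Assumptions: JARs are standard zip archives carrying META-INF/MANIFEST.MF, and
Log4j core classes live under org/apache/logging/log4j/core/. Treat the match
heuristic as an assumption to tune, not an authoritative vulnerability check.
"""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"


@dataclass(frozen=True)
class Log4jHit:
    location: str   # path on disk; "!" separates nested archive entries
    version: str    # Implementation-Version from the manifest, or "unknown"


def parse_manifest(data: bytes) -> dict:
    """Parse MANIFEST.MF into a dict, joining continuation lines (leading space)."""
    headers, last_key = {}, None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        if raw.startswith(" ") and last_key:
            headers[last_key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers


def scan_archive(zf: zipfile.ZipFile, location: str) -> list:
    """Return Log4j hits for one open archive, recursing into nested archives."""
    names = zf.namelist()
    manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF")) if "META-INF/MANIFEST.MF" in names else {}
    title = (manifest.get("Implementation-Title", "") + manifest.get("Bundle-SymbolicName", "")).lower()
    has_core_classes = any(n.startswith(LOG4J_CORE_PREFIX) for n in names)
    hits = []
    if "log4j" in title or has_core_classes:
        hits.append(Log4jHit(location, manifest.get("Implementation-Version", "unknown")))
    for name in names:  # e.g. WEB-INF/lib/*.jar inside a WAR
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            hits.extend(scan_archive(inner, f"{location}!{name}"))
    return hits


def inventory(root: str) -> list:
    """Walk root and return every Log4j hit found, sorted by location."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    hits.extend(scan_archive(zf, path))
            except zipfile.BadZipFile:
                continue  # not a real archive despite the suffix
    return sorted(hits, key=lambda h: h.location)


def build_sample_tree() -> str:
    """Constructed sample: a standalone Log4j JAR, a WAR embedding one, an unrelated JAR."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")

    def make_jar(title: str, version: str, class_entry: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                       f"Implementation-Version: {version}\r\n")
            z.writestr(class_entry, b"")
        return buf.getvalue()

    # "0.0.0-constructed" is a placeholder version, not a real Log4j release.
    log4j = make_jar("Apache Log4j Core", "0.0.0-constructed", LOG4J_CORE_PREFIX + "Logger.class")
    other = make_jar("Some Other Library", "1.2.3", "com/example/Foo.class")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core.jar"), "wb") as f:
        f.write(log4j)
    with open(os.path.join(root, "lib", "other.jar"), "wb") as f:
        f.write(other)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", log4j)
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    return root


if __name__ == "__main__":
    for hit in inventory(build_sample_tree()):
        print(f"{hit.version:20s} {hit.location}")
```

Run against a real application directory instead of the constructed tree, the script yields the list of locations and declared versions that an inventory-driven patch programme needs; the nested-archive recursion is what catches the copies bundled inside deployed WARs, which a plain filename search misses.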
This is like countries or states that do not have a systematic COVID-19 response. They lack sensible testing and infection tracking schemes and work from faulty or manipulated infection data. It should not come as a surprise that they are still lagging in their ability to keep infections under control.
The existence of cybersecurity frameworks like MITRE ATT&CK can also be likened to the World Health Organization’s (WHO) guidelines and updates. MITRE ATT&CK provides information and guidance on how to detect and handle the threat, while the WHO helps the health agencies of different countries better understand the pandemic and address it as effectively and efficiently as possible.
Log4j continues to linger just like the current pandemic, and cybersecurity analysts believe that it will affect organizations that fail to prepare for it. It’s like COVID-19 continuing to ravage regions or areas with low vaccination rates and stubborn refusal to abide by sensible pandemic control measures.
For the COVID-19 pandemic, which is slowly becoming endemic, there are vaccines and therapies available to control the disease. When it comes to Log4j, there are cybersecurity solutions that make it possible to cope with the threat without eliminating it entirely. External attack surface management solutions, in particular, provide a good primary line of defense. However, EASM needs to keep pace with the evolving nature of the threat and treat it as a manageable but possibly ineradicable one.