Log4J Vulnerability: Using Behavioral Anomaly Detection to Spot Active Attacks

Vulnérabilité de Log4j : utilisation de la détection d'anomalies comportementales pour repérer les attaques actives

Editorial Lacework

December 17, 2021

Editor’s Note: Log4j is an unfolding situation that we are closely monitoring. We will be updating our blog on a regular basis so check back for updates.

Lacework Impact: We have confirmed that our service was not impacted by the Log4j vulnerability.

Après étude et analyse, les ingénieurs de Lacework ont déterminé que notre service n'avait pas été touché par la vulnérabilité Log4j. Par souci de prudence, nos ingénieurs continueront à surveiller tous les aspects de la plateforme Lacework afin d'en assurer la sécurité.

The disclosure of a critical vulnerability with pervasive impact across the internet and cloud computing is something that makes our hearts sink. Last week was no exception. Apache disclosed a devastating zero day vulnerability that affects Apache Log4J, a popular Java logging library that is ubiquitous in server-side and cloud software.

While no one can fully defend against zero-day attacks, Lacework’s monitoring is highly effective at detecting any of the anomalous activities that result from the exploits of a zero-day vulnerability. With our patented Polygraph® technology, Lacework automatically learns the characteristics of your cloud workloads, and how those activities and behaviors evolve. From this baseline, Lacework raises an alert on any unexpected changes, providing the historical and runtime context to aid in investigations.

Because Lacework uses machine learning to build a unique, detailed behavior model for each individual cloud environment, identifying unexpected activity is relatively easy, based on what has been seen before. For example, in some customers impacted by the Log4J vulnerability, we identified processes talking to new IPs that were associated with active exploitation of Log4J — in some cases they were systems that never talked to external IPs, which made it even more unexpected. By automatically uncovering this activity, your security and incident response teams can find potential exploits and take action faster.

The first priority after learning of a new zero day vulnerability is to identify what systems are impacted and patch them as quickly as possible — but this is often easier said than done. As a partial silver lining, Lacework is able to help our customers protect themselves as they progress, by monitoring their cloud environments for malicious activity while they are in the process of patching. Let’s walk through 3 steps you can take to make these difficult days a little less painful.

1. Discover what systems may be impacted
To be well prepared for the eventuality that a new vulnerability is disclosed, it’s necessary to have an automated way to uncover and track a complete inventory of cloud assets — which is why we gather information about customers’ cloud accounts, including all workloads, repositories, and containers. In addition to cataloging the full details of your cloud environment, Lacework flags any known security vulnerabilities, and explains their scope and runtime context, even as new ones appear in the software development lifecycle.

Every day, for each of our customers, Lacework proactively re-scans all active images and hosts for any newly-discovered vulnerabilities. The morning the new Log4j vulnerability was disclosed, Lacework immediately re-scanned and raised critical vulnerability alerts in the Lacework dashboard for impacted customers. If you’re a Lacework customer looking for more details about how to find this vulnerability on hosts, in containers, and in non-OS packages, you can read this support article for more details. Once you know the scope, it’s time to take action and start patching.

2. Detect any active attacks through runtime security monitoring
Patching can take time and depending on what systems are impacted, it can be pretty complex. Lacework enables you to closely monitor impacted resources for any activity that may indicate that the vulnerability is being exploited, which is especially helpful during this stressful period. For this, Lacework provides continuous visibility into the full context and activities of all running processes and our unique technology for identifying new suspicious behavior without needing to write new rules or policies.

3. Prioritize and fix the vulnerabilities — based on risk and context
As you look to update the impacted systems, it can be a daunting task depending on how many systems are involved. It can also be daunting to figure out what implications updates may have on the rest of your environment — will it break anything or impact customers or operations? Seeing more context around the discovered vulnerabilities is important, especially when you need to decide which ones to patch first. Afterall, if you have a long list of things to remediate, you want to start with the most critical ones versus randomly choosing which ones to do first. Lacework recently announced a new risk-based vulnerability scoring system that’s designed to help with this very problem. By combining insights from build and runtime data, the scoring gives a more complete picture of the prevalence and risk of the vulnerability. In addition to seeing the specific systems, containers, and packages it’s found in, you can find context about whether it’s in a test or production environment, accessible on the internet, etc.

What we’ve seen in the wild — so far
Based on the current activity observed by Lacework Labs, it appears that many attackers are doing their own reconnaissance and seeing how they can take advantage of this in their own campaigns. Not only are attackers doing reconnaissance work and gathering information about vulnerable hosts, but there is already evidence that Mirai and Kinsing malware is being distributed through this attack vector. For more details, check out this blog from Lacework Labs.

While this unfortunately won’t be the last widespread zero day we face, we can do more to aid in speeding up the response and providing more protection in the process. With Lacework, you can pinpoint the vulnerable containers and hosts, surface anomalous activity that may be associated with an active attack, and prioritize fixes with better context. Instead of fumbling around in the dark, you can shine a light on the darkest corners of your infrastructure and proceed with confidence.

Please follow us on LinkedIn, Twitter and our blog for ongoing updates.

Copyright 2021 Lacework Inc. All rights reserved.