The Log4j vulnerability – how can we all do better next time?
Accept there are some risks you don’t control but which nonetheless you can’t ignore
Sponsored Feature
Friday the 10th of December 2021 is etched in the memory of many IT professionals, but not for reasons they will look back on with fondness. That was the day, just as most American workers were logging off for a long weekend, when a critical vulnerability in an obscure but essential piece of software code first came to widespread attention.
Log4j is an open-source logging library, embedded in apps and services across the Internet. Its job is to record all the activities that go on behind the scenes in a range of computer systems. Log4Shell, a component within the library, turned out, with no warning, to be a potential back door which, if left unfixed, could be used by attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
In short, to raise hell. Cue cancelled leave in IT departments around the world as ways to patch the flaw were desperately sought. The ramifications are still being felt 18 months on as the bad guys continue to look for ways to get into the heart of critical systems through this keyhole.
Wake up call on software interdependence
How on earth could this have come about, and what can be done to see it doesn't happen again? To answer these questions, it is first important to confront some of the realities around modern software deployment, argues Toby Lewis, Global Head of Threat Analysis at cybersecurity company Darktrace.
"Log4j was a wakeup call for many people about how technology is structured and how it is used," he explains. "There is a widely held misconception that every bit of software code is written from scratch, independently of all other code. The reality, which Log4j demonstrates, is a level of interdependence between all developers. The way software is developed and shared creates a supply chain-type risk whereby people are reliant on their suppliers to keep things secure."
This method of software deployment makes obvious business sense. After all, car manufacturers don't create a new fuel injection system every time they design a model. But it can also lead to a so-called 'zero-day', an unknown and unprotected gap in defences that attackers can leverage. Once they spot a zero-day vulnerability, attackers need to figure out how best to maximise their returns from it, safe in the knowledge that no defence lies between them and their malicious objectives.
It's just a matter of timing. Was it a coincidence that the Log4j vulnerability became apparent just before a holiday, catching people off their guard at the worst possible moment? Or was it part of a plan by the cybercrime underworld who had understood the potential for trouble some time back and bided their time? Lewis suspects the latter: "With a big zero-day that nobody knows about, attackers have one go to make a really big splash," he explains. "So targeting it around a holiday makes sense."
While attackers homed in on a smash and grab opportunity to be exploited at scale, defenders were caught napping: "With Log4j, for a short period there was no fix, no patch," recalls Lewis. "Everyone was locking systems down as best as they could. But even with a patch you have the problem of how to fix a library of software you don't have any control over. As an end user organisation, do you ever really know what makes up the software components that you rely on every day? Log4j was an example of a small bit of code that people use without thinking, so much so that nobody really knew where it sat in their environment. There was no easy way of finding out where it was installed."
Should we live with inherent vulnerability?
This all begs the question of whether it is ever feasible to achieve familiarity with every bit of third-party code in an organisation. Given the size of the task, must we not simply accept some level of risk? Live with an inherent vulnerability that may never be fully resolved?
Commercial reality dictates that we engineer our technology stacks and build our networks in a way that accepts some level of risk and compromise, says Lewis. But that doesn't mean giving in to the bad guys. "We're starting to hear about Zero Trust environments and network segmentation that tries to break systems apart so you can quarantine an infected part," he notes. "Then it comes down to your in-service security operations. How do you detect malicious activity in the first place?"
The classic method of threat intelligence, rules and signatures represents one approach. But Darktrace take the line that you need complementary technologies at play, including AI and machine learning. "Of course in a zero-day scenario you're not looking for something that's happened before, but something inherently strange," says Lewis. "You need to be able to spot things that aren't already known about."
The Darktrace philosophy centres on the idea that an attacker can never fully mimic real users. There will always be an inherent difference between how a user behaves and how an attacker behaves. This means defence is about more than just a list of bad IP addresses that can be blocked.
"By looking at user behaviour you can start to spot a wider range of activity," explains Lewis. "Our approach revolves around self-learning AI. It focusses attention on learning about the defenders, which is easier than learning about the attackers."
Once the Darktrace software has learnt how legitimate users are using a network, it has an opportunity to spot when someone is on the network who shouldn't be there. Whether it's Log4j or some other vulnerability like ransomware or a 'nation state' attack, it comes down to spotting subtle anomalies in when and where someone is logging on to a system, and their subsequent behaviour.
Why hackers need legitimate user behaviour to copy
Even when attackers are armed with some sort of adversarial AI, perhaps based on ChatGPT, they still need a degree of visibility of a legitimate user to know what behaviour to copy. This necessitates that there has already been a security lapse of some sort, to give the malicious AI something to feed off.
It is always desirable therefore to shore up defences in advance of an attack. Darktrace PREVENT helps here, playing the role of an attacker looking for weak points in a system. It's a powerful tool that gives defenders a much better understanding of how they are exposed to potential wrongdoing, says Lewis. "It's more than a simple vulnerability scan," he explains. "At the end of the day, you have to accept that there is no ideal setup. There is always risk. But it is important to understand that risk and manage it."
It remains absolutely vital, however, for organisations to realise how one compromised user can lead to compromise in other parts of the estate: "Attackers will look to jump from one platform to the next, identifying critical pathways through environments that give them the least possible resistance," he adds. "Hit the sweet spot and they have a path to the Crown Jewels. At Darktrace, we're all about giving the CISO as much information as possible so they can make informed decisions, rather than blindly accepting risk as many currently do."
Crises like Log4j, along with endless headlines about ransomware, have at least raised the profile of cybersecurity and made clear that it is an issue for everybody in an organisation, not just the CISO: "Security for such a long time was a talking point for the IT department," claims Lewis. "Recent events have changed that and made it a problem for the whole business."
Management too are now realising that there needs to be a degree of compromise between security and the running of the business. Log4j and ransomware have brought home to everybody that there are some risks you don't control but which nonetheless you can't ignore. As a result, we may be seeing a more pragmatic approach to managing security risk amongst organisations which have moved on from seeing it as a line in a budget and a regulatory box to be ticked.
Lewis concludes: "At Darktrace we want to ensure the least possible disruption to see to it that everybody keeps their job."
Sponsored by Darktrace.