The Log4j vulnerability that was discovered on Thursday, December 9th, is still a pressing issue for many companies. Since its discovery, we’ve received many questions from customers, most of which we have gathered on this FAQ page. If you have any questions regarding the Log4j vulnerability, you can find the answer to many of them here.
What is a good approach to this exploit?
- For inbound access:
- Block attacks with an IOC address (scanning activity).
- Keep the IOC list up to date.
- Use the IPS function to scan for the attack string in packets.
- Check the latest versions of NGFW vendors.
- Use an endpoint solution EDR at the web server (Signature based, Behavioral base).
- If you have a log server and a webserver in separate segments, make sure to do all checks also at the segment boundary (decryption required).
- Use an EDR solution at the log server.
- Block all outgoing traffic from the log server, especially LDAP and RMI protocols.
- Use IPS/anti-virus malware detection for inbound packets from rogue LDAP servers.
- Stop C2 connections using methods like blocking, IPS.
- Ensure servers have no outgoing connections where possible.
Should I prioritize blocking inbound or outbound internet traffic?
Outbound traffic should be restricted for potentially vulnerable systems offering services. Enforce strict inbound access policy with Zero Trust and full detection and mitigation of high-severity vulnerabilities.
Should I block outbound traffic from my server networks in the firewall?
Yes, blocking unnecessary outbound traffic can help prevent the attack from connecting with a malicious source.
Do customers need additional rules in their firewalls (blocklists, IOC, IPS signatures etc)?
Additional rules can reduce the likelihood and impact of an attack. Ensure correct policy configuration is in place.
Will signatures in my endpoint protection solution help?
Signatures help with detection of known indicators but must be kept up-to-date due to constantly developing evasion techniques.
My firewall has IPS signatures for LOG4J, is this sufficient?
IPS signatures on firewalls are helpful, but traffic needs to be decrypted, and one must stay ahead of new evasion techniques by threat actors.
Can I expect incognito Log4j activity?
New exploitations may always emerge, but current detections are based on the overall pattern rather than specific instances.
Does removing a certain java file on my filesystem help?
Removing JndiLookup.class eliminates the exploit risk but may break dependencies.
I found an at-risk application environment with Log4j and turned off logging. Is that correct?
Turning off logging is not a solution and can lead to lack of visibility, contrary to a healthy security process. Removing the JNDI class from the Log4j library is a form of remediation but can affect application functionality.
What about DNS? How can I block malicious DNS requests that resulted from Log4J?
Initially, attacks may not use DNS, but command and control traffic might in later stages. Blocking advanced DNS queries requires specific products/licenses, e.g., DNS Security by Palo Alto Networks. Blocking known bad domains or newly registered domains can be effective.
Will blocking LDAP, LDAPs traffic and RMI help?
Blocking known protocols helps, but should be done at the application level to be effective. Blocking all traffic and allowing only required traffic is a better approach.
Does blocking traffic from certain countries help?
It can help, but a better strategy is to block all non-essential traffic or only allow expected traffic, which can also be managed via geo-IP.
Will special IOC’s in my SIEM software help?
General SIEM software can detect undefined use cases but is limited in protection. Patches are the only real solution. Stay updated with IOCs for early detection.
How do I know if someone has already hacked my system?
Proactively inspect your environment using scanning tools and lists of vulnerable software from NCSC and CISA.
How to find out if we have been exploited?
Analyze historical data from endpoints and networks. Use tools like Cortex XDR Pro to query for suspicious LDAP activity before the patch and for behavior indicating threat actions.
From a compliance perspective, what can we do today?
Document all steps and actions for an audit trail during Log4j vulnerability mitigations.
To what extent can a Zero Trust approach reduce the impact of such a vulnerability?
Zero Trust minimizes the likelihood and impact by defaulting to deny all access unless explicitly permitted, coupled with traffic inspection and segmentation to limit the ‘blast radius’.