Log4j – what steps to take next?

Over the past week, the IT and cybersecurity world has been busy with the vulnerability in Log4j, dubbed Log4Shell, which has turned out to be hard to track down and mitigate. Because Log4j is so widely used and the vulnerability is so easy to exploit, it can lead to serious compromises in any organization, including data breaches and ransomware. Northwave strongly advises organizations to prepare for attacks and incidents in the near future. To help you prepare, and to improve your ability to respond should the worst happen, we have identified the most important measures to take right now.

To help you with identifying and addressing a possible Log4j incident, ask yourself the following questions:

  1. Do we have an up-to-date incident response process and plan in place?

Make sure you have an up-to-date incident response process and plan in place to use when a security incident occurs. Within these, make sure the following items are clearly defined:
•    The roles, tasks, and responsibilities during a security incident. Who do you absolutely need when a security incident occurs and what do they need to do? During an incident it is crucial that this division of roles and responsibilities is fully clear and that those involved are aware of it. We recommend having at least the following roles in place: a coordinator, a technical lead and a business lead.
•    The escalation path. Who is going to call whom at which point, and who is in charge? During an incident, internal escalation and communication are key to success. Make sure it is clear how to escalate and to whom.
•    Decision making. Who is responsible and mandated to make key decisions? During incidents, high impact decisions will need to be made under high time pressure. Make clear agreements about who is allowed to make which decisions. Decisions that we see as key within the first 24 hours following an incident are: shutting down the network, defining priorities within systems and processes, and managing internal/external communication.
•    External help/advice. Make sure you know how and when to bring in external help and what these parties can help you with. Consider forensic investigation or incident/crisis coordination assistance, and make sure that everyone responsible knows how to contact these parties at all times.

  2. Are our people prepared to act on an incident?

Incidents always occur when no one expects them, and when it is least convenient. The upcoming holiday season fits this description perfectly, so prepare the people who will have to act during an incident. Consider the following:
•    Have a team on standby. Set up (at least temporarily) on-call shifts to cover evening hours, weekends, and holidays. At Northwave we have consistently seen that periods such as the December holiday season are used to launch cyberattacks.
•    Go through the incident process with the key participants. Make sure it is clear to everyone what their role is in the event of an incident. Investing time in this now will increase the likelihood that you act quickly as a team as the steps to take are fresh in everyone’s mind.

  3. Do we have insight into and an overview of our organization?

As an organization, make sure you have an overview of your key risks and assets and of the expected impact during an incident. At the time of an incident, many of the actions and decisions you need to take will require this information. As a baseline, make sure you have the following:
•    Critical processes. Have an overview of the most important processes, applications, systems, and servers that are involved in the operation of your organization.
•    Asset List. Have an overview of the most important assets for the organization. Include servers, applications, and operating systems.
•    Technical Infrastructure Overview. Have an overview of the organization’s technical infrastructure e.g. network drawings.
•    Suppliers. Have an overview of your suppliers, including applied services and contact information for each.

  4. What measures can we take right now?

The best way to be prepared for an incident is to minimize both the likelihood and the impact of one.
•    Enable detection measures. Map out what you do and do not currently monitor, and supplement this with additional detection measures where possible. Pay extra attention to possible exfiltration of data, which is common in current cyberattacks.
•    Have offline backups and test them. Keep your backups offline as much as possible after they are created. Backups are hugely important for recovering after a cyberattack, and we recommend you follow the 3-2-1 backup approach: three copies of your data, on two different media, with one copy off-site.
•    Contact your suppliers. Determine if your suppliers are using log4j and then jointly determine if measures need to be taken.

  5. What measures can we expect to take as an organization during an incident?

During incidents, you can assume that actions must be taken at a rapid pace that may have an impact on the organization. To account for this, assess the following measures:
•    Isolating affected systems. During incidents, affected systems should be isolated as soon as possible. In some cases, the only available route to mitigate the risk is to isolate all systems and disable all network connections.
•    Changing credentials. Changing credentials is an important measure after a compromise. This may be limited to credentials linked to a compromised server, but in some cases all credentials within an organization should be reset.
•    Communication. Deploying effective internal and external communications as a measure during an incident allows an organization to maintain control over the situation. Incidents often impact the business and will potentially be noticed by employees, partners, and external stakeholders. Communicating proactively will help you stay in control as an organization.

What will Northwave do?
For Northwave SOC customers using NIDS, or Endpoint Monitoring based on ESET or Microsoft Defender for Endpoint, Northwave is able to detect exploitation attempts. For detection on endpoints to be possible, an EDR agent (ESET or Defender for Endpoint) must be installed on the vulnerable host. Northwave is continuously updating its detection measures based on the latest information available. Northwave Vulnerability Management customers will also be informed if vulnerable Log4j instances are detected in their infrastructure.

Northwave considers the previously communicated network scan insufficient as a way to check whether you are vulnerable: a network scan can only find instances that are reachable from the scanner and that happen to log the probe, so a clean result does not mean Log4j is absent. We strongly advise a filesystem scan to check whether Log4j is in use.
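As an added example of such a filesystem scan (this is illustration code written for this page, not Northwave's tooling), the Python script below walks a directory tree, opens every .jar/.war/.ear/.zip archive it finds, including archives nested inside other archives, reads the log4j-core version from the Maven pom.properties that log4j-core ships with, and records whether the JndiLookup class is still present. That class implements the JNDI lookup, and deleting it from log4j-core is the mitigation Apache documents for affected 2.x releases, so an old jar without it has usually been mitigated, while a jar with it and no readable version (a shaded or fat jar) needs a closer look. The sample archives are constructed inside the script, and MIN_SAFE_VERSION is a placeholder you should set from the current advisory.

```python
"""Filesystem scan for copies of log4j-core, including jars nested inside
.war/.ear/.jar files. Added example; not Northwave's tooling."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Class implementing the JNDI lookup. Apache's mitigation for affected 2.x
# releases is to delete this entry from log4j-core, so its absence in an old
# jar usually means that mitigation was applied.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core, from which the version is read.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(.+)$", re.M)
# Assumption for this example: take the real threshold from the current advisory.
MIN_SAFE_VERSION = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_archive(zf, label, depth=0, max_depth=3):
    """Yield one finding per log4j-core occurrence in zf or its nested archives."""
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP in names
    version = None
    if POM_PROPS in names:
        m = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if m:
            version = m.group(1).strip()
    if has_jndi or version is not None:
        yield {"path": label, "version": version, "jndi_lookup_present": has_jndi}
    if depth >= max_depth:
        return
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, KeyError):
                continue  # corrupt nested archive, or not actually a zip
            yield from inspect_archive(inner, label + "!" + name, depth + 1, max_depth)


def scan(root):
    """Walk root and return findings for every archive that carries log4j-core."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable, or not actually a zip
    return findings


def needs_attention(finding, min_safe=MIN_SAFE_VERSION):
    """Flag a copy whose JNDI lookup class is still present and whose version
    is unknown (shaded/fat jar without pom.properties) or below min_safe."""
    if not finding["jndi_lookup_present"]:
        return False
    if finding["version"] is None:
        return True
    return parse_version(finding["version"]) < min_safe


def build_sample(root):
    """Constructed fixture (not real software): a .war embedding a fake
    log4j-core 2.14.1 jar, plus a copy from which JndiLookup.class was removed."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"")  # the scan only checks the entry name
        z.writestr(POM_PROPS, "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-core-stripped.jar"), "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\n")
    return root


def demo():
    """Scan a freshly built fixture and return its findings."""
    return scan(build_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for f in scan(target):
        state = "CHECK" if needs_attention(f) else "ok"
        print(state, f["path"], f["version"] or "unknown",
              "JndiLookup present" if f["jndi_lookup_present"] else "JndiLookup removed")
```

Run it with a directory as the argument (for example the root of an application server installation) to get one line per copy of log4j-core found; without an argument it scans the constructed fixture. The nesting depth limit keeps the scan from recursing forever through pathological archives, and a finding with an unknown version is deliberately flagged rather than ignored, since that is exactly the case (repackaged or shaded jars) a filename-only search misses.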

Northwave will continue to monitor any developments regarding this vulnerability, and will update our page at https://log4shell.northwave.nl/ with our findings.

If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909