Vulnerabilities like Log4j remain responsible for security breaches a full year after the discovery of the flaw. In the months after widespread reporting about the vulnerability, 40% of Log4j downloads remained vulnerable to exploitation.

Rapid Response — by Both Security Teams and Hackers

What made this exposure so damaging was how widespread this piece of code is and how hard it is to find exactly where it’s used. This open-source logging code from Apache was the most popular java logging library, clocking in at over 400,000+ downloads from GitHub. The code is embedded in many internet services and apps, including Twitter, Amazon, Microsoft, Minecraft and others. As an easily accessible piece of open-source logging code, developers used it rather than taking the time to create new code during development. In days after its discovery, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said in a CNBC interview, “The Log4j vulnerability is the most serious vulnerability that I’ve seen in my decades-long career.” She went on to say, “This is not something that will be patched and finished. This is something that we are likely going to be working on for months, if not years, given the ubiquity of the software and ease of exploitation.”

Publication of the vulnerability moved security teams to action. Apache listed all the projects affected by the Log4j flaw but publicizing the flaw also prompted bad actors to take advantage of slower-moving or understaffed team responses. Cybersecurity software business Check Point noted that within days of reporting the vulnerability, more than 60 new variations of the exploit were introduced in less than 24 hours.

Flaw Still Inspires New Attacks

The initial Log4j vulnerability exposure was widespread and pervasive, but the danger remains, still threatening businesses. Threat landscapes shift with time. For example, Log4Shell is a vulnerability in Log4j 2. It allows a remote attacker to take control of a device on the internet if the device is running specific versions of Log4j 2. Apache created a patch, but that patch left part of the vulnerability unfixed, requiring second, third and fourth patches to fix new vulnerabilities as they were found. Threat actors rely on security and IT teams to be too busy and users too uninformed about threats to simply ignore these patches. As recently as November 2022, Iran-linked threat actors exploited Log4Shell via unpatched VMware. CISA observed suspected threat activity at a Federal Civilian Executive Branch (FCEB) organization. They determined that cyber threat actors had exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. From there, they installed crypto mining software to the server, moved to the domain controller, compromised credentials and then implanted Ngrok reverse proxies on several hosts.

This may be among the newest iterations of the Log4j threat, but they assuredly won’t be the last. And, of course, there will be new threats that arrive in new ways through other vulnerabilities. It’s clear that updating software and encouraging users to install patches isn’t enough. Even when organizations do their best to stay up to date on all patches, threats morph and move fast enough to make those patches outdated. It may seem updating devices and software belongs in the realm of IT. Still, given the urgency of security weaknesses and their business impact, security retrofitting needs to be a full-time concern.

Retrofitting as a Central Task for Cybersecurity Teams

Large organizations with thousands of devices and arduous processes for software and hardware updates remain especially susceptible, whether that’s to the Log4j vulnerability or as-yet-unknown vulnerabilities. Here are some tips on how to structure your team’s response plans and ensure you can retrofit security controls in the face of modern cybersecurity threats.

  1. Make addressing vulnerabilities a security team function. Software patches and device updates frequently fall to IT teams to accomplish. However, as noted above, patches and updates frequently can’t be done quickly enough to head off threats before they cause harm. Rather than overburden busy IT personnel, make threat vigilance and mitigation a security team function. Keep your security team on target by ranking priorities in order of urgency. Consider expanding this team if they’re stretched thin. Considering the cost to the business of falling prey to these attacks, the expense of expanding the team should be a reasonable price to pay for the added protection.
  2. Watch the watchers. Governments worldwide support cybersecurity agencies whose main mission is to warn organizations about cybersecurity threats. In the U.S., that organization is CISA. In the U.K., it’s the National Cyber Security Centre (NCSC). You can sign up to receive alerts from these and other trusted organizations. They describe the threat and offer resources and advice on how best to mitigate damage to your organization.
  3. Communicate early and often. Ensure there are open lines of communication between your cybersecurity and IT teams, as well as other mission-critical teams within your organization. Neither team can watch or know everything. Additionally, if the worst happens, it’s wise to have open communications with your vendors, partners and customers. If they put you at risk or you put them at risk, you need to know how and with whom to communicate if disaster recovery steps become necessary.
  4. Deepen your defense. Criminals are crafty. They will always look for — and find — the next opening to exploit. Your security practices should range from simple (strong passwords, multi-factor authentication or user controls) to more complex (vulnerability hunts or hackathons to find holes). Your organization might find a good threat-hunting program beneficial. The more security layers your organization erects, the less damage cyber criminals can do.
  5. Document — and practice — your plan. Disaster recovery plans go way beyond natural disasters. Resilient companies understand how all-encompassing modern disaster planning needs to be. Cybersecurity disaster planning outlines who own and runs the plan, where are the assets that require protection, how to stop damage and loss, when the plan should be updated and what strategies will best protect your company. Like any good plan, it’s not a one-and-done task. Security threats evolve, so your plan must be updated and practiced to ensure it’s current and that each team member understands the role they play.

Organizations of all sizes are vulnerable to security threats. Strengthening your security posture remains the only option in a world where cybersecurity threats continue to multiply.

More from Risk Management

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read

Will Commercial Spyware Survive Biden’s Executive Order?

4 min read - On March 27, 2023, reports surfaced that 50 U.S. government employees had been targeted by phone spyware overseas. On the day of that report, President Joe Biden signed an executive order to restrict federal agencies’ use of commercial spyware. The timing of the order was linked to this specific phone-targeting exploit. But spyware infiltration of government officials — and by government officials — has been a recurring problem globally. Commercial spyware has long been entwined with statecraft and spycraft, both…

4 min read

How to Boost Cybersecurity Through Better Communication

4 min read - Security would be easy without users. That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity. In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees - how they think, how they learn and what they really want. The human element — the individual and…

4 min read