February 24, 2023 By Ronda Swaney 4 min read

Vulnerabilities like the Log4j flaw remain responsible for security breaches a full year after their discovery. In the months after widespread reporting about the vulnerability, 40% of Log4j downloads remained vulnerable to exploitation.

Rapid response — by both security teams and hackers

What made this exposure so damaging was how widespread this piece of code is and how hard it is to find exactly where it is used. This open-source logging code from Apache was the most popular Java logging library, clocking in at over 400,000 downloads from GitHub. The code is embedded in many internet services and apps, including Twitter, Amazon, Microsoft, Minecraft and others. Because it was an easily accessible piece of open-source logging code, developers used it rather than taking the time to write new code during development. In the days after its discovery, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said in a CNBC interview, “The Log4j vulnerability is the most serious vulnerability that I’ve seen in my decades-long career.” She went on to say, “This is not something that will be patched and finished. This is something that we are likely going to be working on for months, if not years, given the ubiquity of the software and ease of exploitation.”

Publication of the vulnerability moved security teams to action. Apache listed all the projects affected by the Log4j flaw, but publicizing the flaw also prompted bad actors to take advantage of slower-moving or understaffed teams. The cybersecurity software company Check Point noted that, within days of the vulnerability being reported, more than 60 new variations of the exploit appeared in less than 24 hours.

Flaw still inspires new attacks

The initial Log4j vulnerability exposure was widespread and pervasive, and the danger remains, still threatening businesses. Threat landscapes shift with time. Log4Shell, for example, is a vulnerability in Log4j 2 that allows a remote attacker to take control of a device on the internet if that device is running specific versions of Log4j 2. Apache created a patch, but that patch left part of the vulnerability unfixed, requiring second, third and fourth patches to fix new vulnerabilities as they were found. Threat actors rely on security and IT teams being too busy, and users too uninformed about threats, to apply these patches. As recently as November 2022, Iran-linked threat actors exploited Log4Shell via unpatched VMware. CISA observed suspected threat activity at a Federal Civilian Executive Branch (FCEB) organization and determined that cyber threat actors had exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. From there, they installed crypto mining software on the server, moved to the domain controller, compromised credentials and then implanted Ngrok reverse proxies on several hosts.

This may be one of the newest iterations of the Log4j threat, but it assuredly won’t be the last. And, of course, there will be new threats that arrive in new ways through other vulnerabilities. It’s clear that updating software and encouraging users to install patches isn’t enough. Even when organizations do their best to stay up to date on all patches, threats morph and move fast enough to make those patches outdated. It may seem that updating devices and software belongs in the realm of IT. Still, given the urgency of security weaknesses and their business impact, security retrofitting needs to be a full-time concern.

Retrofitting as a central task for cybersecurity teams

Large organizations with thousands of devices and arduous processes for software and hardware updates remain especially susceptible, whether that’s to the Log4j vulnerability or as-yet-unknown vulnerabilities. Here are some tips on how to structure your team’s response plans and ensure you can retrofit security controls in the face of modern cybersecurity threats.

  1. Make addressing vulnerabilities a security team function. Software patches and device updates frequently fall to IT teams to accomplish. However, as noted above, patches and updates frequently can’t be done quickly enough to head off threats before they cause harm. Rather than overburden busy IT personnel, make threat vigilance and mitigation a security team function. Keep your security team on target by ranking priorities in order of urgency. Consider expanding this team if they’re stretched thin. Considering the cost to the business of falling prey to these attacks, the expense of expanding the team should be a reasonable price to pay for the added protection.
  2. Watch the watchers. Governments worldwide support cybersecurity agencies whose main mission is to warn organizations about cybersecurity threats. In the U.S., that organization is CISA. In the U.K., it’s the National Cyber Security Centre (NCSC). You can sign up to receive alerts from these and other trusted organizations. They describe the threat and offer resources and advice on how best to mitigate damage to your organization.
  3. Communicate early and often. Ensure there are open lines of communication between your cybersecurity and IT teams, as well as other mission-critical teams within your organization. Neither team can watch or know everything. Additionally, if the worst happens, it’s wise to have open communications with your vendors, partners and customers. If they put you at risk or you put them at risk, you need to know how and with whom to communicate if disaster recovery steps become necessary.
  4. Deepen your defense. Criminals are crafty. They will always look for — and find — the next opening to exploit. Your security practices should range from simple (strong passwords, multi-factor authentication or user controls) to more complex (vulnerability hunts or hackathons to find holes). Your organization might find a good threat-hunting program beneficial. The more security layers your organization erects, the less damage cyber criminals can do.
  5. Document — and practice — your plan. Disaster recovery plans go way beyond natural disasters. Resilient companies understand how all-encompassing modern disaster planning needs to be. Cybersecurity disaster planning outlines who owns and runs the plan, where the assets that require protection are, how to stop damage and loss, when the plan should be updated and what strategies will best protect your company. Like any good plan, it’s not a one-and-done task. Security threats evolve, so your plan must be updated and practiced to ensure it’s current and that each team member understands the role they play.
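The first tip only works if the security team can find every copy of the library, and the article's point that Log4j is "hard to find exactly where it's used" comes from copies buried inside fat JARs and WARs. The following scanner is an added example written for this page, not code from the article, CISA or Apache: it walks a directory tree, looks inside every archive (recursing into nested ones) for the log4j-core JndiLookup class, reads the version from the manifest, and flags copies below a minimum safe version. The `min_safe` threshold of 2.17.1 is an assumption; set it from the current Apache advisory. All sample JARs are constructed in a temporary directory.

```python
import io, os, pathlib, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class shipped inside log4j-core
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])  # "2.14.1" -> (2, 14, 1), compares numerically

def inspect_archive(zf, path, min_safe, findings):
    # Record every log4j-core copy in this archive, then recurse into nested JARs/WARs (fat JARs hide copies)
    names = zf.namelist()
    if any(n.endswith(JNDI_CLASS) for n in names):
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
        version = m.group(1) if (m := re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)) else None
        # no readable version counts as vulnerable: unknown means unpatched until proven otherwise
        findings.append((path, version, version is None or parse_version(version) < parse_version(min_safe)))
    for name in names:
        if name.endswith(ARCHIVES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                inspect_archive(inner, f"{path}!{name}", min_safe, findings)

def scan(root, min_safe):
    # Walk a directory tree; return sorted (relative path, version, vulnerable) for each copy found
    findings = []
    for dirpath, _, files in os.walk(root):
        for full in (os.path.join(dirpath, f) for f in files if f.endswith(ARCHIVES)):
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, os.path.relpath(full, root), min_safe, findings)
            except zipfile.BadZipFile:
                pass  # the extension lied; not an archive, skip it
    return sorted(findings)

def make_archive(entries):
    buf = io.BytesIO()  # constructed sample data: build an in-memory ZIP from {name: bytes}
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
def fake_log4j_core(version):
    return make_archive({"META-INF/MANIFEST.MF": f"Implementation-Version: {version}\n", JNDI_CLASS: b""})

def demo(min_safe="2.17.1"):  # 2.17.1 is an assumption; take the threshold from the current Apache advisory
    # Constructed sample tree: an old copy, a patched copy, and an old copy nested inside a WAR
    with tempfile.TemporaryDirectory() as root:
        samples = {"log4j-core-old.jar": fake_log4j_core("2.14.1"),
                   "log4j-core-new.jar": fake_log4j_core("2.17.1"),
                   "app.war": make_archive({"WEB-INF/lib/log4j-core.jar": fake_log4j_core("2.14.1")})}
        for name, data in samples.items():
            pathlib.Path(root, name).write_bytes(data)
        return scan(root, min_safe)
```

Run `scan("/path/to/deployments", "2.17.1")` against real application directories; every `True` in the result is a copy the patch process missed, which is exactly the prioritized list tip 1 asks the security team to own.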

Organizations of all sizes are vulnerable to security threats. Strengthening your security posture remains the only option in a world where cybersecurity threats continue to multiply.
