December 20, 2021

Cybersecurity Journey to Zero Trust - 3

With Zero Trust things can get real, really fast. Learn how the Apache Log4j vulnerability chain just capped the year with another real-world example that drives home the importance of Zero Trust Security Architecture!

Cybersecurity has always been designed with a under a lock-and-key, moat around the castle mentality. However, in today’s fluid and supply-chain driven risk mitigation realm, the focus on perimeter defenses only ensure that external malicious actors are kept at bay. Unfortunately, these malicious actors are sometimes provided golden keys that land them directly inside the castle without having to fight a single knight or archer. That's where we find ourselves today, and with the current Apache Log4j vulnerability & Log4Shell Exploitation, zero-trust in real-time!

image-20220223172631-1

Source Credit: AdvIntel

For full details, and to download a PDF version of this content, see the Zero Trust in Real-time Whitepaper.

Zero Trust Setup

Gett’n real, in real-time…. this section explores how quickly the need for a Zero Trust Architecture be exposed.

Setup

  • The Common Vulnerabilities & Exposures (CVE) rating for this is a ’10.0’ out of 10 <and> what started as a 3.7 ramped up to a 9.0 within a week for the secondary CVE respectively and now a 3rd rated at 7.5 
  • Continued potential for additional follow-on CVE’s related to the original vulnerability (e.g. 2nd, 3rd and 4th CVE's related to Log4j)
  • Not only does this provide a level of numeric scale to the severity of this issue, but also the speed in which this can change dynamically, the criticality of the problem facing the overall community at large

Scope

  • Apache’s service is very broadly used in a variety of consumer and enterprise services, websites, and applications including numerous popular cloud-hosted services of the likes of Apple’s iCloud, Minecraft, Cloudflare and Twitter—as well as, in operational technology (OT) products—to log security and performance information:
  • An unauthenticated remote actor could exploit this vulnerability to take control of an affected system and provide them a C2 e.g. malware / phishing campaigns or simply exfiltration e.g. $ or info
  • The 2nd & 3rd flaws were found in the same logging utility, both that could potentially crash websites & serve as a DoS to those and other hosted services

Actions

  • Scale to find what apps have vulnerable versions of Log4j
  • Discover which apps have the vulnerability
  • Halt attacks against it today, don’t wait for a patch or WAF signature updates, and lastly…
  • Future proof your code and protect against the zero-day vuls as they come to pass

Zero-Trust Reality: The next battlefield

Battlefield

  • Breadth & Depth; unknown, undocumented and unseen? No, this had been in making for years…
  • How long must you play on a given battlefield?! This issue will be around for some time, as are other vulnerabilities and their malicious variants and actors developing against them ex. Mirai / SolarWinds / Spectre-Meltdown

Land & Expand

  • Where’s the beachhead?!  How do you stop an attack that is already inside your walls, within your fabric of operations and doesn’t need sophisticated threat actor involvement?
  • How quickly is the next Cyber / supply chain or infrastructure attack going to take this time? 

Campaign

  • In the initial hours, CISA and others tracking this had not identified any ‘active campaigns
  • Within days, several campaigns have already been detected in the wild ex. several were putting ransomware and remote-access-Trojans on Windows machines with Java installed.
  • Malicious actors will continue to sequence the vulnerability as detailed via MITRE’s cyber threat actor’s tactics and techniques.

Zero Trust Resilience®

How does the protection work and what mitigations take aim at future-proofing against the next incarnation?

  • Zero Trust Tenets
  • Granular Isolation (e.g. microservice, container, app
  • Continuous Enforcement on ‘every transaction’ 
  • Inline & Realtime Verification 
  • Universal Coverage & End-to-End Coverage 
  • Exploitation App Workloads/Services Limitation

This is the value of built-in resilience … as a complement to the rest of security!  The aim and goal should be preserving security resiliency during times of zero-day notification, through exploitation activities and the advancements or updated versions of attacks from the vector by deploying these Zero Trust framework based on NIST’s 7 tenets, strategies and tools of Zero Trust! 

*** For full details, download a PDF version of this content, see the Zero Trust in Real-time whitepaper

And don't miss out on continuing the Journey with Episode 4

Additional Resources

And for further Zero-Trust assets on Tech Zone, see:

Associated Content

home-carousel-icon From the action bar MORE button.

Filter Tags

Blog Announcement Intermediate Manage Zero Trust Public Sector