How We Were Able to Help Our Customers With the Log4j 0Day

PUBLISHED ON January 25, 2022
LAST UPDATED January 28, 2022

Many security teams are still working overtime to patch and protect against any log4j-related exploits. But for many, the bulk of the work is now in the rearview mirror. We here at ThreatX are in that latter camp, and as I reflected recently on what the emergence of that vulnerability meant for our team, I feel really proud of our response to that 0day – both in terms of our technology and our team. I thought it might be valuable to share a look back at how and why we were able to provide such a fast and comprehensive response to this threat. Bottom line: We were able to provide our customers with same-day protection for the recent Log4J 0Day. We did that with an artful combination of our flexible platform, our attacker-centric behavioral analysis, and our 24X7 managed services and SOC team.

Team effort

For us, 0day protection starts in our SOC. We monitor CVE feeds, analyze new vulnerabilities and exploits for impact and criticality, and when necessary, enhance our attacker-centric behavioral analysis accordingly. We balance the risks of attack with the risk of false-positive blocks, and in the normal course of business, run our modifications in “beta” mode to ensure we’re catching only what we’re after. 

In the case of 0day protection, we err on the side of blocking, and fast-track that process, fine-tuning as the attack evolves. In the case of the Log4J vulnerability, we immediately understood the severity of the exploit, and had detection in place, “bumping” risk score for obvious log4j recon (always risky, but more so now that attackers are building dossiers for more sophisticated attacks). Additionally, we developed heuristics allowing us to detect and block requests from entities that were attempting the explicit exploits outlined in CVE-2021-44228.

Technology tactics

Other WAF solutions might have struggled with the layered encoding and the obfuscation techniques used as this attack evolved. Our technology performs multi-level serialized decoding, and through this capability we’re able to detect these evasion techniques. In addition, our network effect allows us to see multiple attacks in the wild, so we’re able to add to the protection as the attacks evolve.

Also critical, the ThreatX Platform was designed to allow rapid deployment of new risk analysis heuristics, without a code change or software deployment. That capability helps our customers in normal situations, where they (and we) refine and tune risk rating to match the business logic of their applications. But when things “get real” and there’s a 0day to mitigate, this capability is critical. Our architecture allows us to put new detection and protection logic in place in seconds, as we did on the morning of the vulnerability release in this case.

Learn more

We believe the combination of our flexible platform and our managed service offering (which extends to all of our customers) is the best protection against rapidly evolving threats like the Log4J vulnerability. Learn more about our solution.

About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.