Landis+Gyr | Blog

Log4Shell: Why the BSI recommends anomaly detection

Written by Jens Pacholsky | 20-Jan-2022 14:10:31

In its working paper "Critical Vulnerability in Log4j - Detection and Response", the German Federal Office for Information Security (BSI) underlines that the Log4Shell vulnerability remains a persistent and complex danger, in industrial networks as well. For many companies, patching the vulnerability in the short to medium term is considered unrealistic. The BSI therefore recommends continuous monitoring and analysis of network communication via anomaly detection in addition to rule-based query analysis. Industrial anomaly detection solutions, as offered by Rhebo, a Landis+Gyr Company, enable companies to detect compromises that have already occurred, active exploitation and other malicious activity in operational technology (OT) and industrial control systems (ICS) at an early stage. The vulnerability, documented as CVE-2021-44228, allows unauthenticated attackers to execute arbitrary code on systems using the widespread Log4j logging library: a crafted string beginning with ${jndi: in any input that ends up in a log message triggers a JNDI lookup, and the library loads and runs code fetched from the attacker's server.

Fast and complete security patching unlikely

"Naturally, the first priority is to update all existing Log4j libraries in the company to the most recent version. However, many companies are thus embarking on the proverbial search for the needle in the haystack," said Rhebo CTO Martin Menschner. Companies often lack clarity over which applications embed the vulnerable library, because Log4j is usually bundled inside the application's own archive rather than installed as a system package. Moreover, as the BSI explicitly points out, it is not sufficient to update the Log4j library via the global software management of operating systems. They stress the point that only the respective "software manufacturers who have integrated the library into their programs [can] carry out the update." Mitigation is further complicated by the fact that Log4j 2 has already gone through several releases since the vulnerability became known (2.15.0, 2.16.0, 2.17.0 and 2.17.1 by the time of writing), so an update applied in the first days may itself need updating.
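The needle-in-the-haystack problem above is concrete: log4j-core usually sits inside a .war or .ear, often several archive levels deep, so neither the OS package manager nor a plain file search finds it. The following inventory scanner is an added example for this post, not Rhebo's product code or anything from the BSI paper. It opens archives recursively in memory, reads the version from the Maven pom.properties entry, checks whether the JndiLookup class is present, and classifies the result against the CVE-2021-44228 range. The sample application tree it builds in a temporary directory is constructed, and the file names in it are assumptions.

```python
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

# Archive types that may bundle log4j-core, possibly several levels deep (ear -> war -> jar).
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def is_vulnerable_version(version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1. The Java 7 and
    Java 6 backports 2.12.2 and 2.3.1 sit inside that range but are fixed releases."""
    nums = tuple(int(x) for x in version.split("-")[0].split("."))
    if nums in ((2, 3, 1), (2, 12, 2)):
        return False
    return (2, 0) <= nums < (2, 15)


def _scan_archive(zf: zipfile.ZipFile, path: str) -> Iterator[dict]:
    names = set(zf.namelist())
    if JNDI_CLASS in names or POM_PROPS in names:
        version: Optional[str] = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        yield {"path": path, "version": version, "jndi_lookup": JNDI_CLASS in names}
    # Recurse into archives nested inside this one (WEB-INF/lib/*.jar etc.), in memory.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from _scan_archive(inner, f"{path}!{name}")


def scan_tree(root: str) -> List[dict]:
    """Walk a directory tree and report every embedded log4j-core, however deeply nested."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(_scan_archive(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def assess(finding: dict) -> str:
    if not finding["jndi_lookup"]:
        return "JndiLookup.class removed (mitigated)"
    v = finding["version"]
    if v is None:
        return "log4j-core without version metadata: inspect manually"
    if is_vulnerable_version(v):
        return f"log4j-core {v}: vulnerable to CVE-2021-44228, update required"
    return f"log4j-core {v}: not affected by CVE-2021-44228 (check the current advisory for later issues)"


def _fake_log4j_core(version: str, keep_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if keep_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return buf.getvalue()


def run_demo() -> List[Tuple[str, str]]:
    """Build a constructed application tree in a temp dir, scan it, return (path, assessment)."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "scada-portal.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1", True))
        with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as f:
            f.write(_fake_log4j_core("2.17.1", True))
        with open(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "wb") as f:
            f.write(_fake_log4j_core("2.14.1", False))
        results = [(fd["path"][len(root):].lstrip(os.sep), assess(fd)) for fd in scan_tree(root)]
    return sorted(results)


if __name__ == "__main__":
    for path, verdict in run_demo():
        print(f"{path}: {verdict}")
```

Run it against a real deployment directory by calling scan_tree on that path instead of the constructed tree. Note that a 2.17.x jar still contains JndiLookup.class (the lookup is merely disabled by default), so presence of the class alone is not a verdict; the version is. Shaded or renamed copies of log4j-core that drop the Maven metadata show up as "inspect manually", which is exactly the case the BSI's remark about software manufacturers refers to.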

In addition, according to the BSI, all known mitigation measures that affect the use of the library are currently based on disabling the problematic functionality, that is, removing the JndiLookup class from the jar or switching message lookups off. Systems that genuinely depend on that functionality thus risk no longer working once the mitigation is applied. Organizations providing critical services, for example operators of critical infrastructures and industrial companies, find themselves in a catch-22: leave the vulnerability open, or risk an outage of a system they cannot afford to lose.

Furthermore, companies should not be lulled into a sense of security even after an update. "The Log4Shell vulnerability could already have been exploited in some companies. This means that adversaries might have already compromised IT or - via lateral movement - Operational Technology (OT) networks and established access via backdoors," adds Martin Menschner. After all, the vulnerable lookup feature has been part of Log4j 2 since 2013, long before the flaw became public. And security organizations worldwide have observed a massive increase in network scans and attacks since Log4Shell officially became known in December 2021 (see also Rhebo's commentary on Log4Shell).

Anomaly detection should be a priority

For these reasons, the BSI recommends that organizations immediately implement enhanced measures to detect suspicious and malicious communication. In addition to evaluating request data (e.g. searching web server logs for the lookup strings used in exploitation attempts), the BSI explicitly mentions anomaly detection at the network level. "This solution not only detects previously unknown attack patterns typical of zero-day vulnerabilities," added Martin Menschner. "It also reports operations that indicate existing compromises, such as lateral movement, scans, change of functions and command structures in systems." Rhebo's Next Generation OT Intrusion Detection offers a solution tailored specifically to Operational Technology networks and Industrial Control Systems.

The OT Monitoring observes all communication within an industrial network, while the integrated Threat and Intrusion Detection identifies any anomaly, i.e. any deviation from the learned communication baseline, and reports it in real time. It detects any communication that is novel or unusual in the monitored network and indicative of malicious behavior, from backdoor communications, lateral movement and spoofing to direct interference with industrial processes. Because the approach asks whether a communication fits the established pattern rather than whether it matches a known signature, the actions of adversaries within the OT network become visible and traceable, and can be mitigated in real time, even if they use previously unknown tooling or have hijacked authenticated user accounts. One precondition matters: the baseline must be learned on a network that is not already compromised, otherwise an attacker's existing backdoor traffic would be treated as normal. To get anomaly detection up and running quickly, Rhebo offers on-demand technical operational support as well as a comprehensive managed protection service, and to assess whether a network compromise has already occurred before the baseline is established, an OT risk assessment and security analysis is also recommended.
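To make the principle behind the paragraph above concrete, here is a minimal baseline-and-deviation detector written as an added example for this post. It is not Rhebo's implementation and makes no claim about how the product works internally; it only shows why a communication baseline sees a Log4Shell compromise without knowing anything about Log4j. The plant topology, host roles, addresses and flows are constructed, and the fan-out threshold is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection: source host, destination host, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str


class CommunicationBaseline:
    """Learns which hosts talk to which services during a clean learning phase, then
    reports every deviation from that picture. The baseline is a whitelist of behaviour,
    not a list of attack signatures, so it needs no knowledge of the exploit in use."""

    def __init__(self, fanout_threshold: int = 5) -> None:
        self.pairs: Set[Tuple[str, str, int, str]] = set()
        self.hosts: Set[str] = set()
        self.services: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
        self.fanout_threshold = fanout_threshold  # assumed cut-off for "scan-like" behaviour

    def learn(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            self.pairs.add((f.src, f.dst, f.dport, f.proto))
            self.hosts.update((f.src, f.dst))
            self.services[f.dst].add((f.proto, f.dport))

    def deviation(self, f: Flow) -> Optional[str]:
        """Most specific explanation of why a flow is outside the baseline, or None."""
        if (f.src, f.dst, f.dport, f.proto) in self.pairs:
            return None
        if f.src not in self.hosts:
            return f"new source host {f.src}"
        if f.dst not in self.hosts:
            return f"new destination host {f.dst}"
        if (f.proto, f.dport) not in self.services[f.dst]:
            return f"new service {f.proto}/{f.dport} on {f.dst}"
        return f"new communication pair {f.src} -> {f.dst} {f.proto}/{f.dport}"

    def evaluate(self, flows: Iterable[Flow]) -> Tuple[List[Tuple[Flow, str]], List[str]]:
        """Per-flow alerts plus scan-style alerts for sources fanning out to many new targets."""
        alerts: List[Tuple[Flow, str]] = []
        new_targets: Dict[str, Set[str]] = defaultdict(set)
        for f in flows:
            reason = self.deviation(f)
            if reason is None:
                continue
            alerts.append((f, reason))
            new_targets[f.src].add(f.dst)
        scans = [f"scan-like fan-out from {src}: {len(t)} new destinations"
                 for src, t in new_targets.items() if len(t) >= self.fanout_threshold]
        return alerts, scans


# Constructed learning-phase traffic for a small plant network (not real data):
# SCADA server 10.10.1.5, HMI 10.10.1.10, engineering workstation 10.10.1.20,
# historian 10.10.1.30, PLCs 10.10.2.21 and 10.10.2.22.
LEARNING_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp"),   # HMI polls PLC 1 over Modbus/TCP
    Flow("10.10.1.10", "10.10.2.22", 502, "tcp"),   # HMI polls PLC 2
    Flow("10.10.1.20", "10.10.2.21", 102, "tcp"),   # engineering workstation, S7 to PLC 1
    Flow("10.10.1.5", "10.10.1.10", 4840, "tcp"),   # SCADA server to HMI, OPC UA
    Flow("10.10.1.5", "10.10.1.30", 5432, "tcp"),   # SCADA server writes to historian DB
]

# Constructed traffic after a Log4Shell compromise of the SCADA server.
OBSERVED_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp"),   # normal polling, in baseline
    Flow("10.10.1.5", "203.0.113.5", 1389, "tcp"),  # JNDI callback: LDAP to an Internet host
    Flow("10.10.1.5", "10.10.2.21", 502, "tcp"),    # server talks Modbus to a PLC directly
] + [Flow("10.10.1.5", f"10.10.2.{n}", 22, "tcp") for n in range(21, 26)]  # SSH sweep


def run_demo() -> Tuple[List[Tuple[Flow, str]], List[str]]:
    baseline = CommunicationBaseline()
    baseline.learn(LEARNING_FLOWS)
    return baseline.evaluate(OBSERVED_FLOWS)


if __name__ == "__main__":
    alerts, scans = run_demo()
    for flow, reason in alerts:
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    for s in scans:
        print(s)
```

Every flow the compromised server produces is reported for a reason that has nothing to do with the exploit: the LDAP callback goes to a host the network has never talked to, the direct Modbus writes form a pair that never existed, and the SSH sweep hits services the PLCs never offered. The same mechanism also shows the weakness named above: had the SCADA server already been beaconing to 203.0.113.5 during the learning phase, that flow would be in the baseline and silent, which is why a clean starting point has to be verified first.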