
High-precision threat detection for the Log4j vulnerability

The recent disclosure of the Log4shell vulnerability has disrupted the operations of many organizations over the past few weeks. It has also been a good reminder of the value of having the right security controls in place before you think you need them. When Log4shell was made public, Threat Stack customers immediately got the benefit of high-precision threat detection and our combination of rules with 24/7/365 Security Operations Center (SOC) monitoring and expertise.

In this blog post, we'll explore the ongoing efforts of Threat Stack to help our customers work through the Log4j vulnerability, and provide some insight into how we can help when the next vulnerability hits. As exploitation of Log4shell spread, Threat Stack relied on the following efforts to determine the impact on our customers:

Asset Discovery 

Threat Stack added four new rules to the platform to identify Java executables running on monitored hosts. Only a JVM can load a vulnerable log4j-core library, so knowing which hosts run Java narrows the search to the assets that can actually be exposed. While Threat Stack cannot confirm an active Log4shell attack from this alone (not many tools can, at this point), these rules give customers more precision when looking for indicators of vulnerability.
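To make the asset-discovery step concrete, here is an added example (not Threat Stack's rules or code) that does the same triage from a host's process listing: it keeps only Java launchers, reads any log4j-core jar version visible on the command line, and marks each JVM as vulnerable, patched, or unknown. The process listing, PIDs, paths and class names are constructed for the example, and the version logic treats log4j-core 2.x below 2.15.0 as affected by CVE-2021-44228 except for the 2.12.2 and 2.3.1 backport fixes.

```python
"""Triage Java processes on a host for Log4Shell (CVE-2021-44228) exposure.

Added example, not Threat Stack code. It reads the text of a process listing
(the shape of `ps -eo pid,args`) and looks only at command lines, so it finds
indicators of vulnerability, not evidence of exploitation.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]

# Constructed sample process listing (made-up PIDs, paths and class names).
SAMPLE_PS = """\
  PID ARGS
  812 /usr/bin/java -Xmx2g -cp /opt/app/lib/log4j-core-2.14.1.jar:/opt/app/lib/app.jar com.example.App
 1203 /usr/lib/jvm/java-11/bin/java -jar /srv/svc/service.jar
 1377 /usr/bin/python3 /opt/tools/agent.py
 2048 /opt/jdk/bin/java -Dlog4j2.formatMsgNoLookups=true -cp /opt/other/log4j-core-2.17.1.jar:/opt/other/x.jar Main
 2211 java -cp lib/log4j-core-2.12.1.jar:lib/log4j-api-2.12.1.jar org.acme.Worker
"""

# The first token of the command line must be a java launcher (bare name or path).
JAVA_LAUNCHER = re.compile(r"(?:^|/)java(?:\.exe)?$")
# log4j-core jar names carry the version, e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
LOG4J_CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?\.jar")
# Releases that fix CVE-2021-44228: 2.15.0, plus the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports.
BACKPORT_FIXES = [(2, 12, 2), (2, 3, 1)]


@dataclass
class Finding:
    pid: int
    status: str            # "vulnerable", "patched", or "unknown"
    versions: List[Version]
    cmd: str


def parse_ps(ps_text: str) -> List[Tuple[int, str]]:
    """Return (pid, command line) pairs, skipping the header line."""
    procs = []
    for line in ps_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs.append((int(parts[0]), parts[1]))
    return procs


def is_java(cmd: str) -> bool:
    """Asset discovery: is this process a JVM?"""
    return bool(JAVA_LAUNCHER.search(cmd.split()[0]))


def log4j_core_versions(cmd: str) -> List[Version]:
    """Versions of every log4j-core jar named on the command line (pre-release suffixes ignored)."""
    return [(int(a), int(b), int(c or 0)) for a, b, c in LOG4J_CORE_JAR.findall(cmd)]


def is_affected_by_log4shell(v: Version) -> bool:
    """2.x below 2.15.0 is affected unless it sits on a patched backport branch."""
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    return not any(v[:2] == fixed[:2] and v >= fixed for fixed in BACKPORT_FIXES)


def triage(ps_text: str) -> List[Finding]:
    findings = []
    for pid, cmd in parse_ps(ps_text):
        if not is_java(cmd):
            continue  # only JVMs can load log4j-core, so skip everything else
        versions = log4j_core_versions(cmd)
        if not versions:
            # Fat jars and app servers bundle log4j inside other archives; the
            # command line cannot clear them, so they need jar inspection.
            status = "unknown"
        elif any(is_affected_by_log4shell(v) for v in versions):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append(Finding(pid, status, versions, cmd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PS):
        print(f"pid {f.pid:>5}  {f.status:<10}  {f.versions or 'no log4j-core jar on command line'}")
```

The "unknown" bucket is the important one in practice: a `java -jar service.jar` process may well embed a vulnerable log4j-core, and the `-Dlog4j2.formatMsgNoLookups=true` flag on the patched process is recorded only as context, since a flag on the command line is not the same as a fixed library.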

Threat Hunting for Log4shell indicators  

The SOC team immediately began threat hunting for indications of the exploit across the entire customer base, including customers who do not use Oversight monitoring. To aid the hunting, the team drew on data from a number of first-party and third-party sources. This included partnering with the F5 Silverline WAF to obtain a list of IP addresses with known IOCs for Log4shell. The team continues to actively threat hunt around this vulnerability, updating its efforts as new information comes out.

Exploit monitoring 

The SOC team is also able to use four existing rules in the platform, in combination with threat hunting, to monitor customer environments for severity 1 alerts that indicate malicious activity. In this case, such alerts could indicate post-exploit impact from Log4shell on a customer host. Based on the telemetry collected from customers and the continuing threat hunting, the team has tuned the rule set to detect these impacts even more precisely.

Threat Stack has been able to arm our customers with a lot of data to detect signs of Log4shell. The team is always available to help customers, and specifically to work through any inquiries related to Log4shell. So far this has included interpreting our threat hunting findings, reviewing notifications customers may have received from other sources, and tuning rules in their environments.

We’re available to help any organizations dealing with the Log4j vulnerability, or even talk through how we can help ahead of the next vulnerability that may hit. If you would like more details on our Log4shell efforts, or just want to explore our Application Infrastructure Security capabilities, reach out to us today and we can find some time to discuss.