Detecting the Log4j Exploit – December 2021

Using Network Visibility for Cyberthreat Hunting and Detection and Response

Detecting the indicators of compromise from cyberattacks such as the current Log4j exploit requires knowing what penetrated your network and its perimeter defenses. It also requires knowing what is executing within your IT infrastructure. Network packet data reveals this information to the SOC and SecOps team through manual threat hunting, automated detection and response (e.g., NDR, XDR), and SIEM. This knowledge is obtained by reliably monitoring and analyzing network traffic, which is what the cPacket Networks visibility fabric does.

Streamed and stored network packets, plus the KPIs derived from them, reveal the underlying security, health, and performance of enterprise networks. Our cVu® NG Network Packet Brokers have the unique ability to analyze every packet on every port using our custom hardware acceleration, which helps detect attacks such as the Log4j exploit.

How to Hunt for the Log4j Exploit in Your IT Infrastructure

To hunt for the exploit, use any of our cVu NG NPBs and the cClear® Analytics Engine and follow the steps below to detect an infection and, if necessary, take follow-on remediation actions.

Typical deployments place the cVu NG at strategic vantage points, acquiring network packets via network taps installed there. With this deployment approach, our customers can follow the steps below to understand immediately whether this vulnerability impacts them:

1) Access the cClear User Interface and select Fixed Filters

   a. Create four individual filters using the strings below:

      1 – \$\{jndi\:
      2 – \$\{jndi\:ldap
      3 – \$\{jndi\:rmi
      4 – \$\{jndi\:dns

   b. Select Ignore Case

   c. These filters should be applied to the ports you want to analyze. In this example, we recommend “All Smart Ports”.

   d. Enabling the Filter will allow it to be provisioned on “All Smart Ports” across all cVu NG devices connected to the cClear.

      1 – It’s automatically running!

2) Jump into the Dashboards Menu on cClear

   a. Select the Smart Filter Details Dashboard

   b. Select the required Devices, Port Groups, and then the filters you created, based on the names you entered.

   c. This will immediately show whether any packets are being seen on these filters.

NOTE – The Filters were modified to show that our network is under attack.  This is only for the purposes of this article and has been put back to correctly track the Filters created above. 😊

3) For ongoing alerting there are several options.

   a. For all cVu NG devices – cClear – Edit the Dashboard and enable the Alert Tab

      i – A specific Notification Channel can be configured via Grafana in the Alerting Menu.

         1 – Options include Slack message or Syslog etc.

   b. For specific cVu NG device/ports – cVu – Leverage the built-in Analytics capabilities

      i – Jump to the Config Status and adjust the Thresholds

      ii – Access the Alerts Page and enable sending the alert to Syslog or another SIEM platform.

Wrap-Up

This visibility, observability, and underlying data are always available when using our visibility fabric, analytics, dashboards, and powerful search, which together facilitate manual threat hunting and automated detection and response.

If you find Log4j exploit attempts, or any other active attack, in your infrastructure, you should alert your security team. If you need assistance following the instructions provided in this blog, reach out to the cPacket Networks support team via the customer portal. Also, contact us if you are not sure which of our NPBs are “Next Generation” (NG).

If you are not currently a customer and would like to know more about how you can best secure and assure the performance of your organization’s IT infrastructure now or during a future vulnerability, please reach out via our website: https://www.cpacket.com