Visibility into agencies’ digital terrain is key to identifying Log4j vulnerabilities

From industry to government agencies, the impacts of the Apache Log4j vulnerability have been felt globally. The U.S. public sector has become especially vulnerable due to the magnitude of applications within agencies’ networks, its lack of resources and funding, and its involvement in escalating foreign conflicts.

The Cyber Safety Review Board (CSRB) established by Executive Order 14028, Improving the Nation’s Cybersecurity (May 12, 2021), recently released a report into the Log4j vulnerability, and included 19 recommendations. Before agencies can begin considering these recommendations and addressing vulnerabilities, it is critical that they gain full, accurate visibility into their digital terrain to determine their baseline.

Without this understanding of all the systems in play, agencies can’t confidently identify those that are vulnerable. Visibility must also be continuous to provide agencies with real-time awareness of the vulnerabilities on the network. Once this baseline is determined, then agencies can begin to implement the recommendations in the report and determine their next steps to mitigate future exploitation.

Through programs such as Comply-to-Connect (C2C) and Continuous Diagnostics and Mitigation (CDM), government agencies have access to resources that can provide full visibility into its digital terrain. From there, agencies should zero-in on specific recommendations made by the CSRB:

• Recommendation 6: “develop the capacity to maintain an accurate IT asset and application inventory,” should be one of the first recommendations considered, as agencies can’t reach vulnerable systems until they have a complete and continuous inventory of all hardware and software found within their network.
• Recommendation 5: “organizations should invest in capabilities to identify vulnerable systems.” Threat hunting programs can help agencies proactively identify risks, enable accelerated incident response, and adopt a mature security posture. These capabilities are critical to keeping agencies continuously operational and as a result, limiting the impact of vulnerabilities on the agency’s mission. The ideal threat hunting tool should also include credential scanning. Having full visibility into the digital terrain can help agencies identify threats, including default credentials and insecure authentications. These tools can take that capability a step further by providing automated asset management and monitoring across their network.
• Recommendation 12: “improve software bill of materials (SBOM) tooling and adoptability.” SBOMs include a list of code and versions found within applications to help expedite the identification of software packages within the network. The need for SBOMs was first demonstrated in the SolarWinds attack, as attackers breached supply chains software and released compromised SolarWinds binary and credentials. Damages from attacks like SolarWinds can be minimized with the use of SBOMs, when properly developed and maintained by contractors and agencies.

Developers and contractors often experience high team turnover, which can lead to SBOMs incorrectly tracking version changes. Agencies therefore must correctly leverage the SBOM provided for it to help them to identify vulnerabilities found within their systems. This issue has become more prevalent as the code for systems and application on which the government depends has evolved from traditional servers to web-based servers and now to the cloud.

SBOMs can also help the government at large identify existing vulnerabilities, but this can’t be achieved if all agencies don’t have SBOMs for their applications. As agency CIOs consider this recommendation, they must push contractors and original equipment manufacturers (OEM) to provide SBOMs and vulnerability information when available.

When implementing these capabilities, agencies should carefully consider security gaps that could be left by some CSRB recommendations, such as point-in-time vulnerability scanning, which inherently misses devices that are transient. If agencies don’t act on these new recommendations, the impact of vulnerabilities such as Log4j will remain unknown, and potentially catastrophic. To ensure maximum data collection and impact of a cyberattack, bad actors won’t immediately cause maximum damage to agencies systems once they gain access, but instead come in, perform reconnaissance, and exfiltrate data. Due to agencies’ lack of resources, it is critical for them to maximize the utility of existing programs and tools that automatically and passively scan for compromised devices to help stop these bad actors before they attack.

To help prevent the unknown impact of vulnerabilities, the public sector must also leverage their vendor community, contractors, OEMs and software and hardware providers to offer agencies information on existing vulnerabilities and SBOMs for all applications. This intel should be shared across government to keep all agencies informed and protected to fully implement their missions.

The recommendations in the CSRB report provide agencies with detailed guidance to lead their efforts in securing their network and identifying vulnerabilities, but none of these practices will be effective without first having visibility into their digital footprint.

Shawn Taylor is the vice president of threat defense at Forescout.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.