Cybersecurity and Infrastructure Security Agency officials are hailing an “extraordinary” federal response to a critical vulnerability in widely used software, while also warning that remediation efforts are far from over.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said as of Monday, no agencies are known to have been compromised by the vulnerability in the Java “Log4J” library. The exploit, called “Log4Shell,” was discovered in early December.
CISA issued an emergency directive requiring agencies to patch or mitigate all known instances of internet-connected applications with Log4J by Dec. 24. Goldstein said agencies have remediated “thousands of vulnerable internet-connected assets” on their networks.
CISA also called in the Department of Homeland Security’s Vulnerability Disclosure Platform, which is provided through BugCrowd, to find instances of Log4J on DHS networks.
Goldstein said researchers discovered 17 previously unidentified assets that were vulnerable to Log4Shell.
“We have seen extraordinary attention on this vulnerability across federal agencies,” Goldstein said in a call with reporters. “I think, frankly, the most dedicated focus that we have ever seen for an effort like this.”
But Goldstein also said the vulnerability will have a “long tail of remediation,” as it affects hundreds of millions of devices around the world. CISA has set up a page dedicated solely to Log4J remediation guidance.
“We do know that particularly for smaller or medium-sized agencies, the resources to mitigate this vulnerability may be extensive,” he said. “And so we are working with individual agencies and across government to ensure that they are making progress in remediating any assets that are currently unaddressed, both by patching or by deploying alternate mitigation measures that we prescribed in our directive.”
Officials said attackers may be using Log4Shell to gain access to a victim’s networks, but are waiting to exploit the access until attention on the issue has died down.
“We do expect Log4Shell to be used in intrusions well into the future, and for this reason, we are remaining focused on driving remediation of vulnerable assets for months to come,” CISA Director Jen Easterly said. “And in driving adoption of strong security practices like zero trust architecture that will help detect and limit the impact of potential intrusions.”
Goldstein also noted CISA is urging organizations to use a “persistent hunting model where they are heightening detections, lowering alert thresholds for any assets or networks upon which vulnerable products are running.”
CISA is working through its Joint Cyber Defense Collaborative to get more information about how Log4Shell is being exploited. JCDC was established last summer as a public-private cybersecurity planning organization. Several major cloud providers, telecommunications companies and cybersecurity firms are involved in the collaborative.
Easterly said CISA is in “constant communication” with the cybersecurity vendors involved in JCDC.
The exploit has also put fresh urgency behind the Biden administration’s push to use Software Bills of Material, or SBOMs, to improve federal cybersecurity. An SBOM is “a nested inventory for software, a list of ingredients that make up software components,” according to the National Telecommunications and Information Administration.
President Joe Biden’s cybersecurity executive order from last May directed CISA and other lead agencies to consider how to use SBOMs across government purchases.
Goldstein said using SBOMs is among the core actions CISA believes will help avoid future “Log4J” scenarios by ensuring agencies can understand and prioritize vulnerable software in their environments.
“We are very much in the operationalization phase at this point, focusing both on how can we drive adoption of SBOM for federal agencies and federal vendors, and then more broadly for critical infrastructure and the broader community as a whole,” Goldstein said.
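To make concrete how a "nested inventory" helps an agency find and prioritize vulnerable software, here is an added example that is not code from the article, CISA or NTIA. It walks a small SBOM that loosely follows the CycloneDX JSON shape (a top-level "components" list where each component may carry its own nested "components"), reports every Log4j core library sitting below a fixed-version threshold, and ranks assets by how many findings they carry. The sample SBOMs, the asset hostnames, the component name "log4j-core" and the FIXED_VERSION threshold are all assumptions or constructed placeholders; the real threshold should come from the CISA Log4j guidance page.

```python
"""Walk nested SBOMs and flag Log4j components needing remediation.

Added example; not code from the article, CISA or NTIA. The SBOMs below are
constructed for illustration and loosely follow the CycloneDX JSON layout.
"""
import re
from typing import Dict, Iterator, List, Tuple

# ASSUMED placeholder threshold: replace with the fixed version CISA's guidance lists.
FIXED_VERSION = "9.9.9"

# ASSUMED component name to look for; real SBOMs may also carry a purl field.
TARGET_COMPONENT = "log4j-core"

# Constructed sample: two internet-facing assets, one with a vulnerable library
# buried two levels deep inside a vendor package.
SAMPLE_SBOMS: Dict[str, dict] = {
    "portal.example.gov": {
        "components": [
            {"name": "vendor-app", "version": "3.1.0", "components": [
                {"name": "spring-boot", "version": "2.5.0", "components": [
                    {"name": "log4j-core", "version": "2.0.0"},
                ]},
            ]},
        ]
    },
    "api.example.gov": {
        "components": [
            {"name": "log4j-core", "version": "9.9.9"},
            {"name": "jackson-databind", "version": "2.12.0"},
        ]
    },
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable 3-tuple.

    Only the leading digits of each dotted part count; missing parts are 0, so
    '2.0' and '2.0.0' compare equal instead of '2.0' sorting lower.
    """
    parts: List[int] = []
    for piece in v.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def walk(components: list, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], str, str]]:
    """Yield (path, name, version) for every component, recursing into nested lists."""
    for comp in components:
        here = path + (comp["name"],)
        yield here, comp["name"], comp.get("version", "")
        yield from walk(comp.get("components", []), here)


def find_vulnerable_log4j(sbom: dict, fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (dependency path, version) for each log4j-core below the fixed version."""
    threshold = parse_version(fixed)
    return [
        ("/".join(path), version)
        for path, name, version in walk(sbom.get("components", []))
        if name == TARGET_COMPONENT and parse_version(version) < threshold
    ]


def prioritize(sboms: Dict[str, dict], fixed: str = FIXED_VERSION) -> Dict[str, List[Tuple[str, str]]]:
    """Map asset -> findings, keeping only affected assets, most findings first."""
    findings = {asset: find_vulnerable_log4j(sbom, fixed) for asset, sbom in sboms.items()}
    affected = [(asset, hits) for asset, hits in findings.items() if hits]
    affected.sort(key=lambda kv: -len(kv[1]))
    return dict(affected)


if __name__ == "__main__":
    for asset, hits in prioritize(SAMPLE_SBOMS).items():
        for dep_path, version in hits:
            print(f"{asset}: {dep_path} ({version}) needs remediation")
```

The point of recursing rather than scanning only top-level entries is that the vulnerable library is usually a transitive dependency of a vendor product, which is exactly the case a flat package list misses. Feeding the output into the "persistent hunting" model described above is then a matter of lowering alert thresholds on the assets this returns.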