CISA: Log4j threat will linger for years—so be prepared

Log4Shell, the critical, remotely exploitable hole in the Log4j open source library sent shockwaves around the world when it was first disclosed in December, 2021. But it may not have produced as many dire outcomes as initially projected, a new report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has found.

In its first major report, CISA's Cyber Safety Review Board (CSRB) said its analysis of the fallout from the December, 2021 disclosure of Log4Shell found no evidence of significant cyberattacks stemming from the widespread vulnerability - despite ample evidence of scanning, and attempts to exploit the hole. 

The surprising statement came in a 52-page report assessing the impact of Log4j, released on July 11. "Given the scale of use of Log4j, the ease of exploiting the vulnerable feature, and widespread reporting on the vulnerability, the Board expected to find during its review that the vulnerability had a significant impact on the safety of the digital ecosystem," the report reads. "However...the Board did not learn of any significant attacks impacting organizations, including attacks on critical infrastructure." 

But the report cautions that the lack of conclusive evidence of attacks shouldn't be taken as proof that attacks didn't occur. Indeed, the lack of evidence may be attributable to weaknesses in the systems for reporting and tracking malicious cyber activity.

Spotty tracking of Log4Shell attacks

Among the factors complicating the Board's work: the lack of an "authoritative source from which to understand exploitation trends across geographies, industries, or ecosystems;" a lack of reliable reporting from organizations that may have been the victim of Log4Shell exploits; and noisy data in which scanning by governments, security companies and other "white hat" actors is indistinguishable from scanning by malicious actors. 

With no central repository of information about Log4j-related breaches and no mandatory reporting requirements, CSRB and others were left guessing at the actual impact of the Log4j vulnerability on businesses and other organizations. 

Log4Shell: Get used to it

Going forward, CSRB recommended that organizations remain vigilant to the risk posed by Log4Shell "for years to come." At the same time, CISA needs to expand its capability to develop, coordinate, and publish authoritative cyber risk information, the CSRB report argues.

Many of CSRB's recommendations amount to "basic blocking and tackling." Organizations should invest in capabilities like vulnerability management, patch management and improved information technology (IT) asset and application inventories.

Focus on secure software development

But CSRB's report foresees a bigger role for development organizations as well. The Board recommends that development organizations ramp up their secure software development practices. That includes steps like adopting standard practices and technologies to build secure software in accordance with frameworks like  ISO 27034:2011160 and NIST’s Secure Software Development Framework.

CSRB also recommends that code maintainers formalize communications around security issues and take advantage of source code scanning and tools that provide software maintenance status and versions to heighten their situational awareness of applications and software used within the environment. Finally, organizations should embrace  Software Bill of Materials (SBOM) tooling, CSRB said.

Want to learn more? Get the full CSRB report, Review of the December 2021 Log4j Event here.