The United States Cybersecurity and Infrastructure Security Agency (CISA) has released the first report of the Cyber Safety Review Board (CSRB), formed in February pursuant to President Biden’s May 2021 Executive Order on Cybersecurity. The public-private board includes top cybersecurity officials from the federal government and select information security professionals from the private sector.
The board’s first task was to look into the Log4j crisis that emerged late last year. The crisis centered on a vulnerability in the open-source, Java-based Log4j logging utility used by tens of thousands of organizations worldwide. The flaw allowed attackers to execute code remotely on the servers running the vulnerable applications.
The CSRB thoroughly reviewed public reports, conducted interviews, sent information requests to 60 organizations, and met with representatives from 40 organizations to produce a detailed 52-page report. The report lays out the facts surrounding the Log4j crisis, presents findings and observations, and offers recommendations on how organizations can address persistent Log4j risks and better position themselves against similar vulnerabilities in the future.
The board’s work has been difficult because of the chaotic and evolving nature of the crisis. As the report notes, “unlike comparable studies of incidents in other industries (such as transportation), we had no accident site or damaged vehicle to inspect, no stress testing to perform on faulty equipment and no wiring diagrams to review.” Additionally, “The Log4j event is not over. Log4j remains deeply embedded in systems, and even in the short time available for our review, community stakeholders have identified new compromises, new threat actors, and new learning.”
The crisis began on November 24, 2021, when a security engineer from the Alibaba Cloud Security team in the People’s Republic of China (PRC) reported a vulnerability in Log4j’s Java Naming and Directory Interface (JNDI) feature to the Apache Software Foundation (ASF). Despite public reports to the contrary, no evidence was found that the flaw had been maliciously exploited before December 9, when exploitation began.
The Chinese government informed the CSRB that Alibaba notified the Ministry of Industry and Information Technology (MIIT) of the vulnerability on December 13, 2021, 19 days after Alibaba’s engineer reported it to ASF and 17 days after the period stipulated in Article 7.2 of the MIIT regulations on managing network product security vulnerabilities, which would have required Alibaba to report vulnerabilities in its products incorporating Log4j. Additionally, multiple media outlets reported that MIIT suspended Alibaba from a cybersecurity threat information sharing platform partnership for not promptly reporting the Log4j vulnerability to MIIT, which the CSRB could not confirm.
According to the report, “the pace, pressure and publicity compounded the defensive challenges.” As a result, researchers discovered additional vulnerabilities in Log4j, contributing to confusion and “patch fatigue”, and “responders struggled to find authoritative sources of information on how to fix the issues. This frenetic time has resulted in one of the most intensive cybersecurity community responses in history.” At the same time, responders were beset by information overload, with reports of the event coming from a variety of sources.
The few organizations that responded effectively to the event “understood their use of Log4j and had technical resources and mature processes in place to manage assets, assess risk, and mobilize their organization and key partners to action. Most modern security frameworks call these capabilities best practices.”
Log4j exploitation was lower than expected
The board says it is not aware of any significant Log4j-based attacks on critical infrastructure systems, and “generally, exploitation of Log4j has occurred at lower levels than many experts had expected, given the severity of the vulnerability.”
A fog still hangs over the event as “No authoritative source exists to understand exploitation trends across geographies, industries or ecosystems. Many organizations do not even collect information on exploitation specific to Log4j, and reporting is still largely voluntary. But crucially, the Log4j event is not over.”
The ongoing nature of the event leads the board to conclude that Log4j is an “endemic vulnerability and vulnerable instances of Log4j will remain in systems for many years to come, possibly a decade or more. Significant risk remains.”
How Organizations Can Manage Persistent Log4j Risks
The most significant section of the report offers 19 detailed recommendations on how organizations can address persistent Log4j risks and improve their cybersecurity operations. It groups them under the following four themes:
- Addressing persistent Log4j risks: promoting continued vigilance in resolving Log4j vulnerabilities over the long term. Among the steps outlined in the report are:
  - Organizations must be prepared to address Log4j vulnerabilities for years to come.
  - Organizations should continue to report (and escalate) Log4j exploitation observations.
  - CISA should expand its ability to develop, coordinate, and publish authoritative cyber risk information.
  - Federal and state regulators should drive the implementation of CISA guidance through their regulatory authorities.
- Driving existing best practices for security hygiene: adopting industry-accepted practices and standards for vulnerability management and security hygiene. The steps under this recommendation are:
  - Invest in capabilities to identify vulnerable systems.
  - Develop the ability to maintain an accurate inventory of computing resources and applications.
  - Have a documented vulnerability response program.
  - Have a documented process for disclosing and handling vulnerabilities.
  - Software developers and maintainers must implement secure software practices.
- Building a better software ecosystem: driving a transformation of the software ecosystem toward a proactive vulnerability management model:
  - Open source software developers should participate in community security initiatives.
  - Invest in training software developers to build secure software.
  - Improve tooling and software bill of materials (SBOM) adoptability.
  - Increase investment in open source software security.
  - Pilot open source software maintenance support for critical services.
- Investing in the future: researching the cultural and technological shifts needed to address the nation’s digital security:
  - Explore a baseline requirement for software transparency for federal government vendors.
  - Examine the effectiveness of a Cyber Security Reporting System (CSRS).
  - Explore the feasibility of creating a Software Security Risk Assessment Center of Excellence (SSRACE).
  - Investigate the incentive structures needed to create secure software.
  - Establish a government-coordinated task force to improve the identification of software with known vulnerabilities.
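The two security-hygiene steps above, identifying vulnerable systems and keeping an accurate inventory of applications, were where many responders struggled in December 2021, because Log4j was frequently bundled inside other archives rather than installed as a visible package. The script below is an added example and is not code from the CSRB report, CISA or this article: it walks a directory tree, reads the Maven pom.properties that log4j-core ships inside its JAR to recover the exact version, recurses into nested archives (such as a JAR inside a WAR's WEB-INF/lib), and flags every instance below a minimum version the operator supplies. The sample deployment it builds and all version numbers in it are constructed placeholders, and the minimum safe version is an assumed parameter that should be taken from the current Apache advisory, not from this example.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata that log4j-core ships inside its own JAR; the "version=" line
# there identifies the artifact even when the JAR file has been renamed.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.17.1' (or '2.0-beta9') into a comparable tuple of ints."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly lower than version string b."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def _scan_archive(zf, location, findings):
    """Record a log4j-core found in this archive, then recurse into any
    archive nested inside it (WEB-INF/lib/*.jar in a WAR, JARs in an EAR)."""
    names = zf.namelist()
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        findings.append((location, m.group(1).strip() if m else "unknown"))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # named like an archive but is not one; skip it
            with inner:
                _scan_archive(inner, location + "!/" + name, findings)


def inventory_log4j(root):
    """Walk a directory tree and return [(location, version)] for every
    log4j-core artifact, including those buried inside other archives."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, str(path.relative_to(root)), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def flag_outdated(findings, min_safe):
    """Keep entries older than min_safe, plus any whose version is unreadable,
    since an unknown version must be treated as unverified, not as safe."""
    return [(loc, ver) for loc, ver in findings
            if ver == "unknown" or version_lt(ver, min_safe)]


def _write_zip(path, entries):
    """Write a small archive for the constructed sample; entries is {name: bytes}."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed sample deployment. The versions are placeholders and do not
    correspond to any real advisory threshold."""
    root = Path(root)
    (root / "app" / "lib").mkdir(parents=True)
    _write_zip(root / "app" / "lib" / "log4j-core-old.jar",
               {POM_PROPS: b"version=2.1.0\n"})
    # A WAR bundling its own, newer log4j-core under WEB-INF/lib.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, b"version=2.9.9\n")
    _write_zip(root / "app" / "site.war",
               {"WEB-INF/lib/log4j-core.jar": inner.getvalue(),
                "index.html": b"<html></html>"})
    _write_zip(root / "app" / "lib" / "other.jar", {"a/B.class": b"\xca\xfe"})


def demo(min_safe="2.5.0"):
    """Build the constructed tree, inventory it and return the flagged entries.
    The default threshold is an assumed placeholder, not an advisory value."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return flag_outdated(inventory_log4j(tmp), min_safe)


if __name__ == "__main__":
    for loc, ver in demo():
        print(f"OUTDATED {ver:>8}  {loc}")
```

In a real deployment, point `inventory_log4j` at application roots rather than a temporary directory, and feed the resulting list into the asset inventory so that each finding carries the host and the nested path where the library actually lives; the recursion into nested archives is what catches the copies a package manager never sees.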
The CSRB report received strong positive reviews from industry and from the head of the department under which CISA operates. “The Cyber Safety Review Board’s report on Log4j is a detailed account of what happened in December 2021, and we applaud its constructive analysis,” said Dan Lorenc, a former Google security engineer and now CEO of Chainguard, in a written statement. “The report is packed with specific information and ideas on what can be done to prevent or mitigate the next Log4j.”
Department of Homeland Security Director Alejandro N. Mayorkas said, “CSRB’s first-of-its-kind review has provided us – both government and industry – with clear and actionable recommendations that DHS will help put in place to strengthen our cyber resilience and advance the public-private partnership so vital to our collective security.”
Copyright © 2022 IDG Communications, Inc.