Log4Shell Rapid Response 1-Page Emergency Checklist of What to do First

LOG4SHELL RAPID RESPONSE - IF THERE’S NO TIME and RESOURCES ARE SCARCE! 

What to do if you’re unable to do anything else, if resources are scarce and situation is critical: 

1. Assign a team as large as can be spared and dedicate them to the effort.  Focus immediately on: INTERNET-FACING SERVERS first (DMZ, bare metal on prem and virtual, containers, cloud-based) tackling externally facing servers and devices first, Apache servers foremost.  See: https://logging.apache.org/log4j/2.x/download.html

  • Then move to critical internal servers when ableDon’t try to tackle everything all at once.  Focus on what’s most important first.  

2. Keep Antivirus, EDR and IDS/IPS and NGFW (Next-gen firewalls and WAFs) up-to-date and check these and SIEM / UEBA / Other tools for indicators of compromise in the network & related to Log4J - Log4Shell.  Respond per normal incident response process, eradicate/clean, lock down and patch those initially exploited assets) - as soon as possible!

3. Use Existing Vulnerability Management and Scan Tools like Rapid7, Qualys and Tenable to detect Log4J Vulnerabilities & determine most critical – patch soonest (external first, then internal)

4. Check customer vendor portals for your products and what to do or look for related to Log4Shell and heed.  Contact your security product and IT vendor representatives for any help.

5. Use the following website as a concise list to tackle things and assign critical tasks by IT function and by deadline as seen here: https://ciso.uw.edu/2021/12/10/apache-log4j-patch-now/ 

6. Use My Playbooks 2A and 2B (coming soon) and - for now - the CISA or ASD sites for critical info on where to go deeper https://www.cisa.gov/uscert/ncas/alerts/aa21-356a and https://www.cyber.gov.au/acsc/view-all-content/advisories/mitigating-log4shell-and-other-log4j-related-vulnerabilities  and ...

7. Determine other critical systems and begin patching (internal if external is done) - have a team start to look at all systems and longer-term strategy.  Use a scan tool such as Trend's or other to help: (I make no guarantees in any links herein; use completely at your own risk!) - https://github.com/NCSC-NL/log4shell  (see all available items including "scanning")

8. Mentor – coach – communicate and support others.  Use teamwork, be resilient, and avoid burn out!  Use my playbooks to tackle systematically with less friction!  (2A and 2B - coming soon)

An excellent resource (slides()worth looking at go understand this one better:

https://github.com/NCSC-NL/log4shell/blob/main/detection_mitigation/Log4Shell%20for%20OES.pdf

#RCE #Log4Shell #Infosec #Cybersecurity. - CYBER Y'ALL! - @CyberYall

Comments

Post a Comment

Popular posts from this blog

Slay the Log4Shell Dragon TEAM 2 - Hunt and Detect Attacks Playbook

Image
Slay the Log4Shell Dragon Playbook TEAM 2 – Hunt and Respond Playbook Struggling with how to tackle the Log4J / Log4Shell Dragon and low on resources? First, as I've said before, start with my “ RAPID LOG4SHELL RESPONSE 1-PAGE CHECKLIST ” to begin immediate actions to tackle this issue.  In that 1-pager, I provide concise guidance to get started quickly.   However, for medium and larger sized companies, this approach might not be enough , although it is a great and immediate start.   Simply patching alone will likely not meet the expectations in the case of the Log4J / Log4Shell vulnerabilities, if there is a breach.  A more comprehensive approach is required to reduce risk.  I’ve therefore put this playbook together to help go above and beyond just a patching-based approach and hope it proves useful.   My goal was to provide something that would help ensure a high enough level of due diligence for risk reduction of this issue.   In this article I’ll provide a TEAM 2 PLAYBOOK o
Read more

Slay the Log4Shell Dragon TEAM 1 - Protect and Detect Vulns Playbook

Image
Slay the Log4Shell Dragon Part 2A - TEAM 1 -  Immediate Protection and Detection Struggling with how to tackle the Log4J / Log4Shell Dragon and low on resources? First, start with my “ RAPID LOG4SHELL RESPONSE 1-PAGER - 8 STEP CHECKLIST ” to begin immediate actions to tackle this issue.  In that 1-pager, I provide concise guidance to get started quickly.  However, for medium and larger sized companies, this approach might not be enough, although it is a great and immediate start.   Simply patching alone will likely not meet the expectations in the case of the Log4J / Log4Shell vulnerabilities, if there is a breach.  A more comprehensive approach is required to reduce risk.  I’ve therefore put this playbook together to help go above and beyond just a patching-based approach and hope it proves useful.   My goal was to provide something that would help ensure a high enough level of due diligence for risk reduction of this issue.   In this article I’ll provide a TEAM 1 PLAYBOOK of recomm
Read more

Keys to Working Smarter Not Harder in Cybersecurity Part 5 of 5

Image
Welcome to the last in the series - part 5 of a  discussion about working smarter not harder in cybersecurity.   We'll look at: How to tackle the huge tasks with bite-sized chunks and baby steps  What to do instead of trying to defend everything despite competing priorities Baby Steps and less is more  It’s been said that a long journey begins with a single step.  It’s also been said that to eat a large steak, you have to do it one bite at a time.  Remember the movie “What About Bob?”  Baby steps folks.  Small incremental progress in important things like low-hanging fruit is key.   A “Less is More” philosophy should be a basis of a better approach in cybersecurity.  Also, “try softer” rather than “try harder” is another important strategy.  Trying too hard usually ends up backfiring and causes too much friction.  All of these things are behavioral patterns on the human and process side of things.   For example, why try to implement 30 items in a  STIG checklist  when the attack to
Read more