
Taking log4j as an example, how to evaluate and classify security risks

2022-06-11 14:36:00 | Deep learning and python

author | Owen Garrett

translator | Knowingly mountain

planning | Ding Xiaoyun

Open source software underpins the vast majority of Internet-facing applications. The availability and quality of these projects improve enterprises' capacity to innovate and help them succeed. They are a public good that deserves praise and protection.

The prevalence of open source means that any vulnerability discovered in it has a far-reaching impact. Attackers see a huge opportunity, and a large number of enterprises and users must respond quickly to identify vulnerable software instances in the applications they develop and in the third-party applications and components they use.

In fact, software vulnerabilities are very common. So how should security professionals assess the potential risk of a vulnerability and focus the organization's efforts on fixing the most important ones?

1 Establish full visibility: you can't protect what you can't see

The security team is responsible for the integrity of the entire application, including all open source components and third-party dependencies that were not written by the enterprise's own developers. A lot of work has gone into improving the security of the software development process: "shift left" initiatives and SBOMs (Software Bill of Materials) track dependencies so that the code deployed to production is as secure as possible. However, whenever a new vulnerability is published, how do you quickly identify where it is present in code that has already been deployed to production? The first step in a security program is usually to gain complete visibility into application code security across the whole CI/CD pipeline, from the build phase to the deployment phase, and across all applications and infrastructure, including running containers, Kubernetes, cloud providers, virtual machines and/or bare metal. Eliminate your blind spots so that an attack can be detected, and its damage reduced, as early as possible.

2 Focus on what matters most: exploitability and vulnerability

After gaining full visibility, organizations often see tens of thousands of vulnerabilities across a large infrastructure. However, a list of theoretical vulnerabilities is of little practical use. Of all the vulnerabilities a business could spend time fixing, the most important task is to find out which ones have the greatest impact on the security of the application, because those must be fixed first.

To find these vulnerabilities, the key is to understand the difference between vulnerability (a weakness in deployed software that an attacker can exploit to produce a particular result) and exploitability (an attack path that an attacker can use to gain an advantage).

Vulnerabilities that require privileged, local access are usually of less concern, because it is difficult for a remote attacker to obtain that attack path (unless the attacker has already gained privileged access to the local host, in which case they have an opportunity to gain further control). Of greater concern are vulnerabilities that can be triggered by factors such as remote network traffic that firewall devices do not filter, or a host that receives traffic directly from untrusted network sources.

3 Evaluate and classify potential exploits

When classifying vulnerabilities by their exploitability and deciding the order in which to fix them, consider some or all of the following criteria:

  • Severity of the vulnerability: the CVSS (Common Vulnerability Scoring System) score provides a baseline for the severity of a vulnerability and can be used to compare vulnerabilities. However, the CVSS score does not take the context of the actual application and infrastructure into account, so it falls some way short of giving an accurate picture.
  • Attack vector (network versus local system access): network-accessible vulnerabilities are often the first step in an attack, while a local-access vulnerability can only be used once the attacker is already inside the application. This means you need to immediately block any network attack path that could expose the service, and at the same time look for potential attack activity on the service nodes and take corrective measures.
  • Proximity to the attack surface: is there an attack path through which an attacker can reach and exploit this vulnerability? When considering attack paths, assume that an attacker may bypass firewalls, load balancers, proxies and other hops, and close off every such entry point as well as having developers update, test and redeploy the vulnerable application.
  • Presence of a network connection: although every vulnerability reachable from the outside deserves attention, vulnerabilities in applications with open network connectivity are the most noteworthy. Attackers usually find these vulnerabilities using reconnaissance (recon) techniques.

The key here is to add runtime context to the vulnerability data. That way you can identify the most exploitable vulnerabilities and decide which to fix first, because they pose the greatest danger to the security of the application.

Consider using open source tools such as ThreatMapper to help you identify the most exploitable vulnerabilities. As conditions change, keep running these tools so that security effort goes where it is most needed.
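The following is an added worked example of the prioritisation described in this section; it is not code from the article or from ThreatMapper. It combines the CVSS base score with runtime context (attack vector, whether the workload is Internet-facing, whether a WAF or authentication sits in front of it) to produce an exploitability-weighted risk score, and maps the result to the immediate action the section recommends. The scoring weights, workload names and CVE identifiers are all constructed placeholders.

```python
"""Rank vulnerabilities by exploitability using runtime context.

Added example; not code from the article or from ThreatMapper.
All workloads, vulnerability records, CVE ids and weights are constructed.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    internet_facing: bool   # receives traffic directly from untrusted networks
    behind_waf: bool        # a WAF filters inbound traffic before it reaches the app
    requires_auth: bool     # the exposed endpoints require authentication


@dataclass
class Vuln:
    cve: str                # placeholder id, not a real CVE number
    package: str
    cvss: float             # CVSS base score, 0-10
    attack_vector: str      # "network" or "local"
    workload: Workload


def exploitability(v: Vuln) -> float:
    """Return a 0..1 factor estimating whether an attacker can reach the flaw.

    The weights are constructed for illustration; a real programme would
    derive them from its own network and application inventory.
    """
    if v.attack_vector == "local":
        # Needs a foothold on the host first; matters only after an initial compromise.
        return 0.2
    score = 1.0 if v.workload.internet_facing else 0.5
    if v.workload.behind_waf:
        score *= 0.7
    if v.workload.requires_auth:
        score *= 0.6
    return score


def risk(v: Vuln) -> float:
    """Exploitability-weighted risk: CVSS severity scaled by reachability."""
    return round(v.cvss * exploitability(v), 2)


def recommended_action(v: Vuln) -> str:
    """Map the attack vector to the section's guidance on what to do first."""
    if v.attack_vector == "network" and v.workload.internet_facing:
        return "block network path now, then patch and redeploy"
    if v.attack_vector == "network":
        return "restrict internal reachability, patch in next cycle"
    return "check host for signs of compromise, patch on schedule"


def prioritise(vulns):
    """Highest exploitability-weighted risk first."""
    return sorted(vulns, key=risk, reverse=True)


# Constructed sample inventory: one internet-facing logging-library flaw in a
# web tier, one high-CVSS flaw on an internal service, one local-only flaw, and
# one network flaw that sits behind both a WAF and authentication.
WEB = Workload("web-frontend", internet_facing=True, behind_waf=False, requires_auth=False)
INTERNAL = Workload("internal-reporting", internet_facing=False, behind_waf=False, requires_auth=True)
BATCH = Workload("batch-worker", internet_facing=False, behind_waf=False, requires_auth=True)
API = Workload("partner-api", internet_facing=True, behind_waf=True, requires_auth=True)

SAMPLE_VULNS = [
    Vuln("CVE-PLACEHOLDER-0001", "logging-lib", 10.0, "network", WEB),
    Vuln("CVE-PLACEHOLDER-0002", "xml-parser", 9.8, "network", INTERNAL),
    Vuln("CVE-PLACEHOLDER-0003", "sudo-like-tool", 7.8, "local", BATCH),
    Vuln("CVE-PLACEHOLDER-0004", "http-framework", 6.5, "network", API),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE_VULNS):
        print(f"{risk(v):5.2f}  {v.cve}  {v.workload.name:20s}  {recommended_action(v)}")
```

Note how the 9.8 internal flaw drops below the 10.0 Internet-facing one by a wide margin, and the 6.5 flaw behind a WAF and authentication still outranks the 7.8 local-only flaw only slightly: runtime context, not the CVSS number alone, decides the order.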

4 Restrict reconnaissance activity

Attackers usually follow a prepared playbook, using the tactics and techniques documented in MITRE ATT&CK. These tactics follow the cyber kill chain model: start with reconnaissance, then mount an initial attack. The initial attack usually aims to gain limited local control, after which the attacker has many options: explore, escalate privileges, install persistent control mechanisms and reconnoitre adjacent systems in order to move laterally and find larger prizes.

The effectiveness of reconnaissance should be limited, and the first step is to determine the attack paths an attacker might take. For defence in depth, make sure every attack path is protected by filtering:

  • use a WAF to capture and discard known reconnaissance traffic;
  • use protocol- and source-based filtering to restrict which clients can reach these paths;
  • add application-level filtering:
    • ensure that each transaction is authenticated;
    • for API traffic, ensure that each transaction comes from a trusted client.

ThreatMapper can visualise the attack paths to the most easily exploited vulnerabilities, so you can decide how to close them off.
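As an added example of the layered filtering listed above (not code from the article, ThreatMapper or any WAF product), the function below evaluates a request against each layer in turn: a WAF-style signature check for known reconnaissance probes, a source-network restriction per path, an authentication check, and a trusted-client check for API traffic. The recon signatures, network ranges, token store and client names are constructed stand-ins for whatever a real deployment uses.

```python
"""Layered request filtering for identified attack paths.

Added example; not code from the article or from any WAF product.
Signatures, networks, tokens and client names are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    path: str
    user_agent: str
    auth_token: str = ""        # bearer token presented by the client, if any
    client_cert_cn: str = ""    # CN of the mTLS client certificate, if any


# Layer 1: WAF-style signatures for reconnaissance probes (constructed examples).
RECON_PATHS = ("/.env", "/.git/", "/phpinfo", "/wp-login.php")
RECON_AGENTS = ("example-scanner/", "constructed-probe-agent")

# Layer 2: source-based filtering, which networks may reach which path prefixes.
ALLOWED_SOURCES = {
    "/admin": [ipaddress.ip_network("10.0.0.0/8")],      # admin UI only from the corporate range
    "/api/": [ipaddress.ip_network("0.0.0.0/0")],        # API reachable from anywhere, gated below
}

# Layer 3: application-level checks (constructed token store and client list).
VALID_TOKENS = {"tok-alice"}
TRUSTED_API_CLIENTS = {"billing-service"}


def filter_request(req: Request) -> str:
    """Return 'allow' or 'deny:<layer>'; the first layer that rejects wins."""
    # Layer 1: discard known reconnaissance traffic before it reaches the app.
    if any(req.path.startswith(p) for p in RECON_PATHS) or any(a in req.user_agent for a in RECON_AGENTS):
        return "deny:waf"
    # Layer 2: restrict which sources can reach sensitive paths at all.
    ip = ipaddress.ip_address(req.src_ip)
    for prefix, nets in ALLOWED_SOURCES.items():
        if req.path.startswith(prefix) and not any(ip in n for n in nets):
            return "deny:source"
    # Layer 3a: every transaction must be authenticated.
    if req.auth_token not in VALID_TOKENS:
        return "deny:unauthenticated"
    # Layer 3b: API traffic must additionally come from a trusted client identity.
    if req.path.startswith("/api/") and req.client_cert_cn not in TRUSTED_API_CLIENTS:
        return "deny:untrusted-client"
    return "allow"


# Constructed sample traffic exercising each layer.
SAMPLE_REQUESTS = [
    Request("203.0.113.9", "/.env", "curl/8.0"),
    Request("203.0.113.9", "/admin", "Mozilla/5.0", auth_token="tok-alice"),
    Request("203.0.113.9", "/api/orders", "svc/1.0"),
    Request("203.0.113.9", "/api/orders", "svc/1.0", auth_token="tok-alice"),
    Request("203.0.113.9", "/api/orders", "svc/1.0", auth_token="tok-alice", client_cert_cn="billing-service"),
    Request("10.1.2.3", "/admin", "Mozilla/5.0", auth_token="tok-alice"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r.src_ip:14s} {r.path:12s} -> {filter_request(r)}")
```

The ordering matters: cheap signature and source checks run first so that reconnaissance is dropped before it reaches application logic, and the application-level checks only ever see traffic that has already passed the outer layers.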

5 Collect indicators of attack and indicators of compromise

Even when every effort has been made to protect the attack surface and limit visibility, attacks can still happen for a variety of reasons: zero-day attacks, supply chain compromise, shadow IT and other unmanaged assets, and so on. NVD publishes roughly 50 CVEs every day, so it is very likely that new vulnerabilities will be found in your products.

Therefore, another key line of defence is monitoring the internal network, hosts and workloads for indicators of attack (IoA) and indicators of compromise (IoC).

IoAs can include reconnaissance traffic detected from unusual sources, or network traffic that may indicate the presence of a C2C (container-to-container) network, remote telemetry or other attempted connections. IoCs indicate that a host has a problem and the attacker has already got in: abnormal process behaviour, file system access or file system modification.

It is recommended to build a "red team" function that regularly probes the application to find attack signals and their impact on the organisation. Look for tools that help you automate and manage large volumes of IoA and IoC events: minimising false positives, storing events for later analysis and, most importantly, correlating events so that you understand the characteristics of an attack and how far it has penetrated the application. With this knowledge you can deploy targeted countermeasures, block reconnaissance or attack traffic from inside or outside, and isolate compromised workloads.
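The following is an added example of the event handling this section asks for; it is not code from the article or from any Deepfence product. It takes constructed IoA (network-side) and IoC (host-side) events, suppresses IoAs from a known authorised scanner to reduce false positives, correlates the rest per host within a time window, and maps the resulting severity to the countermeasures the section names (block the source, isolate the workload). Event labels, hosts, addresses and the scanner allowlist are all constructed.

```python
"""Correlate IoA (network) and IoC (host) events into per-host incidents.

Added example; not code from the article or from any Deepfence product.
All events, hosts, addresses and thresholds are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int           # seconds since epoch (constructed)
    host: str         # workload or host the sensor reports on
    kind: str         # "ioa" (network-side signal) or "ioc" (host-side signal)
    signal: str       # short label of what was observed
    source: str = ""  # remote source address for network events


# Constructed sample events from a network sensor and a host sensor.
EVENTS = [
    Event(1000, "web-1", "ioa", "recon_scan", "203.0.113.9"),
    Event(1002, "web-1", "ioa", "recon_scan", "203.0.113.9"),
    Event(1005, "web-1", "ioa", "recon_scan", "203.0.113.9"),
    Event(1300, "web-1", "ioc", "unexpected_child_process"),
    Event(1310, "web-1", "ioc", "file_modified:/etc/cron.d"),
    Event(2000, "api-2", "ioa", "recon_scan", "198.51.100.4"),   # probe with no host-side signal
    Event(2500, "db-3", "ioc", "unexpected_child_process"),       # host signal with no observed entry path
]

# Constructed allowlist: the organisation's own authorised vulnerability scanner.
KNOWN_SCANNERS = {"198.51.100.4"}


def suppress_known(events):
    """Drop IoAs whose source is a known, authorised scanner (false-positive reduction)."""
    return [e for e in events if not (e.kind == "ioa" and e.source in KNOWN_SCANNERS)]


def correlate(events, window=3600):
    """Group events by host and rate each host by how IoAs and IoCs relate in time.

    critical: an IoC followed an IoA on the same host within `window` seconds,
              i.e. reconnaissance appears to have led to a compromise.
    high:     IoC present but no observed entry path (visibility gap).
    medium:   persistent reconnaissance (3+ IoAs) with no IoC yet.
    low:      isolated IoA.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    incidents = {}
    for host, evs in by_host.items():
        ioas = [e for e in evs if e.kind == "ioa"]
        iocs = [e for e in evs if e.kind == "ioc"]
        followed = any(0 <= c.ts - a.ts <= window for a in ioas for c in iocs)
        if ioas and iocs and followed:
            severity = "critical"
        elif iocs:
            severity = "high"
        elif len(ioas) >= 3:
            severity = "medium"
        else:
            severity = "low"
        incidents[host] = {
            "severity": severity,
            "sources": sorted({e.source for e in ioas}),
            "signals": [e.signal for e in evs],
        }
    return incidents


def countermeasures(host, incident):
    """Targeted responses per the section: block recon sources, isolate compromised workloads."""
    actions = [f"block source {s}" for s in incident["sources"]]
    if incident["severity"] in ("critical", "high"):
        actions.append(f"isolate workload {host}")
    return actions


if __name__ == "__main__":
    for host, inc in correlate(suppress_known(EVENTS)).items():
        print(host, inc["severity"], countermeasures(host, inc))
```

Running it shows web-1 rated critical (three recon hits from one source, then a new child process and a cron directory change within the window), db-3 rated high (compromise signal with no visible entry path, which is itself worth investigating as a visibility gap), and api-2 absent entirely because its only signal came from the authorised scanner.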

6 Conclusion

Log4j taught us that vulnerabilities are inevitable, but that should not stop organisations from using open source code for innovation and other valuable goals. When directing an organisation's security work, security leaders can reduce the risks associated with Log4j and the next major vulnerability by gaining full visibility into application traffic across all infrastructure, adopting a strategy that combines vulnerability assessment with prioritisation, and staying alert for signs of attack.

About the author

Owen Garrett is Director of Products and Community at Deepfence, responsible for Deepfence's open source strategy for its security technology. He brings 20 years of experience in software engineering and product leadership at companies such as Riverbed, NGINX and F5, and at Deepfence guides the company's roadmap to create an open source "security and observability" platform for cloud native applications. Before joining Deepfence, Owen led product development at NGINX, helping it become one of the most widely deployed open source projects, protecting more than 5 billion websites and sitting at the heart of countless ecosystem projects. Owen holds a number of patents in networking technology, speaks frequently at technical conferences and is a thought leader at industry events.

Original article

https://www.infoq.com/articles/assessing-security-risks/?


Copyright notice
This article was created by [Deep learning and python]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/162/202206111418149708.html