Contact
QR code for the current URL

Story Box-ID: 1095755

Rhebo GmbH Spinnereistr. 7 04179 Leipzig, Germany http://www.rhebo.com
Contact Mr Jens Pacholsky +49 341 393790191
Company logo of Rhebo GmbH

Why the BSI recommends anomaly detection to identify Log4Shell-related attacks

Recommendation aims to provide fast and effective mitigation for vulnerable and potentially compromised organizations

(PresseBox) (Leipzig, )
In its working paper »Critical Vulnerability in Log4j - Detection and Response«, the German Federal Office for Information Security (BSI) underlines the persistent and complex danger of the Log4Shell vulnerability in industrial networks as well. Patching the vulnerability in the short to medium term is considered unrealistic for many companies. For this reason, the BSI recommends continuous monitoring and analysis of network communication via anomaly detection in addition to rule-based query analysis. Industrial anomaly detection solutions, as offered by Rhebo, a Landis+Gyr Company, enable companies to detect on compromises that have already occurred, active exploits and other malicious activities in the operational technology (OT) and industrial control systems (ICS) at an early stage. The vulnerability, documented as CVE-2021-44228, allows attackers to execute arbitrary code on systems using the widespread Log4j library without authentication.

Fast and complete security patching unlikely

»Naturally, the first priority is to update all existing Log4j libraries in the company to the most recent version. However, many companies are thus embarking on the proverbial search for the needle in the haystack,« said Rhebo CTO Martin Menschner. Companies often lack clarity over which applications use the vulnerable library. Moreover, as the BSI explicitly points out, it is not sufficient to update the Log4j library via the global software management of operating systems. They stress the point that only the respective »software manufacturers who have integrated the library into their programs [can] carry out the update.« The resulting mitigation complexity is further complicated by the fact that Log4j has already been updated several times since the vulnerability became known.

In addition, according to the BSI, all known mitigation measures that affect the use of the library are currently based on disabling the problematic functionality. Systems in companies that are absolutely dependent on the functionality of the Log4j library thus run the risk of no longer being functional after implementation. Particularly companies providing critical services, for example critical infrastructures and industrial companies, find themselves in a catch-22 situation.

In addition, companies should not be lulled into a sense of security even after an update. »The Log4Shell vulnerability could already have been exploited in some companies. This means that adversaries might have already compromised IT or - via lateral movement - Operational Technology (OT) networks and established access via backdoors,« adds Martin Menschner. After all, the vulnerability has existed for over a year. And security organizations worldwide have observed a massive increase in network scans and attacks since Log4Shell officially became known in December 2021 (see also Rhebo's commentary on Log4Shell).

Anomaly detection should be a priority

For these reasons, the BSI recommends that organizations immediately implement enhanced measures to detect suspicious and malicious communications. In addition to the evaluation of request data (e.g., via web server logs), the BSI explicitly mentions anomaly detection at the network level. »This solution not only detects previously unknown attack patterns typical of zero-day vulnerabilities,« added Martin Menschner. »It also reports operations that indicate existing compromises, such as lateral movement, scans, change of functions and command structures in systems.« Rhebo's Next Generation OT Intrusion Detection offers a solution tailored specifically to Operational Technology networks and Industrial Control Systems.

The OT Monitoring observes all communication within an industrial network, while the integrated Threat and Intrusion Detection identifies any anomaly, i.e. deviation, in the communication behavior and reports it in real time. It detects any communication that is novel or unusual in the monitored network and indicative of malicious behavior - from backdoor communications, lateral movement and spoofing activities to direct interference with industrial processes. With anomaly detection, actions of adversaries within the OT network become visible, traceable, and can be mitigated in real time, even if they use previously unknown signatures or have hijacked authenticated user accounts. To get anomaly detection up and running quickly, Rhebo offers on-demand technical operational support as well as a comprehensive managed protection service. To assess the risk of whether a network compromise has already occurred, an OT risk assessment and security analysis is also recommended.

For more information on the Rhebo OT anomaly detection please visit https://rhebo.com/en/our-products/rhebo-industrial-protector/

Rhebo GmbH

Rhebo develops and markets innovative industrial monitoring solutions and services for energy suppliers, industrial companies and critical infrastructures. The company enables its customers to guarantee both cybersecurity and the availability of their OT and IoT infrastructures and thus master the complex challenges of securing industrial networks and smart infrastructures. Since 2021, Rhebo is part of the Landis+Gyr AG, a leading global provider of integrated energy management solutions for the energy industry with around 5,000 employees in over 30 countries worldwide.

Rhebo is a partner of the Alliance for Cyber Security of the Federal Office for Information Security and is actively involved in Teletrust - IT Security Association Germany and Bitkom Working Group on Security Management for the development of security standards. https://rhebo.com/

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.
Important note:

Systematic data storage as well as the use of even parts of this database are only permitted with the written consent of unn | UNITED NEWS NETWORK GmbH.

unn | UNITED NEWS NETWORK GmbH 2002–2024, All rights reserved

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.