2 min read time

ArcSight Response to Log4j (CVE-2021-44228)—targeting Cyber Attacks

by   in Cybersecurity

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j tool used in many Java-based applications was disclosed publicly on December 9, 2021. This vulnerability is also known as the Log4shell/Logjam vulnerability. When exploited, it can enable threat actors to take full control of affected systems. CVE-2021-44228 has been given the highest severity rating (10.0) by NIST. 

CyberRes continues to analyze this remote code execution vulnerability and is taking swift remediation action to help protect our customers, wherever possible. 

We would like to announce that we have the following official resources available to support customers who are dealing with this issue:

ArcSight Detection Package 

In addition to the above, a free ArcSight detection package has just been published on ArcSight Marketplace to help ArcSight customers fight Log4j-targeting cyberattacks. We strongly encourage customers of ArcSight ESM, ArcSight Logger, and ArcSight Recon to visit the page and deploy the content package. 

Apache Log4j (CVE-2021-44228) Monitoring: Special ArcSight Content Pack 

Package Details 

While more details are available on the ArcSight Marketplace page, we’d like to share some of these details here as well. The following resources are available in this package: 

For ArcSight ESM

  • Real-time detection of any suspicious activities related to Log4j-targeting attacks, using real-time threat intelligence feeds (through MISP Model Import Connector—available to all ArcSight ESM customers for free)
  • Real-time alert and search on Log4j suspicious activities detected by an IDS
  • Real-time alert and search on Log4j vulnerabilities reported by Nessus Vulnerability Analyzer solution, a supported IDS, or from webs server logs
  • These detections will fall under the following MITRE ATT&CK techniques:
    • T1190-Exploit Public-Facing Application
    • 002-Spearphishing Link 

For ArcSight Recon and Logger

  • Hunt and search queries to detect RCE attempts utilizing a variety of log sources, including Proxy events, Nessus and Snort signatures, Vulnerability Analyzer/scanner solutions, Sysmon events
  • Hunt and search queries to detect the installation of Log4j components, across the organization, utilizing Sysmon events
  • Hunt and search queries for detection of special text codefrom proxy logs’ UserAgent header fields

Conclusion 

We are excited to make this content available to our customers to help them combat this latest global cyberthreat. Please note that we will continue to update the pages mentioned at the top of this blog post with new content as it becomes available. 

Finally, we want to thank all our customers for choosing ArcSight, for sharing your feedback and experiences, and for giving us the opportunity to help keep your organizations secure. 

Labels:

Security Operations