Hunting for log4shell Compromises скачать в хорошем качестве

Hunting for log4shell Compromises

Presenter: José Ángel García Guijarro (SIA CERT, ES) The revelation on December 9th of the CVE-2021-44228 Apache log4j vulnerability (log4shell) has heavily impacted IT-teams worldwide, due to how widespread the library is, how easy is to exploit the vulnerability and the fact that public exploits where available. However, the main problem for some organizations is the fact that the exploits may have been used as early as December 1st as a 0-Day exploit by state or criminal actors. As a result of these concerns, SIA IRT team conducted two compromise assessments in different organizations, requiring tailored approaches for each one. For this task we had to developed a custom approach that involved close collaboration with the onsite security and networking staff in order to overcome the challenges of detecting a compromise in the entire organization. This presentation intends to provide an adequate representation of the issues and solutions adopted in order to scale up the retroactive detection of a successful log4shell exploitation using the tools available on each organization and how to overcome previously undetected monitoring gaps. About the Presenter Jose Angel has been working in cybersecurity since 2013 as part of CERT for entities in the financial, health and energy sectors as malware analyst and senior incident responder. Also, since 2021 as a certified forensic specialist. In his duties he has collaborated in efforts oriented towards protecting critical infrastructure collaborating with Incibe, CCN-CERT and EDA. Currently working as part of a multidisciplinary incident response team within SIA CERT (ES), helping organizations to respond and to prepare for cybersecurity incidents. Our competencies range from forensic analysis, creation of policies and procedures for incident response, compromise assessment, design training exercises to evaluate readiness of our partners. During the last two years SIA CERT (ES) has acquired extensive experience responding to company-wide incidents involving ransomware and data breaches.