Learning from the Log4j threat to prepare for the next crisis?

On 10th December 2021, the security world sprang into action as the CVE-2021-44228 vulnerability in Log4j landed on all our front doorsteps, like a lump of coal rather than an early Christmas present. Attackers are now scanning widely for the vulnerability to identify and exploit targets of interest. The range of threats leveraging this vulnerability includes opportunistic and financially motivated threat actors (for example ransomware operators), along with espionage-focused threats. IT and security professionals worldwide are fearing that they will spend their December holidays in the digital trenches.

Log4j is a Java software library (or building block) which can be built into applications to help perform logging and monitoring. Libraries such as Log4j are easy to integrate and thus widely used, across both open and closed source applications. While other vulnerabilities have come to light in 2021, such as those impacting on-premises Microsoft Exchange servers, it is the scale at which this software is used that makes Log4j particularly concerning. The potential impact of this vulnerability is severe, and in particular, some organisations may not even know that they are using Log4j in their environment. We are likely to see this vulnerability being used for some time to come, due to the complexity of identifying the vulnerability in enterprise environments and as attackers become more familiar with integrating it into their current arsenal.

Our Threat Intelligence team is tracking this threat and supporting clients with technical measures to detect and prevent threat actors from exploiting this critical vulnerability. As executives, board members and security leaders, you have the unique opportunity to determine the appropriate level of action. The first step in that process is preparedness.

How to be prepared for business vulnerabilities 

Now it's the Log4j vulnerability; next month it might be something completely different. Forewarned is forearmed. With the right information, your response to even the most drastic crisis, such as a ransomware attack, can help you weather the storm, recover and emerge stronger.

Therefore, the question arises: what can you do to prepare? In this blog we provide you with an overview from a crisis organisation perspective:

1. Understand the business impact of a vulnerability

Often there is a disconnect between the business and the IT side of the organisation. In the situation of the Log4j vulnerability, IT should, for instance, be concerned with:

  • Being aware of the infrastructure and the potential attack surface.
  • Patching the affected software and appliances where possible.
  • Limiting external access to appliances/servers where feasible. Moving these devices to a separate VLAN or other segregated network is a good start.
  • Monitoring for malicious traffic or anomalous events across the impacted appliances/servers.
  • Identifying threat actor post-exploitation behaviour.
  • If the service is not mission critical, considering shutting it down until the above recommendations can be put in place.
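The first two points above hinge on knowing where Log4j actually lives. As an added example (not code from the original post or from PwC), the Python script below walks a file system for jars that bundle Log4j's `JndiLookup` class, looking one level into wars and fat jars, and reads the version from the Maven `pom.properties` convention; the sample tree it builds is constructed for demonstration.

```python
import io, os, tempfile, zipfile

# JndiLookup.class marks a Log4j 2.x core jar carrying the JNDI lookup feature (the CVE-2021-44228 surface).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

def _version(zf):
    """Read the log4j-core version from Maven pom.properties, else 'unknown'."""
    if POM in zf.namelist():
        for line in zf.read(POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return "unknown"

def inspect_archive(zf, label, findings, depth=0):
    """Record archives containing JndiLookup.class; look one level into nested jars."""
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        findings.append((label, _version(zf)))
    for name in names if depth < 1 else ():  # fat jars / wars bundle log4j-core inside
        if name.lower().endswith(ARCHIVE_EXTS):
            inner = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(inner):
                inspect_archive(zipfile.ZipFile(inner), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Return sorted [(archive, version)] for every Log4j core jar found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in filenames):
            if path.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
    return sorted(findings)

def make_sample_tree():
    """Constructed fixture: a fake log4j-core jar, a war that nests it, and an unrelated jar."""
    root, core = tempfile.mkdtemp(), io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(POM, "version=2.14.1\n")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"")
    return root
```

Run `scan_tree("/opt")` (or any application root) to list every bundled log4j-core copy with its version; hits nested inside a war are labelled `app.war!WEB-INF/lib/...`.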

As the Board, however, you don't need to understand all the technical details of the Log4j vulnerability or other vulnerabilities like it. What you do need is to understand the business impact that such a vulnerability can have, because it is not 'just an IT party'. It is therefore of the utmost importance that you have highly skilled security professionals whom you can trust during a cyber crisis and who are able to digest and communicate the threat.

2. Have a solid but, above all, resilient crisis management organisation, including:

  • Clear roles and responsibilities
    Clear roles and responsibilities are crucial during a crisis. This means that a crisis team should be appointed, based on the right set of skills and capabilities. Not every type of crisis requires an IT/security representative, but be ready to give this person a seat at the table when the crisis is IT/security related.
    Also, be ready to have a 'devil's advocate' at the crisis response team table. This is someone who challenges the decisions that are being made, because a brain under stress may take shortcuts and focus on the short term, resulting in bad decisions. Are you really going to pay the ransom?
  • Back-up team
    From a technical point of view, it's important to have back-ups of your data and software. But this point is not about data; it is about back-up crisis management team members. A crisis may last several days or even weeks. No normal human being can make the right decisions after a stressful 12-hour shift. Therefore, make sure you have a back-up team in place that can take over.
  • Have your plans and procedures ready
    Although a crisis will always go beyond the expected, plans and procedures can serve as a solid baseline that guides you through the crisis. Have your working procedures ready, including a clear crisis definition as well as processes covering aspects such as how to activate a crisis response team (in case email or other communication platforms are not available) and communication templates.
  • Train your team & simulate
    It is crucial to have a well-trained team. When learning to drive a car, you don't drive safely after just studying the theory book. The same applies to crisis management practices. It is therefore important to periodically train the crisis management team and to run simulations, in order to rehearse quality decision-making in pressured situations and to learn about team dynamics.

3. The golden hour - the moment when there is still room for maneuver

When a ransomware crisis (or any other crisis) strikes, the golden hour is the time that organisations need to alert their key people and gather key facts about the crisis. It is crucial to take a moment to organise your crisis management team before rushing into action and making unfounded decisions. Yes, there is no time to lose in a situation such as a ransomware attack, but getting yourself organised serves as the foundation for further response procedures.

4. Act according to your organisation's values

When making decisions during a crisis, validate them against your organisation's values. Is one of your organisation's values 'teamwork'? Consider whether you have taken into account the critical but valuable comment of your security engineer. When acting according to your values, you can always explain why you made certain decisions when challenged afterwards.

5. Long term vision

Especially in a leadership position, keep in mind the long-term vision of your organisation and how short-term decisions can impact your long-term position. Your team will better understand the why of your plan when it is integral to your organisational vision and purpose.

In today's interconnected landscape, threats such as the Log4j vulnerability will continue to occur. Being prepared for the consequences and the potential crisis such threats may cause nevertheless makes you and your organisation resilient.

Pascal Huizinga

Senior Manager, PwC Netherlands

Curtis Hanson

Manager, PwC Netherlands

Sanne Amber Maas

Manager, PwC Netherlands
