Organizations should upgrade either Log4j or the applications that use this library following vendor instructions as soon as possible. If it's not possible to update them, follow the mitigations recommended by the Apache Foundation in the threat advisory.
Watch Cisco Secure and Talos experts discuss CVE-2021-44228 details, impact and steps for mitigation, an actively exploited vulnerability in Apache Log4j.
|Cisco Secure products||Apache Log4j coverage|
|Cisco Talos Incident Response (IR)||Cisco Talos Incident Response can provide proactive services such as compromise assessments and threat hunting to determine if known attacks have been exploited from CVE-2021-22448. If customers need emergency response, please call:
(44) 808-234-6353 (EMEAR)
Available at no additional cost to Cisco Secure customers.
SecureX provides a mechanism to search multiple sensors at once for evidence of any threat, including Log4j exploitation attempts. Use the browser plugin to investigate at any time, and use the workflow to automate the Log4j investigation, repeating it automatically, to check for updated information in the blog, and for new evidence in your environment.
SecureX provides visibility to customers when any of a customer's SecureX modules detect an interaction with any of the domains or file hashes known to be involved with exploits against the Log4J vulnerability. The customer is redirected to a SecureX threat response investigation of all indicators of compromise (IoCs) contained in the Talos Threat Advisory at the time of its publication. Workflows and orchestration can automate responding to future threats posted in Talos blogs.
|Cisco Secure Endpoint||Cisco Secure Endpoint rapidly detects evolving Log4j vulnerability exploits. Multiple prevention and detection techniques such as machine learning and behavioral protection block new and unknown threats. SecureX Threat Hunting and Advanced Search capabilities quickly uncover signs of exploitation attempts and post-exploitation activity such as lateral movement, suspicious command launch and others. With our built-in SecureX XDR platform, you get a fuller view of the threat landscape, automating response actions to isolate and quarantine compromised endpoints – reducing the time it takes to detect and remediate a threat.
Read Secure Endpoint blog
|Cisco Umbrella||Cisco Umbrella DNS layer security blocks any requests initiated to malicious domains that are known to be associated with this vulnerability. Cisco Umbrella’s Secure Internet Gateway (SIG) is a cloud-delivered security service that blocks users from connecting to malicious IPs, URLs, and it has multiple ways to protect against threat related activities that are associated with Log4j. It protects users while on and off the corporate network. Umbrella’s cloud delivered firewall with Snort IPS has Log4j related rules and can detect malicious activity associated with this vulnerability. Additionally, the Umbrella dashboard may be updated to provide attribution for the currently known and future IoCs related to the Log4j exploit within Umbrella's threat reporting.|
|Cisco Secure Network Analytics and Secure Cloud Analytics||Cisco Secure Network Analytics and Secure Cloud Analytics detect anomalous behaviors and issue observations or alerts when potentially malicious activity is occurring. Customers can research any prior interactions with known indicators such as IP addresses tracked by Talos and should create Custom Security Events and Watchlists to identify any future communication with the known indicators. Customers should keep a close eye on any issued detections that would indicate an attack might be underway, since the activity following this exploit can vary greatly. Potentially related detections include Suspected Cryptocurrency Activity, Watchlist Observations, Unusual Geographic Access, Lateral Movement, Data Hoarding, etc.
Read Security Analytics blog
|Cisco Secure Workload||Cisco Secure Workload delivers zero trust microsegmentation capability which enforces least privilege communication and restricts lateral movement. Secure Workload can identify processes associated with post-compromise activity based on published IoCs. An active exploit can be detected through process forensic behavior monitoring and compliance monitoring of all communications to report non-compliant connection attempts. Dynamic segmentation policy can provide targeted restrictions to further protect the environment against attack from vulnerable or compromised assets.|
|Network security||Network security appliances with IPS licensing, including Secure Firewall (Firepower Threat Defense), Secure IPS, the cloud delivered Cisco Umbrella firewall, Cisco ISR, and Meraki MX can detect malicious activity associated with the Log4J vulnerability. Snort IDs have been published. See details in our Talos blog post.
Read Network Security blog
|Cisco Secure Web Appliance||Cisco Secure Web Appliance defends against threats with multiple layers of antimalware technology and Cisco Talos threat intelligence, which is updated every three to five minutes. Every piece of web content accessed is analyzed using security and context-aware scanning engines. Cisco Secure Web Appliance analyzes traffic in real-time, breaks it into functional elements, and pushes elements to antimalware engines for inspection while maintaining high processing speed.|
|Cisco Secure Malware Analytics||Secure Malware Analytics helps identify malicious files and provides threat intelligence to all Cisco Secure products. It makes use of robust tools, search capabilities, correlations, and detailed static and dynamic analyses, as well that allow users to safely interact with samples and observe malware behavior directly. As attackers shift from identifying vulnerable hosts and applications, such as the vulnerability in Apache Lo4j, they will migrate to payloads that will be distributed through various methods such as email attachments and malicious URLs. Secure Malware Analytics is designed to capture and record the behaviors it observes from these techniques and alert users to potentially malicious files, activities and communications through direct integration with Cisco security products and 3rd party integrations.|
|Kenna Security||On Friday, 10 December 2021, Kenna saw the CVE-2021-44228 score dramatically change. The Kenna Platform helps customers identify and prioritize where CVE-2021-44228 has been detected on their network and helps security and engineering teams prioritize their remediation efforts. The Kenna vulnerability intelligence tool allows our customers to get a continual view of chatter about this vulnerability and over 40 other dynamically updated data points.|
|Secure Access by Duo||Attacks using vulnerabilities like Log4j often result in the attacker stealing credentials. Even when they are not used to establish the initial compromise, credentials play a significant role in most attacks as they allow attackers to move laterally or come back at future time. When attackers manage to gain access using a vulnerability such as Log4j, Duo MFA prevents them from accessing additional resources with those credentials. Device Trust adds an additional layer of protection by ensuring that only managed and trusted devices can access resources. Duo prevents attackers from gaining further access and coming back at will.|
|AppDynamics with Cisco Secure Application||Cisco Secure Application protects your production environment by: Identifying the runtime libraries your code is using; Detecting the vulnerabilities in those libraries; Detecting attacks while monitoring runtime behavior; and Protecting systems with policy to block runtime exploit behavior. This remote code execution vulnerability allows the attacker to run any code in your application, which could result in any number of malicious runtime behaviors such as shell command execution that could allow for complete control of your application and the underlying workload. Cisco Secure Application detect this shell command execution out of the box. It can also be configured to stop the command from executing as well as send events to your security team for further investigation.
Read AppDynamics blog.
|Latest blogs||Read the latest Cisco Secure product update blogs on how to maximize your security posture and respond to the threat:
Cisco Network Security
Cisco Secure Analytics
AppDynamics with Cisco Secure Applications
Cisco Secure Endpoint
Sorry, no results matched your search criteria(s). Please try again.
Activate incident response plans immediately for REvil - Kaseya supply chain attack.
Every Cisco Secure customer is entitled to the Cisco SecureX platform. See the value of SecureX integrations today and unlock every Cisco Secure product's full potential, speeding your investment time to value.