The year 2021 was unprecedented in the strain it placed on cybersecurity professionals. From the beginning of the year through now, incident responders and network defenders have been whipsawed by a seemingly endless array of unparalleled back-to-back security emergencies. In the words of researcher Kevin Beaumont, “We’ve reached peak cyber for 2021. Please stop cybering.”
The year started with wide-scale remediation efforts stemming from the late-2020 discovery of the state-sponsored Nobelium cyber-espionage campaign that exploited SolarWinds’ widely used Orion platform. Amid the SolarWinds clean-up, security teams had to then grapple with the exploitation of four zero-day vulnerabilities in the Microsoft Exchange Server that sparked a global wave of hacks and breaches. Ransomware gangs accelerated their attacks on healthcare, education, and business organizations, culminating in significant incidents that brought down leading U.S. oil pipeline company Colonial Pipeline and the North American operations of a major meat supplier, JBS.
Thrown into this mix of high-profile incidents were dozens of other ransomware attacks, hacks, and espionage efforts affecting government bodies, healthcare providers, educational institutions, political organizations, and human rights workers across the globe. The Biden administration responded with a series of executive orders, directives, and new requirements for government agencies and critical infrastructure providers to turn the tide of the unrelenting digital malfeasance. At the same time, Congress stepped in with legislative measures to bolster the nation’s cybersecurity posture.
Now at the tail end of this already exhausting year, vulnerabilities in the ubiquitously deployed Log4j logging utility have forced already short-staffed and stressed-out security teams in every sector across the globe to quickly deal with this latest crisis setting the internet on fire. It’s also worth noting that this latest crisis arrives just as the rapid spread of the Omicron variant of COVID-19 is creating more chaos across workplaces and likely sidelining much-needed personnel.
CSO asked cybersecurity professionals what they think about 2021’s final burst of frenetic activity and what advice they have for their peers. We also asked them how best to manage the added stress of coping with Log4j patching and remediation efforts during what many had hoped would be a relatively work-free and relaxing holiday season. Their replies below have been condensed and edited for length and clarity.
Prepare for a marathon: Claire Tills, senior research engineer at Tenable
This year, the Log4Shell flaw truly rocked the internet-connected world. The scope of the incident is hard to fathom, and it’s easy to lose the forest when staring at this particular tree. It’s like a California Redwood.
But that’s not the only issue with which defenders need to contend. Earlier in December, SonicWall and Zoho disclosed vulnerabilities that have already been exploited in the wild or have great potential to be based on past attacker behavior. This has been the worst year for ransomware to date, with access brokers, ransomware groups, and their affiliates leveraging old and new tactics and vulnerabilities to target organizations in all sectors.
Responding to Log4Shell and the associated industry-wide weaknesses it exposes will be a marathon, not a sprint, as more vendors discover dependencies of which they were formerly unaware. However, this is like adding a marathon on top of the daily obstacle course defenders are already attempting to navigate, obstacles like addressing the 120 entries in the Cybersecurity and Infrastructure Security Agency’s new Catalog of Known Exploited Vulnerabilities that were disclosed this year alone (around one-third of the total entries in the catalog so far).
On top of that, in the midst of the Log4Shell initial response, Microsoft released its final Patch Tuesday of the year, and it included a zero-day being actively exploited by attackers. No matter how you slice it, defenders are having a rough time. With only 24 hours in the day, effective prioritization and strategy are absolutely paramount.
Maintain work-life balance: Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA)
From responding to breaches like SolarWinds, to coping with the ongoing fallout of the COVID-19 pandemic, 2021 has been one of the most demanding years yet for cybersecurity professionals. And unfortunately, the discovery of the Log4Shell vulnerability, right in the middle of the hectic holiday period, means that these hard-working network defenders and incident responders won’t be able to put 2021 behind them just yet.
With a shortage of 3 million qualified professionals, the cybersecurity workforce was already under incredible stress as it is. The cybersecurity workforce is understandably feeling incredibly strained and is quickly approaching, if not already at, burn-out level. Combatting this fatigue by growing the talent pipeline has got to be one of the foremost priorities for the cybersecurity industry moving ahead. If not, the industry runs a real risk of having its talent leave for other less exhausting STEM careers.
CSOs can play a massive role in helping to alleviate some of this stress. Whether it comes to maximizing team members’ work-life balance or just being an empathetic and supportive leader, CSOs are a key cog in creating an ecosystem where their employees feel empowered and at ease, even during incredibly stressful periods.
Invest in cyber readiness: Asaf Karas, CTO of JFrog Security Research
The Log4j vulnerability has significantly affected the workloads of incident response and network defense teams. Since this vulnerability is easy to exploit and can quickly result in significant impact, organizations have had to immediately shift resources to handle and mitigate the risk. The amount of resources required to identify all the applications that are using this vulnerable component, directly and indirectly, is high effort. After the identification, the remediation and action plan also requires immediate execution.
Infosec teams are constantly challenged since attackers do not rest. We often see attackers taking advantage of weekends and holidays to launch attacks during those times that the teams are often understaffed. The approach to handle this should be with risk management and understanding that the team should be extra alert and ready to react upon an incident. To be ready for the next battle, the team needs to invest during the year in cyber readiness and preparation of swift reaction in case of a security event by leveraging the existing tools in the market that offer automation and fast reaction.
Find perspective: Andy Hornegold, product lead at Intruder
It has been an intense year! We started with the continuing panic in the wake of the SolarWinds crisis. We’ve had the ProxyShell vulnerabilities and exploitation, we’ve seen remote access solutions like PulseSecure VPNs being used to compromise networks, and the Accellion and VMware vulnerabilities. Then, along comes Log4j.
Log4Shell is one of the high-priority vulnerabilities that has everyone searching to find where they’re vulnerable, patching where they can, and adding additional protection where they can’t. So, the workload for network defenders has increased massively over the last week. While some companies have on-call staff, others might not have on-call processes in place, and you’re suddenly pulling in people who have other commitments.
Christmas is around the corner, and many people may already be on holiday. Trying to deal with Log4j was going to be difficult in any situation, but having it appear at the end of 2021 is like playing defense on hard mode. In short: It’s been a long hard week for defenders everywhere, a field day for the bad guys, and it’s just the icing on the top of 2021.
When you don’t know whether to laugh or cry, I would rather laugh. We work in totally bizarre circumstances. Step back and put it into perspective. We’re trying to find a needle in a haystack while nation-states, criminal enterprises, opportunists, and 14-year-olds in their bedrooms are all coming after us. That’s why whenever you see a major vulnerability like Log4j, the meme machine will start up, and it allows the community to bond over something in a dark time.
Thank security teams: Jim Crowley, Industrial Defender CEO
This one is more work than others. With everything else going on this year, why did this land on my desk today, a week before the holiday?
If customers have been practicing good hygiene and they have their software libraries turned on, and they’re doing their asset inventory, they will be able to quickly understand whether or not they have the issue, and then they can take some mitigation effects. The customers we talk to sort of take a deep breath and say, “ahhh…I got to go deal with this.” What it’s doing is preventing them from doing the stuff they really want to get done. All the day-to-day work comes to a stop while they have to scramble to go do this.
For management, recognize this is important work, and it’s unsung and unheralded. They need to recognize that the workers are under stress, and this is complicated stuff. Someone just stopping by and saying, “Hey, thank you for doing this. We recognize what you’re doing. We recognize this is tough.” That goes further than a lot of other things you can do to incentivize people. Go down deep into the guts and see those people who are patching systems. That is mind-numbing work, and no one gets a thank you for it.