Graylog GO logo

How To DETECT LOG4J RCE WITH GRAYLOG AND GREYNOISE

Introductions- 

Jeff Darrington:

Hey Abe, I’m glad we are here to meet today. For everyone watching, this is Abe, Graylog’s Director of Professional Services Enablement. And I’m Jeff Darrington, Senior Technical Marketing manager here at Graylog. And today we’re here to talk about this new RCE that just came out for Log4J. It appears it has major a reach in organizations and in the internet, in the connected applications on the internet. So Abe, what do you think?

Abe:

I think this vulnerability’s a big one, Jeff. Thanks for inviting me, and this one’s a doozy. I think it’s going to be kind of the same for those in the red team world, something like SMB 0867, where it’s just around for years; the long tail now on that one is it still works today in a lot of environments. And I think Log4j is going to be like that in a lot of places here, it’s going to pop up in pen tests. And then after a few years, once most of it’s been covered up. It’s going to pop up in chains of pen tests and stuff like that. So I think it’ll be around for quite a while. And yeah, it’s a doozy pretty trivial to you and in everything.

The Set-Up- 

Jeff Darrington:

So it’s interesting. We’re talking about this. As we can see in the background, we have our login screen to Graylog and it’s clear we have an integration with GreyNoise that can integrate with our logs and highlight some things here I think everyone should know if they don’t know already. It gives us a quick synopsis of what with GreyNoise.

The Walkthrough- 

Abe:

Sure. When I was first asked, Hey, if you were to look for Log4J, how would you do it? This is exactly how I spun it up in this lab. And what I’m using is a tool called GreyNoise. We have a really easy integration with it. It’s in our data tables of lookups. I’ll show you that in a second, but for now, what we’ve got is we’ve got the GreyNoise webpage, and I wanted to show you what this looks like. If I go looking for something like Log4J not even paying attention to the banner at the bottom of the page showing me, but let’s just say that wasn’t there for now. I can go look at the tags and I can type something like Log4J and this is what we’re going to actually leverage in this little bit today. So I can see the Log4J RCE attempt. I can see a long list of this threat intelligence source, GreyNoise. Who’s great threat intelligence feed in one of the first places that I saw mentioned in an article about Log4J Hey, look at the data analysis from GreyNoise, you can integrate a look up table in Graylog from GreyNoise. Despite the fact that we don’t always agree on the spelling of the word gray, but can integrate that with just your API key. So from them, you can grab these tags in your data, such as Apache log4J RCE. They’ve even leveraged with benign or malicious. Pretty much everyone watching traffic from a firewall at scale needs some sort of a threat intelligence feed and GreyNoise, a as a very great one. So if I’m looking up these tags, I can see a lot of data individually from the GreyNoise website and really nicely laid out. This is a fantastic UI, but I’ve got a few different sets of data here. If I go back to my Graylog instance, and I actually log in, take a look and I’ll show you how I leverage this in this lab environment here. So I have some firewall traffic being monitored. My first page is my indexing failures, and I see none, which is fantastic. Let’s take a look at the pipeline rules that we’re using here in this lab. If I look at the manage the rules, I look at the Log4J traffic pipeline here. Hopefully you can read that I’ll even, I’ll zoom it in a little bit. So it’s a little clearer to see, but this rule here, when you’re on the Abe net, which is my network and there’s been an external IP address lookup such as going to GreyNoise, all I’m doing is looking inside the tags for the exact string, the name that they gave it, and then I’m giving it an additional field, threat flag, Apache Log4J, this way I can build kind of instances specific to this case and really start narrowing down the traffic that I’m looking at. What that looks like when I actually see some traffic, let’s pull up a little search page, something that just kind of threw a couple of visualizations together, Log4J And here it is. So I’ve got one in there right now, the threat flag Log4J just from trying it a couple of moments ago, sitting in the last 15 minutes. But if I wanted to, I can even go ping that address. I’ll ping it and cause some more traffic. So the firewall sees me hitting that IP address with an actual valid tag. This one I happen to know is benign. This one I happen to know is not malicious, but when I hit that and oh, if I was watching my logs live, I would’ve seen it change live. So there I’ve second instance, the second sighting showing up and whatever other dashboard visualizations I wanted to put in here, such as whether it’s benign or malicious color-coded, where this came from. I can see, however, I want to build my table and visualize that information. So at this point here, I made the one rule, feel free to rewind, take the screenshot if you want. I’m sure we could follow it up in written form for people to copy and paste. But for the most part, it’s insert the lookup table. Add that to it, and then search through those tags to find the tag that you’re looking for in this particular case, our Log4J RCE.

Recap-

Jeff Darrington:

Excellent. So you covered off your lookup table. Is there any other little small pieces here you’d have in configuration like the adapter? How easy is it to set up?

Abe:

Setting up the adapter? Well, again, this is an integrated product. So when I go to the lookup tables, the I’ve got my enterprise lookup here. I can show you what it looks like. This is the data that is returned from GreyNoise. When I look that up. So I can see first scene, last scene, I can see all that same data and I can massage that into my messages however I want to, and setting it up is absolutely as simple as creating adapter, GreyNoise and giving it a name, ignoring the red error I just got from my lab environment, giving it a name and dropping in an API token. So it’s as simple as giving it a name and putting in your API token.

Jeff Darrington:

That’s pretty sweet. That’s pretty quick. Excellent. So for today, I guess we’ve just talked about something, everybody wants to know in the future, how you would look for this problem or look, look for this RCE in your network. Once you’ve got what you’ve hear got shown and configured, pretty much you could search for this on a regular basis in your logs and indicate where you might be vulnerable.

Abe:

That’s exactly it, Jeff. So you and build your visualizations however you want to see them, and away you go. This is a pretty rinse lather repeat any of those tags that are available from the threat Intel feed. I showed you GreyNoise, but there’s plenty of thread intel feeds out there that go nicely with log management solutions. So I know a really good log management solution and here’s one really-

Jeff Darrington:

Excellent.

Abe:

Good threat Intel feed.

Jeff Darrington:

Excellent. And you can take it down or up a notch by adding some alerts notifications in there as well.

Abe:

Yep.

Wrap-Ups- 

Jeff Darrington:

Excellent. Abe. Thanks for joining me today. This is really, really good. I’m hoping we can get people on board and get this intelligence in their Graylog instances.

Abe:

Awesome.

Jeff Darrington:

Thanks very much. All right. Have a good day.

Abe:

You too. Thanks.

Jeff Darrington:

See ya.