Log4Shell and Threat Profiles

by Courtney Cohen, Director of Product Management

The Log4Shell attack has shown, once again, how important it is to know the cybersecurity posture of your entire vendor ecosystem, so that your organization remains protected regardless of which cyber threat is currently in the news.

Other providers may offer solutions that require you to send your third parties yet another assessment to fill out in order to determine whether they are vulnerable to the latest threat, wasting valuable time. The CyberGRX platform instead provides a Framework Mapper feature on all company profiles that lets users map their third parties' (or their own) completed CyberGRX assessment to other control frameworks. This includes industry-standard control frameworks (e.g. NIST, ISO, CMMC), as well as CyberGRX-developed Threat Profiles, which highlight the specific vulnerabilities or impacted controls relevant to real-world cyber attacks. So there is no need for you or your third parties to spend extra time filling out additional assessments.

CyberGRX is dedicated to delivering real-time insights around recent cyber events to help our users quickly identify potential risks and prioritize follow-up activities, which is critical in minimizing the impact of these attacks. To date, CyberGRX has provided Threat Profiles for a range of cyber events including SolarWinds, Kaseya Ransomware, Hafnium, Log4j and more. Threat Profiles are continuously updated, so you can rest assured that the controls identified are the most up-to-date.

How Does CyberGRX Develop Threat Profiles?

Identify the Threat: First, we identify and track all formal and alternative names attributed to an event, so that we can adequately and accurately update our knowledge about the threat as more information becomes available.

Classify the Threat: It is important to distinguish proof-of-concept threats from actively exploited attacks, and from campaigns that combine several attacks to achieve larger goals. This keeps the resulting Threat Profile mapping narrowly focused on the specific event, so that the insights it enables are tailored to users' immediate needs. It also helps us identify when additional Threat Profiles are needed, if and when previously mapped events become part of larger attack scenarios.

Track the Threat: Dedicated CyberGRX resources follow ongoing security research into a threat as it evolves. Sources of this research include applicable CVEs, detection rules from SIEM, XDR and EDR platforms, and disclosures from the affected companies, software vendors or open source projects.

Identify MITRE ATT&CK Techniques: CyberGRX uses the MITRE ATT&CK Framework to identify findings. In the event of a cyber attack, we identify the techniques that align with the TTPs discussed in the ongoing threat research. When vulnerabilities have previously been disclosed in a CVE, this effort includes cross-referencing the CVE's description and references against candidate MITRE techniques to determine applicability.

Maintain Updated Techniques List: The above-mentioned effort continues in the days and weeks following a cyber event, to ensure our technique list remains aligned with those disclosed by other researchers. CyberGRX is also diligent in keeping the technique list as comprehensive as possible, even as the threat evolves and additional techniques become applicable when new CVEs are discovered and assigned.

Identify Primary CyberGRX Controls: Once the MITRE ATT&CK techniques are known, we identify which controls within the CyberGRX Assessment are critical to preventing and/or mitigating those techniques. This effort yields the primary controls list used during scoring analysis.

Identify Supporting CyberGRX Controls: For each primary control we also identify the supporting controls that help ensure it performs well. For example, patching-related controls can be supported by asset-related controls, which help ensure that all affected systems are identified and verified.

Develop New Framework: Finally, the CyberGRX team compiles all the information gathered through the steps above into a custom control framework, in which each 'custom control' reflects a MITRE technique used in the commission of the threat.

Continual Monitoring: With the development and delivery of any Threat Profile, CyberGRX commits to continually monitoring the threat so that we can adjust our output as new findings emerge.

If you are a CyberGRX customer interested in seeing if any of your third parties are vulnerable to the Log4Shell threat, your Customer Success Manager can help!

An overview of the critical controls being exploited in the Log4Shell vulnerability, and the prevalence of those controls within a customer's portfolio.

Third parties with control gaps that have been identified as exploited by the Log4Shell vulnerability (left). The most common gaps at a vendor portfolio level, identified using our Predictive Intelligence (right).

If you're not currently a customer but want to learn how you can gain complete visibility into your vendor ecosystem, so you can protect yourself from attacks like Log4Shell, then we'd love to speak with you!