Background
The number of security breaches in networks is constantly on the rise, attributable to the increasing informational value held by business organizations. These attacks are sometimes stealthy and hardly noticed until the respective network is subjected to in-depth investigation, either by examining a traffic capture or by live monitoring of the network. For this purpose, this project is tailored to demystify log4j attacks perceived to have occurred in a network capture; it is simply meant to confirm the claims so that the responsible parties can take the necessary courses of action to avert further effects of the perceived breach. The importance of network security cannot be emphasized enough, given the major roles network systems play in the corporate and social scenes: the business operations of a given organization depend on how efficient the network is in terms of its non-functional parameters, namely security, reliability and scalability (Elliott, 2021). In line with the security attribute, the investigation and ultimate fortification of networks is geared towards upholding the CIA attributes of the respective network: Confidentiality, Integrity and Availability.
Mostly found in Apache deployments, log4j is a Java-based logging utility; its major function in an Apache server is to log information, mostly related to security and performance, so as to make error debugging easier. The utility has lately been in the spotlight after the disclosure of three major security flaws leading to remote code execution and denial of service (Tuttle, 2022). RCE and denial of service are critical security threats impacting the whole CIA triad, and log4j is ubiquitous in nature. The flaw exists in Java Naming and Directory Interface (JNDI) lookups, which are facilitated by default in versions log4j 2.0-beta9 and log4j 2.14.1. Attackers are able to exploit this feature to launch either of the two major attacks, and the attack vectors range across internet-facing systems, internal systems, networking components, VMs, SCADA systems and cloud-hosted applications (Subagya et al., 2021). To investigate the presence of a log4j attack, a network traffic capture can be instrumental in providing insights. Log4j is widely flawed in terms of remote code execution under CVE-2021-44832. In this security flaw, attackers execute code remotely on a target host, mostly geared towards rendering the system unavailable. In this sense, the attacker only needs to gain access to the respective directory; with the execute permissions set to allow, an execute command runs any code the attacker chooses. This can be intended to affect the availability attribute or simply the confidentiality of the information flow (Cheng, 2018).
Wireshark is a critical networking tool designed to analyze protocols, monitor network traffic and, where required, apply specific techniques such as packet inspection to identify attacks that may have taken place in a live capture. This investigation deploys all levels of packet inspection to identify the attacks that may have taken place in the capture: Deep Packet Inspection (DPI), Medium Packet Inspection (MPI) and Shallow Packet Inspection (SPI) are used to analyze the captured network traffic for specific attacks (Yahia and Atwell, 2018). From a blind perspective, the inspection is narrowed down to denial of service and remote code execution as the major threats and attacks emanating from the log4j attack surface.
Log4j: A Java-based Logging Utility
Figure 1: Network Capture
As illustrated in the captured traffic, the network traffic is characterized by different unusual traffic which could be a pointer to one or both of the attack threats posed by the log4j attack surface of the Apache server. Normally, network traffic would be characterized by the UDP, TCP, HTTP and HTTPS protocols; other unusual protocols as demonstrated in the capture are a sure pointer to an anomaly in the network traffic, hence a confirmed cause for alarm. In this case, the presence of traffic such as CLDAP, NTP, MDNS and ICMP
DFIR analysis is a part of the larger field of digital forensics and computer security; in this sense, forensics is intended to examine digital media to extract pieces of information that can be used as pointers towards the occurrence of a given attack or scenario. In this case, the DFIR approach is undertaken against a network capture in the form of deep packet analysis, examining specific network protocols so as to generate pointers towards ascertaining whether an attack has occurred. As mentioned, some protocols such as CLDAP are unusual in network traffic, which means that the presence of such traffic in a capture is an indication of a possible intrusion (Itodo et al., 2021). The examination is therefore tailored towards these specific protocols. In scope, digital forensics is primarily meant to uncover pieces of information from digital media as evidence of a possible abuse of a given computer system.
Figure 2: Protocol Hierarchy
The above figure illustrates the hierarchy of protocols in the capture. A normal TCP flow would be characterized by HTTP, TCP, UDP and related protocols; in this case there is an abnormally high number of ICMP and APDU packets. As part of the DFIR investigation, this is a prima facie pointer towards the possibility of attacks having taken place in the network traffic capture.
I/O graphs
Figure 3: I/O graph
An I/O graph is a statistical illustration of the number of packets flowing in a given chunk of time, or interval. The above graph demonstrates the number of packets at an interval of 10 minutes. As demonstrated, the number of packets seems to fluctuate up to a maximum of 1500 after every 5000 seconds. The I/O graph can be customized to display the number of packets per second or millisecond, which is instrumental especially for identifying flood attacks. As mentioned, some log4j versions were characterized by flaws that could allow denial of service attacks, so there is a possibility of denial of service in the packet flows of this DFIR investigation in terms of the number of packets flowing per second or millisecond (Fathima and Santhiyakumari, 2021).
Relaying endless ICMP requests is one of the techniques used to instigate denial of service; as mentioned, it is not usual for a network flow to contain large numbers of ICMP packets, so this could be a pointer to a denial of service attack.
Detecting Log4j Attack through Network Traffic Capture
Figure 4: ICMP Packets
As illustrated in the capture above, the ICMP packets emanate from different sources, which indicates a possible distributed denial of service attack.
Figure 5: Flow Graphs
Flow graphs are a vital aspect of a DFIR investigation, covering diverse aspects of packets flowing in and out of the network. A flow graph shows packet time, direction, ports and comments as packets flow over a given network connection. As demonstrated in the above illustration, a flow graph filtered for ICMP packets suggests a possible SYN flood attack as alleged from the log4j security flaws.
Packets carry the actual information exchanged over a given communication channel. As in any legitimate communication, packets contain different pieces of information flowing from one endpoint to another, and packet contents can themselves be indicators of a possible intrusion. In this PCAP file, a deliberate investigation of the packet contents shows either empty packets or attempted logins (Baggan et al., 2020). From the DFIR perspective, a dissection of these packets reveals empty flows, hence a possible intrusion using crafted packets.
Figure 6: Empty Packets
A conventional TCP flow would contain some information; as illustrated in this flow, the packets are conspicuously empty, which points to a possible attack using packets crafted by the attackers.
Communication technologies are perhaps the most innovative aspect of the 21st century, owing to the innovative business solutions derived from them. In the places I have witnessed the use of communication technologies in the contemporary business space, there is a good end as well as a bad end characterized by various security and misuse aspects. This involves security attacks or simply abuse of computer systems, and there are different approaches to counter such misuse and security issues in the technological field. Digital forensics and incident response (DFIR) investigates the specific aspects of packets in a communication to identify pointers to misuse or security problems. The first aspect of the investigation of PCAP files and the possible attacks is log4j, an Apache logging implementation which can negatively impact communication within Java applications. Java is one of the most commonly used object-oriented programming languages; owing to its portability and ease of use, Java is used for many projects and business solutions, and different versions of Java are also characterized by vulnerabilities according to how they were developed. Java 8 and 7, for instance, make use of log4j in Apache servers, which are the subjects of this DFIR investigation (Martínez Llamas, 2019). Log4j is characterized by server security flaws that can culminate in different security breaches, as captured in the PCAP file. Deploying forensic techniques, I have used DFIR for an in-depth investigation of the network traffic; digital forensics in this perspective employs deep packet inspection to examine the network traffic as captured. In this case, the investigation starts from the protocol hierarchy, which is a statistical approach to analysis as far as Wireshark as a protocol analyzer is concerned.
As demonstrated in the hierarchy, the illustration gives a general view of the number of packets from individual protocols within the capture. In the experience we all have had with networks, a client-server communication is characterized by TCP and HTTP/HTTPS traffic, yet other protocols are present here which surprisingly show significantly high counts. In addition to the protocol hierarchy, the I/O graph is another important statistical analysis tool in Wireshark that gives the statistics of different packets within a network capture. As I have demonstrated in this investigation, an I/O graph illustrates the number of packets flowing per given time. This can be customized to show the flow of packets per second; I have used the 10 minute interval owing to the number of protocols and packets. A suspicious flow can be illustrated by a significantly large number of packets per second or millisecond, which would be an indication of flood attacks, as illustrated here by the presence of ICMP packets. As part of deep packet analysis, the investigation can be furthered to examine specific packets in terms of their contents as they flow to and from the respective endpoints (Ramírez Sanabria, 2020). On investigation, the packets do not seem to contain any significant content as normal traffic would, which means that the packets flowing must have been crafted for a flooding type of attack. In these attacks, packets do not contain any significant information indicating any form of meaningful communication; instead, empty packets are sent in the form of ICMP.
DFIR Analysis: Examining Specific Network Protocols
Further into the attack in this PCAP capture, there are requests for authentication between the server and the client. Usually this would be an HTTPS flow in network systems; however, the protocols in this scope indicate a brute force type of approach to gain access to the server. A client-server connection is usually a sensitive channel of communication, which means that the related data is also sensitive and must be treated with utmost care to uphold the confidentiality, integrity and availability aspects of the system. In this sense, a brute force attack would result in a compromise of integrity and confidentiality, and sometimes of the availability attribute of the whole system as articulated in the CIA triad. The security of any computer system is summarized under the CIA triad, describing the major non-functional aspects of any given computer system. The table below is a summarized report.
| DFIR investigation | Findings | Recommendations |
|---|---|---|
| Malware | Possible malware attacks evident in the packet content; docx, exe files | Anti-malware programs, firewall systems as well as security policies, especially on the application policy front |
| Brute force breach (client-server password breach attempt) | Possible brute force password breach evident in the HTTPS authentication requests | Password security such as age/length and validation via policies in Active Directory (AD); password encryption in WEP, especially for LAN/WLAN Access Points (APs); input validation for server-side form handling to avert injection attempts (SQL injection) |
| Flood attack (ICMP SYN) | Possible ICMP flood attack evident in the protocol hierarchy, I/O graph and flow graphs | Use SYN flood detection, packet filtering and port security as well as firewall rules to secure the network. |
Conclusion
The security of computer systems is sometimes elusive owing to the diverse methods and techniques used to launch intrusions. This is a result of the wide attack surface and the many attack vectors through which intruders can launch attacks. Equally, security measures have been put in place to counter these attacks; among them, digital forensics and incident response (DFIR) is used to investigate the possible occurrence of an attack. DFIR investigation in this perspective is an in-depth packet dissection to uncover traces of a possible attack in the respective network communication. This entails the number of packets per unit time, packet contents and protocol statistics from the capture. It is paramount to ensure security irrespective of the communication set-up, and vital to set up different means to guarantee the confidentiality, integrity and availability aspects of the respective information system (van Oorschot, 2020). The in-depth examination techniques used in this investigation reveal two possible attacks that might have taken place: a brute force type of attack intended to bypass the conventional means of authentication, and a flooding attack as illustrated by the number of ICMP packets flowing in the network at capture time.
There are several updates of Apache released for diverse reasons, including security patches; in this respect, a new logging version (log4j) was released for Java 8. This was intentionally released to address the discussed vulnerabilities. It was followed by another version, log4j 2.16, also for Java 8, and log4j 2.12.2 for Java 7. This was attributed to the rampant cases of denial of service under CVE-2021-45046 in the previous version. The continued use of Apache Foundation applications necessitated a deep revamp of the server, leading to the subsequent versions up to log4j 2.17, which was also necessitated by the infinite recursion under CVE-2021-45105. Security vulnerabilities in this respect have always resulted in serious implications for the respective applications; for this purpose, security can be viewed from the perspective of updates and patches designed to bring the respective Apache server to its latest version (Neuburger et al., 2021). The new versions of log4j have the discussed vulnerabilities fixed, but the continuous emergence of security flaws in Java versions also makes it paramount to consider additional layers of security. For instance, it is important to keep in mind security layers such as intrusion detection and prevention. IDS/IPS systems are set to detect and prevent intrusions according to their configuration parameters. In this case, unknown or untrusted IP addresses can be denied access, accompanied by port security in ACL rules along with frequent penetration testing. Frequent security evaluation is set to uncover vulnerabilities arising from changes in the continual use and addition of new IT resources. Permissions are another major security flaw in computer systems: Log4j version 2 is also characterized by RCE vulnerabilities, facilitated by execute permissions in the wrong directory.
In this manner, attackers can simply run any code in these directories should they gain access to the locations. It is thus important to consider security in this perspective such that only the relevant permissions are allowed in a given directory (Elsayed and Zulkernine, 2018).
Reference List
Baggan, V., Sarangi, P.K., Prasad, D. and Snehi, J., 2020, December. Augmenting Border Gateway Protocol with Multi-protocol Label Switching for Enhancing Network Path Restoration. In 2020 9th International Conference System Modeling and Advancement in Research Trends (SMART) (pp. 306-309). IEEE.
Cheng, F., 2018. The Platform Logging API and Service. In Exploring Java 9 (pp. 81-86). Apress, Berkeley, CA.
Elliott, E., 2021. Troubleshooting. In Introducing .NET for Apache Spark (pp. 185-206). Apress, Berkeley, CA.
Elsayed, M. and Zulkernine, M., 2018, May. Towards security monitoring for cloud analytic applications. In 2018 IEEE 4th International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC) and IEEE International Conference on Intelligent Data and Security (IDS) (pp. 69-78). IEEE.
Fathima, K.M. and Santhiyakumari, N., 2021, March. A Survey On Network Packet Inspection And ARP Poisoning Using Wireshark And Ettercap. In 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS) (pp. 1136-1141). IEEE.
Subagya, N., Wijajarto, A. and Almaarif, A., 2021. Implementasi Dan Analisis Hadoop Element Availability Berdasarkan Daemon Log Monitoring Menggunakan Log4j Logging. eProceedings of Engineering, 8(5).
Itodo, C., Varlioglu, S. and Elsayed, N., 2021, March. Digital forensics and incident response (DFIR) challenges in IoT platforms. In 2021 4th International Conference on Information and Computer Technologies (ICICT) (pp. 199-203). IEEE.
Martínez Llamas, J., 2019. Analysis and Design of Digital Forensics and Incident Response Procedure (Doctoral dissertation, Telecomunicacion).
Neuburger, J.D., Mollod, J.P. and Proskauer Rose, L.L.P., 2021. Trends in Privacy and Data Security: 2020. Proskauer.
Ramírez Sanabria, P.R., 2020. Guidelines and tools for a digital evidence investigation process: a case study for a business data leak.
Schmeelk, S.E. and Dragos, D.M., Integrating Cybersecurity Labs into Traditional Curriculum Design.
Tuttle, H., 2022. 2022 CYBER LANDSCAPE. Risk Management, 69(1), pp.18-23.
van Oorschot, P.C., 2020. Computer Security and the Internet. Springer International Publishing.
Yahia, A. and Atwell, E., 2018. Evaluation of the capabilities of Wireshark as network intrusion system. Journal of Global Research in Computer Science, 9(8), pp.1-8.