Log4J Vulnerability Detection Case Study
Written by Alex Patnick
Updated over a month ago

Using Faddom, you can discover potential security issues from external and internal sources, as well as specific weaknesses on servers such as problems with SSL certificates and known CVEs. Below we lay out the procedure for detecting exploitation of the Log4J vulnerability.

Setup

The first stage is to make sure that Faddom is collecting external traffic. To do this you can follow our guide on How to Enable Data Collection for External Sources. Once this is set, Faddom will collect traffic that is outgoing to the internet from your servers.

Make sure to let Faddom run for 12-24 hours after updating this setting so that it can collect accurate traffic.

Identifying Attacks

Once Faddom is collecting external data, we can use the tools available in Faddom to see if there are any servers that have been attacked.

Since the vulnerability is exploited by making local servers connect to malicious LDAP servers over the internet, outbound LDAP traffic is the kind of traffic we need to look for. The easiest way to do this is to go to Inventory > Server Types > LDAP. If you do not see LDAP, you can add a new server type by clicking the plus, entering LDAP as the name and using ports 389 and 636.

Now, select LDAP and you will have a list of all the LDAP servers that are being accessed on your network. Hopefully, all the LDAP servers listed are internal to your network, most likely your domain controllers. If you see an external server here, it is likely that you have been attacked using this vulnerability.

If you do see an unrecognized server here, click on Search to display a map of all the servers that have accessed the unknown LDAP server, so that you know exactly which servers in your environment have been affected. See the guide on Server Types for more information.

Receiving Alerts On New Attacks

While the above method is a good way to see if you have already been attacked, it is even better to know when this happens in real time. Here is a simple method to do this using the existing tools in Faddom:

  1. Use the Advanced Search to search for ports 389 and 636

  2. In the Excluded server/s field, enter the LDAP servers in your network. These will most likely be your domain controllers

  3. Click on Search

  4. You will hopefully have an empty map here. Click on Save Query and save this as an application map

  5. You will need to set up a method of receiving the alerts. Follow our guide on Notifications and Events. If there are any new attacks on your servers, you should now receive email alerts from Faddom in near real time.
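The logic behind both the LDAP server-type check and the saved query above is the same: flag connections to LDAP ports whose destination is not one of your known LDAP servers, then group the sources by the unknown server to see which hosts were affected. The following is an added example that is not Faddom's code; it runs that logic over constructed flow records, and the server addresses and ports are assumed values.

```python
from collections import defaultdict

# Ports used by the LDAP server type described above.
LDAP_PORTS = {389, 636}

# Known internal LDAP servers, i.e. the "Excluded server/s" list of the saved
# query. Constructed values for this example (your domain controllers in practice).
KNOWN_LDAP_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample of collected flows as (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.25", "10.0.0.10", 389),     # app server -> domain controller: expected
    ("10.0.1.25", "10.0.0.11", 636),     # LDAPS to second domain controller: expected
    ("10.0.1.25", "203.0.113.7", 389),   # app server -> unknown LDAP server: suspicious
    ("10.0.2.8", "203.0.113.7", 1389),   # non-standard port: outside this query's port list
    ("10.0.2.8", "198.51.100.4", 636),   # second host -> another unknown server: suspicious
    ("10.0.3.3", "10.0.0.10", 443),      # not LDAP traffic at all
]


def suspicious_ldap_flows(flows, known_servers=KNOWN_LDAP_SERVERS, ports=LDAP_PORTS):
    """Return the flows that the saved query would show on its map:
    destination port in the LDAP port list and destination not excluded.
    Anything on a port outside `ports` is not matched, so the port list
    must cover whatever your servers are actually allowed to use."""
    hits = []
    for src, dst, dport in flows:
        if dport not in ports:
            continue          # not an LDAP port: ignored by the query
        if dst in known_servers:
            continue          # traffic to your own LDAP servers: excluded
        hits.append((src, dst, dport))
    return hits


def affected_hosts_by_server(flows):
    """Group internal sources by the unknown LDAP server they contacted,
    which is what the map view shows when you click Search on such a server."""
    by_server = defaultdict(set)
    for src, dst, _dport in suspicious_ldap_flows(flows):
        by_server[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_server.items()}


if __name__ == "__main__":
    for server, hosts in affected_hosts_by_server(SAMPLE_FLOWS).items():
        print(f"unknown LDAP server {server} contacted by: {', '.join(hosts)}")
```

An empty result from `suspicious_ldap_flows` corresponds to the empty map you expect when saving the query; any new entry is what the notification should fire on.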

Example

Recently, a serious vulnerability was found in the popular Log4J library which allows an attacker to execute code on a server. The vulnerability, CVE-2021-44228, also known as Log4Shell, does not affect Faddom, but it does affect countless products and can be a serious security risk. For details on the vulnerability, see the NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

One of the advantages of having full network visibility with Faddom is that you can identify this type of attack quickly and easily using the method above.