#Log4j is one of those vulnerabilities that seems ready-made for mass exploitation. Remotely accessible + unauthenticated + widely used + super easy. So where are all the victims? My very first🧵😉
This is like the Fermi paradox, but for #cybersecurity. There *are* victims, and *this is* a serious vulnerability that should be quickly mitigated.
But the seeming ease of exploit + availability of targets appears very disproportionate from known victimization, if judged from press, public and security company reporting. There's a handful of reasons for this. In no particular order:
1. Victims could be keeping their status as quiet as possible. They're out there in large numbers, just keeping it very confidential
2. Victims don't know they've been exploited. Exploitation moved so fast and stealthily that attackers succeeded and pivoted to alternate, unrelated means of access
3. We've under-estimated potential targets' competence, and services using log4j in their environment are locked in containers, chroot jails, or run under constrained accounts
4. We've over-estimated the vulnerability itself, and most attackers find themselves constrained by the access they've gained, due to the nature of the services they've landed in
5. Something else I’ve not mentioned
Reflecting here, we need two things now. First, a better method for estimating the potential threat of a vulnerability; we have to improve our forecasting ability so we can all optimize for the best response. Remote + public facing + easy is a relevant, but clearly insufficient.
Second, a scalable way to collect accurate victimization data representative of the population after the fact; this is the feedback loop to help us refine the forecasting, amongst many other things.
Otherwise, we've all got some explaining to do.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
