Log4j: How to use threat intelligence to identify high-risk vulnerability exposures

Skybox threat intelligence, exposure analysis, and customized risk scoring enable customers to zero in on Log4j cybersecurity risk.

The threat intelligence research division of Skybox Security, Skybox Research Lab, has been tracking Log4Shell (CVE-2021-44228) since the vulnerability and a public exploit for it were disclosed on December 9, 2021. Our proprietary database, the Skybox dictionary, also tracks Log4j-affected vendors, products, and services, as well as the available fixes.

Cybercriminals were swift to weaponize this critical remote code execution vulnerability, a design flaw in Log4j, a widely used open-source logging library for Java, with far-reaching and unintended consequences. A CISA official estimated that hundreds of millions of devices are likely affected.

Due to widespread use of this Java library across market-leading vendors, Log4Shell is highly likely to result in ransomware attacks on organizations that lack mature cybersecurity risk models. Some of these attacks the world may not see for years to come.
Skybox Security Research Lab

Identify Log4j affected products and services quickly with a continuously updated threat intelligence feed

To immediately identify and reduce Log4j exposure, our customers use the Skybox dictionary and network model to identify Log4j vulnerabilities most likely to impact their unique networks and assets. Skybox threat intelligence researchers are closely monitoring this Log4j vulnerability and proactively updating the dictionary.

Benefits:

  • Reduces the ever-increasing number of vulnerabilities customers need to prioritize.
  • Identifies exploitable vulnerabilities and correlates them with the organization’s unique network configurations and security controls to determine the areas of highest exposure.
  • Shows which exposures pose the highest risk with a customized risk score.

Skybox calculates risk scores from four variables: CVSS severity, vulnerability exploitability, asset importance, and asset exposure, where exposure is derived from the security controls and configurations across the network that stand between an attacker and the asset.
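The two steps described above, matching an inventory against an affected-product dictionary (the "Identify Log4j affected products" section) and ranking the hits with a four-variable risk score (the preceding paragraph), as an added, illustrative example in Python. This is not Skybox's code, dictionary, or scoring formula: the dictionary entry, the asset inventory, the exposure model, and the weights are all constructed here for illustration; only the CVE identifier and the first fixed log4j-core version (2.15.0) come from the public advisory. The point it shows is that four assets carrying the same CVSS 10.0 finding end up with very different scores once exploitability, asset importance, and network exposure are factored in.

```python
"""Illustrative Log4j exposure ranking (added example, not Skybox code).

The affected-version entry, the inventory, the exposure model and the score
weights below are constructed for illustration; treat every number as a
hypothetical choice, not a vendor formula.
"""
from dataclasses import dataclass

# Constructed mini "dictionary": one entry keyed by library name.
# CVE-2021-44228 affects log4j-core 2.x versions before 2.15.0 (public advisory).
AFFECTED = {
    "log4j-core": {
        "cve": "CVE-2021-44228",
        "min": (2, 0, 0),          # inclusive lower bound
        "fixed": (2, 15, 0),       # first fixed release (exclusive upper bound)
        "cvss": 10.0,
        "exploit_public": True,
        "exploited_in_wild": True,
    },
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Qualifiers such as '-beta9' are dropped, so
    '2.0-beta9' compares as (2, 0, 0), which still lands inside the range."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


@dataclass
class Asset:
    name: str
    importance: int         # 1 (lab box) .. 5 (crown jewel); constructed scale
    components: dict        # library name -> version string, as seen in inventory
    untrusted_input: bool   # can attacker-controlled data reach the logger?
    egress_allowed: bool    # can the JVM open outbound connections?


def find_exposures(asset):
    """Return (library, version, dictionary entry) for every affected component."""
    hits = []
    for lib, ver in asset.components.items():
        entry = AFFECTED.get(lib)
        if entry and entry["min"] <= parse_version(ver) < entry["fixed"]:
            hits.append((lib, ver, entry))
    return hits


def exposure_factor(asset):
    """Hypothetical exposure model. A Log4Shell payload needs attacker input to
    reach the logger and, for the usual JNDI payload, an outbound connection
    from the JVM, so egress filtering lowers exposure without removing it."""
    if not asset.untrusted_input:
        return 0.1
    return 1.0 if asset.egress_allowed else 0.4


def exploitability_factor(entry):
    """Hypothetical weighting: in-the-wild exploitation outranks a public PoC."""
    if entry["exploited_in_wild"]:
        return 1.0
    if entry["exploit_public"]:
        return 0.8
    return 0.5


def risk_score(asset, entry):
    """0..100 score from the four variables: CVSS, exploitability,
    asset importance and exposure (hypothetical weighting)."""
    score = (entry["cvss"] / 10.0
             * exploitability_factor(entry)
             * (asset.importance / 5.0)
             * exposure_factor(asset)
             * 100.0)
    return round(score, 1)


def rank(assets):
    """All exposures across the inventory, highest risk score first."""
    rows = []
    for asset in assets:
        for lib, ver, entry in find_exposures(asset):
            rows.append((risk_score(asset, entry), asset.name, lib, ver, entry["cve"]))
    return sorted(rows, reverse=True)


# Constructed inventory. Every affected asset carries the same CVSS 10.0 finding.
INVENTORY = [
    Asset("web-portal", 5, {"log4j-core": "2.14.1"}, untrusted_input=True, egress_allowed=True),
    Asset("api-gateway", 4, {"log4j-core": "2.11.0"}, untrusted_input=True, egress_allowed=False),
    Asset("batch-internal", 3, {"log4j-core": "2.13.3"}, untrusted_input=False, egress_allowed=True),
    Asset("legacy-app", 1, {"log4j-core": "2.0-beta9"}, untrusted_input=True, egress_allowed=True),
    Asset("build-agent", 2, {"log4j-core": "2.17.1"}, untrusted_input=True, egress_allowed=True),
]

if __name__ == "__main__":
    for score, name, lib, ver, cve in rank(INVENTORY):
        print(f"{score:6.1f}  {name:15s} {lib} {ver}  ({cve})")
```

Run as a script, the ranking puts the internet-facing crown jewel first (100.0), the egress-filtered gateway second (32.0), the throwaway but reachable legacy host third (20.0), and the internal batch job last (6.0); the patched build agent produces no row at all. The same four assets sorted by CVSS alone would be a four-way tie, which is exactly the prioritization problem the score is meant to remove.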

Skybox threat intelligence speeds time to identify Log4j products

Rather than the traditional, time-consuming, manual approach to collecting individual security advisories, Skybox Research Lab accelerates the timeframe in which customers can identify impacted products. Skybox tracks exploits, affected vendors, products, and remediation options based on our customers’ unique environments. The result is relevant, consolidated, human-curated data that Skybox feeds directly into our Vulnerability and Threat Management Solution.

Skybox Research Lab continuously researches exploits in the wild to inform security operations strategy, deliver risk mitigation, and save you time. The Skybox Threat Intelligence subscription service provides customers with critical data based on their unique attack surface, tech stacks, and security toolkits. Skybox Vulnerability Control combines the Skybox threat intelligence feed with our unique passive vulnerability assessments to identify exposures across hybrid environments.

Skybox dictionary includes the latest exploits and malware taking advantage of Log4j vulnerabilities

Skybox Research Lab tracks and analyzes more than a hundred thousand vulnerabilities across thousands of products and updates its dictionary continuously. Skybox monitors hundreds of security sources, including the National Vulnerability Database (NVD), vendor security advisories, and CISA Alerts, among many others.

Skybox threat intelligence is curated for customers in the Skybox dictionary, which also carries the latest exploits and malware campaigns taking advantage of Log4j vulnerabilities. The dictionary contains threat intelligence on more than 130,000 vulnerabilities in roughly 14,000 products, including:

  • Server and desktop operating systems
  • Business and desktop applications
  • Networking and security technologies
  • Developer tools
  • Internet and mobile applications
  • Industrial Internet of Things (IIoT) devices
  • Industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices

Cut through the chaos and zero in on what is critical

Within days of the Log4j public advisory, hundreds of individual security advisories were published online by hundreds of market-leading vendors, and many more are expected. Within a week of the first public announcement of this Log4j vulnerability, more than 1 million attempted attacks had followed, according to research from our integration partner Check Point [1].

For years to come, threat actors will innovate new and creative ways to exploit common tools like Log4j. As a result, preventing breaches requires immediately minimizing your exposure through smart and targeted mitigation.

Footnotes
  1. Check Point, A deep dive into a real-life Log4j exploitation, December 2021. https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/