Add CISA rec mitigation measures

README.md

@@ -20,7 +20,8 @@ or imply their endorsement, recommendation, or favoring by CISA.
 ## Official CISA Guidance & Resources ##
 
 - [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
-- [ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
+- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
+- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
 - [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
 - [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
 
@@ -35,17 +36,16 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.
 
 ## Mitigation Guidance ##
 
-CISA urges organizations operating products marked as "Fixed" to immediately
+When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack.
-implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
 
-CISA urges organizations operating products marked as "Not Fixed" to immediately
+- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues.
-implement alternate controls, including:
+- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality.
+- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. 
+- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network.
+- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts.
+- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk.
 
-- Install a WAF with rules that automatically update.
+For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
-- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
-  to the Java Virtual Machine command for starting your application.
-- Ensure that any alerts from a vulnerable device are immediately actioned.
-- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
 
 ## Software List ##