Recently, the US Departments of Commerce and Homeland Security released a report detailing critical weaknesses in technology supply chains. The report details a number of issues that require immediate resolution, but separately flags two main risks: the increasing use of open source code and the “single point of failure” represented by device firmware.
Firmware is critical – it’s instruction code that comes with every device and acts as the digital glue tying all parts of technology supply chains together. Gartner Inc. has estimated that each device contains 15-20 firmware components and each server contains 30 or more. As these numbers increase, the potential entry points for adversaries will also increase.
The one-to-many infection vector
Once only associated with sophisticated attacks – such as the widely publicized SolarWinds and Colonial Pipeline cyber espionage campaigns – the supply chain has slowly grown to become one of the vectors most exposed to malicious actors. An industry survey found that 45% of organizations experienced at least one supply chain attack in 2021.
The increase in supply chain attacks can be attributed to new agile environments and aggressive development cycles. With current global shortages and supply chain disruptions, OEMs are outsourcing to third parties without having a long history with, or visibility into, the cybersecurity hygiene of their contractors. Yet the most attractive factor is the one-to-many attack multiplier that the supply chain presents. A supply chain attack can disrupt national economies and put lives at risk.
Supply chains come in many forms, but the most instrumental is the information and communication technology supply chain. Each piece of ICT equipment is a combination of chips and components linked by specialized code within a chain of vendors and suppliers. Combine that with the breadth of ICT available today: every organization, large or small, uses cloud computing, the internet, software and a range of hardware to function. If compromised, the firmware allows the attacker to infiltrate an individual system and gain access to a large number of access points, including data, applications, and services, on the device. Touchpoints only accumulate as the number of contributing suppliers increases and their own supply chains are added to the mix.
Crucial Firmware Connection
Firmware is the first, and often the most privileged, code to run on a device, and it dictates the subsequent actions of the operating system. As the DOC and DHS report notes, “Firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.”
Adversaries abuse firmware to gain initial access to an organization, either directly by breaching and infecting devices running vulnerable firmware, or via an implant or backdoor planted in a product before it reaches the end customer. The attack method in this case can be malicious code that is simply downloaded by the user.
That said, threat actors are constantly pivoting to find new weaknesses and becoming more creative in their methods of attack, aiming to stay undetected while causing the most damage. Over the past two years, ransomware gangs have focused on breaching operating systems and firmware embedded in corporate network devices, including VPNs, switches, firewalls, routers and a wide range of traffic concentrators, gateways and delivery controllers. These vectors of infection are both potent and unprotected. Network devices like routers, VPNs and file transfer devices are among the most strategically critical devices within an organization, making them particularly valuable in the context of a cyberattack.
Firmware attacks also allow adversaries to regain and maintain access to a device after the initial threat is detected, even if the device is completely wiped. In the recent iLOBleed attacks, adversaries repeatedly re-infected HPE servers with ransomware after the threat was identified and infected systems were reimaged. This same level of evasion is seen when security tools fail to detect threats – a common downfall given that most tools lack firmware intelligence.
Protect against sneaky infections
To mitigate these risks, companies need to secure firmware in all aspects of their business. Firmware security is an emerging discipline that combines new operating subsystem technologies with best practices for identifying, verifying, and hardening firmware in extended remote enterprises. The essential steps include:
- Identify. Organizations need simple, scalable, yet embeddable tools that provide automated analysis of firmware components in endpoints, servers, network devices, and Internet of Things (IoT) devices of all kinds. Due to the complexity and opacity of supply chains, organizations need to be able to “see the invisible” and create reliable inventory and BOMs that include firmware details from all participating vendors.
- Verify. Verification is essential to determine the integrity, provenance, and correct configuration of firmware. It must take place throughout the life cycle of the device, including:
- Pre-delivery: IT security teams should scan all devices and components for known vulnerabilities and misconfigurations as part of the selection process. A reputable vendor must ensure that its products and all underlying components are free from major security vulnerabilities and that devices are built and configured securely.
- Recently acquired: All new device firmware should be scanned for vulnerabilities before being fully introduced into production environments. Suppliers and components may change, or devices may be altered or compromised during shipping or even during manufacturing.
- Continuous monitoring: High-profile compromises of vendor code-signing processes mean that cybersecurity teams can no longer simply “trust their vendors”. Organizations should monitor operational systems for firmware-specific indicators of compromise (IOCs) and assess changes in firmware behavior after device acquisition or after updates.
- Harden. Nearly 80% of firmware is never patched until the device reaches its end of life. Many CIOs and operations teams worry that firmware updates will set off a domino chain of failures leading to system downtime and lost productivity. They need reliable processes to locate the appropriate source binaries, ensure their integrity, and, where possible, automate their deployment. Additionally, a critical part of the “hardening” process is being able to detect incoming threats, especially those that directly target a device’s firmware components. Much like in the identification and verification stages, defenders need special firmware-centric tools to “see” indicators of compromise that run beneath the view of the operating system and traditional defensive applications.
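As an added example (not code from the article or from Eclypsium), the following script models the inventory-and-verify loop behind the Identify and Verify steps above: a hash baseline of each firmware component is recorded at acquisition, a later rescan is compared against it, and drift is classified as possible tampering (same version, different image), a legitimate vendor update (new version whose hash matches the vendor's published manifest) or an inventory gap. Component names, versions, image bytes and the vendor manifest are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    sha256: str

def fingerprint(image: bytes) -> str:
    """SHA-256 of a firmware image, used as its identity in the inventory."""
    return hashlib.sha256(image).hexdigest()

def build_inventory(scan):
    """scan: iterable of (component name, reported version, image bytes)."""
    return {n: Component(n, v, fingerprint(img)) for n, v, img in scan}

def check_drift(baseline, current, vendor_manifest):
    """Compare a fresh scan against the acquisition-time baseline; returns
    (severity, component, message) tuples. vendor_manifest maps
    (name, version) to the hash the vendor publishes for that release."""
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append(("medium", name, "not in baseline inventory (BOM gap)"))
        elif cur.version == base.version and cur.sha256 != base.sha256:
            # Same version string but a different image: the classic sign of tampering.
            findings.append(("high", name, "image changed without a version change"))
        elif cur.version != base.version:
            expected = vendor_manifest.get((name, cur.version))
            if expected == cur.sha256:
                findings.append(("info", name, f"updated to {cur.version}; matches vendor manifest"))
            else:
                findings.append(("high", name, f"version {cur.version} not matched by vendor manifest"))
    for name in baseline.keys() - current.keys():
        findings.append(("high", name, "component missing from current scan"))
    return findings

# Constructed sample data: a server baselined at acquisition, then rescanned later.
BASELINE_SCAN = [("bmc", "1.0", b"BMC-1.0"), ("bios", "2.1", b"BIOS-2.1")]
CURRENT_SCAN = [("bmc", "1.0", b"BMC-1.0+implant"),  # tampered, version unchanged
                ("bios", "2.2", b"BIOS-2.2"),        # legitimate vendor update
                ("nic", "3.0", b"NIC-3.0")]          # never inventoried
VENDOR_MANIFEST = {("bios", "2.2"): fingerprint(b"BIOS-2.2")}

def run_sample():
    return check_drift(build_inventory(BASELINE_SCAN),
                       build_inventory(CURRENT_SCAN), VENDOR_MANIFEST)
```

In practice the baseline would be written at the "recently acquired" scan and the comparison run on every continuous-monitoring pass and after every update.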
As supply chain breaches continue to ripple through the industry and the vector of choice for ransomware pivots towards firmware, companies will need to embrace firmware security to protect their supply chains. NIST, alongside Eclypsium, Dell, Intel and HP, hopes to illuminate current blind spots and make defense easier with a recently published practice guide. It details the means by which practitioners can validate not only the integrity of devices in their complex supply chains, but also the previously invisible firmware that holds those chains together.
Yuri Bulygin is co-founder and CEO of Eclypsium.