Recently, the U.S. departments of Commerce and Homeland Security issued a report detailing critical weaknesses in technology supply chains. The report details a number of issues requiring immediate remediation, but separately calls out two top risks: the increasing use of open-source code, and the “single point of failure” represented by device firmware.
Firmware is core — it’s instructional code that’s shipped with every device, and acts as the digital glue binding all parts of technology supply chains. Gartner Inc. has estimated that every endpoint contains 15 to 20 firmware components, and every server contains 30 or more. As these numbers increase, so too will the potential entry points for adversaries.
The One-to-Many Infection Vector
Once only associated with sophisticated attacks — such as the widely publicized SolarWinds and Colonial Pipeline cyber espionage campaigns — the supply chain has slowly grown to become one of the most overly exposed to malicious actors. A Crowdstrike study found that 45% of organizations experienced at least one supply chain attack in 2021.
The rise in supply chain attacks can be attributed to new agile environments and aggressive development cycles. With the current global shortages and supply chain disruptions, original equipment manufacturers are outsourcing to third parties without having a longstanding history or visibility into the sub-suppliers’ cybersecurity hygiene. Yet the most luring factor is the one-to-many attack multiplier the supply chain presents. A supply chain attack has potential to disrupt national economies and put lives at risk.
Supply chains come in many forms, but the most instrumental is the information and communication technology supply chain. Every piece of ICT equipment is a combination of chips and components bound together by specialized code within a chain of vendors and suppliers. Combine that with the magnitude of ICTs available today: Every organization, large or small, uses cloud computing, the internet, software and an array of hardware to operate. If compromised, firmware allows the attacker to infiltrate an individual system and access a vast number of access points, including data, applications and services, on the device. Touch points only accumulate as the number of contributing vendors increases and their own supply chains are added to the mix.
Firmware’s Crucial Connection
Firmware is the first and often most-privileged code to run on a device, and instructs subsequent operating system actions. As the DOC and DHS report notes, “Firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.”
Adversaries abuse firmware to gain initial access into an organization, either directly breaching and infecting devices running vulnerable firmware, or through an implant or backdoor to infiltrate a product prior to its ever reaching the end customer. The attack method in this instance can be a malicious code that’s simply downloaded by the user.
That said, threat actors are constantly pivoting to find new weaknesses and becoming more creative in their attack methods, to be undetectable while causing the most damage. Over the past two years, ransomware gangs have focused on breaching embedded operating systems and firmware in enterprise network devices, including VPNs, switches, firewalls, routers and a wide range of traffic concentrators, gateways and delivery controllers. These infection vectors are both powerful and unprotected. Network devices like routers, VPNs, and file transfer appliances are some of the most strategically crucial devices within an organization, making them uniquely valuable in the context of a cyberattack.
Firmware attacks also allow adversaries to recover and continue accessing a device after the initial threat is detected, even if the device is completely wiped. In recent iLOBleed attacks, adversaries repeatedly reinfected HPE servers with ransomware after the threat was identified and the infected systems reimaged. This same level of evasion is seen when security tools fail to detect threats – a common downfall given most tools lack firmware intelligence.
Protecting Against Stealthy Infections
To mitigate these risks, organizations must secure firmware throughout all aspects of their business. Firmware security is an emerging discipline that combines new sub-OS technologies with best practices to identify, verify and fortify firmware throughout extended, remote enterprises. Essential steps include:
- Identify. Organizations need simple, scalable yet integratable, tools that provide automated scanning across firmware components in endpoints, servers, network devices and internet of things (IoT) devices of all kinds. Due to the complexity and opacity of supply chains, organizations need the power to “see the unseeable” and create reliable inventory and bills of materials that include firmware details from all contributing vendors.
- Verify. Verification is instrumental for determining the integrity, provenance and correct configuration of firmware. It should take place throughout the device lifecycle, including:
- Pre-delivery: IT security teams should analyze all devices and components for known vulnerabilities and misconfigurations as part of the selection process. A reputable vendor should ensure that their products and all underlying components do not have major security vulnerabilities, and that the devices are built and configured securely.
- Newly acquired: All new device firmware should be scanned for vulnerabilities before they are fully introduced into the production environments. Suppliers and components can change, or devices can be tampered with or compromised in transit or even during manufacturing.
- Continuous monitoring: Headline-level failures of vendor code-signing processes mean cybersecurity teams can’t simply “trust their vendors” anymore. Organizations must monitor operational systems for indicators of compromise (IOCs) unique to firmware, and assess changes in firmware behavior after device acquisition or following updates.
- Fortify. Nearly 80% of firmware is never patched before the device reaches end of life. Many CIOs and operational teams fear firmware updates will unleash a domino-chain of failures that result in system downtime and lost productivity. They need reliable processes to locate the proper, original binaries, assure their integrity and, wherever possible, automate their deployment. Additionally, a critical part of the “fortify” process is being able to detect incoming threats, especially those aimed at a device’s firmware components directly. Just as in the identify and verify stages, defenders need special firmware-centric tools to “see” indicators of compromise that are running below the view of the operating system and traditional defensive applications.
As supply chain breaches continue to reverberate through the industry, and ransomware’s vector-of-choice pivots to firmware, organizations will need to embrace firmware security to protect their supply chains. NIST, alongside Eclypsium, Dell, Intel and HP, hope to illuminate current blindspots and make defense easier through a recently released practice guide. It details ways that practitioners can validate not only the integrity of the devices in their complex supply chains, but the previously invisible firmware holding these chains together as well.
Yuriy Bulygin is co-founder and CEO of Eclypsium.