With Russia ratcheting up its cyberattacks against companies in the USA, DHS/CISA has asked enterprise organizations to check and update their firmware. To get ahead of potential challenges, savvy IT leaders are asking when this kind of attack became mainstream, and most importantly, how to prevent firmware attacks.
Firmware attacks are the hot thing
Five years ago, former CIA analyst Edward Snowden released Vault 7, and the cyber security world was shocked to learn what was in the NSA’s cyber attack tool kit. Half of their playbook was using various firmware attacks. Today this code is in the wild, and hacking organizations are using it to target all verticals. Firmware is the next frontier, therefore understanding how to prevent firmware attacks should be your top priority.
So, you thought you remediated Solarwinds?
All IT leaders remember the Solarwinds catastrophe, but most aren’t aware of the long-term impact. The truth is this: many organizations haven’t fully remediated the long-term damage it caused. Using various firmware security tools, the 3 Tree Tech team has proven there were second and third-level downloads into company’s firmware. If you believe you’ve remediated Solarwinds, but haven’t checked your firmware you could be in for a surprise.
What we found in the firmware attack rabbit hole
Because firmware attacks are no longer a nation-state, we diligently searched the security technology ecosystem to find a technology ready to stop this new threat. Here’s the core problem we discovered: every tool in most companies’ stack, including yours (probably) only monitors at, or above, the OS.
DHS/CISA recently hired a partner of ours to write a white paper about Spectre and Meltdown, also covering firmware compliance. That partner has also worked with Lawrence Livermore, the group that created the atomic bomb. They have been researching how to exploit firmware for offensive purposes for 28 years. You won’t find these published, however.
Because of their relationships with our favorite three-letter agencies, they do not publish their findings in either the national database or Carnegie Mellon. Although we don’t have access to that data, our partners do, which means Lawrence Livermore’s experience informs theirs.
How many verticals are at risk from firmware attacks?
If you’re curious how safe your entity is from firmware attacks, the answer is simple. You’re not. All verticals are currently under attack. One strong example comes from IT Leadership at top U.S. bank, they wish to keep their name anonymous for obvious reasons.
Our partners discovered a network-enabled power strip on their system that had been phoning China. They investigated and discovered a hacking organization had been skimming the float for a staggering 10 years. The loss was immense. This bank quickly realized checking firmware involved more than checking a box.
Microsoft has reported 80% of enterprise organizations have already been the victim of a firmware attack. Additionally, Intel has previously reported its chips have been vulnerable since 1995. To prevent firmware attacks, IT pros need to think deeper.
How to prevent firmware attacks
The central challenge making firmware attacks hard to detect is because hackers target software sitting on a chip, not on a drive. In these cases, your IT team can wipe a device, but the code still sits on the firmware undetected and unaffected. To prevent firmware attacks, the key is found below the OS.
One technology I’ve personally been tracking polls all your devices against all OEM and research data available, simultaneously watching device health. The approach even watches your device to determine if it is running hot or restarting, which could indicate your firmware has been compromised. It’s an extremely smart approach.
Compliance auditors can no longer overlook firmware, and we will be publishing more on this topic. For CIOs or CTOs, I’d love to show you what we’re seeing as I do further research. Drop me a line at firstname.lastname@example.org
Kristopher Taylor is VP of Cyber Security at 3 Tree Tech in Portland. He is a platform-agnostic tech researcher that transitions siloed organizations into automated DevOps centric businesses. To get his help, message him right here.
Tech Exec, This Is For You
You need the latest research from nationally recognized tech researchers. Sign up for our free reports, invite-only CIO/CTO events, wine tastings, lunches, and scotch sessions. You may even win hotel/airfare to our next Exec Roundtable event.