Between the expansion of the attack surface, including the fragmentation of technology solutions, and the industrialization of hacking, government and defense agencies are facing new challenges protecting their data and systems. There are more applications, technologies, integration points, systems in the cloud and vendors to protect and secure, and the landscape promises to only get more complex in 2020.
Enterprising threat actors understand the pressure that Department of Defense security and IT specialists are up against. Today, hacking has become a function of nation states and organized crime with immense resources, bleeding-edge skills and collective knowledge. They’re looking to infiltrate deep into defense network IT stacks and systems and then move throughout the environment undetected for long periods of time. These realities pose a challenge that requires us to change the way we secure the system stack.
Firmware hacks are created by injecting software into the low-level code that governs hardware prior to system boot and during runtime. Once in place, the hacker’s code can modify and subvert the firmware, target OS components, access high-level software and much more. The malicious code can attack one or more layers and even work its way through the stack. Multiple 2019 threat reports indicate that BIOS and firmware attacks are becoming more common.
Typically, there is a vulnerability lifecycle that runs from the moment a threat is identified to the moment a solution is in place. Once a threat is detected, the clock starts ticking for the agency involved. For the adversary, however, the clock has been ticking since long before the hack was discovered, and they are often using that time to move on to phases II and III of their attacks. Agencies need to be faster and more proactive if they’re to protect their systems from compromise. Here are a few strategies they can employ to beat the hackers at their own game.
Understand the entire supply chain. It’s imperative that agencies have a deep understanding of everything that comprises their IT stacks. This includes the systems and their components (compute, networking, memory, storage, controllers such as the baseboard management controller [BMC], etc.). Most systems today are a collection of ingredients from multiple vendors and suppliers, and deployed systems may include integrations and upgrades/modifications that add third-party vendor components, as well as internally created technology. Administrators need to check every component vendor’s website to see what patches or firmware updates have been issued, and confirm those updates have actually been applied.
Leverage secure boot with hardware root of trust (RoT). The ability to verify the boot sequence and status of your systems and of the firmware, OS, hypervisor and software running in the environment is a critical security function for both mission and enterprise systems. A hardware RoT provides an immutable anchor for chaining together the trust of each component of a system. Secure boot provides the means to measure and verify each entity as it boots, so you know that everything that came up is what was expected and that no insertions, malware or misconfigurations have occurred. Secure boot is the foundation on which subsequent security controls are built, and therefore the foundation of your security posture.
The good news is that secure boot technology has been out for years. Most modern systems already have the capability for secure boot and hardware RoT and it just needs to be enabled and “turned on”; when purchasing new systems, specify the trusted boot option to ensure the right features are included. There are also standards, best practices and well-documented protocols available to help, such as the National Institute of Standards and Technology (NIST) Special Publication 800-193, Platform Firmware Resiliency Guidelines.
Perform inventory audits with focus on the full system stack and software tools. The start of all good security plans begins with visibility and a clear-eyed view of the systems, firmware, software, applications and tools that the agency uses. Analyzing and inventorying these tools is crucial to securing the organization and will help agencies better understand their potential weak points. You can’t secure what you can’t see.
Administrators should also take into account and document the components and building blocks of their systems, applications, services and tools, as well as where these tools stand with regard to their maintenance and lifecycles. There are third-party technologies that can help with these processes.
Dig deeper and create defensive layers throughout the stack. As stated above, security needs to be built on a sound foundation, and full-stack system security must include methods to verify and protect critical components and firmware in the platform. Security teams need to implement tools and best practices that address the firmware layers of the stack, where traditional security tools don’t reach. There are open-source tools like Chipsec and third-party vendors like Eclypsium that provide capabilities specifically for hardware and firmware security and auditing. Make integrity monitoring a part of the overall design of new systems from the outset, and pay particular attention to legacy systems, which could contain code that is several years old and fraught with vulnerabilities.
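To make concrete both the secure boot/RoT measurement chain described earlier and the integrity monitoring recommended here, the following is an added illustration (not code from the article, Intel or any named vendor) of how a TPM-style measured boot works and how a verifier uses it. The boot components are constructed sample byte strings, not real firmware; the chain of SHA-256 "extend" operations and the replay-and-compare check mirror the approach a hardware RoT and an attestation verifier use.

```python
import hashlib

# Constructed sample boot components in boot order (name -> bytes).
# On a real platform these would be the actual firmware/OS images the RoT measures.
BOOT_CHAIN = [
    ("bios", b"vendor-bios-v1.2"),
    ("bmc", b"bmc-fw-3.0"),
    ("bootloader", b"signed-bootloader"),
    ("kernel", b"kernel-image"),
]

def measure(data: bytes) -> bytes:
    """Digest of one component, as the measurement agent computes it before handing off control."""
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || measurement).
    Order matters, and a register cannot be reset to an earlier state without replaying history."""
    return hashlib.sha256(pcr + measurement).digest()

def boot_measurements(chain):
    """Simulate the RoT walking the chain: returns the event log and the final PCR value."""
    pcr = bytes(32)  # the register starts at all zeros at power-on
    log = []
    for name, blob in chain:
        m = measure(blob)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return log, pcr

def verify_boot(observed_log, observed_pcr, golden_log, golden_pcr):
    """Attestation-style integrity check against a known-good (golden) boot.
    Returns (ok, findings); findings lists every deviation so operators can triage."""
    findings = []
    # 1. The event log must replay to the reported PCR; otherwise the log itself was altered.
    pcr = bytes(32)
    for _, mhex in observed_log:
        pcr = extend(pcr, bytes.fromhex(mhex))
    if pcr != observed_pcr:
        findings.append("event log does not replay to reported PCR")
    # 2. Compare each component to the golden list: catches modified, inserted and missing entries.
    golden, seen = dict(golden_log), dict(observed_log)
    for name, mhex in observed_log:
        if name not in golden:
            findings.append(f"unexpected component in chain: {name}")
        elif golden[name] != mhex:
            findings.append(f"measurement mismatch: {name}")
    for name in golden:
        if name not in seen:
            findings.append(f"missing component: {name}")
    if observed_pcr != golden_pcr:
        findings.append("final PCR differs from golden PCR")
    return (not findings), findings
```

The golden log and PCR would be captured once from a known-good build and stored outside the measured system; a mismatch on any later boot is the signal that something in the firmware or boot chain changed.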
Traditional security practices and threat models are not sufficient in today’s sophisticated hacker environment. Agencies must match hackers’ sophistication and savvy with their own aggressive and comprehensive defensive stances. That means securing the entire stack, from start to finish and top to bottom.
Steve Orrin is chief technology officer at Intel Federal.