New Report Highlights a Supply Chain Gap in Firmware

Subscribe to Eclypsium’s Threat Report

A few months ago, an Eclypsium blog post highlighted how firmware-based exploits were at the top of the CISA Known Exploited Vulnerabilities list. This month at BlackHat, firmware-based attacks were a topic in a half-dozen different sessions, and shortly after,the Eclypsium research team revealed critical and widespread vulnerabilities in Microsoft signed bootloaders, at DEF CON 30.  It’s clear that cybersecurity exploits are advancing, and as a result, defenses,and practices are required to evolve just as  fast. 

But can the real world – with its boots-in-the-trenches cybersecurity strategists and practitioners –  keep up with this pivot towards firmware-based exploits? Particularly in financial services organizations, who are often the first targets under fire? Eclyspium partnered with Vanson Bourne to find out. 

This week we released the results of a worldwide survey of IT and cybersecurity decision makers in the financial services industry. Our goal was to get solid data on actionable questions like:

  • Are you aware of the current firmware threats? If so, do you have the right resources, budget, and tools in place to protect the organization against these threats?
  • Are you aware of any occurrences when your organization has been a victim of a firmware-level attack? 
  • Do security teams have a “firmware blindspot”?
  • Do security teams believe their current investments in EDR, VM, and Endpoint security will protect them against firmware-level attacks?
  • Firmware is in everything, endpoints to servers to network and IoT. Because of this, should firmware security be its own dedicated tool, or should firmware security use cases be shared across VM, endpoint, infrastructure security tools?
  • Do security teams believe their current investment in firmware security will decline, stay the same, or go up?
  • Who “owns” the job of securing and auditing firmware? The CIO group or CISO group? Manufacturers or customers? Security teams or operational teams?
  • How much of your cybersecurity budget is allocated to firmware security?
  • Do you understand your firmware footprint?

The Firmware Security in Financial Services Supply Chains report shares findings across 15-pages, delivering an equal share of surprising insights and “oh no, not still?” facepalms.

Lots of Attacks

Without forensic analysis of attack vectors and TTPs of adversaries, it’s often hard to determine where firmware-level attacks occur. After all, adversaries go there because firmware is neither well observed nor top of mind.

But an astounding 88% of respondents knew that their organization had been victim of a firmware-level attack in the previous two years. 54% had experienced at least two of these attacks and a handful had experienced firmware-level attacks more than twice.

Lots of Gaps

It’s become a given that the current cybersecurity skills gap is one of the core problems in our industry. But a compounding factor is the technical gaps in attack and exploit coverage, of which firmware-level attacks are a prime example. 

  • 76% confess to significant gaps in their awareness of their firmware footprint
  • 100% acknowledge a “firmware blind spot” that creates visibility problems for both prevention and detection processes   

And yet, only 91% are concerned about the gaps in their knowledge and visibility. Why not 100%? Some of this can perhaps be attributed to the belief that securing firmware might be “some other team’s” responsibility, whether that be IT Ops Teams (42%) or Device Manufacturers (18%).      

Lots of Tools

Cybersecurity tool sprawl is a real concern for many organizations. If it’s hard to keep and maintain qualified people, that’s amplified by an explosion of tools that seems to defy constant calls for consolidation and streamlining

Securing the supply chain’s firmware might be a useful example of why this trend exists in the first place. Several years ago it was assumed that the firmware in our endpoints, servers and network devices could be considered as a “known good” quantity, vetted by the manufacturer,  and above suspicion. Now of course firmware injections through bootloaders and UEFI implants are on the rise, and practitioners expect their existing controls to detect these new threats.   

  • 81% believe their organization’s vulnerability management program includes firmware identification and remediation processes 
  • 83% believe their organization’s EDR, XDR or endpoint solutions include firmware identification and remediation processes 

The reality, of course, is that the vast majority of firmware-level vulnerabilities and issues in the supply chain are well below the radar of vulnerability, risk or endpoint solutions and, as this article in Ars Technica points out, actually “invisible to us.”  

Not a Lot of Confidence 

Despite this lack of visibility, cybersecurity practitioners are acutely aware of the shift taking place in digital warfare’s complex landscape. The survey revealed that the majority of them see a need to enhance their threat modeling and remediation processes to better deal with firmware-based attacks.  

  • 61% are not confident they could detect a firmware-level exploit
  • 92% believe adversaries are better at executing firmware-level attacks than defenders are at preventing them

Supply chain attacks are a leading concern for cybersecurity teams in all sectors and verticals. One of the ways to defeat them is to fortify the firmware these attacks so often rely on…. but before that can happen we have to look with objective eyes at What we know, What we don’t know, and What we think we know about firmware. This report – Firmware Security in Financial Services Supply Chains – is a way to get us started.