Defending, Detecting, and Responding to Hardware and Firmware Attacks

Firmware attacks, mostly those that allow unauthenticated BIOS/UEFI changes, disable kernel and OS security features. These unauthenticated attacks have been proven trivially easy with physical access, and difficult but achievable remotely or though software-only channels. Recent data breaches have revealed in-the-wild firmware-based persistence and reinfection payloads. The firmware landscape has the same fragmentation problem as Android devices, but suffers from more opaque security update announcement methods and authenticated automated update processes. Combine these issues with a culture landscape that still likens secure boot to an extinction level event, and it is obvious our enterprises are in danger.

This presentation takes a different approach to hardware and firmware security by exploring how our enterprise defenders can recognize vulnerable systems, detect, and respond to compromise. Defense begins with visibility, that means baselining kernel drivers, kernels, boot loaders, ACPI table content, SMBIOS metadata, Option ROMs, UEFI drivers, and other boot related platform code; it then continues into logging run time OS API-generated hardware events. This data and pipeline can fuel existing correlation and indicators of compromise (IOC) collections to identify known good and eventually known bad. Creating production deployable and repeatable recipes for these somewhat esoteric features is essential. We will present a summary of immediate tools and actions for “deep systems defense," an analysis of where our defenders remain blind to compromise, and recommendations on where our industry can focus tailored effort to generate massive impact.