CrowdStrike tackles BIOS attacks with new Falcon features
CrowdStrike added firmware attack detection capabilities to its Falcon platform and also expanded its partnership with Dell to help organizations tackle BIOS threats.
CrowdStrike is beefing up its Falcon endpoint security platform to provide organizations with the visibility needed to defend against the growing threat of BIOS attacks.
With the integration of the firmware attack detection capability, CrowdStrike Falcon will now monitor the BIOS of an endpoint to help determine its integrity and identify vulnerable, older BIOS versions, the company said on Wednesday.
Most of today's endpoint products look at the operating system and the applications that reside on top of it, but ignore the firmware level underneath the OS, said Alex Ionescu, vice president of endpoint detection and response strategy at CrowdStrike, based in Sunnyvale, Calif.
"They might look at the kernel of the operating system, but they don't go and dig that deep," Ionescu said. "[We are releasing] a new feature that provides visibility into firmware of various systems out there. What we're seeing increasingly [is that] these attackers are finding ways to bypass today's solutions by going to the firmware level, where there's no visibility or very little visibility. We wanted to build something to see what's going on behind the scenes."
Ionescu said attackers are realizing enterprises don't have enough visibility into this area. The BIOS is, therefore, emerging as a new avenue of attack, he added.
"The BIOS of an endpoint represents a highly privileged execution environment, and any vulnerability or malware in the BIOS can have serious implications, potentially allowing an attacker to gain full control over all system resources," Ionescu wrote in a blog post. "The BIOS exists well below the OS, ensuring that a successful attack will persist beyond reboots, disk wipes and reimaging. To make matters more complicated, BIOS is seldom patched in most organizations, and known vulnerabilities often remain for years after they are disclosed."
CrowdStrike Falcon collects details on BIOS images and configuration, and it delivers firmware visibility via the cloud-native Falcon Platform console.
Additionally, through an integration with Dell's SafeBIOS verification tool, CrowdStrike will now offer enhanced detection for BIOS and firmware-based threats on Dell systems.
What we're seeing increasingly [is that] these attackers are finding ways to bypass today's solutions by going to the firmware level, where there's no visibility or very little visibility.
Alex IonescuVice president of EDR strategy at CrowdStrike
While CrowdStrike is currently focusing on the BIOS environment, Ionescu said, the company plans on looking into other types of firmware, as well.
"We partnered with Dell so that we will not just have the visibility, but actually understand if what we're seeing is the correct set of firmware images and configuration settings that we'd expect to find, to make sure that no one has tampered with those parts of the system, that there hasn't been a supply chain attacker in the mix and to provide customers with the ability to know that these are the reference measurements of their firmware components that the vendor expects to essentially have," he said.
Earlier this week, Dell said it is fortifying its SafeBIOS offering with the addition of a new utility for off-host BIOS verification. Off-host BIOS verification provides additional security, according to Dell, as on-host-only approaches are prone to local attacks.
This capability is integrated with VMware Workspace One, Secureworks and CrowdStrike, and it's also available as a stand-alone download, according to Dell.
Tackling BIOS attacks
In the past few years, security researchers and advanced persistent threat actors have demonstrated attacks on the BIOS, said Kayne McGladrey, IEEE member and director of security and IT at Seattle-based Pensar Development.
These rare attacks can provide a persistent and hidden bridgehead into an enterprise network, McGladrey said.
"Alternatively, these exotic attacks could also read the memory in a computer, allowing threat actors to steal encryption keys, files or user passwords," he said in an email interview. "However, these are targeted attacks, as the BIOS of computers are fragmented across multiple motherboard manufacturers. Because of this level of fragmentation and the high level of technical sophistication required for a viable BIOS attack, the threat actor needs to know more about a target's environment than an average threat actor of convenience."
Organizations can effectively protect against threats to the BIOS by continuously training end users how to recognize spear phishing, he said. The advantage of this approach is it helps to protect against additional threats, such as ransomware and other malicious software, as a BIOS threat requires the end user to download and execute one or more files, he explained.
"A secondary technical control is to provide endpoint protection to detect and prevent execution of suspicious files, although it's likely that any BIOS malware will bypass signature-based detection and require instead behavior-based detection," he said. "Finally, organizations should consider deploying computers with UEFI instead of a BIOS, as UEFI provides Secure Boot, which makes it incrementally harder to compromise this core component of computers."
