Check out John’s hot-take video for his additional thoughts.
In July, a joint advisory on routinely exploited vulnerabilities was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). This advisory lists the top CVEs exploited in 2020 and 2021. In 2020, 4 out of 12 of the CVEs were clearly device firmware. In 2021, this increased to 11 out of 16 CVEs, showing a pattern of increasing attacker attention on device firmware.
Top Routinely Exploited CVEs in 2020 (emphasis added)
Top Routinely Exploited CVEs in 2021 (emphasis added)
On the face of it, an increase from 33% of critical vulnerabilities being found in firmware in 2020 to 69% being embedded in firmware in 2021 seems to indicate a significant shift. But is it a trend?
By aligning additional data points — the National Vulnerability Database has reported a 6x increase in firmware-centered VPN vulnerabilities in the last 5 years, firmware vulnerabilities in Accellion, Pulse Secure and Juniper being actively attacked — it seems safe to call it a trend. And it’s one cyber security teams should begin to address.
What can you do about this?
Most of these CVEs were found/reported in 2021 suggesting there was little time to prepare and stage changes. Such critical attacks and updates often coincide with weekends and holidays, leaving fewer people and less time available for robust testing and rollout. These aspects of the issue are out of the control of cyber defense personnel, but the story doesn’t end here.
The current paradigm of Zero Trust Architecture slowly moves organizations to a better state of preparedness by verifying the user, device, and session continuously. Moving from a concept of trusted, internal systems to fully untrusted (but verified) systems is not easy, but the steps follow a theme: identify, verify, fortify.
The infosec meme community has it right on this one. Integrating access control and monitoring systems with given equipment means knowing what devices exist so you can look for patches. The right tools make this possible, but the work is all about having answers to simple inventory questions.
The premise of Zero Trust is well stated in Department of Defense Zero Trust Reference Architecture, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
It may be difficult to figure out how to verify some equipment, but the basic rule does not change. Given an inventory, personnel have a place to start. A strategy to manage the complexity of this inventory and to gain insight into the expected operations of each user, device, and session. Then monitoring can focus on a tractable problem and provide useful alerts on unexpected activity.
With all the focus on vulnerabilities and updates, it may seem odd to put this last, but good configuration baselines and patching processes must inherently stand on the shoulders of the identify and verify steps. Since there’s a lot of pressure on urgent patching due to recently disclosed attacks, the continuous verification capabilities become both an indication of whether you are already a victim as well as a quick check for correct and normal operations after emergency patching.
A Better Future
The trend of increasing vulnerability and attacks on the firmware layer are clearly established. This is why Eclypsium has been collaborating with NIST and others to create practitioners’ guides that include firmware visibility into both enterprise patching and supply chain integrity. This simply involves connecting the existing processes for risk management and security operations with new device-level data. The same goes for Zero Trust. Visibility into device firmware and hardware informs existing processes across the lifecycle of devices, users, and transactions. This way defenders cover more ground at the same time.