CrowdStrike Falcon: First Endpoint Protection to Integrate Firmware Attack Detection Capability

Hacker Hand Inside Computer Hardware

Today’s endpoint security solutions have been designed primarily to look at the local operating system (OS) and the applications that reside on top of it, remaining blind to computing layers below the OS. This week, CrowdStrike® becomes the first endpoint protection solution provider to integrate firmware attack detection capability, shining a bright light into one of the last remaining dark corners of the modern PC: the BIOS.

As security technologies have become more sophisticated, there are fewer places for adversaries to hide. Technologies such as endpoint detection and response (EDR), machine learning and behavioral detection have greatly enhanced the visibility and awareness organizations have, exposing intrusion techniques that were previously hidden and stopping attacks that would have resulted in a breach. As a result of these advanced defenses, attackers are continuously driven to the fringes, forced to hunt for new avenues of infiltration. The BIOS has emerged as a new and unique avenue of attack.

Why protect the BIOS?

The BIOS (basic input/output system) is firmware that resides in the computer platform itself and runs while a computer boots up, before the operating system is started. BIOS represents a tempting target for attackers for a number of reasons.

The BIOS Can Enable Persistence

The BIOS of an endpoint represents a highly privileged execution environment, and any vulnerability or malware in the BIOS can have serious implications, potentially allowing an attacker to gain full control over all system resources. The BIOS exists well below the OS, ensuring that a successful attack will persist beyond reboots, disk wipes and reimaging. To make matters more complicated, BIOS is seldom patched in most organizations, and known vulnerabilities often remain for years after they are disclosed.

Standard Security Tools Are Blind to BIOS Attacks

Most of today’s security tools are not capable of delivering the visibility that organizations need to detect and thwart BIOS attacks. Typical endpoint security tools provide visibility into user mode, and perhaps the kernel as well. However, the BIOS’ position below the operating system means that its contents are not visible to traditional security monitoring tools. In addition, standard security assessment tools such as vulnerability scanners do not provide visibility into BIOS vulnerabilities or configuration.

BIOS and other types of firmware represent a massive exposure, in an area where organizations have very little visibility. This is exactly the type of gap that modern adversaries look to exploit in targeted attacks. The best example of a real-world adversary taking advantage of this visibility gap came to light in September 2018, when it was reported that the adversary group FANCY BEAR had successfully implanted a BIOS rootkit on a number of PCs belonging to government entities. These attacks can be delivered through traditional attack techniques for obtaining initial system access, such as phishing or via more advanced supply chain attacks. The lack of visibility into BIOS makes it very difficult to understand the true extent of this threat.

CrowdStrike Turns the Lights On

With this week’s announcementCrowdStrike becomes the first and only endpoint security provider to integrate firmware attack detection capability, delivering visibility into the state of BIOS across the enterprise, and closing this critical visibility gap. The CrowdStrike Falcon® platform has been enhanced to provide continuous monitoring of the BIOS of an endpoint, to help determine its integrity and identify other issues, such as vulnerable, older BIOS versions. Millions of endpoints protected by CrowdStrike Falcon around the world will now benefit from continuous monitoring for firmware attacks. In addition, through an integration with Dell SafeBIOS, CrowdStrike enables enhanced detection for BIOS/firmware-based threats on Dell systems.

Instant, Complete Visibility Into BIOS

Now, organizations will have a clear picture of the firmware that is running in their enterprise, revealing potentially devastating intrusions such as firmware rootkits. Further, organizations will have the ability to audit security-related BIOS settings, such as protection for SPI flash memory, which can be critical in preventing unauthorized BIOS modification. This capability is delivered via CrowdStrike’s single lightweight agent, which installs with zero reboots required and without burdening the endpoints or intruding upon the user.

CrowdStrike looks forward to extending additional levels of visibility and detection of BIOS threats, in continued partnership with Dell, as well as other manufacturers of computer hardware. Exposing the few remaining areas where attackers may hide is one key to the continued success of our ultimate mission: We stop breaches.

Additional Resources

CrowdStrike Falcon Free Trial

Alex Ionescu

Chief Architect at Crowdstrike, Alex Ionescu is a world-class security architect and expert in low-level system software, kernel development, security training and reverse engineering. He is coauthor of the last two editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as to over a few dozen non-security bugs. Ionescu is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low- level system software, reverse engineering and security trainings for various institutions.


Try CrowdStrike Free for 15 Days Get Started with A Free Trial