As endpoint security continues to evolve and thwart legacy attack techniques, cyber criminals are always trying to stay one step ahead to avoid detection and gain a persistent foothold in their targets’ infrastructure. Some sophisticated attackers are gaining traction through the malicious tampering of the BIOS firmware.
Security teams usually have no visibility when an attack leverages BIOS tampering. These attacks are difficult to remediate because they maintain their persistence even if an administrator wipes and re-images the infected machine. This combination of stealth and persistence makes these attacks a significant risk for security and infrastructure teams.
VMware Carbon Black and Dell are working together to help security teams detect and remediate attacks that tamper with BIOS firmware. As part of our commitment to mutual customers, we are bringing VMware Carbon Black Cloud™ Audit and Remediation together with Dell SafeBIOS Off-Host Verification to give businesses increased visibility, control and security on Dell Trusted Devices.
Now, security and IT teams can automate reporting on BIOS verification status and remotely remediate attacks that attempt BIOS tampering. This collaboration further protects Dell commercial PCs, which are already the most secure in the industry.[1]
Because sub-OS attacks are sophisticated, most security teams have never had solutions in place to detect or remediate them properly. Let’s take a brief look at how these attacks unfold and how our solution with Dell can help teams to more effectively recover if their devices ever get hit with a BIOS attack.
Inside a BIOS Attack
To execute a BIOS attack, an adversary would usually already need remote access to the system. The attacker then implants malware that operates beneath the OS.
These changes to the system BIOS allow the malicious code to run during the boot process, giving the attacker control of the machine and access to the data stored on it. This ongoing, undiscovered stealth access to a compromised system could then allow an attacker to move laterally throughout the rest of the enterprise’s infrastructure.
Integration with Dell
Dell SafeBIOS is a series of hardware resilience mechanisms that integrates post-boot verification right into Dell Trusted Devices. Rather than storing BIOS information on the hardware itself, which is susceptible to corruption, SafeBIOS uses an off-host BIOS verification capability that compares an individual BIOS image against the official BIOS measurements stored in the cloud. This gives IT teams the information they need to confirm that their devices’ BIOS images have not been maliciously altered.
Using Audit & Remediation in the VMware Carbon Black Cloud, security teams can now query their entire fleet of Dell Trusted Devices to report on the SafeBIOS verification status at scale. Queries can also be scheduled to run on a daily, weekly or monthly basis, allowing teams to completely automate reporting on this attack technique.
If any devices return a “failed” status in the console, an administrator can instantly quarantine that device to isolate it from the network and the internet directly from the VMware Carbon Black Cloud. After the problematic device is safely isolated, the administrator can then gain remote access to the device to pull back the corrupted BIOS image for downstream analysis by their threat team.
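The three steps above (measure each device's firmware, compare it against an off-host set of known-good measurements, and triage any device that fails) can be sketched in a few lines. The following is an added example written for this article; it is not Dell's or VMware's code and does not reproduce the SafeBIOS measurement format. The device records, firmware images and the known-good table are constructed so the script runs offline, and the whole image is hashed with SHA-256 as a stand-in for whatever regions the real product measures. One point the prose does not spell out is handled explicitly: a device whose model/version pair has no reference measurement is reported as "unknown" rather than silently passed, so it shows up for follow-up instead of disappearing into the "verified" bucket.

```python
"""Fleet-wide off-host firmware verification, modelled on the SafeBIOS workflow.

Added illustration, not vendor code: measurement format, device records and the
known-good table are all constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed release images keyed by (model, bios_version). In the real
# workflow only the measurements live off-host; the images are here so the
# reference table can be derived and the script runs without network access.
GOOD_IMAGES = {
    ("Example-Model", "1.2.3"): b"CONSTRUCTED-BIOS-IMAGE-A",
    ("Example-Model", "1.2.4"): b"CONSTRUCTED-BIOS-IMAGE-B",
}

def measure(image: bytes) -> str:
    """Measurement of a firmware image: SHA-256 hex digest of the whole blob."""
    return hashlib.sha256(image).hexdigest()

# Off-host reference set: (model, bios_version) -> expected measurement.
KNOWN_GOOD = {key: measure(img) for key, img in GOOD_IMAGES.items()}

@dataclass
class Device:
    hostname: str
    model: str
    bios_version: str
    image: bytes  # firmware image as pulled back from the endpoint

def verify(device: Device, known_good: dict) -> str:
    """Return 'verified', 'failed' or 'unknown' for one device.

    'unknown' means no reference measurement exists for this model/version;
    that is not a pass and should be investigated separately.
    """
    reference = known_good.get((device.model, device.bios_version))
    if reference is None:
        return "unknown"
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(measure(device.image), reference):
        return "verified"
    return "failed"

def fleet_report(devices, known_good: dict):
    """Map every hostname to its status and list hosts to isolate."""
    report = {d.hostname: verify(d, known_good) for d in devices}
    to_quarantine = sorted(h for h, status in report.items() if status == "failed")
    return report, to_quarantine

def sample_fleet():
    """Constructed fleet: one intact device, one with a modified image, one with
    a BIOS version that has no reference measurement."""
    return [
        Device("ws-01", "Example-Model", "1.2.3", b"CONSTRUCTED-BIOS-IMAGE-A"),
        Device("ws-02", "Example-Model", "1.2.3", b"CONSTRUCTED-BIOS-IMAGE-a"),  # one byte changed
        Device("ws-03", "Example-Model", "9.9.9", b"CONSTRUCTED-BIOS-IMAGE-A"),
    ]

if __name__ == "__main__":
    report, quarantine = fleet_report(sample_fleet(), KNOWN_GOOD)
    for host, status in report.items():
        print(f"{host}: {status}")
    print("isolate:", quarantine)
```

Scheduling this as a recurring job over the fleet gives the automated reporting the post describes; the `to_quarantine` list is the set an administrator would act on, while the "unknown" hosts point at gaps in the reference table rather than at tampering.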
This solution is one example of our long-term commitment to customers. Over time, we plan to continue developing further integrations between our cloud platform and Dell Trusted Devices to further extend the capabilities of our endpoint protection platform beyond the operating system.
[1] Based on Dell internal analysis, January 2020
Demo: Dell SafeBIOS Verification