Microsoft's inaugural Security Signals report for March 2021 shows that 80% of enterprises have experienced one firmware attack during the past two years, but less than a third of security budgets are dedicated to protecting firmware.
Firmware attacks are tricky to deal with. State-sponsored hacking group APT28, or Fancy Bear, was caught in 2018 using a Unified Extensible Firmware Interface (UEFI) rootkit to target Windows PCs. There have also been attacks that rely on hardware drivers, such as RobbinHood, Uburos, Derusbi, Sauron and GrayFish, as well as ThunderSpy, a theoretical attack aimed at Thunderbolt ports.
Microsoft launched a new range of "Secured-Core" Windows 10 PCs last year to counter malware that tampers with the code in motherboards that boots a PC. It's also released a UEFI scanner in Microsoft Defender ATP to scan inside the firmware filesystem for the presence of malware.
SEE: Network security policy (TechRepublic Premium)
But enterprises aren't treating the firmware attacks seriously enough, according to a study that Microsoft commissioned Hypothesis Group to conduct.
"The study showed that current investment is going to security updates, vulnerability scanning, and advanced threat protection solutions," Microsoft notes.
"Yet despite this, many organizations are concerned about malware accessing their system as well as the difficulty in detecting threats, suggesting that firmware is more difficult to monitor and control. Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation."
It's worth noting that Microsoft is promoting its "emerging class of secured-core hardware", such as the Arm-based Surface Pro X, which start at $1,500, with the SQ2 processor, or HP's Dragonfly laptops that retail for no less than $2,000.
But the company does have a point. Firmware lives below the operating system and is where credentials and encryption keys are stored in memory, where it's not visible to antivirus software.
"Many devices in the market today don't offer visibility into that layer to ensure that attackers haven't compromised a device prior to the boot process or at runtime bellow the kernel. And attackers have noticed," Microsoft says.
The question is whether security teams are looking enough at future threats. Microsoft thinks they're not. The Security Signals survey found that 36% of businesses invest in hardware-based memory encryption and 46% are buying in hardware-based kernel protections.
Microsoft's study found that security teams are focussing on "protect and detect" models of security, pointing out that only 39% of security teams' time is spent on prevention.
The lack of proactive defense investment in kernel attack vectors is an example of this outdated model, according to Microsoft.
Most of the 1,000 enterprise security decision makers interviewed (82%) said they don't have enough resources to address high-impact security work because they're too busy dealing with patching, hardware upgrades, and mitigating internal and external vulnerabilities.