Introduction:
The Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns about the security of Unified Extensible Firmware Interface (UEFI) update mechanisms. In an exclusive interview, CISA emphasizes the need for a secure-by-design approach to enhance the overall security posture of UEFI. This article aims to summarize the content, highlight the lessons learned, and provide insights that businesses can use to address similar challenges. Additionally, we will identify potential SABSA attributes and business enablement objectives relevant to the story.
UEFI as an Attack Surface:
UEFI plays a crucial role in a system’s booting-up routine and is composed of several components such as security and platform initializers, drivers, bootloaders, and a power management interface. However, its popularity as an attack surface stems from the fact that malicious code loaded into UEFI can achieve high persistence levels, making it invisible to traditional incident response tactics. Incident response and OS-level defenses often struggle to detect and eliminate threats within UEFI, which necessitates a comprehensive security approach.
Lessons Learned:
1. Secure-by-design: Organizations should take responsibility for the security of their software, including update pathways. Adopting a secure-by-design approach ensures that the software is inherently hardened against potential vulnerabilities.
2. Standardization: The industry needs to establish standard practices for securing UEFI to neutralize threats effectively. Businesses should expect systems that are secure by design and securely updateable.
The BlackLotus Bootkit and UEFI Updates:
BlackLotus is one of the malware that bypasses Microsoft’s UEFI Secure Boot implementation. Microsoft released patches in January 2022 and May 2023 to mitigate the issue, but the National Security Agency (NSA) indicated that these patches are insufficient. BlackLotus exploits the failure in secure update distribution, allowing threat actors to execute the malware by rolling back files to vulnerable versions.
Secure Update Mechanisms:
To address the issues caused by BlackLotus and similar malware, organizations should focus on improving the security of their update mechanisms. Implementing a secure public key infrastructure (PKI) approach and an automated update system would go a long way in mitigating the risks.
Implications for Businesses:
1. PKI Management: Businesses can benefit from adopting a PKI management approach that utilizes a small number of secret keys for signing files. This approach enables easy revocation in case of vulnerabilities and reduces collateral damage.
2. Hardening Systems: Infrastructure owners should take additional manual steps to harden their systems, such as tightening user executable policies and monitoring the integrity of the boot partition. However, manual security fixes should not be the norm, and businesses should strive for automated comprehensive solutions.
Strategies for Improving UEFI Update Cybersecurity:
CISA provides specific recommendations to enhance UEFI update cybersecurity. These strategies can help businesses improve their own security practices:
1. Audit and Management: System owners should audit, manage, and update UEFI components just like any other software. Maintaining software bills of materials is essential for accountability and vulnerability management.
2. Event Logging and Response: Operational teams should be able to collect, analyze, and respond to UEFI-related activities through event logs. UEFI-native watchdog and reporting capabilities should be leveraged to relay information to the OS or endpoint detection and response tools.
3. Secure Development Best Practices: UEFI component developers should adopt secure development environments and follow software development best practices to minimize vulnerabilities.
4. Universal Update Capabilities: The UEFI vendor community should universally adopt uninterrupted and reliable update capabilities. This ensures that UEFI component updates do not burden operational communities and end-users.
SABSA Attributes and Business Enablement Objectives:
The SABSA framework provides a comprehensive approach to addressing security architecture. In this context, the following SABSA attributes and business enablement objectives are relevant:
1. Attributes:
– Availability: Ensuring uninterrupted and reliable update capabilities for UEFI components.
– Integrity: Monitoring the integrity of UEFI components through event logs and response mechanisms.
– Confidentiality: Implementing secure development practices to protect sensitive information during UEFI component development.
2. Business Enablement Objectives:
– Risk management: Building systems that are secure by design to minimize the risk of persistent malware.
– Compliance: Following best practices and industry standards to demonstrate compliance with security requirements.
Conclusion:
The CISA’s call to action highlights the need for the computer industry to adopt a secure-by-design approach and revamp the security of UEFI update mechanisms. The lessons learned from the BlackLotus bootkit emphasize the importance of secure update distribution and PKI management. Businesses can mitigate similar challenges by adopting secure development practices, implementing robust update capabilities, and ensuring accountability through audits and management. By aligning with SABSA attributes and business enablement objectives, organizations can strengthen their UEFI security posture and minimize the risk of persistent malware.
