Intel is bringing ransomware protection to its new 11th Gen Core vPro mobile processors with the goal of strengthening security and visibility at the hardware level without disrupting the user experience.
The Intel vPro platform is an enterprise offering built to include new technologies that businesses and employees need, including security tools and higher performance. Its new vPro processors and platform updates aim to provide application, data, and lower-level security protections that sit below the operating system and defend against ransomware attacks plaguing organizations.
"Ransomware has been the bane of cybersecurity for a long time now — a couple of years at least — and we're seeing a constant evolution," says Cybereason CTO Yonatan Striem-Amit.
Attacks are growing in number and complexity as operators find new ways to evade detection. In the last couple of years, he says, more attackers have adopted the dual-extortion technique in which they demand ransom payment and even if they receive it, publish stolen information. Many ransomware strains have evolved to bypass traditional signature and behavioral-based detection; some new variants hide themselves in virtual machines to avoid antivirus software.
"We have seen the market adapt to this change, with ransomware defense evolving from signature-based prevention, to the use of deception techniques, to behavioral detection for more sophisticated variants," says Forrester analyst Allie Mellen regarding the response of businesses.
Typical ransomware defenses focus on improving security through steps like anti-phishing, backups, and other proactive methods, says Michael Nordquist, senior director of strategic planning and architecture in Intel's Business Client Group. Full-stack protection, above and below the operating system, demands both hardware- and software-based security features.
Intel's Threat Detection Technology (TDT) was invented to take advantage of new CPU-based telemetry that can indicate attacks across the full computing stack, Nordquist says. This is one of the features included in Intel Hardware Shield, a bundle of security capabilities built into the Intel vPro platform to provide security below the operating system level. Intel TDT detects ransomware and other security threats that leave a footprint on Intel's CPU performance monitoring unit (PMU), which sits beneath applications, the operating system, and virtualization layers.
"One of the unique byproducts of Intel TDT's CPU telemetry for ransomware is the ability to identify not only the most common attacks, but to some extent, it can detect many new zero-day variants since the encryption algorithms across ransomware families are similar," he adds.
Ransomware attacks don't target the CPU, Striem-Amit says, but performing threat detection at the CPU level gives businesses a more granular look into everything happening on a device — including more evasive and harder-to-detect forms of ransomware that modern attackers use.
"The CPU offers a unique source of data to observe what's happening on the machine, because it's the heart, the brains of the machine — the computer itself, " he says. Everything executes on the CPU, including the ransomware that is running and encrypting files on a target machine.
When Cybereason's defensive technology runs on a machine with a new Intel Core vPro mobile processor, it can expand its functionality, Striem-Amit says. The CPU can count and report multiple events, and over time, machine learning capabilities can distinguish which are benign and which may be malicious. Encryption, for example, is used in online communication, but a certain volume and manner, combined with signals from the OS, could demand a closer look. This level of visibility can expose ransomware from legitimate data encryption, Intel says.
Intel TDT makes use of machine learning capabilities to detect attacks in real time. However, rather than run compute-intensive machine learning models on the CPU, TDT offloads machine learning algorithms onto the built-in Xe Graphical Processing Unit (GPU), providing threat detection without causing lags in the user experience. Because of this, they can run more complex machine learning models to detect ransomware without slowing down operations.
Cybereason is the first security software provider to confirm plans to integrate this new protection to monitor CPU behavior for ransomware activity. Intel's updated vPro platform, combined with Cybereason's technology, aims to give organizations full-stack visibility to detect and block ransomware attacks.
As Nordquist points out, Intel TDT is most relevant to antivirus and endpoint detection and response providers. "From an ecosystem enablement standpoint, it really depends on the individual capability to identify the relevant OEM or software partner to activate and bring to market," he says. "This is where Intel's traditional role as a neutral provider comes into play."
Other institutions have done research on using hardware for malware detection, including researchers at Columbia University, Binghamton University, and the University of California-Riverside, in addition to Intel, as Mellen points out. It remains to be seen whether the latest update will introduce a significant security boost.
"Past research has yet to show meaningful security improvements using these techniques," she says. "While using hardware for malware detection is entirely possible, it remains to be seen if it has significant impact on device security over existing security software."