

Intel's New vPro Processors Aim to Help Defend Against Ransomware

The newest Intel Core vPro mobile platform gives PC hardware a direct role in detecting ransomware attacks.

Intel is bringing ransomware protection to its new 11th Gen Core vPro mobile processors with the goal of strengthening security and visibility at the hardware level without disrupting the user experience.


The Intel vPro platform is Intel's enterprise PC offering, bundling the performance and manageability features businesses ask for with a set of security tools. The new vPro processors and platform updates aim to protect applications and data and to add lower-level protections that sit below the operating system, with the goal of defending against the ransomware attacks plaguing organizations.

"Ransomware has been the bane of cybersecurity for a long time now — a couple of years at least — and we're seeing a constant evolution," says Cybereason CTO Yonatan Striem-Amit.

Attacks are growing in number and complexity as operators find new ways to evade detection. In the last couple of years, he says, more attackers have adopted the double-extortion technique, in which they demand a ransom payment and, even if they receive it, publish stolen information. Many ransomware strains have evolved to bypass traditional signature-based and behavioral detection; some newer variants hide themselves inside virtual machines to avoid antivirus software.

"We have seen the market adapt to this change, with ransomware defense evolving from signature-based prevention, to the use of deception techniques, to behavioral detection for more sophisticated variants," says Forrester analyst Allie Mellen regarding the response of businesses.

Typical ransomware defenses focus on proactive steps such as anti-phishing controls, backups, and other preventive measures, says Michael Nordquist, senior director of strategic planning and architecture in Intel's Business Client Group. Full-stack protection, above and below the operating system, requires both hardware- and software-based security features.

Intel's Threat Detection Technology (TDT) was developed to take advantage of CPU telemetry that can indicate attacks across the full computing stack, Nordquist says. It is one of the features in Intel Hardware Shield, a bundle of security capabilities built into the Intel vPro platform to provide protection below the operating system. Intel TDT looks for ransomware and other threats that leave a footprint in the CPU's performance monitoring unit (PMU), the hardware counters that tally events such as instructions retired, cycles and cache misses, and which sit beneath applications, the operating system, and virtualization layers.

"One of the unique byproducts of Intel TDT's CPU telemetry for ransomware is the ability to identify not only the most common attacks, but to some extent, it can detect many new zero-day variants since the encryption algorithms across ransomware families are similar," he adds.

Ransomware attacks don't target the CPU, Striem-Amit says, but performing threat detection at the CPU level gives defenders a more granular view of everything happening on a device, including the more evasive, harder-to-detect forms of ransomware that modern attackers use.

"The CPU offers a unique source of data to observe what's happening on the machine, because it's the heart, the brains of the machine — the computer itself," he says. Everything executes on the CPU, including the ransomware that is running and encrypting files on a target machine.

When Cybereason's defensive technology runs on a machine with a new Intel Core vPro mobile processor, it can draw on this telemetry to expand its functionality, Striem-Amit says. The CPU can count and report many kinds of events, and over time machine learning can distinguish which patterns are benign and which may be malicious. Encryption, for example, is routine in online communication, but encryption at a certain volume and in a certain manner, combined with signals from the OS, warrants a closer look. This level of visibility can distinguish ransomware from legitimate data encryption, Intel says.
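The correlation Striem-Amit describes here, and the PMU footprint Nordquist refers to above, as an added, simplified example in Python. This is not Intel's, Cybereason's or any product's code: the counter fields, the thresholds, the per-process telemetry windows and the pseudo-ciphertext generator are all constructed for illustration, and a TDT-style detector would replace the hand-set thresholds with a trained model. What it shows is that a CPU-side "encryption-like" profile alone (a browser busy with TLS) or an OS-side bulk-rewrite alone (a backup agent copying plaintext) does not raise an alert; only both together, sustained over several windows, does.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Hypothetical thresholds for this illustration; a deployed detector would learn them
# from labelled telemetry rather than hard-code them.
IPC_MIN = 2.0            # instructions per cycle: a tight compute loop
MISS_RATE_MAX = 0.005    # cache misses per instruction: data mostly stays in cache
REWRITES_MIN = 40        # files rewritten in one window: bulk activity
ENTROPY_MIN = 7.5        # bits/byte of written data: looks like ciphertext
CONSECUTIVE_WINDOWS = 3  # sustained behaviour, not a one-second spike


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer: 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Sample:
    """One per-process, one-second telemetry window (constructed for this example)."""
    t: int
    pid: int
    comm: str
    instructions: int     # PMU counter: instructions retired
    cycles: int           # PMU counter: unhalted core cycles
    cache_misses: int     # PMU counter: last-level cache misses
    files_rewritten: int  # OS signal: files opened for write and then overwritten or renamed
    written: bytes        # OS signal: a sample of the bytes the process wrote to disk


def cpu_crypto_like(s: Sample) -> bool:
    """CPU-side signal: a cache-resident, high-throughput loop such as bulk encryption."""
    ipc = s.instructions / s.cycles if s.cycles else 0.0
    miss_rate = s.cache_misses / s.instructions if s.instructions else 1.0
    return ipc >= IPC_MIN and miss_rate <= MISS_RATE_MAX


def os_bulk_rewrite(s: Sample) -> bool:
    """OS-side signal: many files rewritten with high-entropy contents."""
    return s.files_rewritten >= REWRITES_MIN and shannon_entropy(s.written) >= ENTROPY_MIN


class RansomwareDetector:
    """Alerts on a pid only when both signals coincide for CONSECUTIVE_WINDOWS windows in a row."""

    def __init__(self) -> None:
        self.history = defaultdict(lambda: deque(maxlen=CONSECUTIVE_WINDOWS))

    def observe(self, s: Sample):
        h = self.history[s.pid]
        h.append(cpu_crypto_like(s) and os_bulk_rewrite(s))
        if len(h) == CONSECUTIVE_WINDOWS and all(h):
            return f"t={s.t} pid={s.pid} comm={s.comm}: sustained encryption-like CPU load plus bulk high-entropy rewrites"
        return None


def pseudo_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for cipher output (not real encryption)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:n])


PLAINTEXT = b"Quarterly report: revenue up 4% on strong services demand. " * 80


def constructed_samples():
    """Four seconds of telemetry for three processes (all values constructed)."""
    samples = []
    for t in range(4):
        # Browser: TLS keeps the core in a crypto loop, but it barely writes to disk.
        samples.append(Sample(t, 1001, "browser", 9_000_000_000, 4_000_000_000, 30_000_000,
                              0, pseudo_ciphertext(b"tls", 4096)))
        # Backup agent: rewrites many files, but copies plaintext and is memory-bound.
        samples.append(Sample(t, 1002, "backup", 2_000_000_000, 4_000_000_000, 80_000_000,
                              120, PLAINTEXT[:4096]))
        # Encryptor: tight crypto loop and hundreds of files rewritten with ciphertext.
        samples.append(Sample(t, 1003, "encryptor", 9_500_000_000, 4_000_000_000, 20_000_000,
                              300, pseudo_ciphertext(b"victim", 4096)))
    return samples


def run(samples=None) -> list:
    """Feed samples through the detector in time order and return the alerts raised."""
    det = RansomwareDetector()
    alerts = []
    for s in sorted(samples if samples is not None else constructed_samples(), key=lambda x: x.t):
        a = det.observe(s)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

On Linux the three PMU fields can be sampled for a live process with `perf stat -e instructions,cycles,cache-misses -p <pid> -I 1000`, which prints the counts every second; looking at how much the per-second ratios jitter for an ordinary workload is the first check to run before trusting any threshold like the ones above. Note that an encrypting backup agent would light up both signals and needs allow-listing by some other attribute, which is one reason the OS-side context matters as much as the counters.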

Intel TDT uses machine learning to detect attacks in real time. Rather than run compute-intensive models on the CPU, TDT offloads them to the processor's integrated Intel Xe graphics processing unit (GPU), so detection does not cause lags in the user experience. This also allows more complex models to be run to detect ransomware without slowing down operations.

Cybereason is the first security software provider to confirm plans to integrate this new protection to monitor CPU behavior for ransomware activity. Intel's updated vPro platform, combined with Cybereason's technology, aims to give organizations full-stack visibility to detect and block ransomware attacks.

As Nordquist points out, Intel TDT is most relevant to antivirus and endpoint detection and response providers. "From an ecosystem enablement standpoint, it really depends on the individual capability to identify the relevant OEM or software partner to activate and bring to market," he says. "This is where Intel's traditional role as a neutral provider comes into play."

Other institutions, including Columbia University, Binghamton University, and the University of California, Riverside, have researched hardware-assisted malware detection alongside Intel, as Mellen points out. Whether the latest update delivers a significant security boost remains to be seen.

"Past research has yet to show meaningful security improvements using these techniques," she says. "While using hardware for malware detection is entirely possible, it remains to be seen if it has significant impact on device security over existing security software."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
