Intel's New vPro Processors Aim to Help Defend Against Ransomware

The newest Intel Core vPro mobile platform gives PC hardware a direct role in detecting ransomware attacks.

Intel is bringing ransomware protection to its new 11th Gen Core vPro mobile processors with the goal of strengthening security and visibility at the hardware level without disrupting the user experience.


The Intel vPro platform is an enterprise offering built to include new technologies that businesses and employees need, including security tools and higher performance. Its new vPro processors and platform updates aim to provide application, data, and lower-level security protections that sit below the operating system and defend against ransomware attacks plaguing organizations.

"Ransomware has been the bane of cybersecurity for a long time now — a couple of years at least — and we're seeing a constant evolution," says Cybereason CTO Yonatan Striem-Amit.

Attacks are growing in number and complexity as operators find new ways to evade detection. In the last couple of years, he says, more attackers have adopted the double-extortion technique: they demand a ransom payment and, even if they receive it, publish the stolen information. Many ransomware strains have evolved to bypass traditional signature-based and behavioral detection; some new variants hide themselves inside virtual machines to avoid antivirus software.

"We have seen the market adapt to this change, with ransomware defense evolving from signature-based prevention, to the use of deception techniques, to behavioral detection for more sophisticated variants," says Forrester analyst Allie Mellen regarding the response of businesses.

Typical ransomware defenses focus on improving security through steps like anti-phishing, backups, and other proactive methods, says Michael Nordquist, senior director of strategic planning and architecture in Intel's Business Client Group. Full-stack protection, above and below the operating system, demands both hardware- and software-based security features.

Intel's Threat Detection Technology (TDT) was invented to take advantage of new CPU-based telemetry that can indicate attacks across the full computing stack, Nordquist says. This is one of the features included in Intel Hardware Shield, a bundle of security capabilities built into the Intel vPro platform to provide security below the operating system level. Intel TDT detects ransomware and other security threats that leave a footprint on Intel's CPU performance monitoring unit (PMU), which sits beneath applications, the operating system, and virtualization layers.

"One of the unique byproducts of Intel TDT's CPU telemetry for ransomware is the ability to identify not only the most common attacks, but to some extent, it can detect many new zero-day variants since the encryption algorithms across ransomware families are similar," he adds.

Ransomware attacks don't target the CPU, Striem-Amit says, but performing threat detection at the CPU level gives businesses a more granular look into everything happening on a device — including more evasive and harder-to-detect forms of ransomware that modern attackers use. 

"The CPU offers a unique source of data to observe what's happening on the machine, because it's the heart, the brains of the machine — the computer itself," he says. Everything executes on the CPU, including the ransomware that is running and encrypting files on a target machine.

When Cybereason's defensive technology runs on a machine with a new Intel Core vPro mobile processor, it can expand its functionality, Striem-Amit says. The CPU can count and report many kinds of events, and over time machine learning can distinguish which are benign and which may be malicious. Encryption, for example, is routine in online communication, but a certain volume and pattern of it, combined with signals from the OS, could warrant a closer look. This level of visibility can distinguish ransomware from legitimate data encryption, Intel says.
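The two preceding paragraphs describe the general idea: the CPU's performance monitoring unit counts events below the OS, and a detector correlates those counts with OS-level signals so that heavy encryption alone (a browser doing TLS) or heavy file activity alone (a backup job) is not enough to raise an alert. The block below is an added illustration of that correlation logic, written for this page; it is not Intel TDT's or Cybereason's code. The counter names (`crypto_ops`), the weights, the saturation points and the persistence threshold are assumptions chosen for the example, and the telemetry windows are constructed sample data.

```python
"""Correlating CPU-counter telemetry with OS file-activity signals.
Illustrative only: counter names, weights and thresholds are assumptions
for this example, not Intel TDT's model."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """One sampling window for one process; counters are deltas over the window."""
    pid: int
    comm: str
    instructions: int    # PMU: instructions retired
    crypto_ops: int      # hypothetical PMU-derived count of crypto-class instructions
    files_written: int   # OS signal: distinct files modified
    files_renamed: int   # OS signal: files renamed to a new extension


def features(w: Window) -> dict:
    """Normalise raw counters into the two features the score combines."""
    instr = max(w.instructions, 1)          # guard against an empty window
    return {
        "crypto_ratio": w.crypto_ops / instr,
        "file_churn": w.files_written + w.files_renamed,
    }


def window_score(w: Window) -> float:
    """Score in [0, 1]; high only when heavy encryption AND high file churn coincide."""
    f = features(w)
    crypto = min(f["crypto_ratio"] / 0.20, 1.0)   # saturate at 20% crypto instructions (assumed)
    churn = min(f["file_churn"] / 50, 1.0)        # saturate at 50 files per window (assumed)
    return crypto * churn                         # product: either signal alone stays near 0


class Detector:
    """Flag a process once its score stays above `threshold` for `persist`
    consecutive windows, so a single noisy window does not trigger an alert."""

    def __init__(self, threshold: float = 0.5, persist: int = 3):
        self.threshold = threshold
        self.persist = persist
        self.streak = defaultdict(int)   # pid -> consecutive windows above threshold
        self.alerts = []                 # (pid, comm) pairs flagged so far

    def observe(self, w: Window) -> bool:
        """Feed one window; return True if this window completes an alert."""
        if window_score(w) >= self.threshold:
            self.streak[w.pid] += 1
        else:
            self.streak[w.pid] = 0
        if self.streak[w.pid] == self.persist:   # fire exactly once per streak
            self.alerts.append((w.pid, w.comm))
            return True
        return False


def run(windows) -> list:
    """Replay a telemetry stream and return the processes that were flagged."""
    d = Detector()
    for w in windows:
        d.observe(w)
    return d.alerts


# Constructed telemetry, four windows each: a TLS-heavy browser (crypto but few
# writes), a backup tool (many writes but no crypto) and a process that both
# encrypts and renames files.
SAMPLE = []
for _ in range(4):
    SAMPLE.append(Window(101, "browser", 10_000_000, 2_500_000, 2, 0))
    SAMPLE.append(Window(202, "backup", 10_000_000, 50_000, 80, 0))
    SAMPLE.append(Window(303, "encryptor", 10_000_000, 3_000_000, 60, 60))

if __name__ == "__main__":
    for w in SAMPLE[:3]:
        print(f"{w.comm:10s} score={window_score(w):.3f}")
    print("flagged:", run(SAMPLE))
```

The product of the two saturated features is the point of the example: the browser scores about 0.04 and the backup tool about 0.025, because each has only one of the two signals, while the encrypting process scores 1.0 in every window and is flagged after the third consecutive one. A real detector would replace the hand-picked weights with a trained model, which is the role the article assigns to machine learning.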

Intel TDT uses machine learning to detect attacks in real time. However, rather than run compute-intensive models on the CPU, TDT offloads the machine learning algorithms onto the built-in Intel Xe graphics processing unit (GPU), providing threat detection without introducing lag in the user experience. This lets TDT run more complex machine learning models to detect ransomware without slowing down normal operations.

Cybereason is the first security software provider to confirm plans to integrate this new protection to monitor CPU behavior for ransomware activity. Intel's updated vPro platform, combined with Cybereason's technology, aims to give organizations full-stack visibility to detect and block ransomware attacks.

As Nordquist points out, Intel TDT is most relevant to antivirus and endpoint detection and response providers. "From an ecosystem enablement standpoint, it really depends on the individual capability to identify the relevant OEM or software partner to activate and bring to market," he says. "This is where Intel's traditional role as a neutral provider comes into play."

Intel is not the only organization researching hardware-based malware detection: researchers at Columbia University, Binghamton University, and the University of California-Riverside have also worked on it, Mellen points out. It remains to be seen whether the latest update will deliver a significant security boost.

"Past research has yet to show meaningful security improvements using these techniques," she says. "While using hardware for malware detection is entirely possible, it remains to be seen if it has significant impact on device security over existing security software."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
