Intel says its new 11th generation Core vPro business-class processors will offer CPU telemetry and ML heuristics to detect attack-behavior — bringing hardware-based ransomware detection to the market for the first time as vendors push integrated security offerings ever further down the stack.
The new “Intel Threat Detection Technology” (TDT) detects malware that leaves a footprint on Intel’s CPU performance monitoring unit (PMU), the chip colossus said on Monday. The Intel PMU sits beneath applications, the OS and virtualisation layers on the system and as it detects threats can send a “high-fidelity signal that can trigger remediation workflows in… security vendor’s code”, Intel said. (Cyberreason was an early adopting partner).
“IT departments using EDR software or outsourced MDR operations can collect additional context on Intel TDT-signaled threats to remediate with patches or segment machines using perimeter network defenses” Intel said.
Boston-based Cybereason noted in a release: “The solution represents the first instance where PC hardware plays a direct role in ransomware cyber defense to better protect enterprise endpoints from costly attacks”
A product sheet claims that the “PMU data and ML heuristics that Intel TDT analyzes for detection purposes… can help identify polymorphic malware, file-less scripts, cryptomining, ransomware and other targeted attacks—in real-time and with little if any end-user impact.” The company said endpoint detection offerings Microsoft Defender, SentinelOne Singularity, and Blackberry Optics can all integrate.
EDR solutions are “typically reactive” Intel said, adding that “Intel TDT provides them with a real-time hardware-based signal that makes their detection more proactive”. (Frankly, this is a matter of semantics: it pushes the reaction down the stack, but Intel suggests it may allow users to avoid unnecessary scanning and agent bloat; i.e. be more proactive about being reactive — saying too many false positives remain an issue, as does a drag on endpoint performance caused by increasing EDR vendor reliance on AI-based detection).
“Commonly deployed detection techniques like static signatures, static/behavioral “honey pot” files, and behavioral file I/O all have bypasses exploited by ransomware using delayed arbitrary starts, avoiding hidden folders, using multiple threads for faster execution, and using memory mapped I/O for file encryption” the chip maker noted, adding that cyber criminals now sometimes target ransomware into the VM layer that security vendors can’t see with OS-based scanning software.