Intel announced today at CES 2021 that they have added hardware-based ransomware detection to their newly announced 11th generation Core vPro business-class processors.
These hardware-based detections are accomplished using Intel Threat Detection Technology (Intel TDT) and Hardware Shield that run directly on the CPU underneath the operating system and firmware layers.
Intel Hardware Shield is a built-in security feature that adds out-of-the-box security protections directly to the CPU hardware, such as:
- Helping to prevent malicious code injection by restricting memory access in the BIOS at runtime.
- Dynamically launching the OS and hypervisor in an Intel® hardware–secured code environment inaccessible from firmware. This technique also helps verify that the operating system and its virtual environment are running directly on Intel hardware, as opposed to malware that is spoofing the hardware.
- Providing operating system visibility into the BIOS- and firmware-protection methods used at boot time.
Intel TDT uses hardware telemetry to detect fileless malware, cryptomining, polymorphic malware, and ransomware in real-time based on CPU metrics and behavioral detections. When a threat is discovered, TDT will send signals to security software integrated with the platform to alert it of the threat.
“As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor’s code. Intel TDT issues no specialized efficacy or performance reports; rather, the data is seamlessly incorporated as a part of normal endpoint sensor reporting,” Intel’s TDT product brief explains.
Intel TDT also allows security software to offload memory scans to the onboard Intel graphics engine for better performance.
Because these features run directly on the CPU, below any software, including the BIOS and firmware, malware is prevented from hiding from the hardware security features.
Cybereason partners with Intel for hardware-based ransomware protection
As part of today’s announcement, security firm Cybereason announced that they would be integrating their security platform with Intel’s TDT to perform hardware-based ransomware detection.
“This collaboration with Intel to add CPU based threat detection bolsters our long history and industry-leading capabilities in detecting and eradicating ransomware. The combination of best-of-class hardware, software, and security know-how provides defenders with full-stack visibility critical to ending the era of double extortion that is currently costing organizations hundreds of millions each year,” said Lior Div, CEO and Co-Founder, Cybereason.
Using the CPU counters and metrics exposed by TDT, Cybereason states that they will benefit from the following:
- CPU Threat Detection—Enables enterprise customers to go beyond signature and file-based techniques by leveraging CPU-based behavioral prevention of ransomware.
- Full-Stack Visibility—Eliminates blind spots to expose ransomware as it avoids detection in memory or hides in virtual machines while differentiating legitimate data encryption processes for business purposes.
- Unleash Machine Learning for Better Security—Enterprises can accelerate performance-intensive machine learning security algorithms by offloading to the Intel integrated graphics controller to boost capacity to analyze more data and do more security scans.
- Accelerate Endpoint Prevention, Detection & Response—Enterprises can bolster the performance of their security agent processing for better user experiences.
According to Cybereason and Intel, this partnership will be the first instance of PC hardware being directly used to detect ransomware.
“Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats. Our new 11th Gen Core vPro mobile platform provides the industry’s first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks. Together with Cybereason’s multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defenses,” said Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel.