New Intel CPU-level threat detection capabilities target ransomware

Security vendors can now leverage new telemetry and machine learning processing capabilities built into Intel’s 11th Gen mobile processors to better detect and block sophisticated ransomware programs that attempt to evade traditional detection techniques. The features are built into Intel Core CPUs designed for businesses that include the vPro feature set.

Aside from IT management capabilities, the vPro platform provides various hardware-enhanced security features under the name Hardware Shield. These include things like trusted execution, virtualization, memory encryption, runtime BIOS resilience and threat detection technology (Intel TDT).

How Intel TDT works

Intel TDT uses telemetry data from the CPU’s performance monitoring unit (PMU) combined with accelerated machine learning heuristics to detect potential threats. Some types of malicious programs impact the performance of the CPU because of the type of tasks they execute. Ransomware programs clearly fall in this category because of their heavy file encryption routines and so do cryptominers—malicious programs that hijack the computer’s CPU or GPU to mine cryptocurrency.

The performance impact is reflected in the PMU telemetry data and machine learning models can use it to identify potentially suspicious or abnormal behavior that could indicate the presence of malware. Security products that run inside the OS can use the signals from Intel TDT to trigger further scanning and remediation workflows. Essentially, this enables behavior-based malware detection at the CPU-level.

“Typical defenses focus on bolstering security through things like anti-phishing, backups, or other proactive methods—these are great practices but attacks eventually can make it through,” Michael Nordquist, senior director of strategic planning and architecture in the Business Client Group at Intel, tells CSO. “In these cases, Intel TDT is able to detect the most prevalent ransomware strains right from the start of their file encryption and can immediately signal AV/EDR software to remediate the attack. This can be invaluable to not only limit the damage on the infected endpoint, but this can prevent lateral damage to other endpoints or vectoring into network or Cloud/SaaS based apps.”

How ransomware can hide from traditional detection

Detecting ransomware programs has never been easy, and attackers have always found ways to evade security products. The sophisticated groups that use manual hacking and perform months-long reconnaissance and lateral movement inside corporate networks will know very well what malware detection software their victims are using and can test in advance to make sure their payload will not be detected. This is part of the reason why ransomware campaigns are so effective and devastating to organizations.

Aside from signature-based detection, security products attempt to detect ransomware-like behavior by monitoring for unusual patterns in file activity. For example, the reading and writing of a large number of files in certain directories or with certain file types in rapid succession can indicate suspicious activity. Significant differences in the contents of overwritten files is another example since an encrypted file will look totally different than the original file. Attempts to delete Volume Shadow Copy Service (VSS) backups can also be indicative of ransomware. All these signals together can be used to detect ransomware, but attackers can still try to hide, for example, by slowing down file encryption and executing it in batches.

Some ransomware groups have gone even further. For example, the creators of Ragnar Locker and Maze have started abusing virtualization technology to hide their malicious process in memory. To achieve this, they deployed Oracle VirtualBox on victims’ computers, set up lightweight Windows virtual machines and gave them access to the entire hard disk of the host OS, then executed their ransomware inside the virtual machine where most antivirus programs can’t see or don’t look.

“The use of VMs is most often done to hide the memory, so that the [security] software cannot scan the ransomware memory, but the ransomware program still has to interact with the file system the has to run the same kind of instructions that perform the encryption,” Yonatan Striem-Amit, the CTO of security vendor Cybereason, tells CSO. (Cybereason has already integrated Intel TDT’s new ransomware detection capabiltiies.) “Both the behavior signals, as well as the Intel performance counters are able to see through that veil and handle it, regardless of whether or not we’re able to read the process memory. The process memory is a less critical indicator at this point, and therefore the efficacy of hiding by using VM technologies becomes much less effective.”

Intel TDT offloads machine learning to the GPU

Most modern CPUs come with an embedded GPU that can read the computer’s physical RAM through a feature called direct memory access (DMA). This helps GPUs perform their processing tasks faster and share RAM with the host OS. Intel TDT takes advantage of this feature to accelerate the compute-intensive machine learning models it uses for detection by executing them on the integrated Intel Iris Xe graphics unit, therefore freeing the CPU for other tasks.

“Now, with the combination of existing signals from the operating system and application behavior, the CPU-level performance indicators and the power of building and being able to run more complex machine learning models in-line, gives you the ability to define ransomware with higher than ever before possible accuracy,” Striem-Amit says. “This is an evolution of the technology that allows us to marry OS-level visibility with CPU-level performance counters to really understand if there is ransomware activity.”

Intel TDT has existed since 2018 and some of its capabilities have already been adopted by other security solutions like Microsoft Defender, SentinelOne Singularity, and Blackberry Optics. The improvements added in Gen 11 Intel vPro-enabled CPUs were designed with ransomware detection in mind, given the widespread nature of this threat and the serious impact it has had on businesses worldwide in recent years.