Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips

Intel and Cybereason have partnered to build anti-ransomware
defenses into the chipmaker’s newly announced 11th generation Core
vPro[1]
business-class processors.

The hardware-based security enhancements are baked into Intel’s
vPro platform via its Hardware Shield[2]
and Threat Detection Technology[3] (TDT), enabling
profiling and detection of ransomware and other threats that
affect CPU performance.

“The joint solution represents the first instance where PC
hardware plays a direct role in ransomware defenses to better
protect enterprise endpoints from costly attacks,” Cybereason
said[4].

Exclusive to vPro, Intel Hardware Shield provides protections
against firmware-level attacks targeting the BIOS[5], thereby ensuring that
the operating system (OS) runs on legitimate hardware as well as
minimizing the risk of malicious code injection by locking down
memory in the BIOS when the software is running to help prevent
planted malware from compromising the OS.

Intel TDT, on the other hand, leverages a combination of CPU
telemetry data and machine learning-based heuristics to identify
anomalous attack behavior — including polymorphic malware,
file-less scripts, crypto mining, and ransomware infections — in
real-time.

“The Intel [CPU performance monitoring unit] sits beneath
applications, the OS, and virtualization layers on the system and
delivers a more accurate representation of active threats,
system-wide,” Intel said[6]. “As threats are
detected in real-time, Intel TDT sends a high-fidelity signal that
can trigger remediation workflows in the security vendor’s
code.”

The development comes as ransomware attacks exploded in number
last year, fueled in part by the COVID-19 pandemic[7], with the average payout
increasing from about $84,000 in 2019 to about $233,000 last
year.

The ransomware infections have also led to a spike in “double
extortion,” where cybercriminals steal sensitive data before
deploying the ransomware and hold it hostage in hopes that the
victims will pay up rather than risk having their information made
public — thus completely undermining the practice of recovering
from data backups and avoiding ransom payments.

What’s more, malware operators are increasingly extending their
focus beyond the operating system of the device to lower layers to
potentially deploy bootkits and take complete control of an
infected system.

Last month, researchers detailed a new “TrickBoot[8]” feature in TrickBot
that can allow attackers to inject malicious code in the UEFI/BIOS
firmware of a device to achieve persistence, avoid detection and
carry out destructive or espionage-focused campaigns.

Viewed in that light, the collaboration between Intel and
Cybereason is a step in the right direction, making it easier to
detect and eradicate malware from the chip level all the way to the
endpoint.

“Cybereason’s multi-layered protection, in collaboration with
Intel Threat Detection Technology, will enable full-stack
visibility to swiftly detect and block ransomware attacks before
the data can be encrypted or exfiltrated,” the companies said.

References

  1. vPro (en.wikipedia.org)
  2. Hardware Shield (www.intel.in)
  3. Threat Detection Technology (www.intel.com)
  4. said (www.cybereason.com)
  5. BIOS (en.wikipedia.org)
  6. said (www.intel.com)
  7. COVID-19 pandemic (thehackernews.com)
  8. TrickBoot (thehackernews.com)
