CES 2021: Intel adds ransomware detection capabilities at the silicon level

Intel 11th Gen Intel Core vPro CPUs with support for the Hardware Shield and TDT features will be able to detect ransomware attacks at the hardware level, many layers below antivirus software.
Written by Catalin Cimpanu, Contributor


At the 2021 Consumer Electronics Show today, Intel announced it is adding ransomware detection capabilities to its new 11th Gen Core vPro processors through improvements to its Hardware Shield and Threat Detection Technology (TDT).

A partnership with Boston-based Cybereason was also announced, with the security firm expected to add support for these new features to its security software in the first half of 2021.

Both companies said that this would mark the first-ever case where "PC hardware plays a direct role" in detecting ransomware attacks.

How it will all work

Under the hood, all of this is possible via two Intel features, namely Hardware Shield and Intel Threat Detection Technology (TDT). Both are part of Intel vPro, a collection of enterprise-centered technologies that Intel ships with some of its processors.

Hardware Shield is a technology that locks down the UEFI/BIOS, and TDT is a technology that uses CPU telemetry to detect possibly malicious code.

Both of these technologies work on the CPU directly, many layers under software-based threats, such as malware, but also antivirus solutions. The idea behind Intel's new features is to share some of its data with security software and allow it to spot malware that may be hiding in places where antivirus apps can't reach.

"Intel TDT uses a combination of CPU telemetry and ML heuristics to detect attack-behavior," Intel said in a press release today. "It detects ransomware and other threats that leave a footprint on Intel CPU performance monitoring unit (PMU)."

"The Intel PMU sits beneath applications, the OS, and virtualization layers on the system and delivers a more accurate representation of active threats, system-wide," it added. "As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor's code."

According to Intel and Cybereason, this new technology should allow companies to detect ransomware attacks when ransomware strains try to avoid detection by hiding inside virtual machines, since Hardware Shield and TDT run many layers below them.

Available with 11th Gen Core vPro processors

"Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats," said Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel.

"Our new 11th Gen Core vPro mobile platform provides the industry's first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks," the Intel exec added.

"Together with Cybereason's multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defenses."

To use the new feature, systems administrators only have to use security software that supports it. No changes are required to CPUs because while most vPro features are optional, Intel has recently made Hardware Shield mandatory for all new CPUs starting with its 10th Gen release.

While Cybereason will be the first to support detecting ransomware using hardware indicators, other security vendors will most likely tap into it in the future.

Today's news comes after Intel has been investing heavily in security in recent years. In June 2020, Intel also announced it was adding its new Control-flow Enforcement Technology (CET) to CPUs, a feature it said could help protect systems against malware that uses Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) techniques to infect devices and hijack apps.
