Intel and Microsoft machine learning tackles cryptojacking

  • April 28, 2021
  • Steve Rogerson

Intel and Microsoft are working together to use machine-learning technology to combat cryptojacking.

Microsoft Defender for Endpoint has integrated Intel’s silicon-based threat detection to advance endpoint detection and response against cryptojacking malware.

Starting this week, Microsoft Defender for Endpoint has expanded its use of Intel Threat Detection Technology (TDT) beyond accelerated memory scanning to activate CPU-based cryptomining machine-learning (ML) detection. This move further accelerates endpoint detection and response for millions of users without compromising the user experience.

“This is a true inflection point for the security industry as well as our SMB, mid-market and enterprise customers that have rapidly adopted Windows 10 with built-in endpoint protections,” said Michael Nordquist, senior director at Intel. “Customers who choose Intel vPro with the exclusive Intel Hardware Shield now gain full-stack visibility to detect threats out of the box with no need for IT configuration. The scale of this CPU-based threat detection rollout across customer systems is unmatched and helps close gaps in corporate defences.”

TDT, part of Intel Hardware Shield’s suite of capabilities on Intel vPro and also available on Intel Core platforms, equips endpoint detection and response (EDR) with CPU heuristics for memory scanning, cryptojacking and ransomware detection. With nearly a billion Intel TDT-capable PCs in the market, these CPU-based malware behaviour-monitoring capabilities go beyond signature and file-based techniques.

“Intel is unlocking capabilities in its system on a chip that fundamentally change the rules of the game,” said Frank Dickson, vice president at IDC. “The silicon-level telemetry and functionality enable the hardware compute platform to play an active role in threat defence against above-the-OS attacks. Clearly the goal is to empower Intel-based systems of today and tomorrow to be fundamentally more secure and have lower malware infection rates than AMD, Apple and other Arm-based processor systems.”

In April 2020, nearly 5400 cryptocurrencies with a total market capitalisation of $201bn were traded. Since then, the market value has increased as cryptocurrency makes its way into the mainstream. The financial rewards of cryptocurrency create new threats and risks: as its value rises, cyber criminals shift their focus from ransomware to cryptojacking.

Cryptojacking is malicious cryptomining in which cyber criminals install malware on business and personal computers, laptops and mobile devices. This malware uses the computer’s processing power and resources to mine cryptocurrencies or to steal cryptocurrency wallets, and it can slow computers dramatically and keep them from operating normally. Some cryptojacking scripts have worming capabilities that allow them to infect other devices and servers on a network.

Intel TDT helps endpoint security harness CPU telemetry and hardware acceleration to identify threats and detect anomalous activity. It uses a combination of CPU telemetry and machine-learning heuristics to detect specific behaviour. The CPU performance monitoring unit sits below the applications, operating system and virtualised layers, giving a greater view into active threats across the stack. TDT bolsters EDR and improves visibility where it has historically been a challenge, including the increasing trend of malware attempting to cloak itself in a virtual machine.

“This partnership is one example of our ongoing investment and deep collaboration with technology partners across the industry,” said Karthik Selvaraj, principal security research manager at Microsoft. “We work closely with chip makers to explore and adopt new hardware-based defences that deliver robust and resilient protection against cyber threats. As organisations look to simplify their security investments, built-in platform-based security technologies, such as the integration of Intel TDT with Microsoft Defender for Endpoint, combine best of breed.”

As threats are detected, TDT sends a high-fidelity signal that triggers EDR remediation workflows to help protect the infected PC and prevent lateral movement across the corporate fleet. The telemetry and ML heuristics are incorporated as part of the endpoint, and multiple concurrent detectors can run in parallel.

This threat detection does not create a performance hit that would force IT leaders to trade off better security against a good user experience. TDT can offload performance-intensive security workloads to the integrated graphics controller, freeing the CPU and allowing for increased scanning with reduced impact on the computing experience.

The threat detection capabilities are native to Intel Core and vPro platforms and operate with EDR without any installation or IT deployment configuration. When combined with remote monitoring and maintenance, the cyber-security defences of Intel Hardware Shield, and no-contact deployment of the 11th generation Intel Core vPro mobile processor, users can be assured they have comprehensive hardware-based security for business.