A powerful hardware-based threat detection technology is being integrated into a Microsoft enterprise security product to help protect businesses from cryptojacking malware.
The move, that Intel Threat Detection Technology integrates with Microsoft Defender for Endpoint, was announced. Oftentimes, there’s no follow-through by security teams because crypto mining can be difficult to detect in the enterprise. Purandar Das, CEO and co-founder of Sotero, a data protection company in Burlington, Mass, explained:
“Slow or sluggish machines are the norm in many enterprises due to bloated software and also due to the many threat detections and automated upgrades that are performed on them.”
The problem with failing to foil crypto miners is that the cryptocurrency mined at these organizations is then used to fund other nefarious activities by criminal gangs or state-sponsored actors, Schrader maintained. As Microsoft and Intel are doing, executing security tasks in a hardware module has significant performance advantages indeed. Das also added:
“The process of identification based on resource utilization and even resource monitoring is much faster than with software-based approaches,” he said. Equally importantly, it eliminates the need for deploying software that can be buggy and potentially come with vulnerabilities.”
What’s more, Intel TDT gives system defenders insight into what’s happening at the CPU layer. Intel TDT applies machine learning to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU) to detect the malware code execution “fingerprint” at runtime with minimal overhead, wrote Selvaraj. Additional performance gains can be achieved by offloading some machine learning to Intel’s integrated graphics processing unit (GPU).
The TDT technology is based on telemetry signals coming directly from the PMU, the unit that records low-level information about performance and microarchitectural execution characteristics of instructions processed by the CPU.
Coin miners make heavy use of repeated mathematical operations and this activity is recorded by the PMU, which triggers a signal when a certain usage threshold is reached. The signal is processed by a layer of machine learning. Since the signal comes exclusively from the utilization of the CPU, caused by execution characteristics of malware, it is unaffected by common anti-malware evasion techniques such as binary obfuscation or memory-only payloads.
Any improvements in tossing coin miners off enterprise systems will be welcomed by security teams since cryptojacking can be so hard to detect.
The Big problem is that skilful coin miners can be very difficult to detect, added Kron.
“While cryptojacking software can cause system lockups or reboots when being pushed hard, many organizations do not look at these events as indicators of compromise, nor do they monitor the CPU usage of workstations within the organization, making it easier for the malware to hide its activities.”
What is more, as cryptocurrency values continue to rise, cryptojacking becomes more attractive to cybercriminals, leading to more attacks. However, the bigger issue with cryptojacking is that the malware is often not alone on the devices.