Computer processors get the final word when running programmes. Can they judge bad code from good?
Is ransomware detection using hardware possible? We look at Intel’s approach to improving ransomware detection.
All malware has to run on a target to achieve its goal. Whether it’s a remote access Trojan, a wild internet worm or devastating ransomware, malware is ultimately software that has to run on a PC of some sort. The anti-virus software industry tries to detect and stop these threats, but news headlines suggest it’s not winning the war.
Part of the problem is that attackers can disguise malware. In the same way you might try to slip past a security guard in thick glasses and a wig, hackers can take their regular code and make it look different. There are many ways to do this, but before it can achieve its ultimate goal, malware has to run, or execute. And at that stage it drops its disguise, at least as far as the hardware it runs on is concerned. As the code runs, its intentions become clear.
Security on a Chip
And this presents an opportunity for defenders – detect malware at the very last moment, just as it reveals itself while executing. The concept of ‘security on a chip’ has been around for a long time, and when Intel bought McAfee in 2010 the world waited for anti-virus processors. They didn’t really appear, and seven years later McAfee and Intel separated.
But now Intel claims that it has introduced anti-malware to its vPro hardware platform.
By monitoring code as it executes, it hopes to detect malware and inform compatible security software when it does. It claims to do this by using pattern matching, via machine learning, to spot suspicious behaviour. The goal is to have a combination of security software and hardware working together to prevent infections.
Ransomware Detection Using Hardware
Ransomware is a prevalent, damaging and expensive threat that can cripple the largest organisations and completely destroy smaller ones. But it’s just code that you don’t want to run on your computer. It’s not even that unpredictable. In most cases it will encrypt data, delete files and steal information.
This presents another opportunity for detection. Regardless of how a file ‘looks’, if it starts doing the usual bad things you’d expect from ransomware, it’s probably safe to identify it as a threat. Intel’s claim is that its Threat Detection Technology is capable of spotting malicious trends with the help of machine learning.
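One way to make the ‘usual bad things’ concrete, as an added example that is not Intel’s code or part of the original report: a small behavioural scorer that runs over a constructed per-process file-event trace and flags a process that repeatedly reads a file, writes high-entropy (encrypted-looking) output and deletes the original. The event shape, the entropy floor, the cycle threshold and the sample trace are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of per-process file events in the shape a behavioural
# monitor might emit: (pid, operation, path, data written). Not a real trace.
SAMPLE_EVENTS = [
    (101, "write",  "report.docx", b"Quarterly figures, plain text " * 4),
    (202, "read",   "photo1.jpg", b""),
    (202, "write",  "photo1.jpg.locked", bytes(range(256)) * 2),
    (202, "delete", "photo1.jpg", b""),
    (202, "read",   "notes.txt", b""),
    (202, "write",  "notes.txt.locked", bytes(range(255, -1, -1)) * 2),
    (202, "delete", "notes.txt", b""),
    (202, "read",   "budget.xlsx", b""),
    (202, "write",  "budget.xlsx.locked", bytes(range(256)) * 2),
    (202, "delete", "budget.xlsx", b""),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0,
    ordinary documents well below."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_processes(events, entropy_floor=7.5, min_cycles=3):
    """Count read -> high-entropy write -> delete-original cycles per process.
    Returns {pid: cycles} for processes at or above min_cycles."""
    cycles = defaultdict(int)
    pending = {}                       # pid -> last path read, not yet deleted
    high_entropy = defaultdict(set)    # pid -> paths written with high entropy
    for pid, op, path, data in events:
        if op == "read":
            pending[pid] = path
        elif op == "write" and shannon_entropy(data) >= entropy_floor:
            high_entropy[pid].add(path)
        elif op == "delete" and pending.get(pid) == path and high_entropy[pid]:
            cycles[pid] += 1           # original removed after encrypted-looking write
            pending.pop(pid, None)
    return {pid: c for pid, c in cycles.items() if c >= min_cycles}
```

On the constructed trace, process 101 (plain-text write, nothing deleted) is ignored and process 202 is flagged with three cycles, regardless of what its executable looked like on disk.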
Origin Story
When detection happens at the hardware level, it doesn’t matter if the malware appears in a Zip file, is downloaded from Dropbox or is a script that hides inside an Office document. The malware doesn’t even need to land on the hard disk. File-less and other threats all need to run on the processor.
In this report we test Intel’s claims that the Threat Detection Technology built into its vPro platform can detect known ransomware and disguised variations.