Thursday, March 3, 2022

Defending against ransomware with Microsoft Defender for Endpoint and Intel TDT: A Case Study

Ransomware, long a top concern for security decision makers, continues to increase in both volume and sophistication. As outlined in the 2021 Microsoft Digital Defense Report, the publicly reported profits from ransomware and extortion attacks give these attackers a much larger budget to work with, new ways to build attack techniques, and the means to create more realistic lures. Ransomware kits and affiliate networks enable even low-skill attackers to participate in this high-profit, low-cost attack type.


Given the increasing prevalence and sophistication of ransomware attacks, we are announcing that we have collaborated with Intel to extend the integration of Intel® Threat Detection Technology (Intel® TDT) into Microsoft Defender for Endpoint to enhance detection and protection specifically against ransomware. This builds on our previous work with Intel TDT and Microsoft Defender for Endpoint to help detect and protect against cryptojacking. Intel TDT is a detection approach that can augment traditional file-based or behavior-based detection. This technology integration focuses on the CPU execution patterns that are characteristic of ransomware attacks. Intel TDT is available in a broad range of Intel hardware over multiple generations and will be available for consumers through Microsoft Defender Antivirus. We plan to turn on this new capability in Microsoft Defender for Endpoint later this year. 

For more information on this integration, see this video.


Intel Threat Detection Technology integrated with Microsoft Defender for Endpoint

The Intel TDT integration with Defender for Endpoint is based on telemetry coming directly from Intel hardware, which records low-level information about the execution patterns of the instructions the Central Processing Unit (CPU) is processing, at the microarchitectural level. Ransomware relies heavily on the CPU to encrypt user and business data, and the integration uses these hardware signals to detect that encryption activity.


How does this technology work? Intel TDT applies machine learning to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU). This helps detect the execution “fingerprint” of malware code at runtime with minimal overhead. The detector then sends signals to Microsoft Defender for Endpoint, which applies its own threat intelligence and machine learning to assess them. Microsoft Defender for Endpoint can then raise an alert and block or remediate the threat automatically.


In recent hardware, Intel TDT has added several performance improvements and optimizations, such as offloading the machine learning inference to Intel’s integrated graphics processing unit (GPU) to enable continuous monitoring.

Case study:  WastedLocker ransomware

To show the Microsoft Defender for Endpoint and Intel TDT ransomware technology in action, we tested it against a recent and well-known ransomware family, WastedLocker. WastedLocker appeared in 2020 and is still active and evolving. Its name is derived from the filename it creates, an abbreviation of the host name followed by the term ‘wasted’.


Based on our observation, the WastedLocker group uses Cobalt Strike, delivered through the SocGholish/FakeUpdate JavaScript backdoor, as its initial attack vector, with the backdoor arriving as a drive-by download. The downloaded ZIP file contains malicious JavaScript that masquerades as a browser update. When the JavaScript runs, it explores the environment using common living-off-the-land commands such as whoami or net user. Ultimately the attacker establishes a backdoor connection from their own infrastructure into the victim network, from which they deploy the WastedLocker ransomware to remote machines.
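One way to catch the early part of that chain in endpoint telemetry, as an added example that is not Defender for Endpoint's own detection logic: a script host (wscript.exe or cscript.exe) that was started with a .js file from a user-writable location and then, directly or through a shell, runs several discovery commands. The process-creation events, their field names and the file paths below are constructed for the example, modelled on Sysmon/EDR process-creation records.

```python
"""Detect a dropped .js running under a script host that goes on to run
living-off-the-land discovery tools (whoami, net user, ...). Added example;
the events, field names and paths are constructed, not real telemetry."""
import ntpath
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes the ancestor walk may pass through between a tool and its script host.
PASS_THROUGH = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe"}
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe",
             "ipconfig.exe", "qwinsta.exe", "tasklist.exe"}
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def script_host_ancestor(event, by_pid, max_hops=4):
    """Walk parent links up to max_hops; return the script-host event if the
    chain reaches one through PASS_THROUGH processes only, else None."""
    cur = event
    for _ in range(max_hops):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        name = _image_name(parent["image"])
        if name in SCRIPT_HOSTS:
            return parent
        if name not in PASS_THROUGH:
            return None
        cur = parent
    return None


def runs_script_from_user_path(host_event) -> bool:
    """True when the script host was handed a .js/.jse file under a
    user-writable location, which is where a browser download lands."""
    cmd = host_event["cmdline"].lower()
    has_js = re.search(r'\.jse?(["\s]|$)', cmd) is not None
    return has_js and any(h in cmd for h in USER_WRITABLE_HINTS)


def detect(events, min_distinct=2):
    """Map script-host pid -> sorted discovery tools it (transitively) ran,
    keeping only hosts that ran at least min_distinct different tools."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        tool = _image_name(e["image"])
        if tool not in DISCOVERY:
            continue
        host = script_host_ancestor(e, by_pid)
        if host is not None and runs_script_from_user_path(host):
            hits[host["pid"]].add(tool)
    return {pid: sorted(tools) for pid, tools in hits.items() if len(tools) >= min_distinct}


def ev(pid, ppid, image, cmdline=None):
    """Build one constructed process-creation record."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or ntpath.basename(image)}


# Constructed events: pid 300 is the malicious chain; 400 and 500 are benign lookalikes.
EVENTS = [
    ev(100, 1, r"C:\Windows\explorer.exe"),
    ev(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # User double-clicks the extracted "update" script from Downloads.
    ev(300, 100, r"C:\Windows\System32\wscript.exe",
       r'wscript.exe "C:\Users\alice\Downloads\browser_update.js"'),
    ev(301, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ev(302, 301, r"C:\Windows\System32\whoami.exe"),
    ev(303, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user"),
    ev(304, 303, r"C:\Windows\System32\net.exe", "net user"),
    ev(305, 304, r"C:\Windows\System32\net1.exe", "net1 user"),
    # An admin runs whoami from a shell started by explorer: no script host above it.
    ev(400, 100, r"C:\Windows\System32\cmd.exe"),
    ev(401, 400, r"C:\Windows\System32\whoami.exe"),
    # Vendor inventory script from Program Files: a script host, but not a dropped .js.
    ev(500, 100, r"C:\Windows\System32\cscript.exe",
       r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"'),
    ev(501, 500, r"C:\Windows\System32\systeminfo.exe"),
]

if __name__ == "__main__":
    print(detect(EVENTS))   # {300: ['net.exe', 'net1.exe', 'whoami.exe']}
```

Requiring two or more distinct discovery tools under one script host, rather than alerting on the first whoami, is what keeps the two benign lookalikes quiet while still firing early in the chain, before the Cobalt Strike backdoor is established.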


WastedLocker attacks are targeted at specific organizations. Each attack creates a custom-configured build that is unique to a specific environment under attack. This makes it hard to detect and block such attacks via traditional file-, signature-, and behavior-based detections. Additionally, WastedLocker is continually tuned to evade security solutions. 


We tested the latest WastedLocker binaries on a PC with the Microsoft Defender for Endpoint and Intel TDT ransomware integration deployed. When WastedLocker runs, CPU usage clearly increases as a result of the encryption activity:



Figure 1: CPU usage while under attack from WastedLocker.


However, the technology needs to separate legitimate activity from malicious activity, both of which may increase CPU usage. Intel TDT monitors this activity, leveraging the PMU combined with machine learning to determine the threat profile. Signals are then sent to Microsoft Defender for Endpoint, which combines these signals with its own rich set of Microsoft security intelligence to identify the malicious process. Finally, Microsoft Defender for Endpoint can surface a detection notification and can automatically block and remediate the threat.



Figure 2: Threat blocked within Microsoft Defender for Endpoint.
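The detection idea described in the "How does this technology work?" paragraph above and in this case study, as an added toy example that is not Intel TDT's model, feature set or code: per-process windows of performance-counter deltas are turned into scale-free features, a small classifier separates encryption-like windows from other CPU-heavy work, and an alert fires only on a sustained run of flagged windows. The page does not publish which counters or model Intel TDT uses; the counter names, the logistic-regression model and every number below are assumptions constructed for the example.

```python
"""Toy PMU-telemetry classifier: constructed counter windows, a logistic
regression trained by gradient descent, and a sustained-activity rule.
Added example; not Intel TDT's counters, features or model."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PmuWindow:
    """Counter deltas for one process over one sampling interval (constructed)."""
    pid: int
    instructions: int
    cycles: int
    aes_instructions: int   # hypothetical event: AES-NI instructions retired
    loads: int
    stores: int


def features(w: PmuWindow) -> list:
    """Scale-free ratios so windows of different lengths are comparable:
    share of AES work, write-heaviness, and instructions per cycle."""
    aes_fraction = w.aes_instructions / max(w.instructions, 1)
    store_load_ratio = w.stores / max(w.loads, 1)
    ipc = w.instructions / max(w.cycles, 1)
    return [aes_fraction, store_load_ratio, ipc]


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, epochs=5000, lr=1.0):
    """Logistic regression by full-batch gradient descent; samples are
    (PmuWindow, label) with label 1 = ransomware-like, 0 = benign."""
    n = len(features(samples[0][0]))
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for win, label in samples:
            x = features(win)
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - label
            gw = [gi + err * xi for gi, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * gi / len(samples) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(samples)
    return w, b


def score(model, win: PmuWindow) -> float:
    """Probability that a window looks like ransomware encryption."""
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, features(win))) + b)


def first_alert(model, windows, threshold=0.5, consecutive=3):
    """Index of the window at which `consecutive` flagged windows in a row
    have been seen for the same pid, else None. One busy window (a file
    copy, a video encode) does not trip it; sustained AES-heavy,
    write-heavy execution does."""
    streak = {}
    for i, win in enumerate(windows):
        if score(model, win) >= threshold:
            streak[win.pid] = streak.get(win.pid, 0) + 1
            if streak[win.pid] >= consecutive:
                return i
        else:
            streak[win.pid] = 0
    return None


# Constructed training windows (counts per interval; not measured data).
RANSOM = [PmuWindow(41, 1_000_000, 700_000, 300_000, 200_000, 220_000),
          PmuWindow(41, 900_000, 690_000, 234_000, 210_000, 250_000),
          PmuWindow(41, 1_100_000, 730_000, 363_000, 190_000, 200_000)]
ENCODE = PmuWindow(7, 2_000_000, 800_000, 4_000, 500_000, 150_000)   # video encode: high IPC, no AES
COPY = PmuWindow(8, 400_000, 500_000, 0, 100_000, 110_000)           # bulk file copy: write-heavy, no AES
TLS = PmuWindow(9, 800_000, 700_000, 64_000, 200_000, 80_000)        # browser TLS: some AES, read-heavy
IDLE = PmuWindow(10, 50_000, 200_000, 0, 10_000, 5_000)
TRAINING = [(r, 1) for r in RANSOM] + [(ENCODE, 0), (COPY, 0), (TLS, 0), (IDLE, 0)]
MODEL = train(TRAINING)

# Constructed stream: a file copy, then pid 41 starts encrypting.
STREAM = [COPY, COPY, RANSOM[0], RANSOM[1], RANSOM[2], RANSOM[0]]

if __name__ == "__main__":
    print("alert at window index:", first_alert(MODEL, STREAM))   # 4
```

The point of the ratio features is the one the case study makes: raw CPU usage rises for a file copy, a video encode and a TLS-heavy browser as much as for ransomware, so the classifier has to look at how the CPU is being used (AES share, store-to-load balance, IPC) rather than how busy it is, and the streak rule is the "continuous monitoring" half, so a single unusual window is not an alert.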


The combination of Intel Threat Detection Technology and Microsoft Defender for Endpoint can provide additional protections against one of the largest threat types today: ransomware. With new ways to detect ransomware activities at the hardware layer, this pair of technologies can help users keep ahead of threat actors who are continuing to enhance ransomware tactics and techniques. The partnership between Intel and Microsoft can help provide stronger full-stack security from hardware to software and enhance our detections in Microsoft Defender for Endpoint.


This is yet another way we are creating integrations between hardware and software with our ecosystem partners to create choice for customers based on their specific needs. Our defense in depth approach involves addressing a variety of different problems in different layers of the system. We believe hardware can be used to tackle multiple types of problems in security and the combination of these technologies over time will help to better secure customers. Intel TDT integration provides hardware support for the problem of ransomware detection while other hardware technologies such as Dynamic Root of Trust for Measurement (DRTM) and Microsoft Pluton address other security needs like booting an operating system securely even against firmware threats and storing sensitive data safely even against physical attacks.


Learn more

For additional details, please see the Intel Security blog and Intel TDT. Additionally, you can view this video, watch this demo, or listen to this Security Unlocked podcast.


Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.


To learn more about Microsoft Security solutions visit our website. Bookmark the Microsoft Defender for Endpoint blog to keep up with our expert coverage on security matters. 

In collaboration with Amitrajit Banerjee, Andrea Lelli, Suriyaraj Natarajan, Shankar Rajagopalan, and Intel
