
Intel AI PCs Deliver an Industry Validated Defense vs Real World Attacks

todd_cramer

Joint 2-Part Blog Series

Todd Cramer, Director Security Ecosystem Business Development, Intel

Ajit Joshi, Sr. Director, Platform Security, Intel

Saurabh Swaroop, Sr. Security Researcher, Intel

Lalit Siroya, Director Security Assurance & Research, Intel

 

Visibility is the prime directive for cybersecurity.  But how will that change in the era of the AI PC? 

Security Operations (SecOps) teams deploy powerful agents across endpoint PC fleets to inspect every process for signs of malware. Security software vendors have mapped their capabilities to the MITRE ATT&CK framework to show where they provide solutions. Managed Security Providers help enterprises triage daily alerts in XDR, SIEM, and co-pilot security tools. Pretty sophisticated, but the applicability of hardware security, in the PCs you already own, to real-world attacks has remained a mystery… until now.

In the first part of this blog series, we will discuss the impact of a new MITRE Center for Informed Defense (CTID) industry project: PC Security Stack Mappings - Hardware Enabled Defense. This project mapped Intel vPro® security features to 150 cumulative and unique threat tactics, (sub-)techniques and procedures (TTPs) where PC hardware delivers out-of-the-box protections with optimized security software (Figure 1).1 The results prove that the choice of PC hardware has a significant impact on the ability of security software and OS features to help protect corporate assets against advanced cyber adversaries. Let’s look at how this comes together:


Figure 1- MITRE CTID Project

MITRE ATT&CK® is a free, open global knowledge base of adversarial tactics and techniques based on real-world observations.  It is the gold standard taxonomy used by companies worldwide to better understand the why and how of adversarial behavior during an attack. This has evolved into an ecosystem of security solutions that use functional MITRE dashboards to present real-time views into the security risk and posture for an enterprise. Finally, it has become an indispensable tool for procurement to help evaluate security solution coverage- guiding SecOps to deploy a true threat informed defense.

Over the span of many months, MITRE CTID collaborated with over thirty experts from Intel, Microsoft, CrowdStrike, and ATTACK IQ to map and rank the significance of hardware-optimized security software features against MITRE ATT&CK framework tactics and (sub-)techniques. The project used a modern AI PC build with the full set of Intel vPro security protections enabled on a typical enterprise-class security software stack.


 Figure 2- Mapping Hardware & Software Stack

  • Dell Intel vPro AI PC- For mapping and emulation test validation, MITRE used a Dell Latitude with an Intel Core Ultra Processor. Dell activates Intel security capabilities, enriching its own unique built-in below-the-OS defenses, when it manufactures an Intel vPro device.
  • Intel vPro Security- Delivers 30 silicon features that protect three attack surfaces: below the OS (firmware verification and secure boot), App and Data Protections (virtualization & encryption), and Advanced Threat Protections (Intel® Threat Detection Technology for EDRs & AVs).
  • Microsoft Secured-core PCs- These new Intel vPro Security mappings to MITRE ATT&CK help to deliver a more secure Windows 11 for the enterprise. When Intel vPro capabilities are present and configured by OEMs, the Windows OS reports that the PC build is Secured-core PC compliant, helping enable Windows 11’s protections (e.g., advanced protection of firmware and dynamic root of trust measurement).3 MITRE mapped over 90 hardware-assisted mitigations to TTPs (Windows 11 + Microsoft Defender).
  • Endpoint Detection and Response- MITRE mapped two solutions to give a representation of a primary security platform typically run by an enterprise.
    • Microsoft Defender- Integral feature of the Windows operating system. It leverages Intel® Threat Detection Technology (Intel® TDT), including CPU-assisted AI-based ransomware & cryptojacking detection, and Accelerated Memory Scanning that offloads tasks to the integrated Intel iGPU. (Microsoft TTP counts are cumulative- see the Secured-core PC bullet above.)
    • CrowdStrike Falcon- Deployed as a kernel-level agent, Falcon has implemented Intel TDT and Intel CPU telemetry capabilities to uncover attacks executing in memory (e.g., Falcon’s Advanced Memory Scanning to detect file-less malware and Hardware Enhanced Exploit Detection that uncovers ROP exploit attacks). MITRE mapped over 85 hardware-assisted mitigations to TTPs.
  • Threat Emulation via ATTACK IQ- To validate the mappings and prove that functional security controls do stop attack tactics as designed, MITRE selected a subset of scenarios for testing. MITRE emulated around 20 TTPs; details can be found on their project web site.

 

Sample REvil Ransomware Attack Chain Scenario

Below we illustrate how hardware-optimized security software capabilities in Windows 11 and Microsoft Defender can help disrupt a Ransomware attack chain.


Figure 3- Microsoft Security Scenario

Impact

This illustrates how Windows Virtualization Based Security, which uses Intel® Virtualization Technology for Directed I/O (Intel® VT-d) and Intel® Virtualization Technology (Intel® VT-x), is leveraged by Windows Hello Enhanced Sign-in to help isolate and protect the user’s biometrics from the rest of Windows. A hardware-secured SSO helps secure the platform and core services from common malware entry tactics such as phishing emails. If the attacker succeeds in dropping a malicious file, injecting into a process, and starting evasion techniques, Microsoft Defender can leverage Intel’s hardware-accelerated memory scanning to potentially help detect execution tactics. Finally, if the attack campaign succeeds in starting ransomware encryption, Microsoft Defender stands poised to leverage Intel Threat Detection Technology AI, CPU telemetry, and iGPU offload as a fail-safe to help detect ransomware encryption activity early and effectively. See the demo for more.

 

Sample Cobalt Strike Attack Chain Scenario

Let's look at a second scenario, a Cobalt Strike file-less attack in memory, and how CrowdStrike Falcon helps provide mitigations by leveraging hardware. Fileless malware attacks have become popular with adversaries. Almost 75% of all attack types abuse valid system processes, for example by executing in memory, where they can evade traditional EDR defenses.4


Figure 4- CrowdStrike Scenario

Impact

This is a prime illustration where the hardware in your PC helps to provide the incremental compute power to scan memory without disrupting the user’s computing experience. For CrowdStrike, this delivers up to 7x the capacity to scan deeper and uncover over 80 TTPs. See CrowdStrike demo video for more.5

 

Operationalizing the Mappings

We invite you to explore the MITRE blog that contains links to the mappings methodology, JSON mappings metadata, and ATT&CK Navigator tools. Each mapped TTP contains links to detailed technical papers that go deep on each vendor’s feature. We also encourage you to read related blogs from the MITRE project participants Microsoft, CrowdStrike, and ATTACK IQ.

Click to expand the Heat Map below for a first view of the hardware enabled defense coverage or click here to generate all 150 techniques & sub-techniques from the MITRE site.


Figure 5- Heat Map

Key Outcomes

There are a number of use cases where the mappings provide immediate SecOps value:

Relevance vs Today’s High-Profile Attacks- Intel AI PCs help security solutions build a significant defense against some of the most impactful TTPs used by malware such as ransomware variants (e.g. REvil & Ryuk) and file-less malware (e.g. Cobalt Strike & the Sliver C2 framework). For SecOps, you’re reducing the volume of successful attacks overall, leveraging the investments you already made in Intel vPro PC fleets and your security software.

PC Fleet Refresh- With each generation of new Intel processors, we release new hardware enabled security capabilities. Intel and Microsoft will continue to update the mappings to MITRE ATT&CK so you can make an assessment as to the real-world impacts of those features. For the first time, this equips SecOps teams with the data they need to justify an accelerated PC refresh based on attacks they see in the wild. They now have a detailed view to understand how the new generation of AI PCs help protect against sophisticated threat tactics. As an outcome of this project, MITRE documented a new user story and role called Enterprise Fleet Manager (EFM) responsible for a company’s PC fleet for procurement and maintenance. They are chartered to apply a comprehensive approach with the CISO to factor in hardware-based security.

Security Posture and Risk- SecOps teams can overlay the hardware mitigations alongside software-only mitigations in tools such as SIEM dashboards, to get a complete picture where the enterprise has defense in depth capabilities that stand ready to protect against attack campaigns. This also assists with risk assessment to understand how open vulnerabilities in software or hardware may introduce a hole in an attack chain that an attacker can exploit.

Security Software- Intel encourages the integration of this data into SIEM attack dashboards/alerts, penetration test/attack emulation software, and zero trust device health scoring models. For example, users on older-generation PCs could get a lower zero trust policy score, which triggers an additional step-up second-factor authentication as they remotely attempt to access corporate or SaaS cloud apps. Intel has also launched Intel® Device Discovery, a service that enables device management software to query a fleet for its hardware-enabled security capabilities. When combined with these new MITRE ATT&CK TTPs, this will spur a plethora of new usages for security ecosystem innovation. Finally, note that security software alone may have other capabilities that detect or thwart attacks.
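The posture overlay and zero trust scoring described under Security Posture and Risk and Security Software, as an added worked example that is not part of this post or of the MITRE CTID project: the record shape for the control-to-technique mappings, the device inventory shape, the control names, and the specific technique pairings are all assumed for illustration, and the scoring threshold is a hypothetical policy value.

```python
# Added illustration; not Intel, MITRE CTID or vendor code. The mapping and
# inventory schemas below are assumed, not the project's published JSON.

# Constructed mapping records: hardware-enabled control -> ATT&CK technique.
# Technique IDs are real ATT&CK IDs, but the control/technique pairings are
# illustrative only and are not taken from the published mappings.
MAPPINGS = [
    {"control": "vbs",            "technique": "T1003.001", "tactic": "credential-access"},
    {"control": "vbs",            "technique": "T1056.001", "tactic": "collection"},
    {"control": "tdt_ams",        "technique": "T1055",     "tactic": "defense-evasion"},
    {"control": "tdt_ransomware", "technique": "T1486",     "tactic": "impact"},
    {"control": "secure_boot",    "technique": "T1542.001", "tactic": "persistence"},
]

# Constructed fleet inventory, shaped like what a device-discovery query might
# return: "supported" is what the silicon offers, "enabled" what is turned on.
FLEET = {
    "lat-ultra-01": {"supported": {"vbs", "tdt_ams", "tdt_ransomware", "secure_boot"},
                     "enabled":   {"vbs", "tdt_ams", "tdt_ransomware", "secure_boot"}},
    "lat-ultra-02": {"supported": {"vbs", "tdt_ams", "tdt_ransomware", "secure_boot"},
                     "enabled":   {"secure_boot"}},            # shipped with VBS/TDT off
    "legacy-07":    {"supported": {"secure_boot"},
                     "enabled":   {"secure_boot"}},            # older silicon, no TDT
}

def coverage(device):
    """Split mapped techniques into covered (control enabled), misconfigured
    (silicon supports the control but it is disabled) and uncovered (no
    hardware control on this device addresses the technique)."""
    covered, misconfigured, uncovered = set(), set(), set()
    for m in MAPPINGS:
        if m["control"] in device["enabled"]:
            covered.add(m["technique"])
        elif m["control"] in device["supported"]:
            misconfigured.add(m["technique"])
        else:
            uncovered.add(m["technique"])
    # One enabled control is enough: don't report a technique as a gap if
    # another mapped control already covers it.
    misconfigured -= covered
    uncovered -= covered | misconfigured
    return covered, misconfigured, uncovered

def device_score(device):
    """Share of all mapped techniques this device mitigates, 0.0 .. 1.0."""
    total = {m["technique"] for m in MAPPINGS}
    return len(coverage(device)[0]) / len(total)

def access_policy(device, threshold=0.75):
    """Hypothetical zero trust rule: step-up MFA when hardware coverage is thin."""
    return "allow" if device_score(device) >= threshold else "step-up-mfa"
```

Feeding the misconfigured set to the fleet manager separates "buy new hardware" gaps from "turn the feature on" gaps, which is the distinction a posture dashboard needs.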

 

The AI PC- New Visibility to Build a Threat Informed Defense

Combatting today’s threats requires defense-in-depth — a robust security stack where hardware and software are tightly optimized to bolster overall security posture. Having insights into both software and hardware-based security measures can help enterprises unlock the full potential and ROI available from a modern Intel AI PC fleet deployment. The outcomes of this industry project have advanced the state of the art in cybersecurity. Intel would like to thank Microsoft, CrowdStrike, ATTACK IQ, and most of all MITRE Center for Informed Defense for their focus on a hardware enabled defense.

 

Be sure to read Part 2 of this blog series, which focuses on Secure AI. We will dive deeper into the silicon-enabled security designed to help protect AI models, data, and GenAI user interactions as those workloads run across Intel platforms. Intel mapped over 30 TTPs to the new MITRE ATLAS framework, demonstrating the impact of silicon-enabled security for the AI PC.

 

1 150 count represents cumulative Intel vPro unique techniques/sub techniques that span Microsoft Windows 11, Microsoft Defender, and CrowdStrike Falcon as of January 4, 2025.

2 Dell Trusted Devices support off host Intel ME firmware verification

3 Secured-core PC protections Microsoft Secured-core PC Website 2024

4 2023 CrowdStrike Global Threat Report

5 2022 CrowdStrike AMS Blog

 

*All versions of the Intel vPro® platform require an eligible Intel processor, a supported operating system, Intel LAN and/or WLAN silicon, firmware enhancements, and other hardware and software necessary to deliver the manageability use cases, security features, system performance and stability that define the platform. See intel.com/performance-vpro for details.

*AI features may require software purchase, subscription or enablement by a software or platform provider, or may have specific configuration or compatibility requirements.  Data latency, cost, and privacy advantages refer to non-cloud-based AI apps.  Learn more at intel.com/AIPC.

*Performance varies by use, configuration and other factors. Learn more at intel.com/performanceindex.

No product or component can be absolutely secure. 

Your costs and results may vary. 

Intel technologies may require enabled hardware, software or service activation.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries.  Other names and brands may be claimed as the property of others. 

About the Author
Todd leads security ecosystem business development for the Commercial Client Division of Intel. He is an expert in AI for security, hardware security technologies and edge to cloud practices for securing applications and devices. For the past 15 years, he has directed go-to-market engagements for Intel’s Threat Detection Technology, IOT Secure Device Onboard, API Management, Security Gateway, Identity, PCI Tokenization, and Big Data software and service offerings. His 25+ years in the enterprise security sector have included leadership work for Ping Identity, IBM, Cendant and other corporations. Todd has a degree in marketing, an MBA, and is based in Colorado.