Microsoft Defender for Endpoint CPU (Intel) based Threat Detection of Ransomware
Ransomware is a major concern for security decision makers. Here are three facts published in 2022 by the ACSC (Australian Cyber Security Centre) indicating the increase in activity:
This article covers the new hardware-assisted ransomware detection capabilities of Microsoft Defender for Endpoint and how Intel Threat Detection Technology (Intel TDT) augments Defender for Endpoint to detect these sophisticated attacks.
The Intel TDT integration with Defender for Endpoint is based on telemetry signals coming directly from Intel hardware, which records low-level information on the execution patterns of the instructions being processed by the Central Processing Unit (CPU) at a micro-architectural level. Ransomware relies heavily on the CPU to encrypt user and business data, and the integration uses signals from these sources to detect that activity.
How does this technology work? Intel TDT applies machine learning techniques to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU). This makes it possible to detect the execution "fingerprint" of malware code at runtime with minimal overhead. The detector then sends signals to Microsoft Defender for Endpoint, which applies its own threat intelligence and machine learning to assess the signal. Microsoft Defender for Endpoint can then raise an alert and block or remediate the threat automatically.
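The two-stage flow described above, as an added illustration rather than code from the article, Intel or Microsoft: stage 1 scores windows of PMU-style counters for a sustained encryption-like execution pattern, and stage 2 enriches that hardware signal with endpoint context before deciding to block. The counter names, thresholds, process attributes and telemetry values are all constructed assumptions; a real detector uses a trained model over many hardware counters.

```python
from dataclasses import dataclass

@dataclass
class PmuWindow:
    pid: int
    instructions: int  # instructions retired in the sample window (constructed)
    crypto_ops: int    # hypothetical counter of crypto-heavy instructions

@dataclass
class ProcessContext:
    pid: int
    trusted_signer: bool  # assumed attribute: known backup/encryption vendor
    files_rewritten: int  # files rewritten by this process since the first signal

CRYPTO_DENSITY = 0.30      # assumed share of crypto ops typical of bulk encryption
SUSTAINED_FRACTION = 0.8   # assumed share of hot windows that counts as sustained
REWRITE_THRESHOLD = 50     # assumed number of rewritten files that is suspicious

def hardware_score(windows):
    """Stage 1 (hardware side): fraction of sampled windows whose crypto
    density looks like bulk encryption. Returns 0.0 for an empty sample."""
    if not windows:
        return 0.0
    hot = sum(1 for w in windows
              if w.instructions and w.crypto_ops / w.instructions >= CRYPTO_DENSITY)
    return hot / len(windows)

def endpoint_verdict(score, ctx):
    """Stage 2 (endpoint side): combine the hardware score with process
    context; returns 'none', 'monitor' or 'block'."""
    if score < SUSTAINED_FRACTION:
        return "none"
    if ctx.trusted_signer and ctx.files_rewritten < REWRITE_THRESHOLD:
        return "monitor"  # legitimate encryption workload: keep watching, do not block
    return "block"

def assess(windows, ctx):
    return endpoint_verdict(hardware_score(windows), ctx)

# Constructed sample telemetry: three processes, five windows each.
SAMPLES = {
    1001: [PmuWindow(1001, 10_000, 4_200)] * 5,  # sustained crypto-heavy, unknown process
    2002: [PmuWindow(2002, 10_000, 3_900)] * 5,  # sustained crypto-heavy, trusted tool
    3003: [PmuWindow(3003, 10_000, 150)] * 5,    # ordinary workload
}
CONTEXT = {
    1001: ProcessContext(1001, trusted_signer=False, files_rewritten=320),
    2002: ProcessContext(2002, trusted_signer=True, files_rewritten=12),
    3003: ProcessContext(3003, trusted_signer=False, files_rewritten=3),
}

if __name__ == "__main__":
    for pid, wins in SAMPLES.items():
        print(pid, hardware_score(wins), assess(wins, CONTEXT[pid]))
```

The point of the second stage is visible in process 2002: the hardware signal alone cannot tell a trusted encryption tool from ransomware, so endpoint context decides whether to block or only monitor.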
On recent hardware, Intel TDT has added several performance improvements and optimisations, such as offloading the machine learning inference to Intel's integrated graphics processing unit (GPU) to enable continuous monitoring.
The combination of Intel Threat Detection Technology and Microsoft Defender for Endpoint provides additional protection against one of the largest threat types today: ransomware. With new ways to detect ransomware activity at the hardware layer, this pair of technologies can help users keep ahead of threat actors who continue to refine their ransomware tactics and techniques. The partnership between Intel and Microsoft helps provide stronger full-stack security from hardware to software and enhances detection in Microsoft Defender for Endpoint.
You don't need to do anything extra to enable or disable this feature; the integration is active as long as the device has a compatible CPU.
Keen to learn more? The following video goes through the details: