The fervor of cryptocoin mining has consumed a large part of the semiconductor industry of late. The demands for high performance silicon to mine these virtual assets with value is one factor in a global shortage of available parts for computers, automobiles, defense, research, and other industries. One consistent element to cryptocoin mining over the last decade is the prevalence of hijacked machines and devices through malware, commonly known as botnets. Previously these armies of machines were co-opted to perform bandwidth attacks against various targets, but they have also been used for their compute resources – mining coins that have value for those that control the botnet. This week Intel and Microsoft are announcing an additional layer of protection against these sorts of attacks.
Commercial machines running Microsoft Windows, and managed through Microsoft Defender for Endpoint, can now be protected against CPU cryptocoin mining through an AI-backed protection mechanism. The security layer requires an Intel processor with Intel’s Hardware Shield (a vPro technology) and Threat Detection Technology enabled, which was introduced in 2018, and uses a combination of tools (such as CPU and GPU) to analyze the code being processed at a low level.
By performing consistent heuristic analysis through the CPU performance monitoring unit at a low level, the system can detect if it is mining without the owner’s consent. This can be detected either through a compromised hypervisor, virtual machine, or in the OS directly hidden as a separate process. If a threat is detected, an Endpoint detection and response solution is implemented to neutralize the mining utility, or quarantine it, and prevent the code from spreading across a network or fleet of managed systems.
Intel lists that over a billion CPUs can enable its Threat Detection Technology, from its 6th Generation processors onwards – Microsoft also highlights that Defender for Endpoint with TDT is supported on these systems. However both companies hide the fact in a footnote that the specific Cryptomining detection implementation is only possible on 10th Generation and newer platforms. It is also worth noting that this requires Intel’s Hardware Shield, which means vPro is also a requirement. So while there are a potential billion CPUs with some level of TDT in the market, this particular solution is only applicable to Windows based vPro machines managed at a corporate level. Still important, but not as big as the one billion number that Intel is promoting. Intel doesn’t list TDT as a feature on its main processor archive, ark.intel.com, either. It should also be noted that Intel TDT with memory scanning does consume integrated graphics resources to monitor the system – while this provides more power for CPU tasks, it undoubtedly raises the power consumption of systems when idle, which for mobile systems will reduce battery life. This is an ultimate tradeoff for security vs battery life.
Microsoft highlights that the ML-based technology used as part of TDT and Endpoint for Defender is a relative tip of the iceberg, providing a vehicle for more comprehensive protection against ransomware or side-channel attacks in future. These require pre-trained ML algorithms which Microsoft is currently working on and will roll-out as part of its Endpoint for Defender solution.
Despite the fact that low-end CPU cryptomining is not worth the effort for casual users, for those that control botnets of thousands of machines, it ends up earning them a few extra bucks using electricity they are not paying for, even in small IoT deployments such as security cameras. However there is a new class of cryptocurrency mining which is less compute reliant, and instead is storage based – the current system implemented by Intel and Microsoft seems to be focused on the current compute based cryptomining offerings. It will be interesting to hear if the new ML-based algorithms can also detect the newer coin types.