
CrowdStrike Incorporates Intel CPU Telemetry into Falcon Sensor
CrowdStrike has integrated a CPU feature developed by Intel into its Falcon platform to detect sophisticated attack techniques that would otherwise go unnoticed by the operating system, the company says.
The CPU feature, called Intel Processor Trace (Intel PT), records the control flow of an executable while it runs, stores the trace, and later decodes it to reconstruct the exact sequence of instructions that was executed. Because Intel PT records code execution at the processor level, it provides visibility into many areas of program behavior analysis, including static and dynamic analysis, performance analysis and diagnostics, exploit detection, understanding software failures, and post-mortem crash dump analysis. The feature has previously been used by threat detection tools to improve malware and exploit analysis.
CrowdStrike says Intel PT delivers extensive telemetry useful for the detection and prevention of code reuse exploits.
The Falcon sensor's Hardware Enhanced Exploit Detection feature uses Intel PT telemetry to analyze the captured trace for a specific set of programs and looks for suspicious operations associated with exploit techniques, such as shellcode injection and return-oriented programming (ROP). On systems where Intel PT is supported and enabled, security software running in the kernel "can now check for different suspicious operations, like returns not matching calls, suspicious stack pointer loads, excessive use of indirect calls and jumps, and more," CrowdStrike notes.
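To make the checks listed above concrete, here is an added example of the kind of analysis a sensor can run over a decoded control-flow trace. It is illustrative code written for this page, not CrowdStrike's or Intel's; the decoded Intel PT stream is stood in for by a constructed list of branch events (field names, sample addresses and all thresholds are assumptions), and a shadow stack is used to catch returns that do not match calls, a run counter to spot chains of short gadgets ending in `ret`, and a sliding window to flag stretches dense in indirect calls and jumps.

```python
"""Added example (not CrowdStrike or Intel code): ROP/JOP heuristics over a
decoded control-flow trace. The decoded Intel PT stream is simulated by a
constructed list of branch events; field names and thresholds are assumptions."""
from collections import Counter, deque
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Branch:
    """One decoded branch. A real decoder would derive these from the PT
    packet stream plus the program binary; here they are hand-constructed."""
    kind: str          # "call" | "ret" | "icall" | "ijmp" | "jmp"
    src: int           # address of the branch instruction
    dst: int           # address the CPU actually transferred to
    insns: int         # instructions executed since the previous branch
    ret_addr: int = 0  # for call/icall: address of the following instruction


@dataclass(frozen=True)
class Finding:
    rule: str
    src: int
    dst: int
    detail: str


def analyze(trace, short_gadget=5, min_chain=3, indirect_ratio=0.5, window=8):
    """Replay the trace through a shadow stack and a few ROP heuristics.

    Rules (thresholds are illustrative, not CrowdStrike's):
      ret-mismatch        return target differs from the address pushed by the
                          matching call (what a stack pivot looks like in a trace)
      ret-unmatched       return with no outstanding call on the shadow stack
      short-gadget-chain  min_chain consecutive returns, each preceded by at
                          most short_gadget instructions
      indirect-heavy      icall/ijmp make up >= indirect_ratio of the last
                          `window` branches (JOP-style chains)
    """
    findings: List[Finding] = []
    shadow: List[int] = []
    recent = deque(maxlen=window)
    chain = 0
    indirect_hot = False
    for ev in trace:
        if ev.kind in ("call", "icall"):
            shadow.append(ev.ret_addr)
        elif ev.kind == "ret":
            if not shadow:
                findings.append(Finding("ret-unmatched", ev.src, ev.dst,
                                        "return with empty shadow stack"))
            else:
                expected = shadow.pop()
                if ev.dst != expected:
                    findings.append(Finding("ret-mismatch", ev.src, ev.dst,
                                            f"expected return to {expected:#x}"))
        # Gadget-chain counter: only short instruction runs ending in `ret` extend it.
        if ev.kind == "ret" and ev.insns <= short_gadget:
            chain += 1
            if chain == min_chain:
                findings.append(Finding("short-gadget-chain", ev.src, ev.dst,
                                        f"{min_chain} consecutive returns after <= {short_gadget} insns"))
        else:
            chain = 0
        # Sliding-window indirect-branch density; report once per dense stretch.
        recent.append(ev.kind in ("icall", "ijmp"))
        if len(recent) == window:
            dense = sum(recent) >= indirect_ratio * window
            if dense and not indirect_hot:
                findings.append(Finding("indirect-heavy", ev.src, ev.dst,
                                        f"{sum(recent)} of last {window} branches indirect"))
            indirect_hot = dense
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'ret-mismatch': 1, ...}."""
    return dict(Counter(f.rule for f in findings))


# Constructed trace: a benign call/return pair, then a pivoted return into a
# gadget chain, then a JOP-style run of indirect jumps. Addresses are made up.
SAMPLE_TRACE = [
    Branch("call",  0x401000, 0x401500, 10, ret_addr=0x401005),
    Branch("jmp",   0x401510, 0x401530, 3),
    Branch("ret",   0x401540, 0x401005, 6),                  # matches the call
    Branch("call",  0x401010, 0x402000, 4, ret_addr=0x401015),
    Branch("ret",   0x402030, 0x7FF0010, 8),                 # pivot: wrong target
    Branch("ret",   0x7FF0014, 0x7FF0020, 2),                # gadget
    Branch("ret",   0x7FF0023, 0x7FF0030, 3),                # gadget
    Branch("ret",   0x7FF0031, 0x7FF0040, 1),                # gadget -> chain
    Branch("ret",   0x7FF0045, 0x7FF0050, 4),                # gadget
    Branch("ijmp",  0x7FF0060, 0x7FF0070, 2),
    Branch("ijmp",  0x7FF0074, 0x7FF0080, 3),
    Branch("icall", 0x7FF0083, 0x7FF0090, 2, ret_addr=0x7FF0088),
    Branch("ijmp",  0x7FF0095, 0x7FF00A0, 1),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"{f.rule:<20} {f.src:#x} -> {f.dst:#x}  {f.detail}")
    print(summarize(analyze(SAMPLE_TRACE)))
```

Run against the constructed trace, the shadow stack flags the pivoted return at `0x402030` and the four returns that follow without any call, the run counter fires on the third consecutive short gadget, and the window check fires once the indirect jumps dominate the last eight branches. In a real deployment the thresholds would be tuned per program, since JIT-heavy processes such as browsers legitimately execute many indirect branches, which is one reason a sensor limits this analysis to a chosen set of programs.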
The feature has already been used to detect ROP-based exploit chains targeting Firefox, CrowdStrike says.
Intel PT has been present in Intel CPUs since the fifth generation ("Broadwell"), which means the feature is available on older systems as well. Combining Intel PT with the Falcon sensor can provide memory safety protections for older systems that lack modern built-in security protections. Hardware Enhanced Exploit Detection is available with version 6.27 of the Falcon sensor for systems with sixth-generation or newer Intel CPUs running Windows 10 RS4 or later.
Read more here from CrowdStrike.