- CrowdStrike and Intel Corp. were key research sponsors and participants in the latest project from the MITRE Center for Threat-Informed Defense
- The PC Security Stack Mappings — Hardware-Enabled Defense initiative mapped Intel vPro® Security features, including Intel® Threat Detection Technology (Intel® TDT), to MITRE ATT&CK® adversarial behaviors
- With the CrowdStrike Falcon® platform’s Accelerated Memory Scanning leveraging Intel TDT, 93 ATT&CK TTPs were mapped at the hardware level for earlier detection with minimal impact on system performance
The AI-native CrowdStrike Falcon platform is built to detect and protect against even the most advanced attacks. And as new research shows, it can further strengthen defenses when integrated with modern enterprise PC hardware. The Security Stack Mappings — Hardware-Enabled Defense (SSM-HED) project, a new initiative from the MITRE Center for Threat-Informed Defense, shows how an organization’s PC hardware can augment defenses when used with supported security solutions like the Falcon platform.
In this project key research partners, including CrowdStrike and Intel, used the MITRE ATT&CK framework to connect adversary techniques to features in modern PC hardware, which can help security solutions effectively counter these threats. The results show how the silicon-enabled capabilities of Intel vPro Security help defend against specific ATT&CK techniques when combined with OS-level security and advanced security solutions including the CrowdStrike Falcon platform.
CrowdStrike’s participation in this project showcases our efforts to integrate the Falcon platform with PC hardware to strengthen protection across the security stack. These efforts also include hardware-enhanced exploit detection (HEED) and CPU-based memory scanning. The project team found Intel-based hardware integration beneficial in accelerating detection and protection against complex attacks with minimal impact on system performance.
Modern AI PCs Augment Security Tools
The basic premise of this project is that modern enterprise PCs — specifically, PCs equipped with Intel® Core™ Ultra vPro processors — are built with hardware-based security features. However, these capabilities often go unused. With tens of millions of these enterprise PCs currently deployed, and more rolling out as older systems are replaced, there is a significant opportunity to leverage underutilized hardware capabilities to further harden security defenses.
In addition, this initiative provides IT departments with valuable insights to inform PC refresh cycles as part of addressing emerging security threats. The timing is particularly relevant as enterprises consider upgrading to Windows 11, which introduces new baseline hardware security requirements.
The key to unlocking this potential is to map the integrated hardware capabilities to the MITRE ATT&CK framework, the industry-standard knowledge base of adversary tactics and techniques.
Security Stack Mappings — Hardware-Enabled Defense Project
As part of the SSM Mapping project with Intel vPro Security, four hardware security categories were identified on PCs running Microsoft Windows 11 Enterprise along with either the CrowdStrike Falcon platform or another supported cybersecurity solution. These categories included:
- Advanced Threat Protection
- Trusted Computing
- Encryption and Data Protection
- Virtualization
This effort resulted in over 230 mappings of integrated mitigations to adversary behaviors. These ATT&CK mappings demonstrate how hardware-based security features can be deployed against specific cyber threats, and how the integration of hardware security with operating system protections and security software can create robust, multi-layered defense strategies.
The project team cited Intel TDT with CrowdStrike Falcon Accelerated Memory Scanning (AMS) as an example of Hardware—Advanced Threat Protection integration. This combination enables faster detection of cyber threats, earlier in the kill chain and in real time, with minimal impact on system performance.
AMS has already been proven as a valuable feature in the Falcon platform (read here to learn how it detected BRc4 execution in the wild). The SSM-HED project expanded protection and detection coverage to over 90 ATT&CK (sub-)techniques, as shown in the images below.