Using Run-Time Hardware Telemetry to Detect Firmware Attack Behavior

Feature Image

How Eclypsium’s partnership with Intel® will advance enterprise device protection

As attackers increasingly target layers of the technology stack that are invisible to traditional security solutions, enterprises need better protection from threats to firmware and hardware. Eclypsium, developer of the industry’s first firmware protection platform, is working with Intel to advance firmware attack detection with Intel Threat Detection Technology (TDT), and deliver a new layer of security that helps defend the enterprise from its computing foundation up. Intel announced the collaboration this week, highlighting Eclypsium as the first adopter in the hardware telemetry space.

The Threat to Hardware and Firmware

Attackers are increasingly targeting the largely unprotected hardware and firmware within all types of devices. Hardware-level weaknesses have been rampant in the news, with malware infecting firmware in the wild, and firmware vulnerabilities plaguing the supply chain. Today, most enterprises lack visibility into this unguarded attack surface. Firmware vulnerabilities are common and difficult to manage, and once exploited, allow attackers to subvert traditional security and gain long-lasting persistence within a network.

To detect indicators of compromise, security platforms need visibility into the execution profile of the firmware running from boot to operation. Traditional security solutions, however, lack the optics to see beneath the operating systems layer and detect patterns of firmware and hardware behavior that may be related to an exploit. It was this gaping hole in enterprise security that led Eclypsium to develop our industry-leading firmware protection platform and is inspiring our collaboration with Intel today.


Intel Threat Detection provides advanced telemetry data allowing innovative security companies to identify anomalies at the hardware level in ways they couldn’t do so before,” said James Gordon, Intel general manager for Platform Security.Eclypsium is the first security partner we are working with to extend Intel’s run-time hardware telemetry to help advance and extend detection of firmware attack behavior in enterprise devices.”

How Firmware Protection Works Today

Founded in 2017, Eclypsium protects organizations from the foundation of their computing infrastructure upward, controlling the risk and stopping threats inside firmware of laptops, servers, and networking infrastructure. The Eclypsium Platform scans each system, including its many subcomponents, in order to collect details about what is present and how it is configured. This data is then analyzed to identify risks such as vulnerabilities and outdated firmware and to discover firmware-level threats such as implants and backdoors regardless of how they enter your environment.

Eclypsium checks the system for the presence of any known implants based our industry research and intelligence as well as monitoring the device and analyzing the behavior of its firmware to identify malicious code that has never been seen before. Combining static analysis with behavioral analytics provides a critical edge to Eclypsium customers today, as new or custom-built threats proliferate, and run-time hardware telemetry provides an opportunity to continue to advance this approach.

How Run-Time Hardware Telemetry Advances Attack Detection

Everything that runs on a machine with an Intel processor generates low-level data from the CPU and other components that can be used for detecting threats. At the silicon level, the Intel CPU data platform has many data sources that can be tapped for real-time threat detection, from cache performance measurement to the number of hardware interrupts received by the processor. As part of Intel Threat Detection Technology, advanced telemetry capabilities have now been designed into the hardware, so that companies like Eclypsium can gain access to this data, and be able to identify anomalies at the hardware level that could represent a threat to enterprise security.

In order to determine whether an anomaly in hardware behavior is indicative of an actual attack, it’s necessary for the telemetry data to be captured and analyzed by a security platform. That’s where Eclypsium comes in. The Eclypsium platform detects and analyzes security threats that live below the operating system level and are invisible to other security tools.

By collecting and analysing real-time hardware telemetry data, Eclypsium will be able to build up a more detailed picture of what normal firmware and hardware behavior is for each system, and how that compares to other systems. When anomalies are detected, like an unusually large number of cache misses, that data can be analyzed by Eclypsium in real-time, and combined with a wealth of other systems data to determine whether an actual attack is underway. Security teams can then be alerted and provided with actionable intelligence to counteract the attack.

For example, consider a Rowhammer attack, which takes advantage of DRAM leakage to change stored data or escalate attacker privileges. By their nature, Rowhammer exploits repeatedly access uncached memory, which can be detected by monitoring the rate of cache misses for unusual peaks. Intel’s hardware telemetry provides platforms like Eclypsium with run-time access to this data, which could then be analyzed and combined with information about system configuration, firmware status and other patterns of unusual behavior to determine whether an attack is taking place.

Conclusion

As threats to firmware and hardware security mount, enterprise security teams need greater visibility into the behavior of the myriad of components that make up today’s laptops, servers and network devices. Eclypsium is leading the way with the industry’s first enterprise firmware protection platform, and is committed to continuing to advance the state of firmware security. By building real-time telemetry capabilities into silicon, Intel Threat Detection Technology enables significant advances in detecting run-time firmware attack behavior. Together, Intel and Eclypsium are developing new approaches to protect enterprise systems and make devices more trustworthy and secure. To learn more about the Eclypsium platform, or to schedule a demo, contact info@eclypsium.com.