Stacked Defense from the Hardware Up
Written by Tiffany Bergeron.
Advanced security features in hardware can be partnered with operating system (OS) and software security features to strengthen mitigations against cyber threats. However, these hardware-based capabilities are typically not well known to security practitioners. With modern chips deployed in tens of millions of enterprise systems, there is a tremendous opportunity to create defense-in-depth against adversarial threats to systems and data.
To meet this need, the Center for Threat-Informed Defense (Center) created Security Stack Mappings (SSM) - Intel vPro in partnership with Center participants AttackIQ, CrowdStrike, Intel Corporation, and Microsoft Corporation. The SSM-Intel vPro project connects adversarial behaviors as described in MITRE ATT&CK® to the integrated hardware, OS, and security software capabilities of standard enterprise-class systems. With this, threat-informed defenders can apply these additive capabilities to mitigate real-world adversary behaviors.
The resources for the SSM-Intel vPro project — including the mappings, ATT&CK Navigator layers, and the mapping methodology — are all available in Mappings Explorer. Mappings Explorer enables cyber defenders to easily access and explore the Center’s mapped security capabilities, bridging the gap between a threat-informed approach to cybersecurity and the traditional perspective of security controls.
What Does the Hardware Do for Defense?
The SSM-Intel vPro project illustrates the security capabilities of recent-generation system hardware when stacked with OS and security software. Used in conjunction with OS security features and security software solutions, the defensive capabilities built into enterprise hardware can defend against specific ATT&CK adversary techniques.
Project Scope
Setting the project scope involved determining which OS and security software capabilities were enabled or enhanced by the underlying hardware. The integrated security capabilities included in scope were drawn from the following product areas:
- Intel Core Ultra vPro Enterprise
- Microsoft Windows 11 with Microsoft Defender
- CrowdStrike Falcon
For each product area, a security capability was considered in scope for this project only if it is:
- an integrated hardware capability with an OS or security software implementation;
- included as part of the product’s native security offering;
- technical in nature (versus administrative or physical); and
- technically documented with publicly available security information indicating protection from, detection of, or response to adversary behaviors as described in ATT&CK.
The mappings show how the OS and security software use features of the hardware. OS and software capabilities that are not hardware-enabled were not mapped, as they fall outside this project’s solution set.
Mapping Methodology
We applied a tailored Security Stack Mapping Methodology to connect the protection, detection, and response capabilities that result from combining hardware-level features with the OS, or with security software. The methodology uses the information in the ATT&CK knowledge base and its underlying data model to understand, assess, and record the real-world threats that security controls can potentially mitigate.
The methodology follows these steps:
1. Identify security capabilities in scope. Identify the Intel hardware capabilities used by CrowdStrike Falcon and Windows 11 Enterprise with Microsoft Defender to be mapped.
2. Review security capability documentation. For in-scope integrated capabilities, identify and evaluate the mitigating security features provided against adversarial threats.
3. Identify mappable ATT&CK techniques and sub-techniques. Identify the ATT&CK v15.1 techniques and sub-techniques mappable to the integrated capability.
4. Score the effectiveness of the capability for the adversary behavior. Assess the effectiveness of the type of capability provided for the identified ATT&CK techniques and sub-techniques:
   - Protect: the capability limits or contains the impact of a (sub-)technique.
   - Detect: the capability identifies the potential occurrence of a (sub-)technique.
   - Respond: the capability provides actions to take for a detected (sub-)technique.
5. Create a mapping of integrated capabilities to ATT&CK (sub-)techniques. Create the mapping of the integrated capabilities based on the information gathered in the previous steps.
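As an added example (not the Center's Mappings Explorer tooling), the following Python turns a set of step-5 mapping records into an ATT&CK Navigator layer, the format in which the project publishes its results, and reports which mapped techniques lack a given capability type. The mapping records are constructed for illustration: the technique IDs are real ATT&CK identifiers, but which capability covers which technique, and the Navigator version numbers, are assumptions rather than values taken from the published mappings.

```python
"""Build an ATT&CK Navigator layer from security-capability mapping records.

Added example; this is not the Center's Mappings Explorer tooling, and the
mapping records below are constructed for illustration only. The real
SSM-Intel vPro mappings are published in Mappings Explorer.
"""
import json
import re
from collections import defaultdict

# The three capability types the mapping methodology scores (step 4).
CAPABILITY_TYPES = ("Protect", "Detect", "Respond")

# ATT&CK IDs look like T1055 (technique) or T1055.012 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed records: (integrated capability, ATT&CK ID, capability type).
# The IDs are real ATT&CK identifiers; which capability covers which technique
# is an assumption made for this example, not taken from the published mappings.
SAMPLE_MAPPINGS = [
    ("Intel TDT + CrowdStrike Falcon AMS", "T1055", "Detect"),
    ("Intel TDT + CrowdStrike Falcon AMS", "T1055", "Protect"),
    ("Intel TDT + CrowdStrike Falcon AMS", "T1055.012", "Detect"),
    ("Intel PTT + Windows Hello ESS", "T1003", "Protect"),
    ("Intel PTT + Windows Hello ESS", "T1003", "Detect"),
    ("Intel PTT + Windows Hello ESS", "T1110", "Protect"),
]


def validate(record):
    """Reject malformed records before they reach the layer."""
    capability, technique_id, cap_type = record
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    if cap_type not in CAPABILITY_TYPES:
        raise ValueError(f"capability type must be one of {CAPABILITY_TYPES}, got {cap_type!r}")
    return capability, technique_id, cap_type


def coverage(mappings):
    """Aggregate records into {technique_id: {capability_type: {capability names}}}."""
    cov = defaultdict(lambda: defaultdict(set))
    for capability, technique_id, cap_type in map(validate, mappings):
        cov[technique_id][cap_type].add(capability)
    return cov


def coverage_gaps(mappings, cap_type):
    """Mapped techniques with no capability of the given type (e.g. no Respond)."""
    if cap_type not in CAPABILITY_TYPES:
        raise ValueError(f"capability type must be one of {CAPABILITY_TYPES}, got {cap_type!r}")
    return sorted(tid for tid, by_type in coverage(mappings).items() if cap_type not in by_type)


def build_layer(mappings, name="SSM-Intel vPro (constructed sample)"):
    """Emit a Navigator layer; score = number of capability types covering the technique."""
    cov = coverage(mappings)
    # Expand a parent technique in the matrix view when one of its sub-techniques is mapped.
    parents_with_subs = {tid.split(".")[0] for tid in cov if "." in tid}
    techniques = []
    for technique_id in sorted(cov):
        present = [t for t in CAPABILITY_TYPES if t in cov[technique_id]]
        comment = "; ".join(
            f"{t}: {', '.join(sorted(cov[technique_id][t]))}" for t in present
        )
        techniques.append({
            "techniqueID": technique_id,
            "score": len(present),
            "comment": comment,
            "enabled": True,
            "showSubtechniques": technique_id in parents_with_subs,
        })
    colors = ("#ffe766", "#8ec843", "#31a354")
    return {
        "name": name,
        # Version numbers are assumed; set them to match the Navigator you load the layer into.
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Protect/Detect/Respond coverage of hardware-enabled capabilities",
        "gradient": {"colors": list(colors), "minValue": 1, "maxValue": 3},
        "legendItems": [
            {"label": f"{n} capability type(s)", "color": c} for n, c in zip((1, 2, 3), colors)
        ],
        "techniques": techniques,
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE_MAPPINGS), indent=2))
    print("mapped techniques with no Respond coverage:", coverage_gaps(SAMPLE_MAPPINGS, "Respond"))
```

Scoring by the number of capability types (one to three) makes the Navigator heat map show at a glance where a technique is only protected against but never detected, or vice versa; `coverage_gaps` lists the same information for one type so it can be fed into a review of which integrations to document next.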
By documenting and sharing our scoping decisions and methodology, we aim to accelerate community collaboration. Due to the nature of mapping security controls to ATT&CK, we anticipate differences in perspective on overall approach and possibly even the mapping of specific controls to specific techniques. We welcome your feedback and perspectives.
Mapping Summary
The SSM-Intel vPro project mapped the hardware-enabled capabilities of Microsoft Windows 11 Enterprise with Microsoft Defender and of CrowdStrike Falcon under four security categories: Hardware — Advanced Threat Protection, Hardware — Trusted Computing, Hardware — Encryption and Data Protection, and Hardware — Virtualization. The result is over 230 mappings of integrated mitigations to adversary behaviors. The mappings depict the practical application of the hardware against specific adversarial threats, and show how hardware-enabled security can be used in conjunction with OS security solutions and security software to provide defense-in-depth. The table below provides an overview of the hardware security features leveraged by the OS and security software features mapped under this project.
Integrated Mapping Examples
An example of Hardware — Advanced Threat Protection integration is Intel Threat Detection Technology (TDT) with CrowdStrike Falcon Accelerated Memory Scanning (AMS). AMS improves visibility into in-memory patterns and threats, such as attempts to cover up malicious activity or code execution masquerading as legitimate processes. The combination enables detection of threats earlier in the kill chain and in real time, with minimal impact on system performance. For this integration we identified protect and detect coverage for over 90 ATT&CK (sub-)techniques, depicted below.
Intel Platform Trust Technology (PTT) with Microsoft Windows Hello Enhanced Sign-in Security (ESS) yields a Hardware — Trusted Computing integrated mapping. PTT provides a firmware-based Trusted Platform Module (TPM) that stores and protects authentication data, including public/private key pairs. Windows Hello ESS reduces the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios. This integration resulted in protect and detect coverage for over 20 ATT&CK (sub-)techniques, as depicted below.
Get Involved
We welcome your feedback and contributions to continue to advance the SSM-Intel vPro Mapping project. There are several ways you can get involved with this and other mapping projects to help advance threat-informed defense:
- Review the mappings, use them, and tell us what you think. We welcome your review and feedback on the SSM-Intel vPro mappings, our methodology, and resources.
- Analyze and map your security capabilities. We encourage use of our methodology to map security capabilities of additional products and we welcome mapping contributions.
- Help us prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.
- Share your ideas. Share your ideas or suggestions for additional tools and resources for helping the community to understand and make threat-informed decisions.
You are also welcome to submit issues for any technical questions/concerns or contact the Center directly for more general inquiries.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, the outputs of its research and development are available publicly and for the benefit of all.
© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0137.