Security Unlocked 2.16.22
Ep 58 | 2.16.22

Cryptojacking, and Farewell for Now!


Nic Fillingham: Hello. And welcome to "Security Unlocked," a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.  

Natalia Godyla: And now, let's unlock the pod. 

Natalia Godyla: Hello, hello, everyone. Welcome to today's episode of "Security Unlocked." Before we dive into what we're covering on today's episode, I hear Nic has some big news for us. So, Nic, what's going on? What's the big news? 

Nic Fillingham: Yes. Hello, Natalia. Hello, listeners. I have got a new job. I am staying at Microsoft. 

Natalia Godyla: Oh, no. 

Nic Fillingham: I'm not leaving Microsoft. But I am moving over to the team that supports the MSRC - the Microsoft Security Response Center. I'm going to help them with working on things like the BlueHat security event, working with security researchers, helping them with their bug bounty programs, hopefully doing some cool things maybe even in the podcasting space. But it means "Security Unlocked" is actually going on pause, on hiatus. This is going to be my last episode maybe forever - maybe not forever, but certainly for a little while, while the team behind the scenes decide what to do next and how to evolve "Security Unlocked." 

Nic Fillingham: So it's sort of bittersweet. I'm excited for this new job and doing some cool stuff with the MSRC team, but it does mean that the podcast is going on hiatus. And, Natalia, a big, massive thank you to you for being my co-host and partner in crime and for the hundreds of thousands of podcast minutes that we've recorded... 

Natalia Godyla: (Laughter). 

Nic Fillingham: ...You know, several hundred of which have probably made it to a final cut. But it's been wonderful. Thanks for all the fish, and make sure to bring your towel - or whatever Douglas Adams says. 

Natalia Godyla: (Laughter) Well, first of all, congratulations, Nic. This is an awesome opportunity. And MSRC is super lucky to have you. And, of course, I will miss you on the show. I think our entire audience will. But, you know, it's been just such a great run, 58 episodes. I think we said it at the beginning of all of the early episodes. We just couldn't believe how much this took off. And now here we are at 58 episodes. 

Natalia Godyla: Since you might be doing your last episode right now, do you want to do the honors of introducing the topic for today? 

Nic Fillingham: I would love to. On today's episode, we talk about defending against cryptojacking with Microsoft Defender for Endpoint and Intel TDT. We are very lucky to have representatives from both the Microsoft Defender for Endpoint team and the Intel TDT team. 

Nic Fillingham: And we sort of go back to first principles. What is cryptocurrency? What is crypto mining? And then, what is cryptojacking? How do these two pieces of technology work together to identify things like cryptojacking? And then, what's happened since this blog was published, which was actually back in April of 2021, for that technology to evolve to the point where it can now detect things like ransomware on the endpoints, and how they're using machine learning to try and detect malicious activity on endpoints through the sort of silicon stack, talking to defender, looking for dodgy stuff? 

Nic Fillingham: It's a great episode. I think folks will really enjoy it. And it's a fitting one for us to go out on our hiatus for, I think. 

Natalia Godyla: I think so, too. And I think, with that, on with the pod? 

Nic Fillingham: (Singing) On with the pod. I've always wanted to sing that. 

Natalia Godyla: (Laughter). 

Natalia Godyla: Hello, everyone. Welcome to another episode. And welcome to our special guests, Amitrajit and Rahul. Now, you're both here joining us today to talk about a very interesting topic. There was a recent blog released that was called "Defending Against Cryptojacking with Microsoft Defender for Endpoint and Intel TDT." As soon as Nic and I read it, we knew we wanted to talk to both of you about the content and about the future of this technology. 

Natalia Godyla: So welcome, welcome. Why don't we start with some brief introductions? So I'll start with you, Amitrajit. Could you tell us about your role at Microsoft and how it relates to this blog? 

Amitrajit Banerjee: Sure. So I've been in Microsoft for, like, close to five years now. But I have had an extensive career with different types of anti-malware products in the past as well. So for the past couple of years, I've been working with the hardware security team. And we are trying to bring out something which is hardware-based security and sensors for Microsoft Defender. And we have been collaborating closely with Rahul's team in Intel - Intel, of course, owns the silicon - and then, you know, kind of, you know, to see how we could get a deeper introspection technique inside Windows Defender, which is based off hardware.

Natalia Godyla: Great. Thank you. And, Rahul, would you mind introducing yourself as well? 

Rahul Ghosh: Absolutely. So I'm Rahul Ghosh. And I'm a senior security architect in Intel's Product Assurance and Security group - IPAS in short. And I've been working for more than 15 years as a security architect in multiple areas of trusted computing. I've been designing and leading teams in deploying security products in identity, end-to-end authentication, secure biometrics and now runtime threat detection. I'm currently the lead architect for Intel's threat detection technology and been very much involved with them with the - on this cooperation with Microsoft Defender for Endpoint and TDT to bring next-gen security technologies to our customers. 

Nic Fillingham: Gentlemen, thank you both for your time and being with us on the podcast today. So as Natalia mentioned, sort of the genesis of today's episode is actually from a blog that was published in April of 2021 - which feels like a decade ago, but it's really not that long ago - initially that was focusing on cryptojacking and the relationship between Microsoft Defender for Endpoint and Intel TDT. I understand since that blog has come out, the ability for these two pieces of technology to work together and do other interesting things in the security space has expanded, and we'll get to that later on in the conversation. 

Nic Fillingham: Let's maybe start with some taxonomy definition that we're going to - you know, some of the words we're going to use in today's conversation. Maybe we could start with crypto mining and then perhaps how that relates to this concept of cryptojacking. We have covered it on the podcast in the past, but let's go back to the basics. 

Nic Fillingham: So, Amit, maybe if I could start with you, help us wrap our head around crypto mining. What is that, if we've been living in a cave and don't know what that is? 

Amitrajit Banerjee: All right. All right. So the - crypto mining is essentially a process that several cryptocurrencies use to generate new coins and verify the transactions. Now, what's involved here is a huge decentralized network of computers around the world that verify and secure something they call virtual ledgers that document these cryptocurrency transactions. These transactions are also known as blockchains.

Amitrajit Banerjee: So what happens in mining is that in return, these computers, which are, you know, recording the ledgers, and the computers that are computing the hashes are rewarded with new coins by the ledger keepers. The miners maintain the secure blockchain, and the blockchain awards the coins. These coins provide incentive for the miners to maintain the blockchain. Now, if you have heard about, you know, cryptocurrencies like Ethereum, this is a cryptocurrency that uses something like a blockchain.

Nic Fillingham: Got it. And so those of us watching the news, listening to the news, reading the news, cryptocurrencies, NFTs - they're all, you know, rising to the top of the headlines. Is crypto mining involved in all of these technologies, or is it sort of just a subset? 

Amitrajit Banerjee: First of all, different networks of cryptocurrencies use different types of techniques. Like, the Bitcoin network is different from the Ethereum network, and so they would use different techniques to mine. When Bitcoin was, you know, invented, it did not include things like NFTs and other things. Whereas the Ethereum platform was designed to kind of expand on the concept of blockchains to come up with a bit more - what should I say? - innovative uses of it.

Amitrajit Banerjee: And NFT, which is a nonfungible token, is kind of the invention there. It's basically the idea that one can create art or something based on the digital network or digital backbone and then can sell that. And that art is unique, just like the coins which we mine, because they're based off of the same backbone of the crypto. 

Amitrajit Banerjee: So that's where kind of the similarity between the NFT and the actual coins - the currency ends and things diversify. We're talking about metaverse here, and people are, these days, using it to buy virtual property inside the metaverse just using the same concept of an NFT. 

Nic Fillingham: Yeah. Thank you for that description and then the distinction between, you know, NFTs and cryptocurrencies. The reason I asked the question is because I'd like to follow this thread here and now talk about cryptojacking. And as you sort of explain cryptojacking, I'd love some sort of additional context here. What does the word jacking mean? What are we jacking? What's being stolen, and is that applicable across all of this new sort of cryptocurrency space, including things like NFTs, or is it specific to just a subset? 

Nic Fillingham: So I guess my question is, help us understand cryptojacking. And then if you could help us understand what is potentially being jacked (laughter) for those of us that are reading about NFTs and different kinds of cryptocurrency being created every day? 

Rahul Ghosh: Yes, actually, it may help to understand a bit about the history of crypto mining and why that can lead to this new concept of cryptojacking. And in general, it's been very well-known that Bitcoin, the first well-known cryptocurrency, came out in 2009, introduced a blockchain that Amit just explained so nicely. And one of the central tenets of the blockchain is that it's an open and public database and every transaction related to the cryptocurrency is going to be logged into that blockchain as blocks. 

Rahul Ghosh: Now, how do you get a block added to the blockchain? And that process is essentially the verification of a mathematical process, a puzzle known as a proof of work. Its essence is a complex set of hash functions that cryptominers will need to use CPU power to compute. And when the particular cryptominer computes and verifies the particular hash, that leads to the addition of a block on the blockchain. They get paid in fractions of the cryptocurrency. The miners are thus actually also competing with each other to be the first to verify the blocks and be responsible for that getting added to the chain, and then they get paid.

Rahul Ghosh: So the more they mine and the faster they mine, the more they're rewarded with cryptocurrencies. That's actually a very important concept. You can cryptomine. You can create new currencies while making a little bit of the same currency. And that's why the lucrativeness of the cryptocurrency or crypto mining has come into the forefront. Now it can really add to this.

Amitrajit Banerjee: Yeah, I'm sure. I mean, thanks, Rahul. Yeah, so as you see that it is really, really expensive to mine. And Bitcoin, when it was introduced in the past, has a specific number of bitcoins that can be mined. That number cannot be changed, which means that, as more and more people mine it, the availability of that resource depletes. And so it takes more and more computing resources, compute-heavy resources, to do that. 

Amitrajit Banerjee: And since there is a resource which I do not have maybe, I would like to, you know, maybe outsource it. And that's where cryptojacking comes in. Like, it is the illegal use of an unsuspecting victim's CPU power and computing resources to mine cryptocurrencies or steal cryptocurrency wallets. So it came into focus, actually, when - I think in 2017-ish with the release of easy-to-deploy JavaScript-based crypto mining code by websites like, I think, Coinhive, if I remember correctly. Mining code could be easily embedded in websites and run in the background of the victim's - inside the victim's computers. And then when the victim would go into those malicious websites, that code would get downloaded and automatically run in the background without their knowledge.

Amitrajit Banerjee: So it has since then proliferated as a file-based malware as well, deployed through standard methods like, you know, malicious emails or social engineering and the types. And with popular currencies like Monero adapting their proof of work algorithms to be JavaScript-unfriendly, file-based crypto miners written in languages like C/C++, Go and the rest are fast becoming more and more popular than web-based mining.

Amitrajit Banerjee: So once deployed, either via browsers or file-based, the miners keep running in the background, utilizing the CPU and network resources with the victim not having any knowledge of the attack. And that's the crucial part, you know? The victim may notice their systems being slower or maybe running a bit hotter, but they actually don't know what's happening. And they don't know that their CPUs are being used for the benefit of somebody else who's making money out of them. 

Natalia Godyla: You know, it sounds like the oil industry. It's a finite resource. The more it's consumed, the harder it is to get. I would love to learn more about the progression of cryptojacking. At the beginning of crypto and crypto mining, anybody could mine. It was a lot easier. Plenty of people are still looking for the hard drives that they used when they first started mining. Now it's harder for an individual to do it, like you said, because you need so much more power. So organizations are actually mining rather than individuals. Is this part of the reason why cryptojacking is a threat today - this competitive landscape for crypto mining? Am I understanding that correctly? 

Rahul Ghosh: Yeah. So as I mentioned, bitcoin is kind of just one of them, right? Of course, it's getting harder and harder to mine bitcoins. The other thing that has happened is a lot of these crypto mining farms that you just talked about there are based - are essentially ASIC-based ones. So there are specific kinds of silicon that they've created that is meant for only one thing - to mine that cryptocurrency. And cryptocurrency - the managers of these currencies that are verified. And they're actually new currencies that have come out - Monero is a great example - who are trying to make their - I call it the proof-of-work algorithms more ASIC-unfriendly, more JavaScript-unfriendly.

Rahul Ghosh: So that means that you can't just set up a lot of these farms anymore to mine them, which means that you would need more general purpose computing. They need more CPUs, more servers to work right. And now getting that many of them is very expensive. 

Rahul Ghosh: And so that has actually led to this concept that - if I can't buy them all myself, then let me see if I can just take away somebody else's. So they don't know any better, as I've just mentioned. And I am being able to run in the background on the computing platforms meant for those cryptocurrencies and make money without any investment on my side. So essentially, that concept that - since creating this farm is so expensive, buying this equipment is expensive... 

Natalia Godyla: Right. 

Rahul Ghosh: What I need on this are best decentralized, combined as many CPUs as possible - doesn't have to be my own. As long as it can infect them, it'll be running forever. And so it really took off in 2017 and quadrupled in 2018, and it'll be there for some time to come as long as there are cryptocurrencies who have reasonable value. 

Natalia Godyla: Which brings me to my next question. So how prevalent is cryptojacking? Who and how many people are exposed to this threat? You know, should I be worried? Should our listeners be worried about their personal laptops when it comes to cryptojacking? 

Amitrajit Banerjee: So it's important to understand that the actual concept of mining is not illegal. I can - if I own the resource, which is a computing resource, I can do whatever I want with it. I can mine. And there are legitimate ways of using it. It becomes a problem when I'm using somebody else's resources, and that's why it is very hard to determine whether a resource is being used with consent or without consent. 

Amitrajit Banerjee: So, you know, you might think that - you know, you don't even know that your computer is being used for something, and you have paid for that computer. And then when you wanted to use it for something, you would just consent. And that essentially - how does an anti-malware software determine the legitimacy of that? And that's why it's extremely, extremely hard to pinpoint this on how many people are exposed to it. 

Amitrajit Banerjee: But we have some data. But, you know, a significant amount of people are actually infected with some kind of, you know, software that's doing, you know, this kind of mining on their computer without their knowledge. 

Rahul Ghosh: It's difficult because some of this can be very drive-by. They go to a malicious site, and while they're on it, it's getting used for mining. So it's not always necessary for you to be perpetually infected. You can be partially infected from time to time, especially if there's a popular site they go to a lot of times, only for part of the time, you are mining. Even if you have been through social engineering, made to download something that's hiding in the background, it doesn't have to run all the time. 

Rahul Ghosh: So it makes it difficult to pinpoint numbers. But because of the hidden-ness (ph) of this attack, especially worrisome not only to consumers that - like, home users. But it's threatening the enterprise, where all connected systems can lead to proliferation of a particular attack. And so I mean across the fleet and then you not knowing - the administrator not getting any better just because none of their own resources are noticing they're getting attacked. So the attack possibilities are very real. And what makes it worrisome is being attacked and not even knowing you're attacked. 

Amitrajit Banerjee: Right. You know, I'd like to add to this that, you know, we get so much information about ransomware and, you know, attack techniques based on that. But even though they get the headlines, cryptojacking attacks are still very much there. And I would call them endemic attacks. And in the recent, you know, computing landscape across client servers and devices meant for the Internet of Things, which is the IoT, you get low-risk yet high-sustained rewards associated with them. These are, you know, prime targets for being used as cryptojacking. 

Nic Fillingham: It sounds like the problem statement here is that an endpoint piece of computing hardware could be taken over for crypto mining and that be not at the decision and control of the user - so unbeknownst to the user. And this is in part what cryptojacking is. 

Nic Fillingham: So what are the technologies that exist to help to identify cryptojacking and make sure that that doesn't happen? We're going to talk about TDT - Intel TDT. We're going to talk about Microsoft Defender and then the relationship between the two. 

Nic Fillingham: Before we jump into those specific products, though, I wondered, is there a lead-in here to talk about - well, OK, so what are some of the more general techniques that can be used to identify cryptojacking? I wonder, Rahul, if we could start with you. Maybe start with the silicon layer, and then we could maybe talk about the OS or sort of the higher-level software layer above that. 

Rahul Ghosh: Actually, it would help to first understand why it is difficult, in general, to detect cryptominers and how they can hide and what are the techniques that are being generally used to detect them and where from the defender's side can help lead into this and why silicon-based detection is an important way to eventually figure these things out. 

Rahul Ghosh: The goal of silicon-based detection really is to go beyond all the signals that we just talked about. Anything that is available from the operating environment, let's get beyond that. Go beyond the trodden path. Go beyond any hiding techniques, obfuscation techniques, that is already well-known to the attackers to hide in the operating environment. 

Rahul Ghosh: When we say silicon-based, I'm really referring to the use of data that can derive directly from the CPUs - from within entities, from IP blocks that are built into the CPU - and use that to implement malware protection logic. They will make the SoC or the CPU inherently involved in monitoring for and protecting the malware, as opposed to just about on which the detection logic was running. 

Rahul Ghosh: We can actually go further, more than that. To make the solution even more entrenched in silicon, we can also execute the Detection Logic Accelerator and make it more efficient and optimum by running within the SoC block itself. So for example, on the - integrated on the GPU or any - built in accelerator into the SoC, make the solution fully silicon-bound. Using either of these aspects, whether monitoring SoC data without accelerating, optimizing it within the SoC, either of these concepts can classify the detection solution that's silicon-based. TDT just happens to use both of them.

Natalia Godyla: That was a great overview. Now, I'd love to pivot to talk about the specific technologies that both your teams came together to build. Rahul, why don't we keep the conversation going with you for right now? Can you help us better understand how Intel TDT technology functions? 

Rahul Ghosh: Right. So TDT actually stands for Intel Threat Detection Technology. At the core of TDT is the concept of applying machine learning to correlate telemetry data sourced directly from the CPU. Amitrajit has talked about the SoC data that defines silicon-based detection. That's essentially what TDT is doing. It's sourcing telemetry data from within the CPU, from the performance monitoring unit that's built into all the Intel CPUs and applying machine learning to correlate that data and deterministically detect computation activity associated with malwares like crypto mining malwares that we talked about earlier. 

Rahul Ghosh: So malware that exhibits some kind of sustained but predictive computational sequences, exactly like cryptominers do with a bit of hashing, they tend to leave behind their digital footprint on CPU telemetry, essentially on the SoC. As the instruction sequences associated with those hashing operations execute on the CPU, they're uniquely affecting the behavior of certain telemetry events that are being monitored within the CPU. The performance monitoring unit in Intel CPUs, they have hundreds of telemetry events capable of fine-grained measurement of multiple aspects of processes, executions of hashing an operating computer in a certain way. There are performance-monitoring events that we can select that behave deterministically as the hashing is off executing.

Rahul Ghosh: And with any form of telemetry, there is a natural candidate for using or correlation of this event. And then we can classify telemetry trackers that are meeting on the CPU at that time and detect which specific process in the OS space seems to be executing these computational activities that we have trained the classifiers for.

Rahul Ghosh: For example, we can train the classifier to detect the proof of all computational-specific cryptocurrencies. Some examples are Ethereum, Zcash, even bitcoin, even though bitcoin is not that much mined on general purpose PCs anymore. But it's possible. And being, you know, telemetry-based, TDT can be inherently resistant to OS-based obfuscation techniques that you were referring to earlier because no matter how you are hiding in the operating environment space, you eventually have to execute the code to mine, and that will be executing on the CPU, and thus there will be a digital footprint if it can pick up on that.

Rahul Ghosh: Another thing we have done is - as you can imagine, machine learning is always computationally intensive. And it's done in servers for a good reason. But we have figured out a way to optimize it, take it off the CPU. We don't want the threat detection solution to impede the use of what the user is doing on the platform. So the classification is all offloaded to the online integrated GPU as well to eliminate overhead on the CPU. And this combination of CPU telemetry usage for malware detection and execution and acceleration in the integrated GPU all within the exclusive block is what makes TDT a true silicon-based threat detection solution. 

Nic Fillingham: Thank you, gentlemen. I teased upfront that while the blog was back from April 2021 and was initially talking about cryptojacking, that the technology here or the application of that technology has evolved since then. I wondered if we could jump a little bit ahead now to sort of where we are. It's the beginning of 2022. You know, cryptojacking is obviously, you know, a problem. This is a great solution, though, out there to, you know, as you say, help end users and security practitioners and IT teams find cryptojacking when it is occurring. 

Nic Fillingham: I want to talk about ransomware, but I also want to, you know, ask you sort of more generally, how has this approach - how has the sort of TDT platform or the TDT technology in conjunction with Defender - what other types of threats have you been able to identify and create new sort of detections and techniques beyond simply cryptojacking? Is ransomware one of them? If so, can you talk about that and then any of the other threat types that can now be identified and potentially mitigated with this approach? 

Rahul Ghosh: Yeah. Actually, it starts really with an interesting journey. And threat detecting, as you mentioned, is just one possibility. I think we touched about this a little bit earlier, but with CPU telemetry we have a very unique opportunity here. As I mentioned, if a malware is executing some form of sustained, repetitive computational activity, then it opens itself up for the kind of digital footprint that TDT is looking for.

Rahul Ghosh: Cryptojacking with - crypto mining with hashing is just one example. Ransomware, as you mentioned, is a very - another natural threat for CPU telemetry risk detection because, of course, it's running encryption at a sustained pace and repetitive pace. There are, of course, certain other types of memory and cache-based attacks, too, that are very good candidates. And we are actively researching right now on what kind of detectors are possible. As and when we mature them, we will be announcing them with Defender at some point. But ransomware right now being the most relevant threat of our times and, of course, the one that's most in the news causing the most harm has been a particular focus for TDT. 

Rahul Ghosh: We have been looking at it for a while now. And we have been able to come up with some good detectors tell us - the CPU delivery to those detectors for ransomware as well. Really, the possibilities of what is - cannot be detected via technology of TDT is endless. You look at what performance monitoring unit has. There's hundreds, in that case thousands, of telemetry events. That can monitor hundreds and endless varieties of execution, aspects of a particular process. Depending on what the process is doing, we are fairly confident we'll be able to build a model to identify the activity, especially if it's malicious.

Natalia Godyla: Gosh. I mean, both of your teams have done so much work to date. And in addition to that, you've also generated a ton of telemetry that can further define the progression of the technology and also just better understand the attack environment. So tell us a little bit about that. What have you been learning from those signals? 

Rahul Ghosh: Oh, yes. And as I've mentioned, the journey has been very interesting. And we are very, very thankful to be with Defender on this. It has enabled us to really improve, understand where the holes are and then figure out how to cover those holes. 

Rahul Ghosh: But one observation that we have seen from the beginning is - and that's why the advantage of a technology reactivity is its resilience, really, to obfuscation sufficient techniques in the operating space. 'Cause we're realizing think that no matter what the malware does to hide itself, whether through packing or just fileless (unintelligible), in the end, it is still - it still has to run its payload, which means it has to encrypt, and the sequence of instructions will run on the CPU, and we'll still be able to pick it up. So that has been a positive realization that regardless of obfuscation in the OS space, in the silicon level, we should still be able to pick it up. 

Rahul Ghosh: But on the other side, we have also learned that we still have to deal with a lot of miles. In a general-purpose computing environment, like, let's say, an endpoint PC, there's hundreds of processes running. And it's not going to be simple to just pick up the malware activity by itself because the malware is never running just by itself. It's - there's not just - never going to be the case that you are just running the malware on the system. There's other useful work happening on the platform, and we need to be able to pick out the malware process from among those hundreds of other processes running. So we were to really develop techniques so that we can isolate the telemetry associated with the malware from the rest of the processes and applications running on the platform and as well as filter out the noise that the other processors are influencing the malware's telemetry with. And obviously through tuning and fine - honing those processes. But a lot of advances have been made to the point that we are actually able to deploy a model on the real-world platform and get good results. 

Amitrajit Banerjee: That's right. So one of the things that we have seen is, you know, the real-world workloads are really different from what we get in any software lab. That's where the numbers, which Defender have, really help in that. You know, when we are deploying it over, you know, hundreds of millions of computers in silent mode, we are silently watching the workloads. And, you know, part of it helps, like, because Defender has other engines which are already mature and well-tuned and can eliminate some of the noise that we get in field. Also, we get the telemetry back from the field, which we can effectively use to train and fine-tune the workloads to specifically identify a malware process from a non-malware process.

Amitrajit Banerjee: And in the context of, you know, either ransomware or even cryptominers or cryptojackers, it is essential to know that since the instructions to execute are not unique to them and they are used by other applications - for example, you know, Dropbox, before uploading your pictures online, would only compute the hash of the image file. And those operations are pretty much similar to what malware would do to either compute the hash of it, or, you know, maybe your encryption software is encrypting your file or compressing your file, versus the ransomware is also doing this similar kind of activity. And how do you differentiate between these two operations effectively? 

Amitrajit Banerjee: Like Rahul mentioned, you know, it's about the numbers. The more the algorithm sees, you know, such diverse data sets, it gets to learn from those. And it's called something - the supervised learning - where it can, you know, segregate the specific malware activity from the non-malware part. 

Rahul Ghosh: Yeah. Exactly, and so forth. That's one of the key parts - that because we're using supervised learning, we're learning the behavior of the malware as well as we're learning the behavior of benign workloads and with the classifiers to kind of draw the right boundaries around them. Sometimes the boundaries are fine. And the more data we feed into this over - certain models are creating set, the more fine the boundaries so that we can draw around them. 

Rahul Ghosh: So data, of course, is key with them. And as we keep working with Defender, we keep getting - understand which processes kind of overlap more and more into the malware space and be able to figure out how to draw tighter - classify boundaries around those overlaps. 

Nic Fillingham: We're just coming up on sort of our time with the two of you. I wonder if I could leave you with sort of two final questions. The first, if you could just talk - I mean, you already have - but just in terms of what sort of is next in this space and for this technology - you know, maybe without giving away too much for any folks listening that might not be on the Defender side. 

Nic Fillingham: But then the second thing is, is there any action here for IT professionals? Is there any action here for security practitioners to ensure that this technology is turned on and configured correctly and that they're getting the full benefit of it if they have that combination of TDT support in their silicon and then obviously the Defender - a Microsoft Defender service in some capacity? 

Nic Fillingham: So, I think, sort of, what's next? - and then any actual action items here for folks listening to the podcast who want to make sure this technology and this partnership is working well for them. 

Amitrajit Banerjee: So in the future, we would definitely add options to interact with it more. And IT professionals could probably use, you know, group policies and other means when they come out. But as of now, it's kind of silently monitoring in the background. That's what we have. 

Amitrajit Banerjee: To answer the question about, you know, what is next after that - so Microsoft Defender for Endpoint benefits you know from the world-class researchers who continuously detect threats and new ways of evading threats and then find new ways to prevent these attacks. So we work very closely with, you know, the research team, who tell us and guide us, like, what makes sense. And I'm sure Intel does the same, you know. They have their own research doing the same thing. 

Amitrajit Banerjee: And we always partner with our customers and listen to them on how to improve our prevention and detection techniques. What makes sense for our customers? What is the most relevant thing they want us to work on? And all of that research gets into there. And that's where the collaboration between the Microsoft Defender product research team and Intel's research team is really, really, really critical. Yeah. So, you know, Rahul, maybe you can add more to that. 

Rahul Ghosh: Yeah. And one other thing to note is there's no need to enable anything in the hardware or even the BIOS to get the capability. It's inherent in the CPU. It's always available. And enablement - can be fully software-based. So Defender - I mean, not to mention - mentioning that once TDT is integrated into Defender, it can be deployed as a Defender's page - right now silently enabled. In the future, it can be option-based. It's all depending on how Defender wants to deploy. But there's no separate enablement necessary from the OEM or the user to get TDT to work as such. 

Rahul Ghosh: And new attack techniques - our collaboration with Microsoft Defender research - we are working on them actively. Some of the models are being - and the detectors are being matured right now because we don't announce them before they're matured. But as soon as they're ready, announcements will be made. 

Rahul Ghosh: The partnership with Microsoft Defender is - it's been for almost three years now. And we are looking forward to many years of collaboration. It has been very key in releasing the protection. And very soon, ransomware will be out as well, and multiple more after that. And hopefully next year we'll be talking about the next technology that we have deployed together. 

Nic Fillingham: Well, gentlemen, thank you so much for your time. Thank you for explaining these sort of new concepts to us and helping demystify how these two really fascinating pieces of technology work together. Look forward to talking to you both on another episode of "Security Unlocked." Thanks again. 

Rahul Ghosh: Thank you. Thanks for having me. 

Amitrajit Banerjee: Thank you. 

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us at @msftsecurity, or email us at with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.