CrowdStrike and Intel Partner with MITRE Center for Threat-Informed Defense in PC Hardware-Enabled Defense Project

  • CrowdStrike and Intel Corp. were key research sponsors and participants in the latest project from the MITRE Center for Threat-Informed Defense
  • The PC Security Stack Mappings — Hardware-Enabled Defense initiative mapped Intel vPro® Security features, including Intel® Threat Detection Technology (Intel® TDT), to MITRE ATT&CK® adversarial behaviors
  • With the CrowdStrike Falcon® platform’s Accelerated Memory Scanning leveraging Intel TDT, 93 ATT&CK TTPs were mapped at the hardware level for earlier detection with minimal impact on system performance

The AI-native CrowdStrike Falcon platform is built to detect and protect against even the most advanced attacks. And as new research shows, it can further strengthen defenses when integrated with modern enterprise PC hardware. The Security Stack Mappings — Hardware-Enabled Defense (SSM-HED) project, a new initiative from the MITRE Center for Threat-Informed Defense, shows how an organization’s PC hardware can augment defenses when used with supported security solutions like the Falcon platform.

In this project, key research partners, including CrowdStrike and Intel, used the MITRE ATT&CK framework to connect adversary techniques to features in modern PC hardware that can help security solutions effectively counter these threats. The results show how the silicon-enabled capabilities of Intel vPro Security help defend against specific ATT&CK techniques when combined with OS-level security and advanced security solutions, including the CrowdStrike Falcon platform.

CrowdStrike’s participation in this project showcases our efforts to integrate the Falcon platform with PC hardware to strengthen protection across the security stack. These efforts also include hardware-enhanced exploit detection (HEED) and CPU-based memory scanning. The project team found Intel-based hardware integration beneficial in accelerating detection and protection against complex attacks with minimal impact on system performance.

Modern AI PCs Augment Security Tools

The basic premise of this project is that modern enterprise PCs — specifically, PCs equipped with Intel® Core™ Ultra vPro processors — are built with hardware-based security features. However, these capabilities often go unused. With tens of millions of these enterprise PCs currently deployed, and more rolling out as older systems are replaced, there is a significant opportunity to leverage underutilized hardware capabilities to further harden security defenses.

In addition, this initiative provides IT departments with valuable insights to inform PC refresh cycles as part of addressing emerging security threats. The timing is particularly relevant as enterprises consider upgrading to Windows 11, which introduces new baseline hardware security requirements.

The key to unlocking this potential is to map the integrated hardware capabilities to the MITRE ATT&CK framework, the industry-standard knowledge base of adversary tactics and techniques.

Security Stack Mappings — Hardware-Enabled Defense Project 

As part of the SSM Mapping project with Intel vPro Security, four hardware security categories were identified on PCs running Microsoft Windows 11 Enterprise along with either the CrowdStrike Falcon platform or another supported cybersecurity solution. These categories included:

  1. Advanced Threat Protection

  2. Trusted Computing

  3. Encryption and Data Protection

  4. Virtualization

This effort resulted in over 230 mappings of integrated mitigations to adversary behaviors. These ATT&CK mappings demonstrate how hardware-based security features can be deployed against specific cyber threats, and how the integration of hardware security with operating system protections and security software can create robust, multi-layered defense strategies.

The project team cited Intel TDT with CrowdStrike Falcon Accelerated Memory Scanning (AMS) as an example of Hardware – Advanced Threat Protection integration. This combination enables faster detection of cyber threats earlier in the kill chain and in real time, with minimal impact on system performance.

AMS has already been proven as a valuable feature in the Falcon platform (read here to learn how it detected BRc4 execution in the wild). The SSM-HED project expanded protect and detect coverage to over 90 ATT&CK (sub-)techniques, as shown in the images below.

Figure 1. Hardware – Advanced Threat Protection Part 1: Intel TDT and CrowdStrike Falcon AMS (Copyright: MITRE Center for Threat-Informed Defense)
Figure 2. Hardware – Advanced Threat Protection Part 2: Intel TDT and CrowdStrike Falcon AMS (Copyright: MITRE Center for Threat-Informed Defense)

CrowdStrike’s Collaboration with the MITRE Engenuity Center for Threat-Informed Defense

The Center for Threat-Informed Defense recently celebrated its fifth anniversary. CrowdStrike has worked closely with the Center as a Research Sponsor since 2021, becoming a Research Partner in 2022. CrowdStrike Data Science Vice President Joel Spurlock is a member of the Center for Threat-Informed Defense Advisory Council, which provides strategic guidance and executive advocacy in support of the Center’s mission.

During our partnership with the Center, CrowdStrike data scientists and researchers have been an integral part of many projects that have furthered the cause of cybersecurity innovation. Notable examples include:

  • Insider Threat TTP Knowledge Base (Feb. 2022) used the MITRE ATT&CK enterprise matrix as a baseline for mapping real-world insider threat techniques based on actual case files, including from CrowdStrike’s global incident response and threat intelligence teams.
  • Top ATT&CK Techniques project (May 2022) provided a methodology for prioritizing ATT&CK techniques, including a web-based calculator that prioritizes techniques based on user input.
  • Cloud Analytics project (Oct. 2022) captured key adversarial tactics, techniques and procedures (TTPs) to improve detection of threat actor behavior in cloud environments.
  • TRAM II project (Aug. 2023) improved the speed and accuracy of mapping new threat reports to the MITRE ATT&CK framework through automation.
  • Summiting the Pyramid (Sept. 2023) had the goal of enabling cybersecurity defenders to write more robust analytics that are more difficult for adversaries to evade.
  • OceanLotus (Dec. 2023) created the first public adversary emulation plan combining macOS and Linux for full-scope purple teaming.
  • Sensor Mappings to ATT&CK (March 2024) mapped sensors and other data sources to MITRE ATT&CK framework techniques.
  • Insider Threat TTP Knowledge Base, Version 2 (March 2024) enhanced the repository of TTPs used by insider attackers, helping organizations prevent and defend against insider threats.
  • Secure AI Project (Nov. 2024) results expanded MITRE ATLAS®, a comprehensive knowledge base of adversary tactics and techniques targeting AI systems.

The SSM-HED project is the latest effort in our ongoing collaboration with the Center. This ongoing partnership reflects CrowdStrike’s continued commitment to research, innovation and thought leadership in the cybersecurity industry. 

You can read more about the SSM-HED project here.

Additional Resources

CrowdStrike 2025 Global Threat Report

Get your copy of the must-read cybersecurity report of the year.