Intel Inside: SentinelOne Cryptominer Detection

Cryptominers are illegally used for Cryptojacking, the process by which an attacker secretly launches cryptocurrency mining software on a target system. The software consumes processor cycles to process cryptocurrency transactions, thus earning the attacker a commission, usually in the form of the Monero cryptocurrency. Cryptomining attacks increased dramatically in 2018 and emerged as one of the top threats facing organizations. According to reports, Cryptomining attacks have become so popular they are estimated potentially to consume almost half a percent of the world’s electricity consumption.

What Does SentinelOne Offer to Mitigate the Risk?

At SentinelOne, we have identified this emerging threat and decided to investigate and build a solution to detect and mitigate cryptojacking.

In Windows Agent 3.0 and for the first time, SentinelOne is introducing new capabilities to detect and mitigate in-browser cryptominers. As part of the solution, we make use of Intel’s Accelerated Memory Scanning (AMS) library, which enables fast memory scanning offloaded to the Graphics Processing Unit (GPU).

In this new version of the Agent, in-browser cryptominer detection will be focused on detection of Cryptonight-based cryptocurrencies. This family includes popular and profitable cryptocurrencies such as Monero.

This new capability extends an already existing feature of detecting command line-based cryptominers, which now makes the protection from cryptominers much broader.

How Does the Detection Work?

To detect cryptominers, it’s important to understand which attributes distinguish them from other processes.

In preliminary research conducted by SentinelOne, we identified various characteristics that are unique to cryptominers. These characteristics are related to the cryptominer’s execution behavior. Once these characteristics are observed by the SentinelOne Agent, it starts to scan the potential cryptominer’s memory using Intel AMS library in order to find unique patterns in memory. If these patterns are found, then the threat is classified as cryptominer.

If the SentinelOne endpoint policy is set to “Protect” (auto-mitigate), then the Agent will kill the cryptominer. The user on the endpoint may experience the mitigation as a closed iframe or a closed browser tab.

Partnership with Intel

Intel and SentinelOne Integration

SentinelOne has partnered with Intel to integrate Intel’s Accelerated Memory Scanning capability to the agent. By leveraging this capability, SentinelOne now offloads the processing power needed to scan for cryptomining attacks from the CPU to the GPU – dramatically increasing the speed of cryptominer detection without latency or degradation of endpoint performance. This creates a much more efficient way to capture memory-based cyber attacks at the OS level.

Independent benchmark testing from PassMark Software validated that the SentinelOne’s hardware-based approach of using Intel’s silicon to power threat scanning significantly increases detection rates of memory-based attacks such as cryptominers, while providing a 10x improvement in scanning time with no increase in CPU usage.