The Case for Triumfant as a Detection Tool for the Advanced Persistent Threat
February 9, 2010
Over the past two weeks I have jumped into the conversation about the Advanced Persistent Threat (APT) and how Triumfant represents an effective tool for detection of such threats. Before I continue, let me level set.
- APT is characterized by a sophisticated adversary that is engaging in long term pursuit of sensitive data or intellectual property. APT is not about malware – APT is not a specific attack or an attack vector.
- Because of the nature of APT, there is not a tool or set of tools that can protect an organization from APT.
We are on record as stating that while we would never characterize Triumfant as a protection for, or solution to, APT, we do represent a very effective tool for detecting APT attacks (or the Advanced Persistent Adversary, as some would prefer). As I also said previously, most security people who deal with APT will tell you that anomaly detection or change detection has long been viewed as the right tool for detecting APT-type attacks, but that there was no effective implementation available. We of course now think there is.
Triumfant is fundamentally different from any tool on the market. First, we represent the most comprehensive sensor grid on the endpoint available today. We monitor every piece of data or attribute about each machine that we can access. This includes all of the registry keys, an MD5 hash of every file, performance data and physical data. Second, we use our patented analytics to correlate and group all of that data to create a multi-dimensional model of the endpoint population that provides a unique context for later analysis.
Now the fun begins. We continuously monitor the over 200,000 attributes on each and every machine for changes, because it is change that triggers analysis for Triumfant. All of the other tools on the market still rely on prior knowledge of the attack or the attack vector, and we have established that APT is not about a specific attack or attack vector (or even a well-defined population of them). This is precisely why the traditional endpoint security tools fail against APT – their very foundation is knowing about an attack in order to detect it. The edge Triumfant enjoys is that it does not need that prior knowledge at all.
The elemental nature of using change detection to trigger analysis is what gives it so much power. Most attacks – APT or pedestrian – share a common thread: they make changes to the machine. And as Dave Hooks, our CTO and the creator of our analytic model will tell you: “If it wiggles, we will see it”. Triumfant sees every change, analyzes it in the context of our model, and determines if the change is benign or potentially malicious. It is this context that has allowed us to effectively eliminate the false positives previously inherent with change detection.
In the case of malicious activity, the analytics bear down to ensure that all of the changes that are part of a given attack are found and appropriately grouped. This may include additional probes to the affected machine to perform dependency walks on files, or any number of other correlation algorithms. The result is presented as an unnamed (no signatures, so no name) anomalous application together with all of the effects of that application on the machine: the registry keys modified, files added, deleted or corrupted, physical changes such as opened ports, new processes, and corrupted system calls. The analytics capture and correlate all of the changes to the machine for the APT attack, and use that data to build a situational remediation for that attack. You get all of the data behind the attack and the fix to restore the machine to its pre-attack condition.
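The mechanism the last few paragraphs describe (snapshot the endpoint's attributes, let a change trigger analysis, use the rest of the endpoint population as context to separate a patch rollout from a one-off anomaly, then group the anomalous changes into one unnamed report with a remediation map) can be shown in miniature. The block below is an added example written for this page, not Triumfant's code or its analytic model; the attribute naming scheme (`file:`, `reg:`, `port:` prefixes), the 50% population threshold, the `analyze_host` function and all snapshot values are constructed for illustration.

```python
"""Minimal population-aware change detection (added example; constructed data).

Each endpoint reports a snapshot: attribute name -> observed value (a file hash,
a registry value, a listening port).  A change on the focus host is scored
against the other hosts' current snapshots: if most of them carry the same new
value it is a rollout and benign; if the change is unique it is anomalous.
"""
import hashlib


def attribute_hash(data: bytes) -> str:
    """Hash of a file's content as the post describes (MD5 for change detection,
    i.e. 'did this file change', not for collision resistance)."""
    return hashlib.md5(data).hexdigest()


def diff_snapshot(baseline: dict, current: dict) -> dict:
    """Return attr -> (old, new) for every attribute whose value differs.
    None on either side means the attribute was absent (added / removed)."""
    changes = {}
    for key in sorted(baseline.keys() | current.keys()):   # sorted: deterministic order
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def population_context(changes: dict, peers: list, threshold: float = 0.5) -> dict:
    """Score each change by how many peer hosts show the same new value.
    Returns attr -> (verdict, share). Hypothetical threshold: a change seen on at
    least half the population is treated as benign (patch, policy push)."""
    verdicts = {}
    for key, (_old, new) in changes.items():
        shared = sum(1 for snap in peers if snap.get(key) == new)
        share = shared / len(peers) if peers else 0.0
        verdicts[key] = ("benign" if share >= threshold else "anomalous", share)
    return verdicts


def build_report(changes: dict, verdicts: dict) -> dict:
    """Group the anomalous changes into one unnamed anomaly plus a remediation
    map (attr -> value to restore; None means remove the attribute)."""
    report = {"added": [], "removed": [], "modified": [], "remediation": {}}
    for key, (old, new) in changes.items():
        if verdicts[key][0] != "anomalous":
            continue
        bucket = "added" if old is None else "removed" if new is None else "modified"
        report[bucket].append(key)
        report["remediation"][key] = old
    return report


def analyze_host(baseline: dict, current: dict, peers: list) -> tuple:
    """Change triggers analysis: diff, score in population context, group."""
    changes = diff_snapshot(baseline, current)
    verdicts = population_context(changes, peers)
    return changes, verdicts, build_report(changes, verdicts)


# --- constructed sample snapshots (not real hashes or real hosts) ---
KERNEL = r"file:C:\Windows\System32\kernel32.dll"
HOSTS = r"file:C:\Windows\System32\drivers\etc\hosts"
RUNKEY = r"reg:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"
NEWFILE = r"file:C:\Users\Public\svchelper.exe"

BASELINE = {KERNEL: "aaa1", HOSTS: "bbb1", "port:tcp/445": "LISTEN"}
CURRENT = {                     # focus host after a patch AND an unwanted change
    KERNEL: "aaa2",             # patched binary: every peer has the same new hash
    HOSTS: "bbb2",              # hosts file edited only on this machine
    RUNKEY: r"C:\Users\Public\svchelper.exe",   # new autorun entry, unique
    NEWFILE: "ccc1",            # new file, unique
    "port:tcp/445": "LISTEN",
    "port:tcp/5555": "LISTEN",  # new listening port, unique
}
PEERS = [{KERNEL: "aaa2", HOSTS: "bbb1", "port:tcp/445": "LISTEN"} for _ in range(3)]

if __name__ == "__main__":
    changes, verdicts, report = analyze_host(BASELINE, CURRENT, PEERS)
    for key, (verdict, share) in verdicts.items():
        print(f"{verdict:9s} share={share:.2f}  {key}")
    print("anomaly report:", report)
```

Running it marks only the kernel32 hash change as benign (all three peers carry the new hash) and groups the other four changes, with the original hosts-file hash recorded as the value to restore. The same shape scales to many attributes per host; what the toy leaves out is the correlation the post describes between changes (dependency walks, process-to-file links), which is what turns a pile of anomalous attributes into one "application".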
The data about the attack can be saved and shared with incident response and forensics teams for further analysis. Their analysis can then be used to make the appropriate modifications to organizational defenses to protect against a reoccurrence of that attack. But of course by now the advanced persistent adversary has already moved on to a new attack, and the game plays on.
So back to my original assertion. Are we a solution for APT? No. Does our combination of comprehensive endpoint sensor grid, deep context, and the use of change detection to trigger analysis make us an effective tool for detecting APT attacks? We certainly think so.