Triumfant: Malware Detection and Remediation

March 4, 2013



Triumfant, Inc. is a privately held company focused on detecting and remediating cyber attacks. Triumfant takes an ‘Assume Nothing, Scan Everything’ approach to cyber detection and prevention. This approach was developed in response to changes in the threat landscape that greatly increased the frequency and sophistication of targeted attacks that evade the current generation of signature-based products. Triumfant conducts analysis on the population of machines found on the network. Some benefits of this concept are ensuring accuracy, eliminating false positives, assessing functional impact, and mitigating organizational risk. Triumfant provides detailed intelligence about each detected attack and constructs a remediation to stop the attack and repair all of the damage to the affected machine.

Application Process

Triumfant’s technology detects and evaluates state changes in the context of a specific computing environment. Any change that is statistically unusual (or, alternatively, that meets a defined policy criterion) is automatically investigated and characterized to detect an attack. Change detection provides real-time analysis without prior knowledge of an attack. Unlike the traditional signature-based process, zero-day attacks and rootkits are easily detected. After an attack has been verified (depending on policy settings), Triumfant begins a remediation process built from the analysis. A situational and contextual plan is developed to surgically apply methods that eradicate the attack. The system is then restored to an operable state without rebooting or much assistance from a human.

The Agent

An agent is sent to each machine to perform a scan. According to Triumfant, “The agent scans the machine, performs anomaly correlation requests from the server, performs remediation, and communicates with the server.” The agent is not concerned with the everyday operations of a machine. In fact, a scan is performed whether or not the system is plugged into the network. The agent runs in the background like a daemon, so most end users will not notice that a scan is in progress. The areas scanned are:

  • All registry keys
  • An MD5 hash of every file
  • Processes
  • Services
  • Event Logs
  • Performance counters
  • Security settings
  • Hardware attributes
  • Alternate data streams
  • Memory tables

The Server

The server uses algorithms to correlate and detect patterns across the machine population. Approaching malware detection at this larger scale helps improve the accuracy of data analysis and prevent false positives. The server assimilates all the state information sent by the agents, creating an Adaptive Reference (AR) Model that represents the normal state of a population of machines at a given time. The AR Model is the context that makes change detection viable and effective: it provides the reference that allows detection of unusual state changes.

The AR model also provides the option of configuring it specifically to an organization. Triumfant recognizes two perspectives when offering this service: What is wanted in the model? What is not wanted in the model?

What is wanted provides a macro approach to reconfiguring the AR model. “Triumfant policies become the mechanisms to express and enforce configuration and regulatory policies.” What is not wanted provides the ability to prevent unauthorized applications and/or known malware from being assimilated into the model as part of the norm. Items on the whitelist can be affected by the user's selection.
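As an added illustration of the idea described in this section (not Triumfant's code or algorithm), the example below builds a population reference from per-machine state, flags entries that are statistically rare, and shows why a "not wanted" list matters: a widely installed unauthorized item would otherwise be learned as normal. Machine names, hashes, the 25% threshold and the `UNWANTED` list are constructed assumptions.

```python
from collections import Counter

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed agent reports: autostart entry -> file hash (all values made up).
SNAPSHOTS = {
    "ws-01": {RUN + r"\AvAgent": "hash-a1", RUN + r"\Toolbar": "hash-t7"},
    "ws-02": {RUN + r"\AvAgent": "hash-a1", RUN + r"\Toolbar": "hash-t7"},
    "ws-03": {RUN + r"\AvAgent": "hash-a1", RUN + r"\Toolbar": "hash-t7"},
    "ws-04": {RUN + r"\AvAgent": "hash-a1", RUN + r"\Toolbar": "hash-t7",
              RUN + r"\Updater": "hash-x9"},
    "ws-05": {RUN + r"\AvAgent": "hash-zz"},
}
UNWANTED = {RUN + r"\Toolbar"}  # hypothetical "not wanted" policy list


def build_reference(snapshots, unwanted=frozenset()):
    """Count how many machines report each (entry, hash) pair.
    Unwanted entries are never assimilated into the norm."""
    ref = Counter()
    for state in snapshots.values():
        ref.update((k, v) for k, v in state.items() if k not in unwanted)
    return ref


def find_anomalies(snapshots, unwanted=frozenset(), min_share=0.25):
    """Return sorted (machine, entry, reason) findings."""
    ref = build_reference(snapshots, unwanted)
    total = len(snapshots)
    findings = []
    for machine, state in snapshots.items():
        for entry, digest in state.items():
            if entry in unwanted:
                # Policy hit: flagged no matter how common it is.
                findings.append((machine, entry, "policy"))
            elif ref[(entry, digest)] / total < min_share:
                # Seen on too few machines to count as normal.
                findings.append((machine, entry, "rare"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(SNAPSHOTS, UNWANTED):
        print(finding)
```

Without the policy list, the toolbar present on four of five machines is treated as normal and only the single-machine entries are reported.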

Triumfant Capabilities

Real-time Detection

Areas of the machine that are frequently targeted by malware are scanned more often than other areas. Any change in one of these sensitive areas causes a notification to be sent to the server. One example (of many) is autostart mechanisms. When an indicator is triggered, the suspicious state is compared with other stored contextual information. If the server determines that an attack is occurring, the agent scans at a higher level to obtain a full delta snapshot of the machine as quickly as possible. The agent returns to normal operations when this process completes.

Detection on the Daily Scan Cycle

The Detection on the Daily Scan Cycle is a full scan that monitors changes to the state of a machine. The system will investigate the presence of any potentially dangerous anomalous object (it does not matter if the executable is currently dormant). The Daily Check is intended to ensure that all machines are fully analyzed at least once per day, regardless of whether a real-time detection has occurred. Typically the Daily Check will pick up less time-critical incidents such as policy compliance violations or the presence of unauthorized applications.

On-Demand Scans

On-Demand Scans allow a user to initiate a scan if one machine or a set of machines is behaving abnormally. Triumfant's philosophy is “Assume Nothing, Scan Everything,” which means scans look for anomalies and not just malicious code.

Editorial Thoughts/Questions

With recent insider attacks against security capabilities like RSA and FireEye I think we all need to be asking hard questions of vendors regarding their own security. I had an opportunity to ask Dave Hooks from Triumfant a few questions and discussed this with him. Here are my questions and his responses:

Q: Clearly Triumfant is a universal malware detection tool that can easily fit into most organizations. But I wonder how your capabilities can be made resistant to insider attack. Seems like Triumfant allows a user to filter information sent to the AR model. So couldn’t a savvy insider filter out malicious code? Wouldn’t this result in poor remediation?

Dave Hooks: The Triumfant agent includes a variety of mechanisms to protect its own integrity including digital signatures on all of its files, self-repair capabilities, and process redundancy. The data collected by the agent is maintained in an internal database that is not accessible to users and is encrypted when in transit. If the agent is successfully attacked, it will fail to send a keep-alive message to the server and that fact will be noted by the server. All security agents that reside on an endpoint are subject to attack. We believe we have taken reasonable precautions to ensure that the Triumfant agent is resistant to such attacks.

Q: Some cyber attacks are designed to infiltrate a system and lie dormant until a set time is reached or from a remote location. Can Triumfant mitigate this type of low and slow attack?

Dave Hooks: Yes. The Triumfant solution looks for persistent objects (files, registry keys) that are both unusual in the context in which they are found and high risk because of the nature of the changes they engender. It does not matter if the malware is dormant. The existence of the malware is enough to trigger detection. So-called “low and slow” attacks are designed to circumvent network sensors and do nothing to hide the malware from detection by an endpoint security product.

Q: Anything else you would like to tell our readers about Triumfant?

Dave Hooks: Every day it seems that you read another story about a breach in a major corporation or government organization.  These organizations all had anti-virus products with the latest signatures.  They were compromised because the attacks were designed to circumvent those signatures.  It should be obvious that signature based security products are no longer enough.  Triumfant is the first vendor to step to the plate with an innovative approach that does not rely on signatures.

By: Marcus Williams

Via CTO Vision