Cybercriminals and nation-state hackers get more brazen in their attacks every day. Ransomware is now a routine way for criminals to shake down businesses — and even critical infrastructure providers such as US gas pipeline operator Colonial Pipeline — for cash, and cyber-espionage groups like Russia's SVR spy agency are reaching inside their targets' networks by compromising the software used by their victims.
But cyberattack-fighting technology and methods traditionally have steered clear of provocative or aggressive techniques. It's mostly been a strategy of detection, prevention, and response. With the exception of deception technology, defenders (and security vendors) mostly avoid aggressive or even offensive tactics for fear of it backfiring and the attacker shifting gears — or escalating the attack.
A startup with deep roots in the National Security Agency (NSA) has developed something somewhere in between: Trinity Cyber acts as a sort of benevolent man-in-the-middle managed security service that sits on Layer 2 at the gates of the enterprise network, inspecting and scrubbing incoming and outgoing malicious traffic without alerting the bad guys. The security service also can secretly mess with attackers by letting them believe their exploits are working. Take botnet operators communicating with infected endpoints or bots: "When the beacon goes to the controller to check in with all of the metadata" such as its country code, Trinity Cyber's service can alter that metadata information, notes Steve Ryan, co-founder and CEO of Trinity Cyber. Ryan doesn't hide his enthusiasm for the feature: "That's fun."
Or it can replace the bot operator's commands to an organization's infected machine. "The attacker believes it's talking to a bot, but [the bot isn't] getting a command. At any point when they send a command, we can change it to 'uninstall,'" for example, Ryan says.
"Now you can think about using entire botnet command-and-control against itself, to tell the entire army of bots to 'uninstall'" their malware, he explains.
Ryan, who helped architect the National Security Agency's Threat Operations Center (NTOC) and served as NTOC's deputy director until 2016, brought along a handful of NSA experts to his startup. "The team has its roots in NSA. We learned a lot about how adversaries work and now have invented this fundamentally new approach to stop them," he says.
Trinity Cyber came out of stealth in August 2019 with a $23 million investment round led by Intel Capital, and later named Tom Bossert — former US Homeland Security advisor to the White House in the Trump administration and co-author of the 2007 National Strategy for Homeland Security — as president of the startup.
Its out-of-band service works within a private cloud — operating at Layer 2 — with no connection to the public Internet or a routing address (and no hardware or software installation). The idea is that it's invisible to the bad guys as well as the organizations whose traffic it's inspecting and sanitizing. Ryan explains that his company's technology can silently replace corrupted files and code segments, protocol fields, and command-and-control traffic at network speed. "It prevents attacks and wrestles control away from the hackers," he says.
Bossert says it's time for a new approach to thwarting the wave of escalating and growing attacks on US organizations.
"We can't sell this fast enough. We need to get in front of this growing threat to the American economy," Bossert says.
The company has several other heavy hitters on board. Former NSA deputy director Chris Inglis, who has been nominated by President Joe Biden as national cyber director, serves on Trinity Cyber's advisory board, as does Michael Sikorski, founder of FireEye's FLARE reverse engineering and threat analysis team. Ron Gula, founder of Tenable and a former penetration tester for the National Security Agency, is a member of Trinity's board of directors, and his Gula Tech Adventures (GTA) also has invested in Trinity Cyber.
"I invested in them because I believe every Internet connection should be protected by Trinity Cyber: I mean stuff out of the DoD [Department of Defense] and out of my mom's house," Gula says. "They're filling a gap."
That "gap," according to Gula, is an engineered detection technology that inspects traffic and strips out threats at wire speed. "It's not AI," he explains, but instead an engineered and specialized method of protecting against the top vulnerabilities that attackers are exploiting.
Given that patching software doesn't necessarily happen in time — or at all — for many organizations before the bad guys exploiting security flaws, Gula contends, Trinity Cyber's approach can take the key patches and malware "completely off the table" for organizations that can't or don't patch at will.
The idea with Trinity Cyber is to contain the attack and to prevent data theft or damage to the network. But that doesn't mean Trinity Cyber's break-and-inspect traffic model works for everyone, Gula and other experts say. Nor does it necessarily catch every threat, adds Pete Shoard, vice president and analyst with the security operations team at Gartner, which recently named Trinity Cyber as one of its "Cool Vendors."
"The center of their [Trinity Cyber's] universe is not really the prevention of all threats," Shoard says. "The fact that they enable standard business to continue whilst there's a threat in play means that they're not going to catch every threat. No one does."
Instead, the subscription-based managed security service disarms and reconstructs the traffic, he notes, scrubbing the malicious content and sending the attacker a phony response to dupe them into believing the traffic got through.
Trinity Cyber's approach doesn't fit neatly into any security technology categories, so it's difficult to classify. "I don't see anybody else like them. It's not like they created a market in their wake; they are still struggling for a placement," Shoard says.
That can also make it a tough sell. "It doesn't replace anything, and that's a challenge," he notes. Security budgets typically rely on replacing something that was previously purchased, he adds.
Its customers include organizations in finance, energy, government, healthcare, and higher education, but none were willing to be interviewed, with the exception of one that spoke on request of anonymity. The CISO there says his organization had worried about internal threats to its intellectual property and had hoped to track any exfiltration of that information using Trinity Cyber's service. Unfortunately, the pandemic shut down the building where it had set up its test bed, so it never got to run the full-blown test.
Even so, he was intrigued by the technology. "It takes the defense further outside our borders and closer to the attacker. I thought this was great if more companies [would] do this because it's really expanding the bubble of defense outside your organization," he says. "That makes less things you have to worry about."
Meanwhile, Ryan says his company has had requests from customers to set triggers for exfiltrated data. "What a lot of folks are asking is 'can you put a canary in that document so I can track it to its endpoint?'" he says. "Or in the other direction ... to watch where it goes."
Trinity Cyber's service could provide an additional layer of network security for telecommunications providers, pure Internet service providers, and even some security proxy services, security analysts say.
Gula agrees. "Trinity has an OEM play I think can help," he says, with cloud-based security apps and telecommunications providers and ISPs.
"We still have a virtual perimeter," he notes. "In reality, we need to look at every communication within an organization," including with cloud providers and services.
But whether telecommunications providers would add a service like Trinity Cyber's for their own networks is unclear. Gartner's Shoard says he hasn't seen demand for that so far, although it would be a logical fit for the technology.