
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm

Trinity Cyber takes a new spin on some traditional network-security techniques, but can its approach catch on widely?

Cybercriminals and nation-state hackers get more brazen in their attacks every day. Ransomware is now a routine way for criminals to shake down businesses — and even critical infrastructure providers such as US gas pipeline operator Colonial Pipeline — for cash, and cyber-espionage groups like Russia's SVR spy agency are reaching inside their targets' networks by compromising the software used by their victims.


But cyberattack-fighting technology and methods traditionally have steered clear of provocative or aggressive techniques. It's mostly been a strategy of detection, prevention, and response. With the exception of deception technology, defenders (and security vendors) mostly avoid aggressive or even offensive tactics for fear of it backfiring and the attacker shifting gears — or escalating the attack.

A startup with deep roots in the National Security Agency (NSA) has developed something somewhere in between: Trinity Cyber acts as a sort of benevolent man-in-the-middle managed security service that sits on Layer 2 at the gates of the enterprise network, inspecting and scrubbing incoming and outgoing malicious traffic without alerting the bad guys. The security service also can secretly mess with attackers by letting them believe their exploits are working. Take botnet operators communicating with infected endpoints or bots: "When the beacon goes to the controller to check in with all of the metadata" such as its country code, Trinity Cyber's service can alter that metadata information, notes Steve Ryan, co-founder and CEO of Trinity Cyber. Ryan doesn't hide his enthusiasm for the feature: "That's fun."

Or it can replace the bot operator's commands to an organization's infected machine. "The attacker believes it's talking to a bot, but [the bot isn't] getting a command. At any point when they send a command, we can change it to 'uninstall,'" for example, Ryan says.

Steve Ryan, co-founder and CEO, Trinity Cyber.
Credit: Trinity Cyber

"Now you can think about using entire botnet command-and-control against itself, to tell the entire army of bots to 'uninstall'" their malware, he explains.

Ryan, who helped architect the National Security Agency's Threat Operations Center (NTOC) and served as NTOC's deputy director until 2016, brought along a handful of NSA experts to his startup. "The team has its roots in NSA. We learned a lot about how adversaries work and now have invented this fundamentally new approach to stop them," he says.

Trinity Cyber came out of stealth in August 2019 with a $23 million investment round led by Intel Capital, and later named Tom Bossert — former US Homeland Security advisor to the White House in the Trump administration and co-author of the 2007 National Strategy for Homeland Security — as president of the startup.

Its out-of-band service works within a private cloud — operating at Layer 2 — with no connection to the public Internet or a routing address (and no hardware or software installation). The idea is that it's invisible to the bad guys as well as the organizations whose traffic it's inspecting and sanitizing. Ryan explains that his company's technology can silently replace corrupted files and code segments, protocol fields, and command-and-control traffic at network speed. "It prevents attacks and wrestles control away from the hackers," he says.

Bossert says it's time for a new approach to thwarting the wave of escalating and growing attacks on US organizations.

"We can't sell this fast enough. We need to get in front of this growing threat to the American economy," Bossert says.

The company has several other heavy hitters on board. Former NSA deputy director Chris Inglis, who has been nominated by President Joe Biden as national cyber director, serves on Trinity Cyber's advisory board, as does Michael Sikorski, founder of FireEye's FLARE reverse engineering and threat analysis team. Ron Gula, founder of Tenable and a former penetration tester for the National Security Agency, is a member of Trinity's board of directors, and his Gula Tech Adventures (GTA) also has invested in Trinity Cyber.

"I invested in them because I believe every Internet connection should be protected by Trinity Cyber: I mean stuff out of the DoD [Department of Defense] and out of my mom's house," Gula says. "They're filling a gap."

That "gap," according to Gula, is an engineered detection technology that inspects traffic and strips out threats at wire speed. "It's not AI," he explains, but instead an engineered and specialized method of protecting against the top vulnerabilities that attackers are exploiting.

Given that many organizations don't patch their software before the bad guys exploit security flaws, or don't patch at all, Gula contends, Trinity Cyber's approach can take the key patches and malware "completely off the table" for organizations that can't or don't patch at will.

The idea with Trinity Cyber is to contain the attack and to prevent data theft or damage to the network. But that doesn't mean Trinity Cyber's break-and-inspect traffic model works for everyone, Gula and other experts say. Nor does it necessarily catch every threat, adds Pete Shoard, vice president and analyst with the security operations team at Gartner, which recently named Trinity Cyber as one of its "Cool Vendors."

"The center of their [Trinity Cyber's] universe is not really the prevention of all threats," Shoard says. "The fact that they enable standard business to continue whilst there's a threat in play means that they're not going to catch every threat. No one does."

Instead, the subscription-based managed security service disarms and reconstructs the traffic, he notes, scrubbing the malicious content and sending the attacker a phony response to dupe them into believing the traffic got through.

Trinity Cyber's approach doesn't fit neatly into any security technology categories, so it's difficult to classify. "I don't see anybody else like them. It's not like they created a market in their wake; they are still struggling for a placement," Shoard says.

That can also make it a tough sell. "It doesn't replace anything, and that's a challenge," he notes. Security budgets typically rely on replacing something that was previously purchased, he adds.

Its customers include organizations in finance, energy, government, healthcare, and higher education, but none were willing to be interviewed, with the exception of one that spoke on condition of anonymity. The CISO there says his organization had worried about internal threats to its intellectual property and had hoped to track any exfiltration of that information using Trinity Cyber's service. Unfortunately, the pandemic shut down the building where it had set up its test bed, so it never got to run the full-blown test.

Even so, he was intrigued by the technology. "It takes the defense further outside our borders and closer to the attacker. I thought this was great if more companies [would] do this because it's really expanding the bubble of defense outside your organization," he says. "That makes less things you have to worry about."

Meanwhile, Ryan says his company has had requests from customers to set triggers for exfiltrated data. "What a lot of folks are asking is 'can you put a canary in that document so I can track it to its endpoint?'" he says. "Or in the other direction ... to watch where it goes."

OEM Play?
Trinity Cyber's service could provide an additional layer of network security for telecommunications providers, pure Internet service providers, and even some security proxy services, security analysts say.

Gula agrees. "Trinity has an OEM play I think can help," he says, with cloud-based security apps and telecommunications providers and ISPs.

"We still have a virtual perimeter," he notes. "In reality, we need to look at every communication within an organization," including with cloud providers and services.

But whether telecommunications providers would add a service like Trinity Cyber's for their own networks is unclear. Gartner's Shoard says he hasn't seen demand for that so far, although it would be a logical fit for the technology.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

5/12/2021 | 10:33:27 PM
I saw your lips moving, but the story I read is: Their best idea is to squat on layer 2 so that they can intercept incoming and outgoing transmissions and even modify them en route. They can even replace malicious files before they reach their target blah blah blah. You lost me at NSA. Sounds like they are going to set up on layer 2 where they can see every packet transferred. Yours, mine, the bad guys'. They can also modify data en route. They can frame you, manipulate news, communications, the whole 9. I will be contacting my state representatives, although something tells me they're major fans of the deal.