Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:44 PM
Connect Directly

A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm

Trinity Cyber takes a new spin on some traditional network-security techniques, but can its approach catch on widely?

Cybercriminals and nation-state hackers get more brazen in their attacks every day. Ransomware is now a routine way for criminals to shake down businesses — and even critical infrastructure providers such as US gas pipeline operator Colonial Pipeline — for cash, and cyber-espionage groups like Russia's SVR spy agency are reaching inside their targets' networks by compromising the software used by their victims.

Related Content:

The Private Sector Needs a Cybersecurity Transformation

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10 Security Awareness Training Mistakes to Avoid

But cyberattack-fighting technology and methods traditionally have steered clear of provocative or aggressive techniques. It's mostly been a strategy of detection, prevention, and response. With the exception of deception technology, defenders (and security vendors) mostly avoid aggressive or even offensive tactics for fear of it backfiring and the attacker shifting gears — or escalating the attack.

A startup with deep roots in the National Security Agency (NSA) has developed something somewhere in between: Trinity Cyber acts as a sort of benevolent man-in-the-middle managed security service that sits on Layer 2 at the gates of the enterprise network, inspecting and scrubbing incoming and outgoing malicious traffic without alerting the bad guys. The security service also can secretly mess with attackers by letting them believe their exploits are working. Take botnet operators communicating with infected endpoints or bots: "When the beacon goes to the controller to check in with all of the metadata" such as its country code, Trinity Cyber's service can alter that metadata information, notes Steve Ryan, co-founder and CEO of Trinity Cyber. Ryan doesn't hide his enthusiasm for the feature: "That's fun."

Or it can replace the bot operator's commands to an organization's infected machine. "The attacker believes it's talking to a bot, but [the bot isn't] getting a command. At any point when they send a command, we can change it to 'uninstall,'" for example, Ryan says.

Steve Ryan, co-founder and CEO, Trinity Cyber.
Credit: Trinity Cyber
Steve Ryan, co-founder and CEO, Trinity Cyber. Credit: Trinity Cyber

"Now you can think about using entire botnet command-and-control against itself, to tell the entire army of bots to 'uninstall'" their malware, he explains.

Ryan, who helped architect the National Security Agency's Threat Operations Center (NTOC) and served as NTOC's deputy director until 2016, brought along a handful of NSA experts to his startup. "The team has its roots in NSA. We learned a lot about how adversaries work and now have invented this fundamentally new approach to stop them," he says.

Trinity Cyber came out of stealth in August 2019 with a $23 million investment round led by Intel Capital, and later named Tom Bossert — former US Homeland Security advisor to the White House in the Trump administration and co-author of the 2007 National Strategy for Homeland Security — as president of the startup.

Its out-of-band service works within a private cloud — operating at Layer 2 — with no connection to the public Internet or a routing address (and no hardware or software installation). The idea is that it's invisible to the bad guys as well as the organizations whose traffic it's inspecting and sanitizing. Ryan explains that his company's technology can silently replace corrupted files and code segments, protocol fields, and command-and-control traffic at network speed. "It prevents attacks and wrestles control away from the hackers," he says.

Bossert says it's time for a new approach to thwarting the wave of escalating and growing attacks on US organizations.

"We can't sell this fast enough. We need to get in front of this growing threat to the American economy," Bossert says.

The company has several other heavy hitters on board. Former NSA deputy director Chris Inglis, who has been nominated by President Joe Biden as national cyber director, serves on Trinity Cyber's advisory board, as does Michael Sikorski, founder of FireEye's FLARE reverse engineering and threat analysis team. Ron Gula, founder of Tenable and a former penetration tester for the National Security Agency, is a member of Trinity's board of directors, and his Gula Tech Adventures (GTA) also has invested in Trinity Cyber.

"I invested in them because I believe every Internet connection should be protected by Trinity Cyber: I mean stuff out of the DoD [Department of Defense] and out of my mom's house," Gula says. "They're filling a gap."

That "gap," according to Gula, is an engineered detection technology that inspects traffic and strips out threats at wire speed. "It's not AI," he explains, but instead an engineered and specialized method of protecting against the top vulnerabilities that attackers are exploiting.

Given that patching software doesn't necessarily happen in time — or at all — for many organizations before the bad guys exploiting security flaws, Gula contends, Trinity Cyber's approach can take the key patches and malware "completely off the table" for organizations that can't or don't patch at will.

The idea with Trinity Cyber is to contain the attack and to prevent data theft or damage to the network. But that doesn't mean Trinity Cyber's break-and-inspect traffic model works for everyone, Gula and other experts say. Nor does it necessarily catch every threat, adds Pete Shoard, vice president and analyst with the security operations team at Gartner, which recently named Trinity Cyber as one of its "Cool Vendors."

"The center of their [Trinity Cyber's] universe is not really the prevention of all threats," Shoard says. "The fact that they enable standard business to continue whilst there's a threat in play means that they're not going to catch every threat. No one does."

Instead, the subscription-based managed security service disarms and reconstructs the traffic, he notes, scrubbing the malicious content and sending the attacker a phony response to dupe them into believing the traffic got through.

Trinity Cyber's approach doesn't fit neatly into any security technology categories, so it's difficult to classify. "I don't see anybody else like them. It's not like they created a market in their wake; they are still struggling for a placement," Shoard says.

That can also make it a tough sell. "It doesn't replace anything, and that's a challenge," he notes. Security budgets typically rely on replacing something that was previously purchased, he adds.

Its customers include organizations in finance, energy, government, healthcare, and higher education, but none were willing to be interviewed, with the exception of one that spoke on request of anonymity. The CISO there says his organization had worried about internal threats to its intellectual property and had hoped to track any exfiltration of that information using Trinity Cyber's service. Unfortunately, the pandemic shut down the building where it had set up its test bed, so it never got to run the full-blown test.

Even so, he was intrigued by the technology. "It takes the defense further outside our borders and closer to the attacker. I thought this was great if more companies [would] do this because it's really expanding the bubble of defense outside your organization," he says. "That makes less things you have to worry about."

Meanwhile, Ryan says his company has had requests from customers to set triggers for exfiltrated data. "What a lot of folks are asking is 'can you put a canary in that document so I can track it to its endpoint?'" he says. "Or in the other direction ... to watch where it goes."

OEM Play?
Trinity Cyber's service could provide an additional layer of network security for telecommunications providers, pure Internet service providers, and even some security proxy services, security analysts say.

Gula agrees. "Trinity has an OEM play I think can help," he says, with cloud-based security apps and telecommunications providers and ISPs.

"We still have a virtual perimeter," he notes. "In reality, we need to look at every communication within an organization," including with cloud providers and services.

But whether telecommunications providers would add a service like Trinity Cyber's for their own networks is unclear. Gartner's Shoard says he hasn't seen demand for that so far, although it would be a logical fit for the technology.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
5/12/2021 | 10:33:27 PM
I seen your lips moving, but the story I read is; Their best idea is to squat on layer 2 so that they can intercept incoming and outgoing transmissions and even modify them enroute. They can even replace malicious files before they reach their target blah blah blah. You lost me at NSA. Sounds like they are going to setup on layer 2 where they can see every packet transfered. Yours mine, the bad guys. They can also modify data enroute. They can frame you, manipulate news, communications, thee whole 9. I will be contacting my state representatives, although something tells me theyajor fans of the deal.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the ...
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco Tetration could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected system. This vulnerability exists because the web-based management interface does not sufficiently validate user...
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions ar...
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
PUBLISHED: 2021-10-21
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this ad...