The analyst from FireEye whose team discovered the SolarWinds attack and the co-founder of Tenable will join the advisory board of Trinity Cyber – contributing expertise to the company that counts former homeland security adviser Tom Bossert among its top executives.
News of the high-profile new additions – Michael Sikorski, the head of FireEye's FLARE reverse engineering and threat analysis team, and Ron Gula – comes with an announcement of an undisclosed amount of funding from the latter's venture capital firm, Gula Tech Adventures.
"Don't take Tom Bossert's word on Trinity Cyber. He was just the former homeland security advisor. He runs the company, so maybe he's self-interested," said Bossert, Trinity Cyber's president and former official with both the Trump and George W. Bush administrations. "Maybe it's just the policy guy who doesn't understand the tech. But you can't ignore Ron Gula and Mike Sikorski."
Trinity Cyber describes its solution as a classic man-in-the-middle attack, reconfigured for defense. It advertises a low-latency ability to scan and modify traffic going in and out of the network, detect exploits in files without requiring signatures, alter compromised files being downloaded or data as it's exfiltrated, and even mimic a system beaconing to the attacker that malware had been installed after the product has blocked that malware from being downloaded.
This kind of capability, said Sikorski, would be particularly profound in cases similar to the SolarWinds attack, where hackers were able to confound traditional indicators of compromise. He identified several points in the cycle of infection where Trinity Cyber would be able to detect the intruder: the HTTP command and control service hiding in intrusion telemetry, the Cobalt Strike communications, DNS CNAME patterned traffic, and communications to and from web shells. But, he said, it's the product's ability to respond to attacks while detecting them that drew him to the company.
"Something we've always wanted to have is the ability to mess with the intruders, live, as they're attacking," Sikorski said. "If someone is scanning you for a vulnerability, Trinity can come back and say, 'Oh, actually, we're patched.' So now, instead of rushing around to patch every single system, there's a technology that will tell the attacker it's good, even if it's not."
The active defense capability can keep an attacker busy while defenders investigate the scope of the intrusion, he continued. That can reduce a major friction point during the incident response process, where victims tend to prefer not allowing an attacker to receive authentic files.
"For incident responders, it's really hard to tell a client, 'please don't turn these things off until I figure out what's going on,' when you see what's being stolen off the network. You need to get the client comfortable with things getting robbed from them," Sikorski said.
In that sense, Trinity Cyber can buy time to figure out what the attacker is doing before tipping your hand. As Sikorski put it, "if an attacker pulls back a corrupted zip file, they're going to assume they made the mistake."
Maryland-based Trinity Cyber was founded in 2016. Its most recent round of funding netted $23 million in 2019 and was led by Intel Capital. Bossert came on board around the same time, his first private-sector stint after serving as homeland security advisor for the Trump administration, during the NotPetya and WannaCry attacks. Bossert remains enthusiastic about the product.
"This is the technology that Einstein should have been," said Bossert, referring to the sensors used to protect federal networks.