Rather Than Reporting Cyberattacks, Stopping Them


Trinity Cyber

Fortnightly Magazine - May 2022

Building trust into internet access is more important than ever in the cybersecurity realm for the energy and utilities industry. Now, cyber and utilities experts have teamed up to stop adversaries before they enter your network.

Herein, PUF looks into a unique partnership with firms Trinity Cyber and UTS. UTS says it partnered with Trinity Cyber due to its cybersecurity technology that inspects, modifies, and neutralizes malicious content and threats before they reach the utility's network.

To dive into what this all means, PUF sat down with the experts, former Vice Chair at National Grid Bob Catell, also UTS Chairman, and former PG&E COO Nick Stavropoulos, also UTS Vice Chairman. Plus, former Deputy Director of Threat Operations at NSA Steve Ryan, also Trinity Cyber CEO, and Homeland Security Advisor to two U.S. Presidents Tom Bossert, also Trinity Cyber President. Listen in.

PUF's Steve Mitnick: Talk about your work.

Steve Ryan: The quick analogy is this — you've seen commercials on identity protection companies. You see them on TV. They say, protect your identity.

What they mean by the word protection, is they'll let you know if somebody's stealing your identity. But if you entrusted me to protect your valuables and the best I could do is tell you when they were stolen, you wouldn't accept that. That is the primary model in the cybersecurity space. 

The community of security operators are getting buried in alert fatigue from all these alerts and alarms. Many have false positives, and each one requires some action. There have been some inroads with artificial intelligence, and machine learning to make those actions occur quicker, but they are still actions taken after an event.

What we are doing is so fast and highly accurate that we are able to stop, fully stage every internet session. Then examine it down to the DNA, looking for the presence of adversary techniques. Then we do something about it. We're online, in flight, reconstructing the session and sending it on its way — all without slowing anything down. When we give an alert, it's for something we did something about.

The industry is focused on this model that somebody has to be a victim and then indicators are derived. The victimology shows the threat came from this IP address or that domain and everybody blocks them. All the adversary has to do is change one of those things.

We don't do that. Our approach is based on looking at methodologies the adversaries use, independent of those factors. You're not blocking something that could easily be changed tomorrow or in a minute, you're presenting a different kind of action that has a more enduring impact.

Nick Stavropoulos: When I was at PG&E, the cybersecurity team reported to me and my group. We had our command center, 24/7, and big issues for those teams were the significant amounts of false positives.

In other words, our people had to spend an inordinate amount of time and expense chasing down things that were not issues. From an operator's perspective, that's important because our false positive rate is extremely low. You don't have to do anything because our solution already has done what needed to be done to defang the attack. 

The other issue our team was always worried about was latency across the network with any layers of protection we put in. Those are a couple of user issues I would put on the table.

Bob Catell: As CEO of a major utility, I always looked for the best available technology to manage our company. When I retired as U.S. chairman at National Grid, I organized the Advanced Energy Research and Technology Center at Stony Brook University.

The mission of the Energy Center is to develop new technologies to improve the operation of the utility system and focus on clean energy. 

In order to introduce new technologies to the utility sector, I put a team of former senior utility executives together and formed Utility Technology Solutions.

I was introduced to the Trinity Cyber team by a close friend with a background in national security. Steve Ryan, the founder and CEO of Trinity Cyber was Deputy Director of the Threat Operations Center at the NSA, while president Tom Bossert is former Homeland Security Advisor to Presidents Bush and Trump.

After reviewing the approach to cybersecurity developed by Steve, Tom, and the team, we decided to partner and help them introduce their solution to the utilities industry. That's the area we come from. We were fortunate to hire the former chief security officer of PG&E to join us and former Secretary of Defense Bob Gates is a senior advisor. 

Trinity Cyber's technology gets the bad guys before they ever get into the system, and it disarms them without their knowledge. That's the reason we got involved, as we knew of no other cyber technology that accomplishes this.

PUF: Private broadband allows you to disconnect, in effect, the utility from the internet and the telecommunication system. How can you evaluate billions of messages coming in?

Tom Bossert: Here's what we did. Two or three companies, big ones, well-funded ones, technologically smart groups have tried to do a more contextually aware interrogation of data at speed. 

They ended up failing because they tried to apply rules to packets of data in flight and out of sequence often. It had inherent limitations that have not been overcome because the best you could do was apply an algorithmic guess to the indicators whizzing by. 

We've succeeded in our ability to parse and examine data in context, but in a large-scale, highly engineered way. We then look for techniques and not just the indicators of compromise, but the presence of badness, of things that obfuscate or hide the malware. 

We take some action to either drop that session or modify that traffic in a way that gives the customer the benefit of a nuanced control. They don't have to make the decision of block or allow, based off a guess. They can make the decision of a nuanced modification based on an accurate inspection.

To do that at an automated level required us to come up with a processing capability that has a processing latency in the sub-millisecond category. That's the technological breakthrough.

PUF: Are you telling utilities executives they can get back in service quicker after a hurricane?

Bob Catell: Utilities are used to responding to hurricanes after they happen and to focus on restoration. It sounds crazy, but this technology is going to prevent the hurricane from hitting the utility. It stops it before it hits. It's not reactive. It's preventive and allows the utility to focus on real threats rather than chase false alarms.

Nick Stavropoulos: I've got passion about this resiliency issue, and forward-looking companies are saying to themselves with climate change, for example, we can't be reactive. We have to harden our infrastructure, and you see that with utilities in Florida.

If you go to Hong Kong, they've designed the system to withstand tsunamis. They don't go down like our networks do. I look at our solution as part of a whole security stack, to help with this resiliency issue.

It's not a localized hurricane that's going to affect one major city. If you hit this network, it's going to affect everybody everywhere.

Steve Ryan: When you stare down a hurricane coming, you prepare, knowing you cannot prevent a hurricane. Cyberattacks are man-made. There's a human being with a tool and a set of techniques on the other side, and you can prevent those.

You have to face these things, knowing you can prevent them. If you have the ability to examine content through this contextual lens so you can find the techniques that adversaries use, and then do something about them then and there, you can prevent.

PUF: If they're algorithms, don't they have to be dynamic? They have to learn. You have to update them every couple of weeks. Because now, team X in Russia is adjusting.

Steve Ryan: There are parts you have to update, but those are the things that team X in Russia changes, like what IP address they're coming from or the domain they just registered, or they take the malicious document, and make one change. Now it's a different document.

Everybody says be on the lookout for this document, or any document from a certain domain. But if I said, independent of what kind of document it is, there's always something bad in it, and I know that because I know that's the technique the bad guy uses to hide that bad thing but you can't see that until you get into that contextual lens and deep inspection. That's the nut we were able to crack. We can get to that level of observation fast enough and accurate enough to make a difference.

The important piece of this is when you get to that level of contextual detection, it's bulletproof. Our false positive rate is like a decimal point with twelve zeros after it.

When we say the thing that was inside this network session is bad and we did something about it, we're right. Because of this contextual view, we're not guessing.

Our false positive rate is so low, we don't advertise it. We've taken a more stringent calculation called a false detection rate. The difference in the math is this false positive rate is calculated by the number of times you were wrong, divided by the total number of things you process.

When others calculate, that's how they calculate false positives. In that model, some of the best NextGen firewalls are sitting in between twenty and thirty percent false positive rate. 

We use false detection rate, which is the number of times you were wrong, divided by the number of times you were looking for that specific thing against which you were wrong. With that calculation, our false detection rate is 0.03 percent. Nobody else comes close to that.

PUF: It's like the machine is doing a quick analysis and saying, let's hold this one for a little bit, or this kind of falls in a group.

Tom Bossert: If the market conceives of the functional benefits of what they currently think of as an intrusion prevention system, a secure web gateway, and a sandbox, we combine the useful benefits of all three.

But it's at a time and place in the topography of the internet or of the network that makes us a more useful control with some preventive quality. The reason it's important to describe it differently is, I get worried about analogies to hurricanes and prevention.

It tends to turn off some of the readers in this field. It's the operators who need a better set of tools to give them a better visibility into their network traffic. That's the key we offer.

With that visibility, instead of positioning at the network edge, making a determination that's blunt, blocking something or allowing it, we've developed the ability to do something more nuanced, and here's why that's important. 

The technology being customarily deployed guesses at whether it's good or bad, and then has the option either to block or allow. With only binary blunt force options, the defender is often going to choose to allow and alert because they can't afford to be wrong and block that traffic.

It disrupts business continuity to the degree that end users will disable the product. They end up with, by comparison on average, a thirty percent false positive rate. When Steve Ryan said Trinity Cyber is providing a 0.03 percent false detection rate, we would be providing a 0.000000021 percent false positive rate. We're shaving orders of magnitude off of that industry standard.

Take one example. When our system detects an image file and discovers the presence of appended data at the end of that image — a common adversary technique — we know that appended data violates the rules of how you would construct such an image, and there is no good reason for that data to be there.

In other words, the image will render without that superfluous data, and we don't have to determine within a split microsecond over its goodness or badness. We simply know it's a technique used by bad guys, and there's something that need not be present.

Instead of being limited to a block or allow option, our capability has the option to remove that appended data. We can take the data off after the end of the "iend" chunk at the end of that image. We render the image back together and send it on its way in either direction.

Later, our team looks and determines what bad thing we removed. Often, it's a malicious payload on the inbound traffic. Sometimes it is on outbound traffic: data stolen from the target, encrypted and sent out to a Dropbox or cloud service so as to avoid network detection.

PUF: What would you show people like me who know nothing about how this works?

Tom Bossert: In a live demonstration, we can demonstrate the types of things we can do against anything in web traffic, but we operate against many multiple protocols and layers and modify the bad guy's command and control traffic, so we can't show that live. 

We can take one of our corporate machines, go to the open internet, download dangerous stuff, and, by letting the customer look at our screen as it traverses our security stack, show the power of our detection approach: what it looks like by the time it hits the download folder on our machine is benign.

A lot of networks already had bad guys in them, and they communicate to their corrupted boxes from their command servers. We see that traffic and modify it, so the bad guys don't know we've changed their command and the corrupted machines are identified to the customer.

Steve Ryan: Often, what we do in live demonstrations is lean into some of what's on the news. The Russians hitting the Ukrainian government and systems a couple weeks ago was a big deal.

Ukrainian sites were posting anti-Russian propaganda documents in a zip file. Anybody could go to these sites and download propaganda, and there were forty-eight documents.

The Russians knew this. So, they compromised the server on which these zip files were stored. They got inside one of the zip files and installed a malicious, shortened link file, that when you clicked on it would download malware onto your system.

Our team figured out where these dissident sites were and in a live demonstration, we downloaded the zip file. When we downloaded the zip file and looked at it on our system, that malicious LNK file is no longer there. It's taken care of before it gets to the network — and not because it's an LNK file, but rather because we determined it was malicious and could "see" it inside the zip file.

PUF: What's the vision say two, three years out, that your companies have?

Bob Catell: At the UTS level, we would like to see this technology installed in a significant number of utilities, so we're playing our part in protecting the nation's critical electric and gas infrastructure. That is the area we're focusing on. Trinity Cyber has a broader perspective, as its technology will work in many sectors.

Tom Bossert: I was in charge of our country's cybersecurity twice. This is far bigger than Trinity Cyber. I'd like to see all American industry increase its rate of adoption of new and better tools.

I'd like to see them deploy in a manner that considers the people and processes that helps them secure their industries and bottom lines. Often, their lifeline industries are providing power, food, and water. I want to improve the overall security of this country in this category of cyber risk.

After we've done that, the end vision is to have those tools, processes, and new capabilities integrate in such a fashion that they allow us to achieve, what I'll call unified effort and outcome-oriented protection.

We've got this environment where everybody's battling the Russians on their own with their own dime. We've got an opportunity with our tool and other new tools on the market to provide the benefit to the greater good. We can create a collected defense that doesn't require the U.S. federal government inside all our networks in a way we don't politically find palatable.

Nick Stavropoulos: When it comes to safety, your work is never done. When it comes to cybersecurity, it's like you're never going to be done because your adversaries are constantly morphing and reacting. The attitude at the senior levels of the organization can give space and permission for the CIOs, the CSOs to say, we're never done. That's a sea change in approach.