Trinity Cyber Stops Bad Guys with Help from F5

“Stopping the bad guys”—that’s how Trinity Cyber describes the mission of the company, which was formed in 2017 by former U.S. National Security Agency (NSA) experts led by Steve Ryan, previously Deputy Director of the NSA’s Threat Operation Center, and Thomas P. Bossert, a former U.S. Homeland Security Advisor to two U.S. presidents. The firm operates a distributed private cloud in the United States, employs about 52 people, and delivers sophisticated cybersecurity to its customers. The company’s customers include the operators of critical infrastructure, elements of the Department of Defense, and others with a high risk of loss, including organizations in the financial, energy, and civilian government sectors.

While the Trinity Cyber team simply calls themselves “the good guys,” there’s nothing simplistic about their innovative technology and service lines that protect customers more proactively than most, with false positive rates approaching zero. It’s no wonder both Gartner and Dark Reading recently selected the company as one to watch.

“A lot of companies rely heavily on blocking traditional indicators of compromise (IOCs),” says Stefan Baranoff, Director of Engineering. “There are two problems there: First, IOCs are derived after an attack has occurred, and usually by monitoring a span port—a copy of the traffic; and second, the characteristics of IOCs are such that an adversary can change them faster than you can signature them. We focus on how bad actors do what they do—the techniques,  behavior, and patterns in the data that give them away—and we go after the techniques directly to stop them in their tracks, in line, before they succeed.”

Trinity Cyber starts with content inspection that is deep enough to expose adversary techniques and fast enough to do something about those techniques. But they don’t just block suspicious content. Baranoff says, “We can actually replace, remove, or modify content within a session—something no one else in the industry does—and that leads to a more enduring level of protection.”

For example, malicious content can be stuck on the end of an otherwise harmless downloaded image. Baranoff says, “It just looks like someone went to a web page. That encrypted data looks like random junk, just like on all the other images on the Internet. Others would block the image or the domain from which the image was delivered, breaking a huge part of the Internet. We remove the data from the end of the image and send it on its way.”

Decryption and full inspection are key—but not easy to accomplish on both inbound and outbound traffic with a single solution.

In 2021, Trinity Cyber chose F5 BIG-IP SSL Orchestrator to perform the necessary decryption on bidirectional traffic for customers who didn’t already have sufficient SSL/STARTTLS decryption in place. They started with one virtual machine for a specific customer, kicking off a transition in the company’s approach to decryption.

It helped that the F5 solution was cost effective and supported virtual machines. “The support for virtual instances is huge,” Baranoff says. “The flexibility enables us to grow resources with customer demand.”

Implementation took just a few days. Since then, Trinity Cyber’s use of BIG-IP SSL Orchestrator has evolved to include more customers, more virtual machines, and more complex use cases. 

One such use case is the Log4j vulnerability, a serious flaw that put millions of devices at risk and continues to be widely exploited by threat actors. In late 2021, CISA issued an emergency directive requiring all federal civilian departments and agencies to assess and immediately patch systems or implement mitigation measures. While many scrambled to monitor and patch systems within the first few hours of disclosure, Trinity Cyber customers were and still are protected from any attempt to exploit the Log4j vulnerability.  

Another of the many complex use cases involves Trinity Cyber’s efforts to stop credential harvesting across several of its customers’ networks. Adversaries attempted to gather valid Office 365 credentials using deceptive hyperlinks, email phishing techniques, and the creation of fictitious domains. The unique prevention capabilities of Trinity Cyber’s technology recognized the common methodologies leveraged by the adversary and prevented any credential collection across its customer base by removing the adversary tradecraft from the customer’s network traffic in a fully automated fashion.

Baranoff says that around 95% of the traffic his company secures is encrypted, and Trinity Cyber sought a technology partner with the capabilities to protect customers who otherwise lacked visibility into that traffic. 

He says, “F5 is one of the few options that doesn’t make us compromise our operation in drastic ways.”

CEO Steve Ryan says, “BIG-IP SSL Orchestrator is integral to the delivery of our service lines, providing visibility into encrypted traffic, enabling Trinity Cyber to identify and remove threats.” 

Baranoff also praises the solution’s ability to follow various protocols, regardless of encryption initiation, and decrypt traffic immediately on the “STARTTLS” command. “I haven’t seen any other solution able to do that,” he says. “That was a huge win with F5.”

The ability to customize BIG-IP SSL Orchestrator was another distinguishing feature. 

Baranoff says, “When working on our own system, we can change the code when we need to make a change. That’s not typically the case with other vendor systems. F5 iRules lets us change the code to customize and get the behavior we want. That lets us better support our customers and their use cases.”

In fact, when asked to summarize the benefits of BIG-IP SSL Orchestrator, flexibility headed his list: “Flexibility, stability, performance, feature-rich visibility, and control. F5 is a huge notch above.”

As a result, Baranoff says, “I save all sorts of time and money with F5.”

Currently, his team is working with F5 Professional Services on declarative automated deployment and lifecycle maintenance. 

“It’s going really well,” he says, calling his F5 team, “incredibly responsive and very invested in helping us make the most of the product.”

He’s also hoping F5 will soon have an answer for the looming global issue of how to decrypt HTTP3. “That would be an awesome win.”

In the meantime, he says, “The product just keeps getting better, and we’re excited to see where the future goes.”

The bad guys will likely be part of that future and Trinity Cyber will be working to fight them, with F5 alongside to help.