"The fact that we can do all our forensic analysis in one system without leaving a browser is a big deal." - Jeremy Brown, VP of Threat Analysis at Trinity Cyber
Trinity Cyber, Inc. is a US-based company that has invented a new approach to cybersecurity that can deeply inspect full-session internet traffic and modify it in a way that removes or neutralizes malware and exploits. They offer the first technology that can parse, scan and rebuild full-session Internet traffic in both directions to expose and mitigate actual threat content and do so with an average processing latency of less than a millisecond. This precise session inspection and editing capability delivers real-time detection and response, increasing security while significantly reducing the workload of its customers.
Trinity Cyber currently offers two service lines. The TC:Edge service is a private cloud offering operated and maintained by Trinity Cyber’s experts for the customer. TC:Edge delivers automated prevention with an array of useful metadata, traffic analysis, and advanced network hunting. The TC:File platform provides extremely accurate and fast file-based threat discovery.
The company’s ethos centers around “stopping the bad guys”, and integral to the company’s day-to-day work in developing automated threat responses is the processing and analysis of network packet captures. We recently interviewed Jeremy Brown, VP of Threat Analysis, and Stefan Baranoff, VP of Engineering, at Trinity Cyber to learn how they employ packet captures (PCAPs) as part of their solutions and how they use CloudShark Enterprise and the CloudShark Threat Assessment tool as a pathway to providing complete network security peace of mind to their customers.
QA Cafe (QAC): So, tell us a little bit about Trinity Cyber. What do you work on, and what solutions do you provide?
Stefan Baranoff (SB): For TC:Edge, my team invented a technology that can inspect network traffic so deep that we can expose adversary techniques in a way that has never been done before – and so fast that we have time to do something about it. We can literally examine the fully-parsed and decoded contents of an internet session and expose the types of threats that would ordinarily get past a typical network security appliance. And because that traffic is built out in our stack before it’s delivered, we asked: “Why stop there?” So, we came up with a way to apply a family of security engines to empower our analysts to write complex rule sets that edit the maliciousness out of the network content in real time.
Jeremy Brown (JB): That’s the real power. My team isn’t alerting the customer about something that may have happened (that they now need to address). We’re notifying them of a high-fidelity action we have taken on their behalf. We offer customers this incredible technology that they don’t have to learn to operate – we do it for them. Not only that, but our system produces almost no false positives, so we are not only saving their SOC team time and money on the front end by operating the technology for them, but we are also saving them on the back end of their operations by significantly reducing false positives and alert fatigue.
SB: TC:Edge operates in both directions, so we can stop the bad things from coming in and as importantly, if something is already in, we can shut it down. We offer TC:Edge as an on-premise solution that augments a customer’s security stack through our CloudConnect option that tunnels traffic to and through a TC:Edge instance or via direct or virtual cross-connect in a data center.
JB: With the flexibility of the security engines Stefan’s team developed, we can tailor our automated responses to align with our customers’ business objectives. For instance, some of our customers want a malicious attachment delivered, cleaned of its malware, while others prefer that we not deliver anything and remove the malicious attachment altogether. We also have customers who prefer we replace the malicious attachment with something benign and useful to the SOC team. With our technology, we can deliver automated responses that support the threat prevention goals and outcomes our customers want.
QAC: How do network packet captures factor into your work?
SB: In addition to our own proprietary technology, my team delivers, provides, and manages full packet capture and analysis technology to support Jeremy’s team.
JB: We are constantly hunting for threats in our customers’ network traffic. Among the hunting capabilities we employ, we run open-source rules for Suricata (an Intrusion Detection System) against packet captures to get a broad picture of activity around malicious events. These rules are extremely valuable because we can harness community knowledge to focus our team.
JB: Also, some of our customers want to have all the details when we have prevented something bad. We use PCAPs as our evidence in these cases. Other customers really want to dive into the details themselves, you know: “just give me the PCAP”. In any case, having full PCAP is extremely valuable to our operation.
QAC: How did you do packet analysis before? How did you find CloudShark?
JB: We would collect PCAPs in one place, usually in a file store, or directly attached to JIRA tickets. And the workflow was a bit clunky, often with people downloading their own copies of captures and manually analyzing them with Wireshark and Suricata.
SB: I knew there had to be a better way to do this, and when I found CloudShark Enterprise, I said, “Jeremy, have you seen this? It’s Wireshark in a browser with Suricata built in!”
JB: The fact that we can do all our forensic analysis in one system without leaving a browser is a big deal. It’s very cool to be able to toss a PCAP around without having to install anything. Links are much more convenient than file attachments, and the fact that they can be annotated and marked up saves us a ton of work. It’s also much easier to work with customers. Moreover, there’s no magic to Suricata and other forensic tools on their own - having a great visualization that lets us pivot from an alert to the PCAPs was a critical point for us.
QAC: What does your workflow look like with CloudShark?
SB: We grab the PCAPs we need and send them to our CloudShark Enterprise system. We tag them with things like customer identifiers, MITRE attack tags, plus a pile of metadata (really, we use so many tags). Then we include links in our tickets, and Jeremy’s team can do the analysis right away.
JB: It gets us to the answer faster. My team can open a PCAP in CloudShark, look at the traffic content, click to go to the alert in Threat Assessment, and then filter down to the packets that caused it. Then we all collaborate on the issue without having to repeat our work, make annotations where necessary, then resolve it.
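As an added example (not code from the interview, Trinity Cyber or QA Cafe), here is the alert-to-packets pivot Jeremy describes, done by hand on a constructed Suricata EVE JSON alert: it builds the Wireshark display filter that isolates the alerting flow in the PCAP and derives capture tags in the spirit of the customer-identifier and MITRE tags Stefan mentions. The tag names and the sample alert values are this example's own assumptions.

```python
import json

# Constructed Suricata EVE JSON lines (not from the interview); the alert record
# uses the standard EVE alert fields, and "metadata" carries the rule's own
# metadata keywords (here a constructed MITRE technique id).
SAMPLE_EVE = "\n".join([
    '{"event_type": "flow", "flow_id": 1, "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1"}',
    '{"timestamp": "2023-01-01T00:00:00.000000+0000", "flow_id": 42, '
    '"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 49152, '
    '"dest_ip": "203.0.113.7", "dest_port": 80, "proto": "TCP", '
    '"alert": {"signature_id": 2000001, "rev": 3, "severity": 1, '
    '"signature": "CONSTRUCTED suspicious outbound beacon", '
    '"metadata": {"mitre_technique_id": ["T1071"]}}}',
])

def parse_alerts(eve_text):
    """Return only event_type == "alert" records from EVE JSON lines."""
    alerts = []
    for line in eve_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts

def flow_filter(alert):
    """Wireshark display filter that isolates both directions of the alerting
    flow, so an analyst can pivot from the alert to the packets that caused it."""
    sip, dip = alert["src_ip"], alert["dest_ip"]
    ipl = "ipv6" if ":" in sip else "ip"
    proto = alert["proto"].lower()
    if proto not in ("tcp", "udp"):  # no ports for ICMP and friends
        return f"{ipl}.addr=={sip} && {ipl}.addr=={dip}"
    sp, dp = alert["src_port"], alert["dest_port"]
    fwd = f"({ipl}.src=={sip} && {proto}.srcport=={sp} && {ipl}.dst=={dip} && {proto}.dstport=={dp})"
    rev = f"({ipl}.src=={dip} && {proto}.srcport=={dp} && {ipl}.dst=={sip} && {proto}.dstport=={sp})"
    return f"{fwd} || {rev}"

def capture_tags(alert, customer):
    """Tags to attach to the uploaded capture (tag names are this example's own)."""
    tags = [f"customer:{customer}", f"sid:{alert['alert']['signature_id']}",
            f"severity:{alert['alert']['severity']}"]
    for tid in alert["alert"].get("metadata", {}).get("mitre_technique_id", []):
        tags.append(f"attack:{tid}")
    return tags

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_EVE):
        print(a["alert"]["signature"])
        print("  filter:", flow_filter(a))
        print("  tags:  ", capture_tags(a, "example-customer"))
```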
QAC: Is there anything else that made things easier for you using CloudShark?
SB: Honestly, whenever we look at new software, our first thought is, “Okay, how complicated is this? How much will we need to support?” After our first couple of calls, we realized how easy it was to install and set up. We had it up and running in 5 minutes; major kudos to QA Cafe for that.
JB: We’ve also worked closely with QA Cafe getting CloudShark running in Docker. That has really made things easier. It’s been a pleasure to work with all around.
SB: CloudShark is a huge enabler that saves us tons of time. It helps our team of analysts to get stuff done and is an integral part of delivering our service to our customers. We manage a multi-customer, multi-tenant environment to provide the level of service that we do - so that our customers don’t have to worry about it - and CloudShark makes that possible. Our customers can focus on their business, and we can focus on their security.