In this episode of Threat Vector, guest-host Michael Sikorski speaks with Thomas P. Bossert, President of Trinity Cyber and former Homeland Security Advisor. They explore the path from policy and national security strategy to building operational cyber defense that “interferes with attackers mid-operation.” Tom shares insights on how companies can shift from chasing ephemeral indicators to engaging with threat actors in encrypted traffic using active threat interference. We dive deep into the disconnect between policy rhetoric and real-world tech, why defensive action matters now, and how commercial cyber deterrence can work. Cyber leaders can expect a practical discussion on reshaping defense for today’s threat landscape.
Transcript
[ Music ]
Thomas P. Bossert: >> We have an obligation to continue training those that are coming up behind us, but then we have to maintain that chain, and that chain of expertise is really only needed when somebody fires that starter's pistol and there's an event. There's a crisis or some exigency that requires. It's what you do for a living. Whenever there's some massive breach and they're calling somebody. Who are they calling? And they're calling you, and they're not calling you because you're a nice guy. They're calling you because you got the reputation, the experience, and the connections. If you can't solve it for the people who can?
[ Music ]
Michael Sikorski: >> Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. This episode is a little different. I'm Michael Sikorski, the CTO of Unit 42 of Palo Alto Networks, and I'm stepping in as guest host today. If you know me, you know I'm obsessed with reverse engineering, malware, and staying five to 10 steps ahead of attackers. I've also had the good fortune to work alongside and learn from today's guest, someone who's not only shaped national cybersecurity policy but is now building technologies that change how we fight cyberthreats in the real world. I'm joined by my friend Tom Bossert, President of Trinity Cyber, Distinguished Fellow with the Atlantic Council, and former US Homeland Security Advisor. Tom's been a policy powerhouse and now leads one of the most innovative cybersecurity companies out there, focusing on proactive threat interference. Think of it like messing with the attackers mid-operation in a way that changes the game entirely. Full transparency: I've been on the advisory board of Trinity for four and a half years now, which is crazy. It's been that long, Tom. And one thing that excited me about the company from the start was just this concept of messing with attackers. I've worked incident response for going on 20 years now, and the idea of messing with them as they're trying to attack us is just such a pleasant thing, because it seems like when you come in and do incident response, it's already too late, right? They've already gotten in. They've already found their way in, hacked in, and then that's it. They're gone with the goods and you're negotiating ransomware, I mean.
Thomas P. Bossert: >> It's more fun than anyone should be allowed to have.
Michael Sikorski: >> What makes this fun for you?
Thomas P. Bossert: >> Well, the idea of messing with the adversary. You get through all the gut-wrenching ups and downs of a startup and then figuring out how to get yourself into this complicated and complex noisy market. And at the end of the day, when you're really feeling like maybe I'm losing hope or faith, what are we doing? What's the focus? You go back and you mess with the bad guy. You talk to the tech team. You get into what they do every day. And they're having more fun than they should be allowed to have. In any other place, you'd have to be in the government to do something that's directly intended to interfere with the adversary's operational outcome, but we found a way to do it in a commercial way that's legal, effective, and it's just fun.
Michael Sikorski: >> There's been a lot of talk lately about the concepts of more authentic security, more interference, more technologies that are kind of getting back at the attacker. I mean, you've heard a lot of rhetoric like that in the last few months even. Do you have any sort of - where do you think that's going, and what is going to be the impact of that? Do you think for the next four years, longer, there's going to be a lasting effect from that kind of talk? Is there going to be more action taken in the private space with that kind of thing?
Thomas P. Bossert: >> Yes, I think you have a really technical listening base here to this podcast, so we'll just kind of jump into it. But one of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means. So, what does offensive mean? What does defensive mean? You get into these debates. Listen, at this level it's easy to say - at what level, people can't see me. At the 30,000-foot level, I'm all for not just cyber-induced but any kind of policy lever inducing a change in the incentive structure. So listen, there are bad actors out there. Do things to them to punish them, to impose consequences off work. You don't have to limit yourself to just offensive cyber. I think one of the things that troubles me in the United States and Western countries on the offensive debate is we say I'm mad. I want to get back at these guys for taking advantage of us. Check, check, me too. So, let's start hacking them. Well, what do you mean? Well, what do you want to hack? You want to hack in general? Do you want to shut down a business?
Michael Sikorski: >> You kind of have to define what that is.
Thomas P. Bossert: >> Once you get into that debate, and this is what I used to do for [inaudible 00:05:03], once you get into the debate of figuring out what's the target and how much is it going to cost, what effect are you going to achieve, are you actually going to change the behavior of that country by hacking into more of its private businesses? Do they care about their private businesses? Is there a fundamental misunderstanding about how we can -
Michael Sikorski: >> It's harder to be tit for tat because China is hacking every single business that we have. Everything we're doing. Would they even care if we did the same?
Thomas P. Bossert: >> If we did the same to them. And the late Ash Carter said, "I'm soaked in gasoline, and you want to get me into a match throwing contest?" And I thought that's pretty good. So, there's a lot of parallels to the tariff debate that we're having right now. But yes, in targeted useful way, I don't shy away from offensive cyber operations if they have a meaning and a purpose. But for me, tell me how to frame it better, but what I just described about what Trinity's doing is I'll direct this to the current president. It's reciprocal. It's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it. And for us, we're only interfering with that - it's going to judo where you take the energy of the attacker back on himself. To me we have to get better at doing that. That's a starting point because offensive operations take a long time. They are executed at a different place with singular authorities, and often it would be much easier, more effective to use a different lever or different type of national power to change the calculus of the adversary. You want to hack all the Chinese businesses to get China to behave differently? I don't know. I don't think that's the best way. It's any way, but it's got to be a mix of all the other ways that you've got going for you. And the US has a lot of power. We don't have to just sit around and just hack people back. At some point, we reserve the right to use bigger force.
Michael Sikorski: >> Yes, that's interesting. I'm wondering whether things could get more privatized? I mean, a lot of, at least I think of it as like you got to go work for an agency or something like that to really do the offensive stuff, and that's what people have always talked about. I wonder if this would open the door for that not to be the case longer term. And then where do you draw the line? Who's watching the companies who would be doing that?
Thomas P. Bossert: >> Just as an answer to that, but one of the simplest ones is honestly, it's like the rule of artillery in the military. You know what you're allowed to do if somebody starts shooting at you? Shoot back. You don't shoot first, but you shoot back. And there's a misnomer in the cyber world, that shoot back unimpededly kind of a pause thing where you get hacked and then you get together and you call a bunch of experts, and you say, "Okay. Now we're going to hack back too." Like sort of pain type application. We're going to apply pain to them for doing that. Like it's a spite thing, but that's not what I'm suggesting. What we're trying to do here is to create friction, the kind of pain like I described earlier that throws off their operations. It stops them from unimpededly imposing costs on us. It's not about getting into a fight where I'm mad and I want to have my emotion vindicated. It's about trying to achieve a better operational outcome.
Michael Sikorski: >> Yes. That's cool. So, obviously we've now talked about the policy side, and now you're in this fast-moving startup in the cyber world. Can you tell me about that transition? What made you go from the guy in the White House advising the president on what to do to now, fast forward years later, helping to run this startup?
Thomas P. Bossert: >> It's a theme. It's stopping the bad guy. It really is. And the thing about the policy and strategy world is - and this is just my mentality - but if you don't eventually get tired of that and long to get back into some operational role where you can make a difference, well, you're not part of the solution. And in fact, if you really become comfortable in that world, you're probably going to become part of the problem. If all you do is spend your entire life making policy and strategy and don't have an experiential appreciation for the operators and their problems, you're probably making bad policy. So yes, I don't want to say I couldn't wait. It was an honor to have every position I've had in government service, but I've always liked the operational ones. And when I got the call, the team at Trinity had cracked the technological nut that they were seeking to crack, and the implications of it are really profound. We'll go into it a little bit.
Michael Sikorski: >> Is this sort of like manipulating traffic at line speed, if I were to keep it short?
Thomas P. Bossert: >> Yes. It's like - we have to use terrible metaphors in our field, battle [inaudible 00:09:42]. So, a little bit of what I talk about now, it's like an electric fence. There's a consequence to touching it. And it changes the behavior of the people that consider touching it. So, it's beyond just effective in its primary purpose, boundary defense. It has kind of a hard-to-explain legacy. That sting that continues to last after you've touched the fence. But there's something, I think, a little bit more to it than that. For me the spark was I got to get back into stopping the bad guy. And my own two cents, the trend is going in the wrong way, and this is not a knock at any individual contributor in our field, but you really have to be blind if you're not looking at the data and developing some concern about our future. Everything is going in a worse direction in terms of outcomes, and yet we continue, generally speaking, to apply the same solutions. And we'll talk about that a little bit more.
Michael Sikorski: >> But I think that's just about the cybersecurity industry as a whole.
Thomas P. Bossert: >> I think we've done a pretty decent job of detecting attacks. Like there's a lot of products, a lot of technologies that can detect attacks, and what we ended up creating was all of these alerts. Everything is going off. Some products are better than others at sending out the alerts. But then you have all of these alerts. Now what do you do? Now you've got to take care of that, and that's why technology starts to pop up to try and solve that problem. And we've, as a cyber industry, created technology to try and make sense of that officially. Some of it is correlation using AI and stuff like that,
Michael Sikorski: >> and then I think other is a thing like what you're building as well.
Thomas P. Bossert: >> Yes. Yes, some of the incident response ecosystem is out of control, and the numbers just don't make sense. We'll talk about policy here. We'll talk about different ways this manifests, but people want to comply with standards. Well, there's not enough compliance personnel in the world. There are more POAMs than there are hours left in their work week. You understand what I'm saying? But there's a lot of well-intended concepts that aren't actually producing a change in either adversary behavior or in their success rate. And so, we have to change it around. It's not so much that we've created an active thing. It's that we've turned the problem upside down. So, what you just described is the result of not only detection but detection on the target side of the equation. How many inputs are there? Millions, billions, hundreds of millions. It's staggering, and the alerts that we're producing are coming from every enterprise target, every endpoint target, everything that the adversaries are attempting to breach. There are not that many adversaries on the other end of this equation. Maybe we can debate this. Maybe 4000 hackers in the world have the skillset necessary to develop the tradecraft. Many more then use their payloads, script kiddies.
Michael Sikorski: >> Yes, the actual ones who find the zero days and pull off the really elaborate supply chain attacks and stuff like that. It's a small number.
Thomas P. Bossert: >> I'll call them the bad guy version of you. How many sophisticated -
Michael Sikorski: >> Well, there's a lot more good guys than there are bad guys.
Thomas P. Bossert: >> And so, if those bad guys -
Michael Sikorski: >> But also this level of sophistication you need, it's a small pool really quick.
Thomas P. Bossert: >> It is. So, there's a number of things here, but if you just talk about it from a market, commercial, technical perspective, what I think is so genius is you create a team at Trinity. These guys say, "What if we turn the problem upside down?" How often does that small universe of bad guys change their tactics and techniques? They might change their payload a hundred times, of course they change their URLs and their documents that we've seen and hashes and all that, but those obviously are easy. How often do they actually change their fundamentals in what they are and who they are? And you know the answer to that is way less often. The scale of the problem becomes manageable when you do that. So, if you can open up the network traffic and inspect it to a level of depth and content where you are confidently finding their techniques, not their indicators of compromise, but the actual presence of their technique, which is what we do, you can start to make it a more manageable outcome. That's what I mean by more -
Michael Sikorski: >> I used to draw this graph when I would teach about malware and creating signatures for it, and the idea of if you just change one byte, you've changed the hash. If you just change one string then that's - and if you change the file name then that's a different, the file name doesn't last very long if you just very simply change the file name. But as you move along this graph that I would draw, you'd move over towards you're getting closer to the human on the other end. And the more you get closer to that human on the other end, then it's harder for them to change who they are and how they operate and how they get in and what they do. The little IOCs that are simple to change with the flip of a bit, that's not what you want to go after. You want to move as far to the developer as you can. And that's like how they install. What are they doing? How are they delivering their exploits, all that kind of stuff? And if you turn into that far side on the right, you can't see the right, but the right side of my hand, that means you're closer to the developer, and those technologies that are operating closer to the attacker are going to perform better than the ones that are further away.
Thomas P. Bossert: >> And if you start on the other one, your left hand there, think of the more ephemeral settings that they change all the time, and you're going after them all the time, and that game of Whac-A-Mole that we play, it's a self-fulfilling prophecy. We've ended up encouraging them to create more ephemeral IOCs because we're going after those IOCs, and so it becomes not only not effective but it becomes a cost center for all of us. So, there's a [inaudible 00:15:40] of that. The SIEM costs are going up, all that stuff. So, yes, on the other side of it there's a guy called David Bianco. You probably know him. He came out with a way of describing.
Michael Sikorski: >> The Pyramid of Pain.
Thomas P. Bossert: >> The Pyramid of Pain. So, what you have to do is go after their techniques, and if you can do that, you can have an effect. And for what it's worth, bad guys have budgets too. And if you start to cause them significantly - I'm not talking about getting into offensive cyber, we can talk about policy here, but you set to cause them disruption that makes them change fundamentally who they are, they've run out of time, operational window, budget, objectives change, politics, calculus changes, and that is friction. That's where we have to go.
Michael Sikorski: >> I think one of the places you go, you brought up hacking back. Deception, manipulation. I think any time you're like manipulating people's traffic, I guess that's one line of questioning I wanted to ask you about your technology. I think we've covered pretty well what it does, but maybe if you quickly talk to me about what it does as part of this answer, it'll help us get to the other question I have, which is we have trouble getting our customers, Palo Alto Networks, biggest firewall company in the world.
Thomas P. Bossert: >> Yeah, not shabby.
Michael Sikorski: >> Biggest cybersecurity company in the world.
Thomas P. Bossert: >> Yeah.
Michael Sikorski: >> But one thing we have a big issue with still to this day is doing break and inspect of encrypted traffic. It's like yes, plenty of customers do that, but a lot don't. And just recently, basically all of their customers that are doing that, they had an additional way I could look at the traffic and see what happened, and I was able to reach out to the victims who were hit by it under an attack that was happening. But because they had that turned on, but so many still don't. So I guess my question to you is like if we're having trouble turning on - how does that impact a technology like yours? And then just maybe give a quick overview of how it works, a little bit, one level deeper.
Thomas P. Bossert: >> Yeah, that's a fantastic question. And there's a couple of different answers to it. It depends on the perspective of the listener, but first off, break and inspect, depending on who's listening to this, sounds terrifying to people, right? Even I know it's not what it means. What we're talking about is terminating encrypted traffic, and it's central to a full application of what we do. And so, one of the things that we've discovered is that there are two different kinds of buyers. And I know you've seen this too. For the most part, I have not encountered yet a security buyer in an organization, large or small, that doesn't love what we're offering. And probably you feel the same way. But then they often say, now you're talking about something that involves another guy in our organization, I want to call it my network engineer, call him the IT director, and the bad guy says, "Listen, my job is availability and reliability, and anything that makes the Internet less reliable, less available, or slower, or even makes me do any work outside of what I already do, is unnecessary to my outcome. My job here is simple, and you security guys need to go do your job." That's an artificiality that I think every CEO listening to this podcast, and if they're not, we'll send it to them. We'll find a way to promote it, but they really need to understand it is incumbent on them to reach down and to play referee in that debate. I was reading all these things. I'm sure you did too, and shout out to CAMS, to the Cybersecurity, the MIT team, the Sloan team, if you follow any of them. They came out with a report recently and they're saying all the great numbers. They're saying the trend is going the wrong way. What we're currently doing is not working. I don't know if they call it failing or just not working. And I'm sitting there thinking these are useful statistics.
And then their recommendation is a whole lot of, I'm sure, good advice but costly, time-consuming, complex work. That enterprises are reading these papers and then engaging in. If they really understood, relatively speaking, how much easier it would be to handle B & I and to push those certificates to the machines in their network and to handle occasional whitelisting, blacklisting, kind of the workaday kind of managing of that, hey, they've really understood how much time they're spending on doing something that doesn't have a direct consequence on the threat that they've faced. It's not directly stopping the bad guy, and how much they're avoiding something that's relatively easy, and it would have direct impact on their security posture. It would change their thinking, and then we talk about with little things.
Michael Sikorski: >> Yeah, and then sort of pivoting to what everybody's talking about, which is AI. It's on every billboard you see out there at RSA today.
Thomas P. Bossert: >> How many zero trust can we fit into [crosstalk].
Michael Sikorski: >> I think AI is zero trust. But it is important in words and where things are going a lot. I mean, we talk about AI and what we're using it for, both attack and defense. We actually have a demo that we built on Unit 42 showing how a generative AI could be used instead of a red team. So, to take each step of the red team is now you give it a problem, it's out solving. It's scanning. It's poking holes. It's grabbing payloads and bedding in malware and shipping off all on its own.
Thomas P. Bossert: >> I love when words like agentic come from the tech space into the market world.
Michael Sikorski: >> Listen, how does that impact the defense strategy of Trinity? Or is it just a bigger, it's just faster, bigger scale and all that kind of stuff?
Thomas P. Bossert: >> No, no, no. Actually, no. Just the opposite. I was about to twist that in another direction. First, you're right. It's scary. The AI is being trained for the bad guy in a way that's faster than it's being used and trained for the defense of the good guy. It's a world that we've got to reconcile fast. For Trinity Cyber, we are, in my view, the only, that's a big word, we are a significant play in the future of identifying and thwarting AI-generated attacks, because the thing that our current systems do poorly are the things that AI exploits really well. But AI, no matter how it's trained, no matter how fast it works, no matter how quickly those moles are AI-generated to pop up in a way that's meant to avoid the Whac-A-Mole system that we've created that you described earlier, we're going to find the presence of the exploit in the content. And so, go ahead. You generate seven million attempts to put some type of steganography into an image and then create seven million images and send it through 7000 different channels into your target, among other things that we do, we're going to find that and remove that appended data from the traffic in flight so that what gets to the endpoint doesn't have the AI-generated payload in it.
Michael Sikorski: >> I think we're both so passionate about stopping the attackers. Like it's very obvious to me that that's what we got into this space for, is like how do we stop the bad guys is what we're all about. And that's like why I love the technology but also why I love what I do. I don't think a lot of people working other jobs get to have that, where they feel like oh, they're also trying to stop this evil that's trying to get us out there. What do you think the most important thing a listener should take away from today's conversation?
Thomas P. Bossert: >> Self-help. There is absolutely nothing that is going to change this current trend that we're on other than the CISOs who are responsible for defending their networks taking the right action, seeking the right funding, applying the right set of tools and innovative solutions like the one we're offering and others. There is nothing that is going to change the place of the CISO in the world outside of their own good judgment, common sense, and their own action-oriented behavior. It's true. Our vendors have to step up. Our corporations have to step up. There is a big role for government in this whole thing, but the real, I think, probably best and fastest thing to say is the government is not great at doing a lot of things. The government can start to impose costs on foreign governments that can start to do things that help us. They can empower the market. They can provide more perfect information. They can help us with sharing data. They can provide even some intelligence that would help us do our jobs. But the government's really got a say in the world of doing what they are good at, and I'm not sure if I can offer a prediction. But I think what we're going to see here is another paying round of political debate over cybersecurity because it's now caution of regulation. And people have different relationships with centralized authority. They have different opinions of regulations.
Michael Sikorski: >> A nice way of putting it.
Thomas P. Bossert: >> Sure.
Michael Sikorski: >> Still, I always felt like, I obviously don't have the political background of you, but you were the first person I called when I was going to testify before Congress.
Thomas P. Bossert: >> And you did a wonderful job.
Michael Sikorski: >> And I was like I got to talk to Tom. He's going to tell me everything I need to do. And you definitely were a huge help to me with that. But it's like, to me I just feel like it should be a bipartisan issue. It should not matter in my brain compared to so many other things that are out there. It goes back to what you were saying, that it ties into everything else, and that's why.
Thomas P. Bossert: >> Bipartisan is not my speed. Honest to God, it's non-partisan. So, I think what you and I are saying is that it should not be partisan or bipartisan. There should be some kind of non-partisan consensus that -
Michael Sikorski: >> How to best defend the country and [crosstalk].
Thomas P. Bossert: >> Well listen, sometimes it has to be said. We have a system where we believe in the virtue of private property, and we believe in the virtue of free market trade. And it's not right for you to walk into my house and do anything with, use, convert, possess my property. That's just not how it works in our system, in our culture. Not every culture works that way. And so, it's infuriating to us if others take unauthorized access to our network and our data. And if that's our fundamental principle as a country, then we should be in a non-partisan way trying to prevent that. Stopping the bad guy is defining the bad guy. And the bad guys are doing exactly what I just said. They're hacking us. We need to distract ourselves with all the other things that we talk about. At the end of the day there's a keyboard operator, and that person has intent, they have tactics, they have an objective, and they have an incentive structure, and we can mess with that. I don't think we're going to avoid political debate on whether we should or should not regulate. Whether the market imposes the proper incentives or doesn't. That's an age-old kind of conversation. In the cyber world, your listeners are going to have to realize that that's where we are. It stinks. None of us have had to face that before. We've all just been best friends for 20 years. That chain of expertise that I talked about. People that work in both administrations, both political parties, we don't even think about it. We call it operators. We're texting people and saying, "Are you seeing what I'm seeing?" This kind of subcommunity that was just righteous. That's over. I mean, that still exists, but there's going to be a partisan debate and there's going to be a political debate on top of this. And for me, I prefer the political debate without the partisan rancor and all that.
So, the most disappointing thing for me is to see that this partisanship that's ugly right now is now starting to hit our community.
Michael Sikorski: >> I want it to stay away. I was like I thought we were immune. I was hoping for that to stay --
Thomas P. Bossert: >> Me too.
Michael Sikorski: >> But listen, people shouldn't be afraid to have an opinion.
[ Music ]
Michael Sikorski: >> All right, Tom, it's been an awesome conversation. I mean, just the diversity between policy and tech. I mean, this is a world I never thought I would get into. At least not when I was ones and zeroes at the NSA with Steve back in the day, but now I find myself getting into your world a little bit. And now you're obviously full force in my world. It's just really cool to see both sides of the coin.
Thomas P. Bossert: >> Listen, man. The student becomes the master. All sorts of praise and thanks to you. You're killing it every day. Unit 42 deserves a huge shoutout, and I'm just thrilled and honored to be on this podcast. Any time you need it, I'd be honored to come.
Michael Sikorski: >> If you like what you heard, please subscribe wherever you listen, and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Mike Heller. Our content and production teams, which include Kenny Miller, Joe Bettencourt, and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Happy reversing. Goodbye for now.
[ Music ]
David Moulton: >> Hey Threat Vector listeners, this is David Moulton, your usual host, and I wanted to share an extra bonus clip here. It's a moment from behind the scenes as we were recording this episode that was just too hilarious not to include.
Thomas P. Bossert: >> Hey Mike, I changed all my passwords to Kenny. I have a lot of Kenny Loggins.
Michael Sikorski: >> Danger zone.
Thomas P. Bossert: >> Do you get it? Kenny Loggins?
Michael Sikorski: >> You're in the danger zone. Login is the hardest.
Thomas P. Bossert: >> Well, this is even better. Kenny Loggins. That was fantastic.
Michael Sikorski: >> Who is Kenny Loggins?
Thomas P. Bossert: >> Fantastic. I got to have this login, [inaudible 00:30:33]. To anybody listening, Kenny Loggins is a fantastic punchline, and Mike just, right over his head. Right over his head.
David Moulton: >> A big thanks to Tom for being such an awesome guest and to Siko for being such a good sport about this silly joke at the end of our podcast. We'll see you next week.