How Does SecureCo’s Platform
Protect Data Networking?
ALEX HARRINGTON, SECURECO
he SecureCo data delivery platform for
cloud or hybrid cloud environments creates
a private subset of the internet for secure
communications and data connections. Using an array of stealth techniques, including anonymization methods reclaimed from the dark web, SecureCo camouflages data-in-transit, making data blend inconspicuously with background noise and benign third-party traffic. Hackers cannot interfere with what they can’t find.
The design purpose for the SecureCo offering stems from the growing risk of monitoring and surveillance from adversaries. The platform is designed to offer military-grade security with the flexibility of support and operations needed in the modern enterprise. The goal is to ensure that customers can continue to innovate and grow their business without the distraction of having to deal with unwanted traffic monitoring and associated threats to confidentiality and continuity.
In this article, we outline the salient aspects of the commercial SecureCo platform with emphasis on how it can be deployed into an enterprise network to address the risks of attribution and monitoring. A major goal is to address the threat of inappropriate behavioral traffic analysis, and this is addressed in the SecureCo offering through obfuscation measures that support secure networking and assurance of data-in-transit.
4.1 OVERVIEW OF PLATFORM FEATURES
To address the sophisticated nature of traffic monitoring threats, SecureCo has developed a software-defined transport protocol that combines multi-layered encryption, virtual circuit randomization, digital rendezvous, and decoy data-injection (chaffing) countermeasures to obfuscate client traffic as it traverses the internet. The platform includes support for various advanced security techniques, as outlined below.
• Resilience – The distributed mesh network architecture inherent in the SecureCo design provides
redundant and region-spanning communications with rotating IP ranges and segments. This results in support for continuity, QoS, and DevSecOps agility. In addition, SecureCo supports a so-called moving target defense (MTD) which involves routing via random ephemeral circuits with a minimum of three direct routing hops.
• Deception, Evasion, and Removal of Attribution – Onion routing in the platform encloses data in
multi-layer encryption, with one layer added for each hop, thus hiding sender/recipient attribution. Injection of decoy data (chaffing) is also used to disguise payload signatures and obscure data patterns. Finally, a virtual rendezvous system (patent No. 11,088,996) is employed to establish a connection without exposing endpoints.
• Zero Trust and Additional Security Best Practices – Zero trust is ascribed to network and application
nodes to mitigate access breaches. FIPS-approved ECC and AES encryption algorithms are used for high performance, though modularity permits alternative algorithms (anticipating quantum resistance). In addition, core mechanisms and design principles already in place support least privileged access architecture (ZTNA).
4.2 SURVEILLANCE THREATS
The SecureCo architecture is designed to address activity monitoring threats by a surveillance entity. As illustrated in Figure 4.2-1, normal use of virtual private network (VPN) endpoints creates a surveillance exposure. Similarly, even with tunnels, there are signatures that can be recognized by a third party (e.g., existence or non-existence of communications). These threats require a solution that creates a means for enhanced privacy on the internet.
Figure 4.2-1. Surveillance Threats to VPN Usage
Implicit in this threat model is that the surveillance entity is performing unwanted, inappropriate, or even illegal monitoring of traffic and user activity. Where such monitoring is required or considered part of societal safety, it is reasonable for such entities (usually government) to coordinate with service providers, businesses, and users to ensure that sufficient means is available to obtain information about criminals and other bad actor
4.3 SECURECO ARCHITECTURE
The SecureCo architecture is easily depicted in the context of the existing VPN threat model expressed above. The idea is that rather than relying on a point-to-point virtual tunnel across the internet, SecureCo instead creates a decentralized mesh network that includes many properties supporting non-attribution and obfuscation to reduce the unwanted monitoring risk.
Figure 4.3-1. SecureCo Platform Deployment
It should be evident from the diagram that the secure mesh requires a special routing protocol that is multi-path and multi-region. In addition, the endpoints must be obfuscated using rendezvous points that have some commonality with how Tor entry and exit nodes are implemented. In addition, a randomization method is used to route using moving targets (see below) to implement ephemeral circuits between endpoints across the mesh.
4.3 BENEFITS OF THE PLATFORM
The resiliency benefits of routing over a mesh versus a point-to-point connection are well documented. SecureCo utilizes a technique known as random ephemeral MTD routing, which makes the transmission harder to find, increasing the burden of network compromise for a threat actor. The platform’s redundant network is resistant to attack, providing mitigation by automatically reestablishing communication paths to exclude compromised nodes. As the outer layer of protection, SecureCo serves as a leading edge for denial-of-service defense.
SecureCo’s patented virtual rendezvous redefines how connections are established. Instead of the traditional session establishment from source (point A) to destination (point B) endpoints, points A and B negotiate a random location or rendezvous (point C) in which to make the connection. This approach protects endpoints by cloaking or misattributing their actual IP addressing.
To remove source/destination data attribution, SecureCo’s routing protocol leverages technology elements also found in Tor (The Onion Router) open-source privacy network. Tor has proven to be effective at preserving anonymity, though its association with criminal activity and certain key vulnerabilities have made Tor undesirable for commercial use. In contrast, SecureCo’s implementation of onion routing de-attribution provides an elevated security posture by enabling identity suppression for operators seeking concealment of their network activity or location.
An additional security risk is discovery of attributable data-in-transit, which can lead hackers to vulnerable endpoints, resulting in disruption or penetration. Hackers who seek to intercept data from high-value targets over open networks or access points are thwarted if the target’s data is anonymized. SecureCo provides anonymity assurances based on rigorous mathematical algorithms that consistently inform the scale, sustained bandwidth demand, and deployment architecture of the network.
4.4 USE CASE EXAMPLES
Chaffing is another critical capability, since even anonymized and secure data can be intercepted or blocked if it can be distinguished from ambient “normal” internet traffic. The injection of secondary data into the transmission itself makes it much harder to detect a signature pattern, permitting secure streams to blend in as benign and pass undetected to hostile observers. In addition, injection of decoy data makes the ebb and flow of communications harder to observe, flattening out operational security spikes.
SecureCo’s sophisticated mesh network solution delivers hyper-secure
and anonymous communications, providing digital low probability of
intercept/detection across untrusted network environments. SecureCo’s
ability to obfuscate data routing and attribution makes the solution appropriate for a range of government, industrial, and commercial applications, as outlined in the list below:
• Secure Remote Access & Mobility – Our mesh-network-routed, software-defined tunnel provides
a supplementary protective layer for TLS or replacement for VPNs. Easy integration while adding obfuscation, resilience, and security
• Critical Infrastructure –Protects the resilience and integrity of SCADA and OT systems by anonymizing
and hiding data flow using multi-path and multi-layered encryption. Shields infrastructure from interference, disruption, and ransom attacks reducing potential downtime or outages.
• Private or Clandestine Communications –Conceals data channels to avoid disruption, preventing
leakage of identity and geolocation of interlocutors, and thwarting data capture or tampering. Allows critical communication flows to evade and penetrate into global regions many other solutions cannot.
• IoT and Embedded Systems –Protects low security endpoints and prevents intrusion by unauthorized
devices. Small software footprint operates on low-power, inexpensive, and disposable hardware.
• Protection of Ultrasensitive Data Flow – Added privacy and confidentiality for sensitive IP, healthcare
PII, financial information, or any data flows for which interruption or tampering is very costly (e.g., supply chain).
4.5 ONGOING TRENDS IN NON-ATTRIBUTION
First adopted in military and intelligence contexts, where the nation state adversaries have traditionally been the most sophisticated and aggressive, the stakes are literally life and death, and protecting identity and anonymization have first order benefits. However, now, nation state adversaries are targeting enterprise, non-nation-state threat actors have increased in sophistication and aggression, and the ability to observe network activity from the outside exposes attack vectors.
Even when concealing personal identities is less critical (e.g., machine to machine communications), removing attribution from data-in-transit purposefully conceals the identity of the sending and receiving network assets (effectively anonymizing them), which can help reduce targetability and diminish attack surface.
Furthermore, the ability to find, identify, observe, capture, reroute, block, or otherwise interfere with datain- transit supporting critical operating or business activities can lead to catastrophic downtime or even worse, data and network breaches. The SecureCo team is witnessing commercial adoption in a number of areas: critical infrastructure, industrial controls, financial services, and healthcare.
ABOUT TAG CYBER
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth Research as a Service (RaaS), market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner’s perspective.
SecureCo creates the most secure internet connections possible, addressing a critical gap in existing cyber security solutions. Our patented stealth technology protects networks and transmissions from interference and disruption, powering resilient data links, secure applications, and end user privacy. SecureCo offers a next generation replacement or augmentation for legacy VPNs while extending zero trust principles to data transport, cloaking data exchange, services, and assets to reduce network attack surface and targetability. Trusted by some of the most demanding cyber security customers in the world, we deliver high performance, exceptionally secure data transit for military, intelligence, industrial and commercial applications.
IMPORTANT INFORMATION ABOUT THIS DOCUMENT
Contributor: Alex Harrington
Publisher: TAG Cyber LLC. (“TAG Cyber”), TAG Cyber, LLC, 45 Broadway, Suite 1250, New York, NY 10006.
Inquiries: Please contact Lester Goodman, (email@example.com), if you’d like to discuss this report. We will respond promptly.
Citations: This paper can be cited by accredited press and analysts but must be cited in context, displaying the author’s name, author’s title, and “TAG Cyber”. Non-press and nonanalysts must receive prior written permission from TAG Cyber for any citations.
Disclosures: This paper was commissioned by SecureCo Inc.. TAG Cyber provides research, analysis, and advisory services to many cybersecurity firms mentioned in this paper. No employees at the firm hold any equity positions with any companies cited in this document.
Disclaimer: The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions, and typographical errors.
TAG Cyber disclaims all warranties as to the accuracy, completeness, or adequacy of such information and shall have no liability for errors, omissions, or inadequacies in such information. This document consists of the opinions of TAG Cyber’s analysts and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. TAG Cyber may provide forecasts and forward-looking statements as directional indicators and not as precise predictions of future events. While our forecasts and forward-looking statements represent our current judgment and opinion on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forecasts and forward-looking statements, which reflect our opinions only as of the date of publication for this document. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forecasts and forward-looking statements considering new information or future events.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed or shared without TAG Cyber’s written permission. The material in this report is composed of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy or completeness of this report are disclaimed herein.
Download the Complete eBook for Free!
This is one article of a five part research paper from TAG Cyber on advanced stealth and obfuscation solutions designed to defend commercial networks and internet data communications against the world’s toughest adversaries. The eBook is free with registration.