Endgame Systems (founded 2008) has been of interest to this investigation due to the firm’s close association with corrupt HBGary CEO Aaron Barr, their stated intent to avoid public attention towards its work with the federal government, its longtime collaboration with Palantir employee Matthew Steckman (whom Palantir fired in the wake of the Team Themis affair, quite improbably claiming that Steckman had acted on his own), and its creation of a report on Wikileaks and Anonymous which was provided to Team Themis for use in its campaign against both entities. In July of 2011, an investigation by Business Week revealed the probable reasons for the firm’s secrecy:
Endgame bills itself thusly:
Endgame Systems provides innovative software solutions to meet customers security needs in cyberspace. Our products include real-time IP reputation data, protection of customers’ critical information, proactive data analysis, and cutting edge vulnerability research. Endgame’s highly skilled workforce provides a full range of engineering services and solutions that raise awareness of emerging threats, and help prevent and respond to those threats globally. The company was founded by a proven leadership team with a record of success in the information security industry and is headquartered in Atlanta, GA.
Endgame works directly for a number of U.S. intelligence agencies and has a subsidiary called ipTrust. Beyond a presence at Shmoocon 2012, little has been heard from the company publicly since they deleted their website in summer 2011 following the release of this text.
Compare to Team Cymru.
Endgame is intent on remaining under the radar and otherwise seeks to avoid public attention, as show by the e-mail excerpts below:
CEO Chris Rouland to employee John Farrell: “Please let HBgary know we don’t ever want to see our name in a press release.”
John Farrell to Aaron Barr: “Chris wanted me to pass this along. We’ve been very careful NOT to have public face on our company. Please ensure Palantir and your other partners understand we’re purposefully trying to maintain a very low profile. Chris is very cautious based on feedback we’ve received from our government clients. If you want to reconsider working with us based on this, we fully understand.”
Aaron Barr to John Farrell: “I will make sure your [sic] a ‘silent’ partner and will ensure we are careful about such sensitivities going forward.”
Note: The following was written before Business Week’s July article, which provides additional context and is linked and excerpted above.
Although little info has been obtained regarding the specifics of Endgame’s operations, e-mails taken from the small firm Unveillance indicate similarities in at least one capacity to another firm called LookingGlass. In one e-mail, the CEO of Unveillance is told, “One thing I could have said is that your data is the main feeder for LookingGlass and Endgame.” Earlier in the same exchange, more clues appear when the following statement by a “friend/contractor in the pentagon [sic]” is presented: “They [Unveillance] were discussed yesterday at a meeting about the CSFI project on Syria. Frankly, I wasn’t all that blown away. Not sure what makes them better than LookingGlass or Endgame.”
Other clues are available in the same e-mail set, there being discussion of a potential purchase by Endgame of a troubled firm called Defintel, from which the CEO of Unveillance proposes to “‘cherry pick’ the talent” in order “to run the sinkhole/data creation component of our firm.”
From another e-mail exchange:
14 Apr 2011 16:53:54 -0400 From: Wayne Teeple <[email protected]> To:"[email protected]" <[email protected]> Hi again Karim, I was able to meet with Keith today, not much to say other than business as usual. He was very reserved, but open enough, but not enough if you know what I mean. He did confirm that Chris Davis has sold himself to Endgame along with his datafeed, and that Morrigan Research Inc is dissolved - see attached. Hence, I believe he sold his "IP" directly as an individual because Morrigan is dissolved as oppose to shares acquired by Endgame. Keith had nothing real to contribute other he is staying out of everything and just focusing on Defintel biz, he did state that he does not require the datafeed at all to execute the Nemesis cloud service, and that he has a "non-compete" with you, Endgame, and Morrigan. Also, he is in touch with Davis, and I get the impression that Davis may recommend Endgame acquiring Defintel for Nemesis code - although that could be Davis blowing smoke up Keith's you know what!! Keith did state that he is light on technical support. Finally, we both agreed that Ginley is a lone wolf and a gun for hire by anyone. All and all, I am very concerned about presenting this solution any further to my clients, nor did I get a complete warm and fuzzy that he was completely on the up and up. Cheers wayne
Keith above refers to Defintel CEO Keith Murphy.
Compare the above statements on Morrigan and DefIntel to this tweet from Chris Davis.
Brian Masterson of Xetron worked with Endgame for quite a while and made a number of references to the firm to Barr:
“They told me that they did 10M last year. Said they were working for NSA, Navy, and USAF. Also mentioned another customer who we do work with. While I was at their place getting briefed by Chris, Gen. Patraeus’ exec called three times to set a follow-up meeting.”
“EndGame did offer up a cut of their US data.”
“Doing the botnet is not that difficult but doing it to the degree that EndGame says that they have is what is impressive.”
Barr himself had long sought to include Endgame in his proposed “consortium” of firms, which itself would provide intelligence capabilities to clients (and which eventually came about in the person of Team Themis, made up of HBGary, Palantir and Berico, with Endgame having provided the team an unusually accurate report on Wikileaks and Anonymous. E-mail excerpts from Barr:
“I know we are going to talk to some senior folks in Maryland in a few weeks and would very much like to take a combined Endgame/Palantir/HBGary product.”
“I think I had mentioned the idea of a cyber consortium to you when we had lunch. That idea is coming together. We will start with cyber intelligence then when we have the capabilities fused build in the hooks for cybersecurity. Need the information before you can act.
here are the companies on board and their area of expertise. Application – HBGary Host – Splunk Network – Netwitness External – EndGame Systems Social/Link – Palantir”
John Farrell of Endgame Systems to Aaron Barr, 2/8/10:
“for now, let’s focus on:
1. OSI RFP response – dan ingevaldson and I will work with you on this
2. EGS/Palantir integration – we talked to Matt Steckman last week and we’re looking into next steps on this
3. customer briefings and new business opportunities like ARSTRAT, etc.”
A June 2010 e-mail sent from Ted Vera to fellow HBGary employees after a phone meeting with Endgame provides additional data:
I tried to keep notes during the call — my chicken scratch follows: EndGames is tracking 60-65 botnets at this time. They have a ton of conflicker data, they’re plugged in and pull millions of related IPs daily. Their data is generally described in their tech docs. They are pulling in data from IDS sensors, rolling in geolocation information, and anonymous proxies / surfing next Quarter. EndGames does not do any active scanning — all passive. They intercept botnet messages and collect / log to their database. The “SPAM” category is a generic filter that indicates the IP has been used to pass SPAM. Higher chance for false positives with SPAM filter. They try to correlate SPAM activities to known botnets, if they cannot correlate, then the event gets a generic SPAM label. Confidence %: Documented in technical docs. Primarily time-based. Looking at the overall length of infection for a given IP. Looking at half-life / decay of infections on specific IPs. The algorithm is currently very simple and time is the highest weighted factor, although the nature of the event is also weighted, ie conficker has higher weight than SPAM event. Plan to start discriminating between end-user nodes with dynamic IPs vs Enterprise / static IPs. Static IPs would decay slower than dynamic. EndGames gets malware data from various sources and REs it to pull out C2 and other traits that can be used for signature / correlation. They have Sinkholes for Conficker A and B which collect IPs of infected hosts.Cannot provide samples because they do not collect samples from specific IPs. They are ID’ing based on their observations of IPs, taking advantage of their hooks into various botnets. That said, they could probably gest us some samples and or manual tests for Conficker A and B which we could use to verify / eliminate false positives or negatives.
April 5, 2010 – John Farrell tells Aaron Barr he will no longer be accessible @ Endgame
October 2010 – Raised 29 million USD from Bessemer Ventures, Columbia Capital, Kleiner Perkins Caufield & Byers (KPCB), and TechOperators, for web-based malware detection services: iPTrust.
October 28, 2010 – Endgame announces the launch of ipTrust, “the industry’s first cloud-based botnet and malware detection service … that collects and distills security data into a reputation engine.”
February 2011 – Endgame announces partnerships with HP and IBM to use their IP Reputation Intelligence service within HP’s TippingPoint Digital Vaccine service and IBM’s managed services offerings.
Mr. Christopher Rouland, CEO and Co-Founder of Endgame Systems has over 20 years of experience in the field of information security. Mr. Rouland previously held the position of CTO and Distinguished Engineer of IBM Internet Security Systems after IBM purchased Internet Security Systems, Inc. in 2006. Prior to the IBM acquisition of ISS, Chris held the position of CTO of ISS where he was responsible for the overall technical direction of the ISS product and services portfolio. Prior to his executive roles at IBM and ISS, Chris was the original Director of the famed X-Force vulnerability research team which was responsible for the discovery of hundreds of security vulnerabilities.
Mr. Daniel Ingevaldson, SVP of Product Management and Co-Founder of Endgame Systems was previously the Director of Technology Strategy with IBM Internet Security Systems. Prior to the acquisition of ISS by IBM in 2006, Mr. Ingevaldson held various positions within the ISS Professional Services organization where he lead the X-Force Penetration Testing consulting practice, and as Director of X-Force R&D where he helped expand the research capacity of the X-Force zero-day vulnerability identification and disclosure program.
Mr. Raymond Gazaway, Senior Vice President and Co-Founder of Endgame Systems was previously the Vice President of Worldwide Professional Security Services with IBM Internet Security Systems. Ray joins Endgame Systems with over 30 years of government and commercial services experience and executive management positions with IBM, Internet Security Systems and Dun and Bradstreet.
Mr. David Miles, Vice President of Research & Development and Co-Founder of Endgame Systems, brings nearly 10 years of experience in information security and was previously the Director of R&D within ISS Professional Security Services managing strategic security research engagements, designing and delivering custom cyber security products and solutions, as well as assisting in emergency response services and forensic investigations. Prior to that, in X-Force, he designed and implemented processes and procedures for delivery of hundreds of security content updates for the entire ISS product portfolio.
Mr. Mark Snell, Chief Financial Officer of Endgame Systems, oversees all aspects of Finance and Administration including financial planning, reporting and analysis, investor relations, human resources, information technology and office management. Prior to Endgame Systems, he was Corporate Controller at Suniva, a solar cell manufacturer based in Atlanta, Georgia. At Suniva, he helped to develop the financial infrastructure and systems to manage a business that would quickly become recognized as one of the fastest growing private companies in the Southeast. Earlier in his career, Mark served as Corporate Controller of Servigistics, a software developer in the service lifecycle space and in various positions of financial management for IBM and Internet Security Systems. Mark holds an MBA from Georgia State University and a Bachelor of Arts from the University of Virginia. Mark is a Certified Public Accountant in the State of Georgia.
Rick Wescott, Senior Vice President of Worldwide Sales and Marketing, brings over 20 years of technology sales and management experience to Endgame Systems. Before joining Endgame Systems, Rick served as Vice President & General Manager of Federal Operations for ArcSight (acquired by HP for $1.5 billion in late 2010), which he joined pre-revenue in 2002 and was instrumental in identifying and closing key foundational sales. Rick helped to manage and grow the company’s revenues to $170 million and saw the company through its Initial Public Offering (IPO) in 2008 and $1.5 billion acquisition by HP in 2010. Prior to his tenure with ArcSight, Rick lead sales efforts at several leading industry firms including VeriSign, Entrust, Sybase and IBM.
David Gerulski, Vice President, Commercial Sales & Marketing at Endgame Systems
Thomas Noonan- Chairman
Tom Noonan is the former chairman, president and chief executive officer of Internet Security Systems , Inc. , which was recently acquired by IBM for $1.3B, at which time Noonan became GM of IBM Internet Security Systems. Noonan is responsible for the strategic direction, growth and integration of ISS products, services and research into IBM’s overall security offering. Tom Noonan and Chris Klaus launched ISS in 1994 to commercialize and develop a premier network security management company. Under Noonan’s leadership, ISS revenue soared from startup in 1994 to nearly $300 million dollars in its first decade. The company has grown to more than 1,200 employees today, with operations in more than 26 countries
http://cryptome.org/0003/hbg/HBG-EndGames.zip (got the this^^ from the PDF in the zip)
Senior Software Engineer
Matt Culbreth Came from… Yield Idea, President
Pete Hraba Came from…
ArcSight, Account Manager
Zodie Spain Came from…
Helios Partners, Executive Assistant/Office Manager
Corporate Headquarters 817 West Peachtree Street Suite 770 Atlanta, GA 30308 t. 404.941.3900 f. 404.941.3901
November 3, 2010
You can take a person out of X-Force, but you can’t take X-Force out of the person. A group of former ISS X-Force veterans at Endgame Systems has been very busy doing security research of consequence for the federal space since 2008. Via a new division called ipTrust, it plans to take some of its botnet and IP reputation capabilities to drive value into the commercial space. Similar to Umbra Data, ipTrust is delivering this value with a ‘zero touch’ modality – requiring no on-premises or capex appliance. However, rather than licensing an intelligence feed like Umbra Data, ipTrust has opted to share its research via an API, which may make it more accessible for new use cases. As we were writing up this report, news broke that parent company Endgame Systems closed a series A round of $29m. With no appliances or heavy back-end capex requirements, this stands out as an oddly large round, and has, therefore, piqued our curiosity.
As we recently noted with Umbra Data, there is high concern over botnets, but the demand for solutions is greater than the appetites for buying a dedicated appliance to augment the blind spots in traditional AV and other legacy tools. Well beyond script kiddies, attacks like Stuxnet, Zeus, BredoLab and Vecebot have people concerned – and those are all publically known ones. Adaptive persistent adversaries employ a number of techniques to avoid detection by mainstream adopted countermeasures. Several CISOs have told us they want the capabilities of anti-botnet and command-and-control identification to be delivered via their existing security investments or in other opex-consumption models. Perhaps both Umbra Data and ipTrust are hearing the same. By delivering intelligence via an API, ipTrust may find itself called out to by all sorts of Web applications to inform how trustworthy an endpoint is and adjust the interactions accordingly. We see this as an interesting delivery model, and are encouraged by the embrace of modern Web-scale technologies. Given that, the large series A funding is a bit odd. We will have to watch carefully how that is leveraged – with our first thought being: Which acquisition target would fit within that budget?
IpTrust is a new division of Atlanta-based Endgame Systems. While the 32-person Endgame Systems was more focused on federal and cyber security clientele, ipTrust aims to leverage its experience, research and platforms for commercial consumption. Endgame Systems was founded in 2008 by several Internet Security Systems (ISS) X-Force Alumni with the research chops to tackle emerging threats. Cofounders include former ISS CTO Christopher Rouland as CEO, Daniel Ingevaldson as COO, Raymond Gazaway as SVP, and David Miles as VP of engineering. Former ISS CEO Tom Noonan serves as chairman. Coinciding with the reveal of ipTrust, Endgame Systems just closed a series A round for $29m, involving Bessemer Venture Partners, Columbia Capital, Kleiner Perkins Caufield & Byers, and Noonan’s own TechOperators. The round adds two new board seats for Bessemer Venture’s David Cowan and Columbia Capital’s Arun Gupta.
IpTrust is a new commercial division of Endgame Systems; it leverages a lot of the back-end technology and methods that have fueled Endgame’s federal offerings since 2008. The enabling technology has three basic pieces: a collection method for identifying botnet-compromised end nodes, a scoring system to generate a confidence rating for the implicated IP address and the exposition of the results of the analysis to clients via an API.
Since the bulk of botnets use DNS to find their command and control servers, ipTrust’s primary collection method for identifying compromised systems is to preregister or work with registrars to create sinkholes to redirect network traffic. From the vantage point of its many sinkholes, ipTrust can find new infected systems ‘phoning home’ for the first time or other reasons. The sinkholes tracked by ipTrust are a combination of its own and those from third parties. It is important to note that not all botnets communicate through DNS command and controls. Some use peer-to-peer, some use covert channels and some have one or more alternative command-and-control channels in case some are blocked or detected. We fear that this sinkhole method may miss existing infected systems that phoned home initially, but are participating on more dynamically assigned servers. While this is true, ipTrust pointed out that many samples are pretty chatty and do end up talking back to default phone-home targets in the current samples. Beyond the sinkhole method of harvesting compromised IPs, ipTrust studies the malware and spam data for clues, as well as employing honeypots and honeynets. Although attribution is nearly impossible, ipTrust also captures Geolocation information as well as proxy and satellite link details when available.
IpTrust claims its collection methods net massive amounts of data – so it needed modern, cloud-based Web-scale technologies to analyze it all. Some of the vital stats it claimed included scoring 255 million IP addresses for risk. The company claims to have 75TB of stored security events – adding more than 1TB of malicious events per week. To scale all of this data, it leverages (and contributes to) Hypertable, an open source clone (GPLv2) implementation of Google’s BigTable leveraging the Hadoop Distributed File System (HDFS). Through high-performance map reduction in the colocation hosted infrastructure, ipTrust is able to apply its reputation engine’s scoring algorithms in a continuous fashion. A floating-point integer confidence rating is assigned per IP, along with myriad other data, such as domain, company, country code, and security events involving known botnets and variants. Given the fleeting and transient nature of the Internet, this confidence score continually degrades unless preservation is merited by the analysis. As such, consumers of the IP reputation score can make graduated nonbinary decisions on how to contextually handle trust associated with that IP.
Finally, the reputation confidence score can be exposed via an XML-RPC/REST-based API. IpTrust touts a sub 100ms response time and more than 3,000 queries per second. Supported output formats include XML, JSON and CSV. As an API, developers of applications could make Web ‘look-aside’ calls to determine how risky a transaction may be with a specific endpoint and either terminate or place limits on the interaction. For example, a questionable reputation may lead a banking application to deny funds – or perhaps to cap the maximum transaction amount via some predetermined policy.
IpTrust offers three levels of product: ipTrust Web, ipTrust Web Premium and ipTrust Professional. IpTrust Web Premium is not yet released. IpTrust Web is free service, capped at up to 1024 IP addresses for 24/7 monitoring. When available, ipTrust Web Premium will allow for unlimited IPs and will tentatively be priced by IP per month, we’re told.
IpTrust Professional allows full access to the reputation engine via the aforementioned API, with bulk IP submission for current and historical scoring as well as the supported output formats. At the moment, the API currently shares the compromised IP, but not the details about the command-and-control channel. IpTrust claims it is planning to add more actionable information in the future, such as port information and user-agent strings in HTML, which may assist other security tools in spotting or stopping command and control. Pricing for ipTrust Professional has plans starting at $1,000 per year – or less than $0.01 per query. IpTrust claims it is already working with a hosting provider and a financial services firm – with betas getting underway in healthcare, large enterprise, managed security services providers (MSSPs) and early stage security OEMs.
IpTrust plans to go to market with a mix of direct sales and a series of strategic partners. Primary targets to consume its ipTrust intelligence include hosting providers, MSSPs, VARs, and specific technology partnerships. The 451 Group has covered such power alliances, with Fidelis Security Systems XPS leveraging Cyveillance intelligence feeds.
As an API, ipTrust may also be able to tap into systems integrators and application-development communities. Within the context of a specific application, contextual risk decisions can be made in the natural flow of the transaction. This may be of value to SaaS and PaaS players trying to differentiate themselves.
IpTrust may not be apples-to-apples competition with anyone; it will likely compete for limited budget within a few pockets. Most users seeking anti-botnet capabilities are currently looking at Atlanta-based Damballa or FireEye. FireEye uses virtualization to spot new unknown malware with botnet participation. Umbra Data is fresh out of stealth, offering an XML intelligence feed alternative to appliance purchases. Service providers, MSSPs, and security OEMs may choose more than one intelligence feed or API.
Traditional antivirus players continue to leverage their incumbency (and sometimes stall with it), so people may simply deal with Symantec, McAfee (soon to be a division of Intel) Trend Micro, Sophos, Kaspersky Lab and others. Commtouch touts being well plugged-in to the internet backbones to give its Web and mail security offerings visibility into botnets and compromised systems. Most Web and mail security gateways, like Cisco (both ScanSafe and IronPort), M86 Security, Websense, Blue Coat Systems, Barracuda Networks (and Purewire), Zscaler’s hosted Web proxy, etc., leverage one or more reputation and open source intelligence feeds to operate. This fact make them both more likely to take limited wallet share, but also more likely to benefit from ipTrust’s APIs. The same could be true for enriching the value of other security appliances and products. The classic example we shared was with data loss prevention. We see sensitive content leaving the network – should we block it? Imagine now adding knowledge about whether the source or destination is a known compromised system.
The former ISS/X-Force heavy hitters are no strangers to advanced threats, and have been cutting their teeth with federal clients since 2008. It is also aggressively embracing disruptive, cloud-scale IT innovations – while many others have been resistant.
While there is value in anti-botnet and IP reputation, the spending climate is unfriendly to noncheckbox-compliance products and services. We’re also surprised by the size of the recent series A round without a stated use for it.
In addition to ipTrust’s stated strategy, we believe the API could find ESIM uptake. It would take effort, but it could gain traction with SIs, and SaaS and PaaS players.
The market may perceive that it is already receiving similar capabilities from incumbents. Customers may also simply resist adding new vendor relationships to manage.
EndGame Systems currently has a variety of IPs at their disposal. Currently identified networks are: 22.214.171.124 – 126.96.36.199 and 188.8.131.52 – 184.108.40.206. One set are servers with COLOCUBE(direct IP allocation to EndGame), and the other is on IPs allocated to “Tulip Systems”. Interestingly, both Tulip Systems and Endgame Systems are located in Atlanta Georgia. They’re actually located 1.8 miles apart from eachother
Whois For 220.127.116.11 – 18.104.22.168:
OrgName: TULIP SYSTEMS, INC.
Address: 55 Marietta Street
Address: Suite 1740
Additional Information From rwhois://rwhois.tshost.com:4321
network:IP-Network-Block:22.214.171.124 – 126.96.36.199
network:Street-Address:75 5th Street NW Suite 208
Whois For 188.8.131.52 – 184.108.40.206:
NetRange: 220.127.116.11 – 18.104.22.168
CustName: Endgame Systems
Address: 817 West Peachtree Street NW
Address: Suite 770
Endgame Systems Capabilities Briefing Jan. 2009