Endgame Systems’ Reputation Service Sniffs Out Botnets

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.,

Startup ipTrust will warn businesses when botnets strike by revealing links form specific IP addresses to Web-threats

Endgame Systems launched iPTrust, a cloud-based botnet and malware detection service that collects and distills security data into a reputation engine. The ipTrust service provides useful information that identifies which system on an organisation’s network has been compromised by a botnet, the company said.

An enterprise is often the last one to know that its systems have been compromised. Until they figure it out, they are inadvertently distributing even more malware to other unsuspecting organisations.

Pinpointing Rogue Computers

The ipTrust services gives organisations “useful and actionable” information they can use to keep their networks secure, Dan Ingevaldson, chief operating office of Endgame Systems, told eWEEK. “With the events data, we know the exact IP address that was compromised, what it did, and when it occurred,” he said.

With this information in hand, ipTrust identifies and tracks botnets over the Internet without relying on any internal network data. There is no software or hardware for anyone to install; ipTrust’s Web-based technology monitors public IP addresses and stores all security-related event data, explained Ingevaldson.

Over 280,000 organisations and more than 250 million IP addresses have been infected with botnets, worms, viruses, and other malware threats, many of which are designed to access networks and harvest private data, said ipTrust. Customers have access to the “hundreds of terabytes” of event data and can determine if their systems, or partner and customer networks it comes in contact with, have been infected and unwittingly carrying out other attacks, said Ingevaldson.

The botnet and malware detection service harvests, analyses and classifies malware and botnet samples into an ipTrust Reputation Engine. According to Ingevaldson, ipTrust will offer two products to take advantage of all that stored data: ipTrust Web and ipTrust Professional. Currently in beta and free for the time being, ipTrust Web remotely monitors the customer network and sends a notification if and when it has been compromised.

Although currently not available, ipTrust Professional will include an API that will allow customers to access the security events stored in the ipTrust Reputation Engine.

“ipTrust is not in the business of making desktop security software,” Ingevaldson said. Instead, organissations can take the “continuous actionable information” from ipTrust and relay it to their own security products, whether they are custom systems or from third-party vendors, to take the appropriate action to fix the problem.

A cloud-based infection notification service operating entirely outside the organisation’s network, ipTrust Web provides customers with 24/7 monitoring and notification of malicious activity originating from a company’s network, said Ingevaldson. The customer provides ipTrust with the range of its public IP addresses when signing up. Then ipTrust continuously monitors its events data to see if those IP addresses ever show up. If there is a match, the service knows a system within the network has been compromised and immediately notifies the customer, he said.

Since the customer is notified as soon as the infected system starts sending out malware, steps can be taken to shut down the offending machine immediately, thus minimising the potential for damage. To determine the “trustworthiness” of an address from a computer accessing the network, ipTrust Professional checks to see whether or not the address belongs to a client.

Intelligent Confidence Scoring

It is not just IP-address monitoring, as ipTrust also takes into account specific behaviour and when it occurs as part of its confidence score calculations. A machine that connected to a known botnet server this week will have a worse confidence score, indicating it is a threat, compared to a machine that connected a year ago and never again, said Ingevaldson.

ipTrust said it provides easy to read reports that provide an efficient view into the threats emanating from the network and the IP addresses likely hosting those threats.

The collected data is available via a Web-based API. IT managers can tap into the Engine and integrate the data with the organisation’s applications, such as checking an IP address trying to access the VPN against the ipTrust engine before allowing access to the network, said Ingevaldson.

The events data in ipTrust’s database was compiled from monitoring academic networks, by setting up honeypots and sinkholes to gather data about malicious networks, and from vendors that gather security data.