The golden egg that we all want the intelligence goose to lay is attribution. Not just where an attack looks as if it comes from, of course, but where it really comes from, right down to the threat actor. One of my pet peeves is the notion – espoused by some vendors (though, certainly not all) – that if you have the “one tool” you can solve the threat analysis problem and get right to the actor. While the “one [tool] to rule them all” may work well for Hobbits, it is not particularly useful in cyberthreat analysis. We usually get stopped at the threat actor and, more often than not, we get stopped well before that.
I am a strong proponent for cyberthreat management – as opposed to cyberthreat analysis. It is all well and good to analyze threats – usually a postmortem activity – but how does that help you get to a proactive threat management stance? A very cool service from a brand new (June 1) company called Intel 471 can help you get right where you want to be. Not by itself, of course – Intel 471 characterizes itself, among other things, as a force multiplier, and that, based on our use for the past three months, seems a very apt description.
AT A GLANCE
Product Intel 471
Company Intel 471
Price Depends on services selected.
What it does Actor-centric threat intelligence.
What we liked The ability to circle around among threat actors, IP addresses, domains and free text to create a complete profile of a threat actor, malware or attacks based on any of several variables.
What Intel 471 does is take a cocktail of resources and apply it to the problem of interpreting the signs leading up to an attack. It provides context for a lot of other information. Intel 471's brochure really says it the way we would: “‘What' is not enough – We need the ‘who' and ‘why'.”
In the government intelligence community, pulling all of these pieces together is common practice. Not so much in the private sector. As in so many product areas, practice seems driven by vendor offerings instead of the other way around. The Intel 471 tool is absolute proof that it is quite possible – even quite desirable – to do things in the private sector the way the government intelligence pros do it.
Intel 471 has several unique – intelligence community-like – approaches that really make a difference. First, it has boots on the ground in several countries around the world where cyberthreats are spawned. These individuals interact, know the players and are able to stay on top of a collection of more than one million threat actors. They know what's going on, they know the tools and malware, as well as attacks, and they know what's credible and what is not.
When an Intel 471 analyst writes a report for users, that report reflects reality in the first person, not rehashing of media stories. Media stories are useful, by the way – very useful indeed – but it is tools such as Intel 471 that give the media stories bite and make them relevant.
We have been using Intel 471 for about three months on several live projects. Here are some things we've been able to do with it in conjunction with our other tools: We have identified stolen credit cards spilling into the underground, and figured out where they came from and when they started to exfiltrate. We have been able to match an actor to a particular kind of malware and follow that to several phishing campaigns. And, we have been able to take a piece of zero-day malware that we identified using another tool and match it to its provenance, likely creator and groups that are using it for cybercrime.
Each entry in an Intel 471 report contains the actual source data, tracking on all of the actors mentioned – that enables a daisy-chain approach to unraveling a spaghetti of links and leads – and the reliability of the report from credible likely true to unknown. Of course, the motivation, such as cybercrime, also is included. When you combine this with tools that analyze malware, provide generalized open source intelligence and provide some history on various attacks, you get a fairly complete picture of the who, what and why with which you are dealing.
Intel 471 comes in two flavors: a portal for manual research and an API. We are looking at including the API in our CRITs platform (https://crits.github.io/) but until we do we are getting a tremendous boost in our analytical capabilities. I mentioned cyberthreat management earlier. That, really, is what this whole process is about. If you think of cybercrime as a continuum that, at one end, begins with the person who builds the malware and goes at the other end to the victim, with all of the other things that impact a cybercrime campaign in the middle, our goal is to discover the production end as close to its existence as we can.
Typically, we don't discover that until we become a victim, and then we scramble to find out what to do next. Using tools such as Intel 471, hopefully, we'll reach that goal of maximizing the time we have to prepare and interdict the attack successfully.