SC Lab Approved: One Year Later: Intel 471
SC Lab Approved: One Year Later: Intel 471

If our other “One Year Later” product was our open source workhorse, this month's is our closed source go-to tool. We have been using Intel 471 in the SC Lab for well over a year, mostly in support of the Threat Hunter blog. Before that we used it in teaching intelligence concepts on the university level and in preparation for supporting Super Bowl 50 security. There are a lot of threat intelligence tools – and we use several of them in the SC Lab – but this one is unique in that it focuses on threat actors.

Intel 471 also is unique in the way it was set up as an organization, the way it gathers its intelligence and the core skill sets for many of its team. First, Intel 471 is an intelligence provider. It is not a technically-oriented group. It is a team of intelligence pros from around the world gathering cyber intelligence in the tradition of government intelligence teams. Second, it gathers intelligence in a variety of ways – from being on the ground in closed/vetted forums to direct contact with threat actors and associates of threat actors. Finally, being intelligence professionals, Intel 471 team members know how to separate actionable intelligence from rumor of mis- and/or dis-information.

Intel 471 reports look like traditional intelligence reports in many ways. They usually consist of the report, the researcher's comments, the sources of the information, the indicators that will allow the intelligence to be verified and the Admiralty Code that lets the reader know how reliable the information in the report is and how confident the researcher is of the information presented.

The company has an enormous database of threat actors, indicators of compromise (such as IP addresses and hashes), plus ongoing tracking of actor activity. Activity is presented in two forms: reports and forum posts of interest. You can conduct detailed searches and set up “watchers” to track the activity of an actor or other information that Intel 471 follows.

We have used this tool on virtually every project we have that includes threat actors. We have several research projects focused around specific actors. We set watchers with various frequencies of reporting – from daily to at the moment an actor makes a forum post or a research generates another report. This lets us track the actors that interest us. We very rarely come up with an actor that Intel 471 is not tracking and when, on those rare occasions, we do come up empty and go to our own internal resources – such as membership in closed TOR-based forums – we find that there is nothing to find.

Generally, we couple the closed source intelligence from Intel 471 with open source intelligence from our other tools to get a complete picture, often through Maltego, our internet link analyzer for which there is connection to the Intel 471 API. We set up our Maltego instance with the Intel 471 API key and every entity for which we are searching can appear on the Maltego desktop and be enriched by Intel 471 and several other tools with an API that Maltego can consume. The result is a full picture of our actor and their activities as seen by all of our tools. By iterating various results with each other we are able to build out a total graphical picture. 

We also can use the data that we develop in Maltego to feed our i2 link analyzer. This lets us correlate the information we got from Intel 471 and perform some sophisticated analysis on it in the context of the rest of our findings. An example of the results of that sort of analysis can be seen in the Threat Hunter blog on Grizzly Steppe.

A threat analysis tool is only as good as the threats that it is tracking and how well you can integrate its results into the bigger picture. An experienced intelligence analyst once told us that there are no big secrets – only lots of little ones. You have to pull the little ones together to get the whole picture. A retired FBI agent once told us that every crime is a story with a narrative, characters, a plot and all of the other things a good story has. Intel 471 has given us an extremely important and reliable tool to find and piece together all of those little secrets into a full story complete with the ability to track the characters over time. 

We could not do our threat research without it. Every malware, attack, campaign and other indicator has, at its heart, a human actor. Intel 471 lets us identify and track those actors and their acts. We designate Intel 471 SC Lab Approved for another year.

Details

Product Actor-centric intelligence collection

Company Intel 471

Price Contact vendor.

What it does Actor-centric cyberthreat intelligence collection focused on closed source intelligence collection of financially motivated cybercriminals and hacktivists.

What we liked The ease of use and power of its searches, plus the immense actor database and ease of setting up “watchers” to flag activity by selected actors.

The bottom line If you are doing any sort of cyberthreat intelligence, you need to monitor the Dark Web. This tool, without question, is the way to do that.