Illuminating the darkness with the open source breadth of Recorded Future and the closed source depth of Intel 471.
This is the first of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.
Through our OMNI Intelligence Partners Program, threat researchers can easily pivot between Recorded Future Intel Cards and Intel 471’s closed source intelligence collection. This integration enables all-source analysis to uncover hidden connections on new and emerging threats. In this article you’ll find a:
- Broad overview of the challenge Intel 471 helps to solve.
- Detailed example of how Recorded Future and Intel 471 together can expose timely information on criminal threat actors.
Information security analysts get frustrated attempting to manually correlate threat data from multiple sources, especially from the dark web. The process is time-consuming, often confusing, and can produce a final report with stale information.
On top of that, analysts are never confident they have access to timely and relevant data from both a tactical and proactive point of view. Without the ability to access dark web intelligence, many analysts are left with the feeling they can only react to the threat, not get ahead of the threat.
To stay ahead of security risks, information security analysts need to detect, evaluate, and prioritize emerging threats in real time. Reducing clicks is critical for creating actionable threat intelligence with speed and confidence.
Security teams want access to closed sources where threat actors actually collaborate, communicate, and plan cyber attacks.
Recorded Future’s open source intelligence, combined with Intel 471’s actor-centric dark web intelligence, contains a wealth of information about global threat actors, their methods, and associated technical indicators — organized in a single view on the following Intel Cards.
| Intel Card | Availability |
| --- | --- |
| Threat Actor | Coming Soon |
The following analysis provides a taste of what’s possible with our Intel 471 integration.
In September 2016, FireEye published a report titled “Vendetta Brothers, Inc. – A Window Into the Business of the Cyber Criminal Underground.” This report covers two cyber criminals that FireEye refers to as the “Vendetta Brothers”; they operate under the handles 1nsider and P0s3id0n.
These two are believed to be involved with compromising point-of-sale (POS) systems to obtain payment card information that can be sold through their own underground marketplace called “Vendetta World.”
Researching Vendetta World on Intel 471’s platform revealed that Intel 471 researchers first reported and linked P0s3id0n to the underground marketplace Vendetta World in late 2015.
At the time, P0s3id0n and 1nsider were soliciting fellow members of the underground to collaborate with them by installing their malware on systems involved with scanning or storing credit card information. In addition, Intel 471 intelligence included information on P0s3id0n’s POS malware, called Cerebrus.
Using Recorded Future, we find several references earlier this year linking Cerebrus with the malware known as CenterPOS.
At this point, we can pivot to the Recorded Future Malware Intel Card for CenterPOS. This provides an overview of the available open source information about this malware, which was first mentioned in September 2015 and has references as recently as two weeks ago.
Intel 471 also has an extension for Malware Intel Cards; a single click runs a search of the forum posts that have referenced CenterPOS.
Of note, in June 2016 the user identified as “cashoutsmith” appears to be selling Cerebrus (CenterPOS), showing that this POS malware is potentially in use beyond the Vendetta Brothers alone.
Returning to an analysis of the two actors themselves (1nsider and P0s3id0n), Intel 471’s platform allowed us to paint a historical picture of the two actors’ activity.
For example, 1nsider was first active under this handle in the criminal underground from early to mid-2015. He almost certainly operated under another handle previously, as three other cyber criminals, including P0s3id0n, had vouched for him at another well-known underground forum.
Also, P0s3id0n, who had previously used the handle viscolul, has been active since at least 2011. Interestingly, back in March 2015 viscolul put out the following request.
The various malware mentioned (Alina, vskimmer, blackPOS, and Dexter) may have influenced the development of Cerebrus (a.k.a. CenterPOS); indeed, Intel 471 analysis of a P0s3id0n malware build appears to have similarities with the memory dumps of Dexter.
As in any marketplace, reputation is very important to being successful in the underground. Oftentimes actors will operate across forums in different languages and under different handles. The Intel 471 platform offers the ability to track and link together these bits of information. Intel 471 has seen P0s3id0n active across a number of underground forums in both Spanish and English. Also, as previously mentioned, P0s3id0n had operated under the handle viscolul. He changed to P0s3id0n after being labeled a scammer.
Advertising, sales incentives, and customer service are also important components of the marketplace. Using Recorded Future, we find a lot of marketing from these actors promoting their wares in late 2015 to early 2016; among the notable features are 24/7 customer service with 360 min refund/replace guarantees and increasing discounts for larger upfront payments.
Intel 471 researchers were also able to tie the following infrastructure and indicators of compromise, used at least through late 2015, to both Cerebrus and the “Vendetta Brothers.”
These technical indicators are from an Intel 471 information report written over a year ago and security teams likely would have found high value in them at the time. Checking the indicators against Recorded Future, one can note that some of them are indeed suspicious, as illustrated in the Intel Card for IP address 184.108.40.206.
Threat Intelligence analysts can gain deeper insight into criminal cyber activity using the combined resources of Intel 471 and Recorded Future.
The two intelligence sources are highly complementary (closed forum versus open sources and human-curated versus machine analyzed, respectively) and together they help build a broader picture of actor activities and related technical indicators.
Intel 471’s integration with Recorded Future’s Intel Cards makes it easy to pivot between the two intelligence sources, giving researchers opportunities to explore hidden connections and facilitating faster analysis.
Want to learn more about using Intel 471 with Recorded Future? Click and request a free demo. You can also contact Intel 471’s Vice President of Sales and Strategy, Steve Laskowski at sales [at] intel471 [dot] com or complete the contact form on their website.
Intel 471 provides an actor-centric intelligence collection capability that focuses on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate, and plan cyber attacks. Their mission is to understand the adversary in a way that does not bring added risk to your organization.