Partner Spotlight: Analyze Closed Source Intelligence With Intel 471

Illuminate the darkness with the open source breadth of Recorded Future and the closed source depth of Intel 471.

By Glenn Wong, Director of Technology Partnerships

PARTNER BRIEF

Recorded Future

Summary

Through our OMNI Intelligence Partners Program, threat researchers can easily pivot between Recorded Future Intel Cards and Intel 471’s closed source intelligence collection. This integration enables all-source analysis to uncover hidden connections on new and emerging threats. In this article you’ll find a:

› Broad overview of the challenge Intel 471 helps to solve.

› Detailed example of how this integration can expose timely details on criminal threat actors.

Intel 471 is a Recorded Future OMNI Intelligence Partner and is available for lookups on the IP Address, Domain, Hash, and Malware Intel Cards. The Intel 471 extension will also be available on Threat Actor Intel Cards soon!

Challenge

Threat intelligence analysts get frustrated attempting to manually correlate threat data from multiple sources, especially from the dark web. The process is time-consuming, often confusing, and can produce a final report with stale information.

On top of that, analysts are never confident they have access to timely and relevant data from both a tactical and proactive point of view. Without the ability to access dark web intelligence, many analysts are left with the feeling they can only react to the threat, not get ahead of the threat.

Solution

To stay ahead of security risks, threat intelligence analysts need to detect, evaluate, and prioritize emerging threats in real time. Reducing clicks is critical for creating actionable threat intelligence with speed and confidence.

Security teams want access to closed sources where threat actors actually collaborate, communicate, and plan cyber attacks.

Recorded Future’s open source intelligence, combined with Intel 471’s actor-centric dark web intelligence, contains a wealth of information about global threat actors, their methods, and associated technical indicators — organized in a single view on the following Intel Cards.

Example

The following analysis provides a taste of what’s possible with our Intel 471 integration.

In September 2016, FireEye published a report titled “Vendetta Brothers, Inc. – A Window into the Business of the Cybercriminal Underground.” This report covers two cyber criminals that FireEye refers to as the “Vendetta Brothers”; they operate under the handles 1nsider and P0s3id0n.

These two are believed to be involved with compromising point-of-sale (POS) systems to obtain payment card information that can be sold through their own underground marketplace called “Vendetta World.”

Researching Vendetta World on Intel 471’s platform revealed that Intel 471 researchers first reported and linked P0s3id0n to the underground marketplace Vendetta World in late 2015.

At the time, P0s3id0n and 1nsider were soliciting fellow members of the underground to collaborate with them by installing their malware on systems involved with scanning or storing credit card information. In addition, Intel 471 intelligence included information on P0s3id0n’s POS malware, called Cerebrus.

Using Recorded Future, we find several references earlier this year linking Cerebrus with the malware known as CenterPOS.

Public references to Cerebrus found in Recorded Future.

Control panel login page from P0s3id0n’s POS malware, Cerebrus.

At this point, we can pivot to the Recorded Future Malware Intel Card for CenterPOS. This provides an overview of the available open source information about this malware, which was first mentioned in September 2015 and has references as recently as two weeks ago.

Forum posts from Intel 471 as viewed from the Malware Intel Card for CenterPOS.

Intel 471 also has an extension for Malware Intel Cards, and a simple click can provide a search on what forum posts have included references to CenterPOS.

Recorded Future Intel Card for CenterPOS malware.

Of note, in June 2016 the user identified as “cashoutsmith” appears to be selling Cerebrus (CenterPOS), showing that this POS malware is potentially in use beyond the Vendetta Brothers alone.

Returning to an analysis of the two actors themselves (1nsider and P0s3id0n), Intel 471’s platform allowed us to paint a historical picture of the two actors’ activity.

For example, 1nsider was first active under this handle in the criminal underground from early to mid-2015. He almost certainly operated under another handle previously, as three other cyber criminals, including P0s3id0n, had vouched for him at another well-known underground forum.

Also, P0s3id0n, who had previously used the handle viscolul, has been active since at least 2011. Interestingly, back in March 2015 viscolul put out the following request.

Intel 471 captured posts before and after the actor changed handles from viscolul to P0s3id0n.

The various malware mentioned (Alina, vskimmer, blackPOS, and Dexter) may have influenced the development of Cerebrus (a.k.a. CenterPOS); indeed, Intel 471 analysis of a P0s3id0n malware build appears to have similarities with the memory dumps of Dexter.

As in any marketplace, reputation is very important to being successful in the underground. Oftentimes actors will operate across forums in different languages and under different handles. The Intel 471 platform offers the ability to track and link together these bits of information. Intel 471 has seen P0s3id0n active across a number of underground forums in both Spanish and English. Also, as we previously mentioned, P0s3id0n had previously operated under the handle viscolul. He had changed to P0s3id0n after being labeled a scammer.

POS Skimmer solicitation collected by Intel 471.

Advertising, sales incentives, and customer service are also important components of the marketplace. Using Recorded Future, we find a lot of marketing from these actors promoting their wares in late 2015 to early 2016; among the notable features are 24/7 customer service with 360 min refund/replace guarantees and increasing discounts for larger upfront payments.

Intel 471 infrastructure data linked to Cerebrus in late 2015, displayed via the Intel Card extension.

Recorded Future timeline of references that included either 1nsider and/or P0s3id0n.

Intel 471 researchers were also able to tie the following infrastructure and indicators of compromise, used at least through late 2015, to both Cerebrus and the “Vendetta Brothers.”

Intel Card for one of the IP addresses identified by Intel 471 as part of the Cerebrus infrastructure.

These technical indicators are from an Intel 471 information report written over a year ago and security teams likely would have found high value in them at the time. Checking the indicators against Recorded Future, one can note that some of them are indeed suspicious, as illustrated in the Intel Card for IP address 104.31.77.36.

Closing

Threat intelligence analysts can gain deeper insight into criminal cyber activity using the combined resources of Intel 471 and Recorded Future.

The two intelligence sources are highly complementary (closed forum versus open sources and human-curated versus machine analyzed, respectively) and together they help build a broader picture of actor activities and related technical indicators.

Intel 471’s integration with Recorded Future’s Intel Cards makes it easy to pivot between the two intelligence sources, giving researchers opportunities to explore hidden connections and facilitate faster analysis.

Demo

Want to learn more about using Intel 471 with Recorded Future? Click and request a free demo. You can also contact Intel 471’s Vice President of Sales and Strategy, Steve Laskowski at sales [at] intel471 [dot] com or complete the contact form on their website.

About Recorded Future

We arm you with real-time threat intelligence, for cyber security programs that decrease operational risk and maintain durable competitive advantages for the business. With billions of indexed facts, and more added every day, our patented Web Intelligence Engine continuously analyzes the entire Web to give you unmatched insight into emerging threats.

Recorded Future, 363 Highland Avenue, Somerville, MA 02144 USA | © Recorded Future, Inc. All rights reserved. All trademarks remain property of their respective owners. | 11/16

www.recordedfuture.com

@RecordedFuture

Partner

Intel 471

Intel 471 provides an actor-centric intelligence collection capability that focuses on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate, and plan cyber attacks. Their mission is to understand the adversary in a way that does not bring added risk to your organization.