Intel 471 Adversary Intelligence

Updated 1 week ago by Elvis Hovor

Introduction

TruSTAR is a cyber intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Intel 471 Adversary Intelligence can ingest reports and indicators from Intel 471 into an enclave in TruSTAR and correlate them with other data sources in TruSTAR.

Prerequisites

This integration requires TruSTAR users to be paying customers of Intel 471 and to have an Intel 471 Adversary Intelligence API key. Users can generate their API keys from the Intel 471 Titan portal or reach out to the Intel 471 support team.

Configure Integration

After you have retrieved your Intel 471 Adversary Intelligence API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on the Intel 471 Adversary Intelligence logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable your Intel 471 Adversary Intelligence integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled you should see reports from Intel 471 Adversary Intelligence being submitted into an enclave you control.

FAQ

Do I have to be a company admin in TruSTAR to configure the integration?

Yes, a user needs company admin privileges in TruSTAR to set up the Intel 471 Adversary Intelligence integration.

What data do you currently pull from Intel 471 Adversary Intelligence? 

Our integration currently pulls reports from Intel 471 Adversary Intelligence and extracts and correlates the following IOC types:

  • IP
  • Domain
  • URL (Domains are extracted from URL)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY
  • Malware
  • Bitcoin Addresses

Please contact us if you would like to discuss additional indicators that should be extracted and correlated.

How often is the data pulled?

Our integration retrieves data from Intel 471 Adversary Intelligence every 15 minutes.

Technical Details 

Intel 471 Adversary List

Workflow

  • Fetch records from the Report API below, from the last checkpoint timestamp onward.
  • Submit each item/record of the response as a TruSTAR report.
  • For any record with more than 400 IOCs (e.g. 1000 IOCs), create multiple reports and split the IOCs across them: the first report with 400 IOCs, the second with 400 IOCs and the third with the remaining 200 IOCs.

Report update logic

When a record that has already been submitted is fetched again, the IOCs from the latest copy of the record are re-chunked and written into the reports that already exist for it, matched by external ID, so the original reports are updated in place rather than new ones being created. Chunk reports that the new IOC count no longer reaches are left unchanged.

Example:

  Scenario | Feed                     | Reports created                                                                                  | Reports updated                            | Reports unchanged
  ---------|--------------------------|--------------------------------------------------------------------------------------------------|--------------------------------------------|------------------
  SC-1     | Feed1 record - 200 IOCs  | Feed1: 1 report with 200 IOCs - ReportA                                                          |                                            |
  SC-1.1   | Feed1 record - 100 IOCs  |                                                                                                  | Update 1st report (100 IOCs) - ReportA     |
  SC-2     | Feed2 record - 1000 IOCs | Feed2: 3 reports - ReportA (1st 400 IOCs), ReportB (next 400 IOCs), ReportC (remaining 200 IOCs) |                                            |
  SC-2.1   | Feed2 record - 100 IOCs  |                                                                                                  | Update 1st report - ReportA                | ReportB, ReportC
  SC-2.2   | Feed2 record - 500 IOCs  |                                                                                                  | Update 1st two reports - ReportA, ReportB  | ReportC

Max number of indicators pulled will be 500.

Report API - https://api.intel471.com/v1/reports?lastUpdatedFrom=1539085956900&lastUpdatedUntil=1539099756977 (both parameters are epoch timestamps in milliseconds; note that the sample record's lastUpdated value equals lastUpdatedFrom, so the window is inclusive of the checkpoint)

Sample Response -

{
  "reportTotalCount": 1,
  "reports": [ {
    "uid": "daf8a134ce1654fe934ca384bf82e63c1cc13cdf68bda785c894bf158d3a48e0",
    "admiraltyCode": "B2",
    "motivation": [ "CC" ],
    "subject": "Actor Lampeduza (aka BigPetya) reveals Fxmsp group's plans to privatize, partner with regular client",
    "created": 1539060642000,
    "dateOfInformation": 1538604000000,
    "sourceCharacterization": "Information was derived from the Russian-language cybercrime forum Exploit and our sensitive and reliable source.",
    "similarReports": [ {
      "uid": "85d94face15b81d1954d5f4ef3e14d9b39b2a7784b6b17e3e8194a8cb4bc3c58",
      "admiraltyCode": "B2",
      "motivation": [ "CC" ],
      "subject": "Possible Kazakh actor Fxmsp (aka Uwert) sheds light on partnership with actors Antony Moricone, BigPetya, Fivelife, Lampeduza, Nikolay; Sells access to Air Italy",
      "dateOfInformation": 1537394400000,
      "sourceCharacterization": "Information was derived from our sensitive and reliable source.",
      "portalReportUrl": "https://titan.intel471.com/report/8682aff402810b69810b28835fe9fbff"
    } ],
    "entities": [
      { "type": "Handle", "value": "Antony Moricone" },
      { "type": "Handle", "value": "BigPetya" },
      { "type": "Handle", "value": "Fxmsp" },
      { "type": "Handle", "value": "JokerStash" },
      { "type": "Handle", "value": "Lampeduza" },
      { "type": "Handle", "value": "Nikolay" },
      { "type": "Jabber", "value": "zeusl1fe@exploit.im" }
    ],
    "derivedEntities": [
      { "type": "ActorWebsite", "value": "1O1O.RU" }
    ],
    "locations": [ {
      "region": "Africa",
      "country": "Egypt",
      "link": "impacts"
    } ],
    "tags": [ "Malware - Usage", "Vulnerabilities & Exploits" ],
    "portalReportUrl": "https://titan.intel471.com/report/0af070edc910af8d6e4655332e27b65f",
    "lastUpdated": 1539085956900,
    "actorSubjectsOfReport": [ {
      "handle": "Lampeduza",
      "aliases": [ "BigPetya" ]
    } ]
  } ]
}

TruSTAR Report - the report content is JSON formatted.

Report Title - "<uid>: <subject field of the response>" (e.g. daf8a134ce1654fe934ca384bf82e63c1cc13cdf68bda785c894bf158d3a48e0: Actor Lampeduza (aka BigPetya) reveals Fxmsp group's plans to privatize, partner with regular client). For the subsequent chunk reports of the same record the title is "<uid>-{incremental No}: <subject>".

External ID - encoded value of the uid field of the response (e.g. daf8a134ce1654fe934ca384bf82e63c1cc13cdf68bda785c894bf158d3a48e0). For subsequent chunk reports: encoded value of "<uid>-{incremental No}" (e.g. daf8a134ce1654fe934ca384bf82e63c1cc13cdf68bda785c894bf158d3a48e0-1).

Report Body - the individual item of the JSON response. Fields added to the report body: uid, subject, created, tags, portalReportUrl and reportIOCs, where reportIOCs is the list of unique values taken from the entities and derivedEntities fields of the response.

Time Begun - created field of the response (e.g. 1539060642000).

Tags - tags field of the response (e.g. ["Malware - Usage", "Vulnerabilities & Exploits"]).

Deeplink - portalReportUrl field of the response (e.g. https://titan.intel471.com/report/6b186800c307897f15e5ebc7d317309e).
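The workflow, chunking, update rule and field mapping above, as one runnable model. This is an added example written for this page, not TruSTAR's or Intel 471's own integration code. It assumes the record shape of the sample response, represents TruSTAR reports as plain dicts instead of SDK objects, leaves the external ID as the raw uid string (the page says "encoded value" without naming the encoding), and appends extra chunk reports when a re-fetched record has grown, a case the page does not cover. The sample record it builds is constructed and its IOC values are synthetic.

```python
"""Added example (not TruSTAR's or Intel 471's code): models the record-to-report
workflow on this page: fetch window, IOC extraction, 400-IOC chunking,
title/external-ID mapping and the in-place update rule. Assumptions are marked."""

import json
from urllib.parse import urlencode

REPORTS_API = "https://api.intel471.com/v1/reports"   # from the page
CHUNK_SIZE = 400                                      # per-report IOC cap from the page


def checkpoint_url(last_checkpoint_ms, now_ms):
    """URL for one polling window; both values are epoch milliseconds as in the
    page's example query. The caller stores now_ms as the next checkpoint."""
    query = {"lastUpdatedFrom": last_checkpoint_ms, "lastUpdatedUntil": now_ms}
    return f"{REPORTS_API}?{urlencode(query)}"


def extract_iocs(record):
    """reportIOCs: unique values of entities + derivedEntities, first-seen order kept."""
    iocs = []
    for entity in record.get("entities", []) + record.get("derivedEntities", []):
        value = entity.get("value")
        if value and value not in iocs:
            iocs.append(value)
    return iocs


def chunk(values, size=CHUNK_SIZE):
    """Lists of at most `size`; a record with no IOCs still yields one (empty) report."""
    return [values[i:i + size] for i in range(0, len(values), size)] or [[]]


def build_reports(record):
    """One TruSTAR report (plain dict, an assumption standing in for an SDK object)
    per IOC chunk. External ID is the raw uid: the page's encoding is unspecified."""
    uid, subject = record["uid"], record["subject"]
    reports = []
    for n, iocs in enumerate(chunk(extract_iocs(record))):
        suffix = f"-{n}" if n else ""        # first report: uid, then uid-1, uid-2, ...
        body = {"uid": uid, "subject": subject, "created": record["created"],
                "tags": record.get("tags", []),
                "portalReportUrl": record.get("portalReportUrl"),
                "reportIOCs": iocs}
        reports.append({
            "title": f"{uid}{suffix}: {subject}",
            "external_id": f"{uid}{suffix}",
            "time_begun": record["created"],
            "tags": list(record.get("tags", [])),
            "deeplink": record.get("portalReportUrl"),
            "body": json.dumps(body, indent=2),
        })
    return reports


def ioc_count(report):
    """Number of IOCs carried in a built report's JSON body."""
    return len(json.loads(report["body"])["reportIOCs"])


def apply_update(existing, record):
    """Re-fetch of an already submitted record: rebuild the chunks from the latest
    IOC list and overwrite the existing reports with matching external IDs in place.
    Chunk reports the new count no longer reaches stay untouched (SC-2.1, SC-2.2).
    Assumption: a record that grew past its old chunk count gets reports appended.
    Returns (updated_ids, unchanged_ids) in stored order."""
    by_id = {r["external_id"]: r for r in existing}
    updated = []
    for fresh in build_reports(record):
        if fresh["external_id"] in by_id:
            by_id[fresh["external_id"]].update(fresh)
        else:
            existing.append(fresh)
        updated.append(fresh["external_id"])
    unchanged = [eid for eid in by_id if eid not in updated]
    return updated, unchanged


def sample_record(n_iocs):
    """Constructed input shaped like the page's sample response; IOC values are
    synthetic, and derivedEntities repeats one entity to exercise de-duplication."""
    return {
        "uid": "daf8a134ce1654fe934ca384bf82e63c1cc13cdf68bda785c894bf158d3a48e0",
        "subject": "Actor Lampeduza (aka BigPetya) reveals Fxmsp group's plans "
                   "to privatize, partner with regular client",
        "created": 1539060642000,
        "tags": ["Malware - Usage", "Vulnerabilities & Exploits"],
        "portalReportUrl": "https://titan.intel471.com/report/0af070edc910af8d6e4655332e27b65f",
        "entities": [{"type": "Handle", "value": f"actor{i}"} for i in range(n_iocs)],
        "derivedEntities": [{"type": "Handle", "value": "actor0"}] if n_iocs else [],
    }


if __name__ == "__main__":
    print(checkpoint_url(1539085956900, 1539099756977))
    reports = build_reports(sample_record(1000))          # SC-2: 400 / 400 / 200
    print([(r["external_id"][-6:], ioc_count(r)) for r in reports])
    print(apply_update(reports, sample_record(100)))      # SC-2.1: only ReportA touched
    print(apply_update(reports, sample_record(500)))      # SC-2.2: ReportA and ReportB
```

Running the block walks scenarios SC-2, SC-2.1 and SC-2.2 from the table: the 1000-IOC record becomes three reports with external IDs uid, uid-1 and uid-2, the 100-IOC re-fetch rewrites only the first, and the 500-IOC re-fetch rewrites the first two and leaves uid-2 alone. The de-duplication in extract_iocs matters for the chunk arithmetic: entities and derivedEntities can repeat a value, and counting it twice would shift every chunk boundary.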

