Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Intel 471 Reports CDF returns a list of Information Reports or Intel Reports matching filter criteria ordered by creation date descending (the most recent are on the top).

The integration provides the following feeds:

• Intel 471 Reports - ingests reports and relevant context from intelligence streams.
• Intel 471 Breach Alerts - ingests reports & relevant context from the Breach Alerts intelligence stream.
• Intel 471 Spot Reports - ingests reports and relevant context from the Spot Reports intelligence stream.

The integration ingests the following system objects:

• Adversaries
  • Adversary Attributes
• Attack Patterns
• Indicators
  • Indicator Attributes
• Malware
• Reports
  • Report Attributes

Installation

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Commercial option from the Category dropdown (optional).

   If you are installing the integration for the first time, it will be located under the Disabled tab.

3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   All Feeds

   Parameter	Description
   Email Address	Your Intel 471 account email address.
   API Key	Your Intel 471 account API key.
   Count per Page	The maximum number of records to retrieve from the provider per request (0-100).  The default value is 10.
   Fetch GIR names	When disabled, GIRs will be left in their raw format (i.e. 3.1.1). When enabled, GIR names will be fetched and used (i.e. 5.2.1 - Initial access tactic).
   Relationship Filter	Select which relationship context to ingest into ThreatQ. Options include: Actors Subject of Report (default) Handles (Adversaries) Malware Families (default)
   Indicator Filter	Select which indicators to ingest into ThreatQ. Options include: Malicious URLs (default) Malicious Domains (default) IP Addresses (default) CVE IDs (default) MD5 Hashes (default) SHA-1 Hashes (default) SHA-256 Hashes (default) Actor Domains Actor Websites File Paths Email Addresses Jabber Usernames Telegram Usernames
   URL Status (Non-Malicious)	Select the status to use for URLs. Options include: Indirect (default) Active Review Whitelisted The default setting is Indirect as these are typically are not malicious.
   Actor Domain Status	Select the status to use for actor domains. Options include: Indirect (default) Active Review Whitelisted The default setting is Indirect as these are typically are not malicious.
   Actor Website Status	Select the status to use for actor websites. Options include: Indirect (default) Active Review Whitelisted The default setting is Indirect as these are typically are not malicious.

   Intel 471 Reports Feed - Additional Parameters

   Parameter	Description
   Report Location	Display reports related to a certain country or region. Examples: "European Union" (as a region), "United Kingdom" (as a country).   The feed can only search for one location at a time.
   Report Tag	Display reports related to a certain tag. Examples: "Banking & Finance", "Tools", "Airlines", "Phishing", "Spam", "Credit Card Fraud".  The feed can only search for one tag at a time.
   Report Type Filter	Select which report types to ingest into ThreatQ when the Fetch Related Reports parameter is enabled. Options included: Info Reports (default) Breach Reports (default) Intelligence Bulletins (default) Underground Pulses (default) Threat Briefs (default) Whitepapers (default) Intelligence Summaries (default) Malware Campaigns (default) Actor Profiles (default)
   Fetched Related Reports	When true, related reports will be fetched, parsed, and ingested. This will require additional API calls. This may increase the chances of timeout errors.  This parameter is disabled by default.
   Related Report Family Filter	Select which report types to ingest into ThreatQ when the Fetch Related Reports parameter is enabled. Options included: Info Reports (default) Finished Intelligence (default) Spot Reports (default)
   Attribute Filter	Select the context to ingest into the ThreatQ platform.  Options included: GIRs Victims (default) Region Information (default) Country Information (default) Admiralty Codes (default) Motivations (default) Source Characterization Sensitive Source Portal URL (default)
   Ingest Tags	Enable this parameter to ingest tags.

   Intel 471 Spot Reports Feed Additional Parameters

   Parameter	Description
   Search Query	Query for spot reports using this free text search field.
   Victim Name	Optional - Search for spot reports related to a certain victim. You can only search for one victim at a time.
   Attribute Filter	Select the context to ingest into the ThreatQ platform.  Options included: GIRs Victims Victim Industries Victim Countries Confidence Level First Activity Date Last Activity Date

   Intel 471 Breach Alerts Feed

   Parameter	Description
   Search Query	Query for breach alerts using this free text search field.
   Victim Name	Optional - Search for breach alerts related to a certain victim. You can only search for one victim at a time.
   Confidence Level	Search for breach alerts of a certain confidence level. You can only search for one confidence level at a time.  The default value is high.
   Actor / Group	Search for breach alerts pertaining to a specific actor or group. You can only search for one confidence level at a time.
   Attribute Filter	Select the context to ingest into the ThreatQ platform.  Options included: GIRs Victims Confidence Level First Activity Date Last Activity Date

5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

{
  "uid": "cf1d3297dba669b0cbf13c275f973135cd27a4de279899aadb4f7cbde80e04c7",
  "documentFamily": "INFOREP",
  "documentType": "INFOREP",
  "admiraltyCode": "B2",
  "motivation": ["CC"],
  "subject": "Russian actor, bulletproof hoster yalishanda (aka downlow, stas_vl) adds 12 front-end proxies to fast-flux offering; Current proxy-net size sits at 250 IP addresses",
  "created": 1686921777000,
  "dateOfInformation": 1686873600000,
  "sourceCharacterization": "Information was derived from a reliable source in direct contact with yalishanda and visibility into the actor’s bulletproof hosting service.",
  "relatedReports": [
    {
      "uid": "63c31296bcb43fd226513fb15bb1db08a76dd36d8c3cbb30b434a4d0beab4210",
      "documentFamily": "INFOREP"
    },
    {
      "uid": "1c895446738ca1280fae73fb1ba3219480a606e469f543ab985a05b1155585c3",
      "documentFamily": "INFOREP"
    }
  ],
  "entities": [
    {
      "type": "SHA256",
      "value": "4c9b551910643eb2c5a4adaf517f41cf1c5035c1526b11f108accd970e675e31"
    },
    {
      "type": "MaliciousDomain",
      "value": "amazo-ne.com-system-1359650.xyz"
    },
    {
      "type": "MaliciousDomain",
      "value": "amazo-ne.com-system-7558190.xyz"
    },
    {
      "type": "MaliciousDomain",
      "value": "babypetstore.shop"
    },
    {
      "type": "IPAddress",
      "value": "109.234.38.205"
    },
    {
      "type": "Handle",
      "value": "yalishanda"
    }
  ],
  "locations": [
    {
      "region": "Oceania",
      "country": "Australia",
      "link": "impacts"
    },
    {
      "region": "North America",
      "country": "Canada",
      "link": "impacts"
    },
    {
      "region": "Europe",
      "country": "Germany",
      "link": "impacts"
    },
    {
      "region": "Europe",
      "country": "Netherlands",
      "link": "impacts"
    },
    {
      "region": "Europe",
      "country": "Russia",
      "link": "impacts"
    },
    {
      "region": "Europe",
      "country": "United Kingdom",
      "link": "impacts"
    },
    {
      "region": "North America",
      "country": "United States",
      "link": "impacts"
    },
    {
      "region": "Europe",
      "country": "Russia",
      "link": "originated_from"
    }
  ],
  "tags": [
    "Banking & Finance",
    "Bulletproof Hosting",
    "Bulletproof Hosting Tracking",
    "Extortion",
    "Malware - Usage",
    "Phishing",
    "Ransomware"
  ],
  "portalReportUrl": "https://titan.intel471.com/report/inforep/0d7f4312db15947e3ac8e330a8e55175",
  "lastUpdated": 1686921779000,
  "actorSubjectOfReport": [
    {
      "handle": "yalishanda"
    }
  ],
  "classification": {
    "intelRequirements": ["3.1.1"]
  },
  "reportAttachments": [
    {
      "url": "https://api.intel471.com/v1/reports/download/0d7f4312db15947e3ac8e330a8e55175/d7481f4c2a545304d4d806d586a62bc53c0f33ed2b39ea35066d424f48957dd0",
      "fileName": "2023-06-16_yalishanda.csv",
      "malicious": false,
      "mimeType": "text/csv",
      "fileSize": 955544
    }
  ],
  "researcherComments": "<p>[Redacted]</p>",
  "executiveSummary": "<p>As of 10 a.m. GMT, June 16, 2023, the actor <strong>yalishanda’s </strong>fast-flux network stands at 250 total hosts. There were 12 hosts added to the network in the last 24 hours, while 15 hosts were dropped during this period.</p><p>The actor hosted phishing campaigns targeting Amazon and National Australia Bank (NAB) customers, and PrivateLoader malware samples.</p>"
}

{
  "activity": {
    "first": 1646665224000,
    "last": 1646747082000
  },
  "last_updated": 1646747082000,
  "uid": "053ba72b1878c5b43241037a18cc781d",
  "data": {
    "spot_report": {
      "uid": "053ba72b1878c5b43241037a18cc781d",
      "spot_report_data": {
        "related_reports": [
          "94fa5d7114312f942173821ab0cc8458",
          "99313d87ca836e9aaaf761cedd75c66f",
          "fc2300976c64b6e5b175e8c48e9a20bd"
        ],
        "victims": [
          {
            "name": "Saudia",
            "urls": ["http://www.saudia.com/"]
          }
        ],
        "date_of_information": 1646352000000,
        "text": "[POSSIBLE BREACH ALERT] On March 4, 2022, the actor behind the Telegram channel AnonyMous IslaMic at @anony_islamic claimed a data breach impacting the Saudi Arabia-based airline Saudia, formerly Saudi Arabian Airlines, at the saudia.com website. The post credited the actor The Yemeni Ghost for the breach and mentioned 2 GB of information allegedly was leaked. The actor also posted several resume files of Saudi citizens and a data sample that contained credit card information as proof of the breach, however, the information provided was insufficient to prove the claim.",
        "intel_requirements": [
          "5.5.3",
          "6.1.1.2",
          "6.2.5.11",
          "4.2.3",
          "4.2.5",
          "5.2.9",
          "5.2.11"
        ],
        "version": "1",
        "links": [
          {
            "type": "internal",
            "url": "https://titan.intel471.com/ims_thread/c8461bf13fca8a2b9912ab2eb1668e4b?message_uid=84e377651e5fbae47900c71e664a5cb3",
            "title": "Telegram post"
          }
        ],
        "released_at": 1646665224000,
        "title": "Actor The Yemeni Ghost claims data breach impacting Saudia"
      }
    },
    "entities": [
      {
        "type": "Telegram",
        "value": "@anony_islamic"
      },
      {
        "type": "Handle",
        "value": "AnonyMous IslaMic"
      },
      {
        "type": "Handle",
        "value": "The Yemeni Ghost"
      }
    ]
  }
}

{
  "activity": {
    "first": 1687264522000,
    "last": 1687268325000
  },
  "last_updated": 1687268325000,
  "uid": "4f38ec47e6a75e28c532171237b039cd",
  "data": {
    "breach_alert": {
      "date_of_information": 1686960000000,
      "confidence": {
        "level": "high",
        "description": "Assessment is based upon high-quality, corroborated intelligence from trustworthy sources."
      },
      "intel_requirements": [
        "1.1.1",
        "1.2.2",
        "4.2.5",
        "5.2.9",
        "5.2.11",
        "5.2.12",
        "5.5.3",
        "5.5.4",
        "6.1.6.4",
        "6.2.6.5",
        "6.2.6",
        "6.1.6"
      ],
      "released_at": 1687264522000,
      "title": "Akron-Summit County Public Library possibly compromised by actor/group Akira on Jun 17, 2023",
      "victim": {
        "name": "Akron-Summit County Public Library",
        "industries": [
          {
            "industry": "Education",
            "sector": "Public sector"
          }
        ],
        "urls": ["http://www.akronlibrary.org/"],
        "country": "United States",
        "revenue": "US $25.8 Million",
        "region": "North America"
      },
      "summary": "<p>On June 17, 2023, Intel 471 collected a sample of the Akira ransomware with the 57e4a5c937bc58b01622997ca2acaa91cea2ff5cc9e7f9c4c8bf82349c23e0a9 SHA-256. Our monitoring of ransomware attacker communication revealed the sample likely was used in an attack against the Ohio, U.S.-based Akron-Summit County Public Library at the akronlibrary.org website. The perpetrators allegedly deployed the ransomware on or about May 30, 2023, exfiltrated about 71.2 GB of data and demanded US $300,000 in ransom. They also shared a complete listing of stolen files with the victim as the proof of the claim.</p>",
      "actor_or_group": "Akira"
    },
    "entities": [
      {
        "type": "SHA256",
        "value": "57e4a5c937bc58b01622997ca2acaa91cea2ff5cc9e7f9c4c8bf82349c23e0a9"
      },
      {
        "type": "Handle",
        "value": "Akira"
      },
      {
            "type":"BitcoinAddress",
            "value":"bc1ql5f3m75qx3ueu2pz5eeveyqsw6pdjs3ufk8r20"
        },
      {
        "type": "MalwareFamily",
        "value": "Akira"
      }
    ]
  }
}

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Intel 471 Reports

Intel 471 Spot Reports

Intel 471 Breach Alerts

Known Issues / Limitations

• Feed runs of very long periods of time (ex. 7 months) might result in exceeding the offset limit, resulting in 412 errors. To avoid this, ThreatQuotient recommends running the feeds for shorter periods (ex. 24 hours) of time. 

  The number of reports for a defined period will also impact the allowed time period for a run.

• Due to platform limitations, images will be removed if the description is very long.

Change Log

• Version 2.0.2
  • Resolved an issue where missing date fields would result in reports not being ingested.  
• Version 2.0.1
  • Resolved the following issues where:
    • Embedded images were stripped out from descriptions.
    • Users encountered a filter-mapping error when loading MITRE Attack Patterns from the ThreatQ API.   
  • Improved the HTML formatting for descriptions.
  • Added a new entry to the Known Issues / Limitations regarding ingestion behavior of images with long descriptions.  
  • Updated the minimum ThreatQ version to 5.24.0.
• Version 2.0.0
  • Updated minimum ThreatQ version to 5.6.0.
  • Added new Breach Alerts feed.
  • Added new Spot Reports feed.
  • Add support for the following document types:
    • Breach Reports
    • Intelligence Bulletins
    • Underground Pulses
    • Threat Briefs
    • Whitepapers
    • Intelligence Summaries
    • Malware Campaigns
    • Actor Profiles
  • Report descriptions are no longer truncated at 65k characters.
  • Added the option to fetch GIR human-readable names to use in attributes.
  • Added support for ingesting related malware family entries.  
  • Added improved country/region attribution support. 
  • Added support for the following entities: CVE, Malicious Domain, and specific username.
  • Added the following configuration fields:
    • Relationship Filter - all feeds
    • Report Type Filter - Intel 471 Reports feed.
    • Indicator Filter - all feeds.
    • Adds user field for selecting statuses for certain indicator types
    • URL Status (Non-Malicious) - all feeds
    • Actor Domain Status - all feeds
    • Actor Website Status - all feeds
    • Ingest Tags - Intel 471 Reports feed.  Tags were previously ingested as attributes.
  • Added improved victim attribution support.
  • Added support for parsing MITRE ATT&CK techniques for Actor Profiles.
  • Resolved an issue where report titles containing 4-byte unicode characters would cause the feed to complete with errors.  
  • Added performance updates to optimize feed runs and prevent rate limiting.
  • Added a new known issue / limitation regarding feed run time frames.    
• Version 1.1.1
  • Resolved an issue that would occur when the title attribute was not included in the response.  
• Version 1.1.0
  • Added new Detailed Spot Report supplemental feed call for SPOTREP reports.
  • Removed BREACH_ALERT reports to prevent 404 responses from Detailed Reports supplemental call.
  • Updated report descriptions to truncate at 32,630 characters.
• Version 1.0.3
  • Fix added to handle an empty response from the supplemental feed.
• Version 1.0.2
  • Updated report description.
• Version 1.0.1
  • Created Indicators and Adversaries have the same attributes as the Report objects.
• Version 1.0.0
  • Initial release.