Identify the "Who" and "Why" of Attacks with Intel 471

When dealing with a cyber intrusion, some of the first questions asked are “who” did this and “why” us. Though the questions posed are simple, they are extremely difficult to answer and require intimate knowledge of the cyber underground in order to begin constructing an intelligent response. PassiveTotal relies on data partners for such actor data and is excited to announce our latest integration with Intel 471.

Formed in 2014, Intel 471 was created in order to provide unique, high-value actor-centric cyber threat intelligence information in support of our customers' information security operations. Whilst some companies may offer raw indicators or feeds as threat intelligence, Intel 471 focuses on the individual threat actors and groups that pose a threat to your organization and sector. Intel 471 employs specialists located globally who are experts in their region and is incorporated in the United States.

PassiveTotal users who also subscribe to Intel 471’s services will now be able to view Intel 471 data directly from within PassiveTotal as they conduct analysis on threat infrastructure. Due to the sensitive nature of actor information, Intel 471 requires that two-factor authentication be enabled on accounts looking to activate the integration. Registered users can easily do this by visiting the “settings” page of their account and clicking the “Two-Factor” tab.

After activation, users will get the added benefit of seeing Intel 471 intelligence collection directly within their PassiveTotal results. This data will show up in two ways: 1) a tab of reports with links directly out to Intel 471’s portal and 2) contextual tags automatically extracted from the information reports and merged with PassiveTotal’s existing tags.

The above redacted screenshot shows an example of what a user would expect to see if they searched for a domain or IP address that matched Intel 471 details. In order to differentiate tags per report, we have also included them inside of the table of intelligence reporting. Additionally, we have included the type and motivators associated with each report.

In a recent investigation, a malicious domain searched within PassiveTotal produced several Intel 471 information reports which revealed that an adversary associated with it was involved in developing the Cerebrus point of sale (POS) malware and was looking for help to infect retail devices. With all the domain and threat actor activity information, including the details of each Intel 471 information report, contained in a unified view, security analysts can instantly discover an adversary’s digital footprint as well as their active and even upcoming campaigns.

We look forward to working with Intel 471 in the future and hope that their customers are able to take advantage of the great integration we have released today. For questions or comments, please feel free to send messages to