Jason Passwaters, Intel 471: "the goal in using threat intelligence is to obtain actionable information and insight"

Cybercrime is ultimately a human endeavor that uses sophisticated underground networks and business models to buy and sell stolen data.

Using large volumes of data collected from cybercriminal networks, experts can evaluate how and where organizations are most at risk from cyber threats – threats that typically exploit not exotic technology but easily mitigated flaws in security. Analyzing the online forums where criminals exchange information and tools gives businesses a head start on detecting possible threats.

To gain insight into the ever-evolving cybersecurity landscape, we spoke to Jason Passwaters, co-founder and CEO of Intel 471 – a company that uses advanced data collection to thwart cybercriminals.

Tell us the story behind Intel 471. What has the journey been like?

I co-founded Intel 471 with Mark Arena in 2014. Our intention was to create a business that would protect organizations from cyber threats and crime. We noticed that companies had increasingly started to hire former law enforcement and intelligence professionals to get a grasp of the risk. We saw this as an opportunity: Develop an exceptionally good intelligence collection capability, then transform that raw collection into finished intelligence products that security professionals can use to guide their operations and mitigate risk. Data breaches, ransomware attacks, and fraud have emerged as some of the greatest sources of risk for companies and organizations.

I served as the Vice President of Intelligence at Intel 471 until 2018 before taking over as its Chief Operations Officer. Recently, I took over as CEO in March after Mark moved into an advisor role. We are backed by Thoma Bravo, which invested in Intel 471 in 2021.

Can you introduce us to what you do? What are the main challenges you help navigate?

As former practitioners, we built an intelligence platform that is designed for security teams to be able to tap into data and trends, enabling them to take proactive steps to defend their organizations. We built the platform that we wished we had had.

Cybercriminals don’t work in a vacuum, and they’re all humans behind computers. They’ve achieved scale by adopting legitimate business models. Most recently, this includes offering cybercrime-as-a-service components and interacting with one another on underground forums. They sell stolen data. They buy services from each other, from money launderers to malware coders to botnet maintainers.

Collecting intelligence on what these threat actors are doing can provide a crucial head start for organizations that might be targeted. But it’s difficult for an individual company’s security team to grasp the depth and volume of the so-called "deep or dark web." It’s a whole field in itself. Our mission is to collect and catalog the cybercriminal underground, organize the data, and interpret it in ways that are meaningful and actionable for our clients.

What technology do you use to analyze the cyber underground?

We use automation, scraping, and actual engagement with threat actors (HUMINT) to collect data. We collect underground forum postings, messages posted to Telegram channels, and listings on marketplaces, amongst other sources. The data goes into our intelligence platform, TITAN, where it is categorized and labeled.

Our collection efforts are aimed at providing high-fidelity alerting of top-tier cybercriminals and gangs, as well as the tools that they’re using to compromise organizations. We collect and analyze the top malware families and botnets. We monitor underground advertisements for stolen login credentials by initial access brokers (IABs).

We also monitor software vulnerabilities with a view to seeing whether threat actors are monetizing exploits, which helps guide our clients with patch management. Our analysts and researchers come from a variety of backgrounds: reverse engineers, analysts, intelligence services, military, and law enforcement. Often, our analysts are native speakers with deep knowledge of the cybercriminal communities they study, which provides our clients with insight.

Have you noticed any new threats arise as a result of the recent global events?

Russia’s full-scale invasion of Ukraine in February 2022 caused a large rift in cybercriminal circles. Russian and some Ukrainian cybercriminals who collaborated before split over the war. We’ve also seen an evolution in Russian threat actors. We’ve seen Russian hackers undertake distributed denial-of-service (DDoS) against countries that have lent support to Ukraine.

The Russian state doesn’t appear to be directing those efforts, but we do see groups aligning themselves with state priorities, perhaps to ensure that their own cybercriminal activities don’t invite domestic scrutiny. Unfortunately, the war and ongoing tensions with Russia will make the anti-ransomware efforts of Western countries more difficult.

Just prior to the full-scale invasion, Russia arrested several alleged members of the REvil ransomware gang following increased pressure from Western countries to take action. Given the current tensions, it’s unlikely Russia will undertake efforts to crack down on ransomware groups, which are allowed to operate as long as their targets are outside of Russia.

How can people best stay informed on all things related to cybersecurity so they can better protect their networks against malicious actors?

I think it’s easy to get lost in the sea of news stories, technical feeds, vulnerability advisories, and more. Organizations should determine what is relevant to their organization. What do they view as the greatest sources of risk? What kind of intelligence should be collected to evaluate those risks? And then, finally, can we turn that intelligence into a security benefit?

As an example, we track threat actors discussing vulnerabilities. If we know through our research that those threat actors are linked to ransomware groups, we might be able to conclude that if they successfully develop an exploit for a particular vulnerability, that access may be passed to the ransomware groups. In that example, organizations can take away that they need to patch that application ASAP or take steps to mitigate exposure.

Why might some organizations not be aware of the security risks they are exposed to?

As mentioned before, there’s always a lot happening in the cybercriminal underground, and there’s a lot of innovation. Our analysts and researchers look for new developments and evaluate the potential for harm from advanced phishing kits to malvertising to new malware and more.

Security teams at organizations have their own priorities and often can’t dedicate the time to trying to figure out and analyze the risks, which is where we can help.

What problems can organizations run into if proper threat intelligence solutions are not in place?

Threat intelligence tracks people and groups who may try to cause harm to your organization. The goal of using threat intelligence is to obtain actionable information and insight to improve security operations and avoid incidents. Threat intelligence can be voluminous, overwhelming, and irrelevant if not carefully curated and finely tuned. We recommend that organizations use General Intelligence Requirements (GIRs) to guide how they ingest various types of threat intelligence.

GIRs are part of a taxonomy for classifying intelligence collection that allows organizations to prioritize the collection of intelligence that is most relevant to them. For example, an organization’s security operations team may be most interested in data that falls into a GIR covering vulnerabilities and exploits. The type of intelligence collected for that GIR may include threat actors’ discussions and sharing of exploit code and the reputation of the threat actors.
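
The two ideas above, filtering collected intelligence through an organization's GIRs and raising the priority of exploit chatter from actors linked to ransomware groups, can be shown in a small triage routine. The block below is an added example written for this article; it is not Intel 471's code and does not reflect their actual GIR taxonomy, scoring, or platform. The GIR labels, weights, actor names, organization domain, and intel records are all constructed for illustration.

```python
"""Added example (not Intel 471's own code): triage constructed underground
intel records against an organization's General Intelligence Requirements
(GIRs). GIR identifiers, scoring weights, actor names and records are all
assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical GIR taxonomy (labels assumed, not Intel 471's real taxonomy).
GIR_TAXONOMY: Dict[str, str] = {
    "GIR-1": "Vulnerabilities and exploits",
    "GIR-2": "Compromised credentials and initial access",
    "GIR-3": "Malware and botnets",
    "GIR-4": "Fraud and carding",
}

# This organization's requirements: only the GIRs it has chosen to collect,
# each with a priority weight. Anything outside this set is noise for them.
ORG_REQUIREMENTS: Dict[str, int] = {"GIR-1": 3, "GIR-2": 2}

# Constructed reputation data: actors assessed as linked to ransomware crews.
RANSOMWARE_LINKED: Set[str] = {"actor_bravo"}

# Domains this organization owns (constructed); used to spot direct exposure.
ORG_DOMAINS: Set[str] = {"example.com"}


@dataclass
class IntelRecord:
    record_id: str
    source: str          # e.g. forum, marketplace, Telegram channel
    actor: str
    girs: List[str]      # GIR labels applied when the record was catalogued
    text: str


# Constructed sample records standing in for catalogued underground posts.
RECORDS: List[IntelRecord] = [
    IntelRecord("r1", "forum", "actor_bravo", ["GIR-1"],
                "Selling working exploit for a widely deployed VPN appliance"),
    IntelRecord("r2", "marketplace", "actor_charlie", ["GIR-2"],
                "RDP access + admin creds for example.com, fresh, no MFA"),
    IntelRecord("r3", "forum", "actor_delta", ["GIR-4"],
                "Fresh card dumps, EU and US bins"),
    IntelRecord("r4", "telegram", "actor_echo", ["GIR-3", "GIR-1"],
                "New loader build, includes exploit module for old browser bug"),
]


def score_record(rec: IntelRecord) -> Optional[dict]:
    """Return a triage verdict for one record, or None if it matches no GIR
    the organization collects. Weights are assumptions for illustration."""
    matched = [g for g in rec.girs if g in ORG_REQUIREMENTS]
    if not matched:
        return None
    score = max(ORG_REQUIREMENTS[g] for g in matched)
    reasons = [f"matches {g} ({GIR_TAXONOMY[g]})" for g in matched]

    # Exploit chatter by a ransomware-linked actor: the resulting access may
    # be handed to a ransomware crew, so patching that software moves up.
    if "GIR-1" in matched and rec.actor in RANSOMWARE_LINKED:
        score += 2
        reasons.append("actor linked to ransomware operations")

    # A listing that names one of the organization's own domains is direct
    # exposure rather than background noise; it outranks everything else.
    if any(d in rec.text.lower() for d in ORG_DOMAINS):
        score += 4
        reasons.append("names an organization-owned domain")

    return {"record_id": rec.record_id, "actor": rec.actor,
            "score": score, "reasons": reasons}


def triage(records: List[IntelRecord]) -> List[dict]:
    """Keep only records matching the organization's GIRs, highest score first."""
    verdicts = [v for v in (score_record(r) for r in records) if v is not None]
    return sorted(verdicts, key=lambda v: v["score"], reverse=True)


if __name__ == "__main__":
    for v in triage(RECORDS):
        print(v["score"], v["record_id"], v["actor"], "; ".join(v["reasons"]))
```

Run as-is, the carding record (r3) is dropped because it falls outside the GIRs this organization collects, the credential listing that names the organization's own domain (r2) lands at the top, and the exploit post from a ransomware-linked actor (r1) ranks above otherwise similar exploit chatter (r4). The weights are placeholders; the point is that the requirements, not the feed, decide what reaches an analyst.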

Besides threat intelligence solutions, what other security best practices do you think are essential for modern companies?

Many organizations are not compromised because threat actors are using exotic, zero-day vulnerabilities. They’re being compromised in routine ways that we know how to defend against. They’re getting compromised due to stolen credentials for accounts that don’t have multi-factor authentication (MFA). They become infiltrated after failing to patch applications in a timely fashion.

They fall victim to phishing attacks which are effective at both stealing credentials and delivering malware. Sometimes it’s human error, such as misconfigured applications, that attackers discover. I sympathize with defenders who face a dynamic, evolving threat environment every day.

And finally, what’s next for Intel 471?

Not every organization is ready for full-on adversary intelligence. Operationalizing threat intelligence is a journey, and we are opening it up to mid-size organizations with helpful offerings that can reduce their risk. For example, we recently acquired SpiderFoot, which is an attack surface management tool. Attackers often reconnoiter their targets, looking at everything from technical information, such as open ports or exposed applications, to social media profiles of their executives.

SpiderFoot consolidates hundreds of open-source intelligence tools, data sources, and analysis techniques to unearth exposed information that organizations aren’t aware of. We’ve also developed automated tools that can provide immediate tactical information that can be put into use around vulnerability management and patch prioritization. We monitor markets selling access and login credentials, and our customers get alerts when threat actors claim to have their credentials.

Also, we plan to build integrations with third-party supply management tools for the supply-chain risk data we collect. These offerings deliver an immediate security benefit and value, particularly for small organizations starting on an intelligence-led security approach.