TL; DR: Intel 471 is on a mission to deliver the adversary and malware intelligence that security and fraud teams need to proactively combat cybercrime. The company maintains far-reaching access to sources where threat actors operate, and it uses the information collected to provide strategic, operational, and tactical intelligence. Ultimately, Intel 471’s goal is to help teams across the globe make more informed decisions via situational awareness.
Garden-variety cybersecurity companies are sprouting up worldwide as increasing threats invade today’s online environment.
These organizations commonly focus on blacklisting risky IP addresses, keeping software up to date, installing antivirus protection, backing up critical data, and securing infrastructure — all valid risk mitigation strategies.
But some proactive cybersecurity experts are taking a more novel approach, shifting their focus to the cyber underground, where crimes take root. There, undercover agents get firsthand knowledge about the motivations of threat actors.
Of course, these globally deployed security operatives must be carefully embedded in local culture or risk exposure. Intel 471, for example, aims to help security and fraud teams proactively combat cybercrime by sending intelligence operators and native speakers to infiltrate closed sources where threat actors operate.
“That’s why we believe in the boots on the ground model — when people are communicating, you have to be located in the same area to understand the contextual details: what’s being said, what’s not, the wording,” said Maurits Lucas, Director of Intelligence Solutions at Intel 471. “It’s similar to how virtual assistants like Siri and Alexa can’t yet mimic human intellect because they don’t understand subtle meanings.”
The company offers two complementary products. Adversary Intelligence, Intel 471’s flagship product, combines field-based intelligence collection and internal analysis. Malware Intelligence, available through an online portal, RESTful API, or third-party integrations, helps customers understand and block the latest crimeware campaigns.
Ultimately, the company’s underground capabilities provide timely data and relevant context that empowers customers across the globe to make informed decisions via situational awareness.
Focusing on the Malicious Actor, Not Just the Attack
Intel 471 was founded in 2014 by Mark Arena, a cyber intelligence professional who had previously served as a Technical Specialist within the High Tech Crime Operations of the Australian Federal Police and Chief Researcher at the cyber threat intelligence company iSIGHT Partners.
“At the time, there were numerous threat intelligence companies — as there still are today,” Maurits said. “Most of them focused on the technical aspects of threats; connecting lists of IP addresses and such. Our focus was to look at the actual actors and adversaries behind them.”
Today, the company is headquartered in Dallas and boasts an international presence in Washington, D.C.; San Francisco; Chicago; Amsterdam; London; Ukraine; India; Colombia; Romania; Brazil; and Singapore.
In all these areas, experienced operatives infiltrate forums, chat rooms, and other online environments where malicious actors gather to understand who they are and what they are trying to achieve.
“What you see on the perimeter is the tip of the spear — you may detect malware or attacks, but it’s important to know who’s behind them and what are they trying to accomplish,” Maurits said. “If you understand the threat landscape, you can also be more proactive in mitigating risk. You can prepare yourself and take steps to become a less attractive target.”
Maurits said the web is comparable to Venice during the Middle Ages. “The internet is a fairly chaotic and unpredictable place in the middle of these little islands of global order,” he said. “But if you look at medieval Venice, they didn’t wait for people to turn up at the gates — they had a network of spies and informers who kept tabs on what was going on so they could plan ahead. We provide that same function for the underground aspects of the internet.”
Identifying the Motives and Structure Behind Cybercrime
The Intel 471 team isn’t fond of describing the internet underground as the deep, dark web, though the words are popular media fodder.
“As Arthur C. Clarke said, any sufficiently advanced technology is indistinguishable from magic,” Maurits said. “This terminology attempts to turn part of the internet into magic.”
Maurits said one of the key challenges the industry faces is that the average user’s eyes tend to glaze over when highly technical concepts aren’t made easily accessible.
“Ultimately, the web is not deep, and it’s not dark,” he said. “Threat actors are trying to accomplish various goals, and they need to strike deals, form alliances, and have some type of organization to do so. We try to map out that structure.”
For example, spammers and other threat actors typically seek bulletproof hosting, a service that provides the customer with significant leniency when it comes to the materials they upload and distribute. From the malicious actor’s perspective, choosing the wrong bulletproof host could be the difference between success and failure.
“They want to identify the best bulletproof hosts rather than risk their entire attack being taken down,” Maurits said. “They need some structure to do that, and rather than assuming the problem is too deep, dark, and spooky to solve, we map that structure out.”
The team also aims to stay one step ahead of the trends that are going mainstream.
“The key is being proactive, trying to get ahead of the curve by budgeting, preparing, and having a mental model where things are heading,” Maurits said. “As they say, generals are always preparing for the last war. Similarly, a network or organization’s defenders should be preparing for today’s threats — not yesterday’s.”
Leveraging Years of Experience to Achieve Strategic Goals
Maurits said he is proud of Intel 471’s talented and experienced team.
“Our people have rich industry experience working for other cyber threat intelligence companies and inside organizations to beat threats and malicious actors,” he said. “We may have earned some scars along the way, but we’re using that experience to achieve all the goals we’ve wanted to.”
Intel 471 takes a multifaceted approach to intelligence that involves malware tracking, vulnerability monitoring, and strategic, operational, and tactical intelligence. But ultimately, Maurits told us his team believes that intelligence in and of itself is useless.
“You as a customer decide to do something; you are armed with knowledge, and you use that knowledge to make decisions,” he said. “That’s all we do — we support decisions.”
At the tactical level, simple decisions, such as whether to accept a connection from an IP address or whether an email is legitimate, can be made entirely by machines. This saves time for humans to make more strategic decisions involving significant threats and protective actions. The idea is to arm clients with technical, tactical data, as well as the intelligence to help them make longer-term decisions.
“For example, if you saw the amount of data that actors were connecting via databases and the tooling they were putting together, strategically, you would have said ‘I don’t want anything within our estate to be protected by username and password,'” he said. “Everything internet-faced would have to be protected with two-factor authentication (2FA).”
Make Smarter Decisions Via Situational Awareness
Maurits said at the end of the day, Intel 471 is more akin to a smoke detector than a fireman.
He said that while there’s little glory disaster prevention, the company is happy to reside in that space.
“If you wait until flames are coming out of the roof and come in, sirens blaring, and put out the fire, you’ll be a hero,” he said. “But that’s the kind of challenging world we want to live in — the one where it may be harder to demonstrate value, but you’re giving customers the situational awareness they need to understand what’s out there.”