
Two Methods for Visualizing Intelligence

March 18, 2014

You should be familiar with the phrase “a picture is worth a thousand words.” In the gTIC, we agree 100% and are sure that most Information Technology professionals feel the same. So, let’s explore a couple of forms of visual representation that analysts can produce and how they can be useful as analytic methodologies or tradecraft.

Link analysis consists of visually associating items together via a networked diagram. Not unlike a network architecture diagram, this provides a way for the analyst to have a graphic representation of how objects relate to one another in a hierarchical diagram. Link analysis can be used for many subjects and is obviously not limited to intelligence visualization. For example, link analysis could be used for mapping out social networks via Twitter feeds or Facebook members or putting together an organizational chart of company executives.

In the military, it is heavily used in building and identifying cells or networks of insurgents or terrorists. For those of us concerned with cyberthreat analysis, this form of visual examination can be used to relate malicious or benign files, IPs and URLs, lateral movement of malicious code within a network, country of origin for any of the previously mentioned data types or known malicious actors.

It benefits the intelligence analyst by making the relationships within the subject matter visible. It can also provide a way to justify an assessment.

As an example, we can look at the victims of the Syrian Electronic Army (SEA) and discern which industry verticals are being targeted. This can allow organizations in these targeted industries to take preventative measures so they don’t fall victim to additional attacks.

As we can see in the figure, the majority of reported attacks affect those in the media. We can discern that this industry is affected most because the main motivation for the SEA is to spread pro-Assad regime propaganda.

[Figure: Two Methods of Visualization 1]

There are several programs or applications available, either for a fee or as an open-source project, which can link nodes and attach background or collected information about each node to the object itself. Some of the most well-known programs used for intelligence analysis are IBM’s i2 Analyst’s Notebook, Paterva’s Maltego and Palantir’s many platforms. The above example was built using the open-source link analysis tool NodeXL.
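The actor-to-victim-to-vertical linking described above, as an added example that is not from the original post and does not reproduce the data behind the figure. The actor and victim names are constructed placeholders, and `to_dot` emits Graphviz DOT text, a format chosen here for illustration rather than one of the tools named above.

```python
from collections import defaultdict

# Constructed sample links with placeholder names (not real victim reporting).
# Each link is (source, relation, target); a node is written "type:name".
LINKS = [("actor:group-a", "attacked", f"org:victim-0{i}") for i in (1, 2, 3, 4)]
LINKS += [("actor:group-b", "attacked", f"org:victim-0{i}") for i in (4, 5)]
LINKS += [(f"org:victim-0{i}", "in_vertical", f"vertical:{v}") for i, v in
          enumerate(["media", "media", "media", "government", "technology"], 1)]


def build_graph(links):
    """Undirected adjacency map: node -> set of linked nodes."""
    graph = defaultdict(set)
    for src, _relation, dst in links:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def kind(node):
    """Node type is the text before the first colon."""
    return node.split(":", 1)[0]


def verticals_for(graph, actor):
    """Walk actor -> org -> vertical and count victims per vertical."""
    counts = defaultdict(int)
    for org in graph[actor]:
        if kind(org) != "org":
            continue
        for vertical in graph[org]:
            if kind(vertical) == "vertical":
                counts[vertical.split(":", 1)[1]] += 1
    # Highest count first; ties broken by name so the order is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def to_dot(links):
    """Render the links as Graphviz DOT text, one shape per node type."""
    shapes = {"actor": "box", "org": "ellipse", "vertical": "hexagon"}
    nodes = sorted({n for src, _r, dst in links for n in (src, dst)})
    lines = ["digraph links {"]
    lines += [f'  "{n}" [shape={shapes[kind(n)]}];' for n in nodes]
    lines += [f'  "{s}" -> "{d}" [label="{r}"];' for s, r, d in links]
    return "\n".join(lines + ["}"])


if __name__ == "__main__":
    print(verticals_for(build_graph(LINKS), "actor:group-a"))
    print(to_dot(LINKS))
```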

Timeline analysis displays events or actions in chronological order in a graphic. This method of visual analytics is useful when an analyst needs to create a baseline of expected network traffic for anomaly detection, trend historical data to perform predictive analysis, or determine a timeline of an attack or of the actions taken against the attack by incident response personnel.

In the chart below, we can identify a spike in Malicious Code incidents reported from December 13 to 19[1]. Displaying the data visually draws the analyst to these dates to begin investigating potential root causes for the spike, such as new malware being introduced into the environment that host antivirus was not detecting, or to see if the organization was being explicitly targeted. Additionally, the bar chart in the top corner shows an overall rise in the total number of incidents throughout the reporting period.

[Figure: Two Methods of Visualization 2]
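An added example (not from the original post) of the timeline workflow described above: it bins constructed incident records per day and flags days that exceed a trailing baseline, keeping flagged days out of that baseline so a week-long spike does not mask itself. The dates, counts, window size and threshold are assumptions made for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data (not the figures behind the chart): incidents per day
# for 24 days from an arbitrary 1 December, shaped like the spike described above.
START = date(2013, 12, 1)
COUNTS = [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 4, 3, 9, 11, 12, 10, 9, 11, 10, 4, 3, 2, 3, 4]
RECORDS = [(START + timedelta(i), "Malicious Code")
           for i, n in enumerate(COUNTS) for _ in range(n)]
RECORDS += [(START + timedelta(i), "Improper Usage") for i in range(0, 24, 3)]


def daily_counts(records, category, start, end):
    """Bin one category per day, keeping zero-incident days in the series."""
    hits = Counter(day for day, cat in records if cat == category)
    span = (end - start).days + 1
    return [(start + timedelta(n), hits[start + timedelta(n)]) for n in range(span)]


def flag_spikes(series, window=7, k=3.0):
    """Flag days above mean + k * stdev of the last `window` unflagged days."""
    baseline, flagged = [], []
    for day, count in series:
        if len(baseline) >= window:
            recent = baseline[-window:]
            # Floor the deviation at 1 so a flat baseline does not flag noise.
            limit = mean(recent) + k * max(pstdev(recent), 1.0)
            if count > limit:
                flagged.append(day)
                continue  # spike days stay out of the baseline they are judged by
        baseline.append(count)
    return flagged


def merge_runs(days):
    """Collapse consecutive flagged days into (first, last) ranges."""
    runs = []
    for day in days:
        if runs and day - runs[-1][1] == timedelta(1):
            runs[-1] = (runs[-1][0], day)
        else:
            runs.append((day, day))
    return runs


if __name__ == "__main__":
    series = daily_counts(RECORDS, "Malicious Code", START, START + timedelta(23))
    for first, last in merge_runs(flag_spikes(series)):
        print(f"spike: {first} to {last}")
```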

Visual analysis is one of the ways analysts can recognize trends, patterns, anomalies and relationships in data. With contextual visualization, such as one of the methodologies outlined above, the analyst can gain knowledge which might not be readily apparent when only looking at the raw data. Finally, the analyst can incorporate a visual representation of the data into a finished report to provide the consumer with context for the conclusions made and provide confidence in the assessment.

[1] Incident categories based on US-CERT defined Federal Agency Incident Categories:

