Two Methods for Visualizing Intelligence
March 18, 2014
You should be familiar with the phrase “a picture is worth a thousand words.” In the gTIC, we agree 100% and are sure that most Information Technology professionals feel the same. So, let’s explore a couple forms of visual representations analysts can produce and how they can be useful analytic methodologies or tradecraft.
Link analysis consists of visually associating items together via a networked diagram. Not unlike a network architecture diagram, this provides a way for the analyst to have a graphic representation of how objects relate to one another in a hierarchical diagram. Link analysis can be used for many subjects and is obviously not limited to intelligence visualization. For example, link analysis could be used for mapping out social networks via Twitter feeds or Facebook members or putting together an organizational chart of company executives.
In the military, it is heavily used in building and identifying cells or networks of insurgents or terrorists. For those of us concerned with cyberthreat analysis, this form of visual examination can be used to relate malicious or benign files, IPs and URLs, lateral movement of malicious code within a network, country of origin for any of the previously mentioned data types or known malicious actors.
It benefits the intelligence analyst by being able to visually represent relationships between the subject matter. It can also provide a way to justify an assessment.
As an example, we can look at the victims of the Syrian Electric Army (SEA) and discern what industry verticals are being targeted. This can allow organizations in these targeted industries to take preventative measures so they don’t fall victim to additional attacks.
As we can see in the figure, the majority of reported attacks affect those in the media. We can discern that this industry is affected most because the main motivation for the SEA is to spread pro-Assad regime propaganda.
There are several programs or applications available - either for a fee or as an open-source project - which can perform linking of nodes and applying background or collected information concerning the node inside the object. Some of the most well-known programs used for intelligence analysis are IBM’s i2 Analyst Notebook, Paterva’s Maltego and Palantir’s many platforms. The above example was built using the open-source link analysis tool NodeXL.
Timeline analysis is the chronological order of events or actions visually displayed via a graphic. This method of visual analytics is useful when an analyst needs to create a baseline of expected network traffic for anomaly detection, trend historical data to perform predictive analysis or determine a timeline of an attack or actions taken against the attack by incident response personnel.
In the chart below, we can identify a spike in Malicious Code incidents reported from December 13 to 19. By having this visually displayed, it draws the analyst to this date to begin investigating potential root causes for the spike - such as new malware being introduced in to the environment that host antivirus was not detecting - or to see if the organization was being explicitly targeted. Additionally, the bar chart in the top corner shows an overall rise in the total amount of incidents throughout the reporting period.
Visual analysis is one of the ways analysts can recognize trends, patterns, anomalies and relationships in data. With contextual visualization, such as one of the methodologies outlined above, the analyst can gain knowledge which might not be readily apparent when only looking at the raw data. Finally, the analyst can incorporate a visual representation of the data into a finished report to provide the consumer with context for the conclusions made and provide confidence in the assessment.
 Incident categories based on US-CERT defined Federal Agency Incident Categories: http://www.us-cert.gov/government-users/reporting-requirements#tax.