The Analysis Intelligence site provides open source analysis and information on a variety of topics based on the temporal analytic technology and intelligence analysis tools of Recorded Future. Shortly after the release of 175 pages of documents from the Combating Terrorism Center (CTC), a very interesting assessment was posted on the site. This assessment sheds light on the nature of these documents and also highlights some of the important context that the powerful capabilities of Recorded Future can provide.
The analysis by Recorded Future is succinct and well done, so I cite most of it below. I'll conclude with some of my own thoughts as an experienced intelligence professional and technologist on some of the "So What" of this assessment.
First, from the Analysis Intelligence site:
The Combating Terrorism Center (CTC) released 17 new letters (175 pages) discovered in the Abbottabad compound where Osama bin Laden was discovered and killed last year. The documents were made available as part of a report entitled “Letters from Abbottabad: Bin Ladin Sidelined?”
This post shows analysis of all 17 letters using Recorded Future’s temporal analytic technology and intelligence analysis tools. This first effort analyzes the English translated text and will be followed by an analysis of the letters in their original Arabic.
We treated these letters like they were any other source in the Recorded Future system. Our linguistic algorithms extracted a variety of data points available in the text that we then visualized in the Recorded Future user interface.
Analyzing these documents in aggregate and visualizing them using Recorded Future immediately reveals a number of patterns and insights. We’ll start with a network graph generated from the connections found in the body of letters where it’s clear to see the focal points of God, Yemen, and Afghanistan:
Seeing the locations described in the network, we can actually uncover what locations are mentioned the most:
Shifting back to a network view, let’s find what individuals are associated with Iran in the collected letters:
And to serve as a comparison, below are those relations referenced with Yemen:
Moving to a timeline analysis of the letters and references within, there is a glaring absence of communication during 2008. Was this a time when Osama bin Laden went dark? Or is there sensitive information in documents from that period meaning they’re still under wraps?
Getting a deeper look at the years from which we capture quite a bit of data:
Lastly, one of the unique features of Recorded Future includes the ability to extract references to predictions and future periods of time. From this particular set of documents, one future reference emerged related to planning the foundation of a Muslim state.
- Experienced intelligence professionals have long found value in using automated tools to help extract value from text. These tools have been maturing over time, with some of the most modern, most capable being those in use at Recorded Future. Analysts have many other good options for their tools, but I don't know of any better than those that produced the graphics in the post above. This is interesting to me for several reasons, but perhaps the most important reason is that analysts can access these tools using online systems vice old, clunky, hard-to-install, expensive systems in place at most organizations today.
- It was a real eye opener for me to learn that Recorded Future could do this sort of analysis on documents like this. I know a great deal about what they can do with the open source information on the entire Internet and I should have assumed they could do this sort of work, but for some reason I was so excited about their other capabilities that it completely escaped my mind that they would be masters at this important use case of document exploitation. Imagine if every document ever captured by our forces could be analyzed together this way.
- I have to conclude that Recorded Future could have actually done far more with this if they had been given access to more info. This is clearly one of those cases where the tools and methodologies are in place to do more with more data.
- The analysis above is insightful and would have been particularly helpful immediately after the documents were collected (we can all assume that many tools were used on the entire take right after these documents were collected). Analysis like this is also of use in many other subject domains of course. One of the reasons this is helpful in so many domains is that rapid analysis can help drive further collection that can deduce an adversary's options and therefore give our decision-makers better support.
- I also conclude that if this capability existed in a system where classified information could also be brought to bear it would be even more useful to analysts.