In “Understanding Link Analysis and Using it Investigations,” I detailed how to get started and some fundamentals on link analysis. What I didn’t cover was how long you should be involved in the pursuit portion of your investigation, how to present your finding to executives, and what not to include in your presentation.
Open Source Intelligence – How Long should I Hunt?
I get asked many times how long you should spend on an Open Source Intelligence (OSINT) investigation. The answer depends on many variables on the target, the information needed to operationalize another component of the investigation, and — well, frankly the list goes on. In a perfect world, I try to dedicate anywhere between 24-40 hours per entity on collection prior to the documentation phase of the project. (*Once mapped, I’ll start a sub process for monitoring so I can get a feel for them and collect as much data as possible to create a fingerprint on their writing style)
This may seem overboard, but it gives a sober perspective concerning the footprint of the target. If you don’t find anything within a few hours or an extended period of time you either need to ask better questions to find clues or you need to add a few points for the operational security (Opsec) of your target. Remember, even if there isn’t data, this is, in itself data. Everyone still orders pizza, has a mom, and has a daily routine. Adapt, map and rework your plan.
From a process perspective, the dedicated time may not all be at once. Sometimes I will hunt for two days, document for two days, and then get back on collection and mapping. Having a break from collection will enable you to correlate subconsciously as you put the puzzle pieces together. Documenting everything you have when you are stuck or as a time-based process also helps solidify what you know to help you ask better questions when you get back in the ring.
Link Analysis Presentation for Different Audiences
When presenting your link analysis charts, remember you will likely have two different audiences. The executive and the technical audience. Don’t bog the executive down with too many details and try to keep the facts to three or four quick facts followed by the picture to illustrate your point. Don’t stray too far from those facts with your illustration and solution.
With your technical team or other analyst you can have greater details. Just remember if you are sharing things that are highly complex, distill the information into those top three or four. No More. If you have to hold multiple meetings to cover all the facts, do so.
What Not To Do With Link Analysis
Don’t become the greedy analyst (or academic) who wants all the data in the world with no plan on how to utilize it nor enough time to analyze everything you collected. You also don’t want to “Visualize” everything just because you have everything in your link analysis platform. This can result in what I call “Doo-Doo” graphing.
Remember, visualizing Doo-Doo is still Doo-Doo! Just because you have tons of information doesn’t mean it has any meaning whatsoever.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of the Odonata Holdings, Inc.