Kiris Group Intelligence Security

Online Monitoring Part 2 – Analytical value and automation...



A popular internet meme depicts just how far technology has come in a relatively short timeframe. Your smartphone is capable of what used to take several devices to achieve, and it fits in your pocket, can be carried anywhere and in most cases will last the best part of the day on a single charge (owners of certain brands may disagree…). The key factor, though, is that it offers connectivity to a vast network where you can instantly share your latest thoughts, images and videos, and experience those of others. With all this information being so readily available, it can be almost impossible to know how to exploit this data for maximum value. Part one of this blog post focused on the analytical process surrounding online monitoring and alerting and the mechanics of how it is delivered. Part two focuses more on the real value – how we take the metaphorical needles that we have sifted from the haystack, and then make them add value as intelligence products, rather than simply flagging information.


The advent of mobile technology has seen a shift in the availability of information and, by extension, in how informed people are and how informed people expect to be. This reflects the wider, ever-growing trend of globalisation and instant access to information – in 2021 internet access isn’t seen as a luxury but a necessity. As often happens with technology as it develops, the cost of owning it decreases and its availability to the masses increases proportionately as it improves. Mobile phones are so ubiquitous today that approximately 63.6% of the world’s population own one; that’s 4.88 billion people. There are approximately 3.8 billion smartphone users worldwide, which is just shy of half the global population at 48.53%. This has also climbed substantially since 2016, when the figure was 2.5 billion (33.58%). Unfortunately, the distribution of wealth is unequal, and some areas of the world are not as well connected as others. In the developed world it’s a safe bet that anyone over the age of 16 has possession of a smartphone, but beyond that the chance of every other person having one is almost a certainty.


What this means for online investigations is that it is possible to get real-time information about ongoing events almost anywhere in the world, as long as people are around to see it and, almost inevitably, share it via some form of social media. We’re all guilty of getting our phones out to record or stream events unfolding in front of us. A lot of us share this publicly to inform or warn others, and some of us share it for attention or financial gain, but either way the result is the same – almost anything noteworthy that happens anywhere in the world gets shared in real-time. This puts that information right in the wheelhouse for OSINT.


A recent example of how OSINT could have been (and was) used to gain insight into real-time events was the riots at the Capitol building on 6th January this year. Prior to the event, chatter online was broadcasting what was about to happen as extremist groups rallied support on platforms like Parler, having been removed from more mainstream platforms (a separate blog post entirely).


During the event, live-streamed footage circulated online and across social media depicting the event, ironically shared by many of those it has subsequently condemned to prison sentences, in an attempt to further their own cause through the lens of social media. As all of this unfolded (in real-time) there was a huge effort by the online investigations community to preserve content for subsequent exploitation, knowing that many of those involved would realise the incriminating nature of their actions and attempt to delete these videos.


The vital factor here, though, is that much of the online chatter has only been picked up after the fact – by analysts (not computers) trawling back through accounts associated with those highlighted. Indeed, this neatly encapsulates the crux of the discussion. These analysts were mostly woken up or notified of events through various automated alerting services – giving them instant access to the information. But the intelligence they have produced (from staggering efforts cohered across the whole community and enabled almost exclusively online) is all through human value added – something automated processes simply cannot deliver.


There are a number of platforms that offer alerting and monitoring services online that look to leverage all of this information. They differ in operation but are all broadly similar. At the more advanced end they use machine learning algorithms or AI, whilst at the more rudimentary end they use keyword searches or libraries to sift through the noise and bring back the relevant information for the user. Either way, the idea is to get back the most relevant information as quickly as possible in order to generate the deepest understanding of a given ongoing situation. Whilst these services are good and can provide insight into unfolding events (and artificial intelligence sounds fancy), the reality is that machines on their own can only take you so far.


Until such time as technology is capable of recognising the nuanced distinction between a sarcastic tweet and a strictly negative one (and it still isn’t), there will always be a place for a human analyst. Indeed, even when the algorithms that deliver this kind of AI are effective, they still have to be designed with analytical input at inception. So, even if technology advances sufficiently that it can achieve this level of nuanced insight, all it really delivers is better sifted information. Intelligence will never be solely delivered by technology; thus, all the best alerting platforms provide little more than (very effectively sourced) information. To add real value, information needs to be turned into intelligence, and to do that, you need an analyst.