Research
13.06.23

Investigation and INT Fusion: Unlocking the Power of OSINT for Comprehensive Investigations

Article 4

Investigation and INT Fusion

People in investigation often make the mistake of thinking that data fusion and normalization occur exclusively at the level of the individual INT: OSINT, SIGINT, HUMINT, GEOINT and so on.

This mistake is understandable, as many still view OSINT through the prism of blogs, Tweets and more in a wider national-security context. What is missed, however, is the power of OSINT in investigations of all kinds and its utility for public and private-sector investigations.

OSINT is more than curated and verified alerts, especially in the private sector.

Across the financial services industry, OSINT plays a key role in Know-Your-Customer, due diligence, anti-money laundering and counter-terror finance investigations. These diverse investigation sets require analysts to know how to navigate the online media landscape, harness social media for hidden insights into risk vectors, identify corporate registration documents globally, monitor tankers and planes, track cryptocurrency transactions, dive into customs datasets, uncover shell firms and trace assets by using a multitude of open-source investigation tools and platforms.

For information security and cyber threat intelligence teams, OSINT plays a crucial role. Deep investigations of threat actors require the use of people-oriented investigation tools and datapoints, such as usernames, email addresses and social media accounts, while investigating hostile infrastructure requires the integration of IP addresses, name and mail servers, WHOIS records and more.

OSINT plays an even more foundational role in Trust and Safety. Trust and Safety moderation teams are in many ways utilizing their own form of automated OSINT investigation: flagging and escalating harmful material for deeper investigation by dedicated threat intelligence teams. These threat intelligence teams also utilize external people, company and social media investigation tools to enrich internal datapoints with a bevy of additional data sources, such as IP address geolocation, social media and messaging accounts registered under email addresses and phone numbers, and mentions in media, in order to map out networks of bad actors both on and offline and to thwart nation-state and organized crime efforts to exploit their platforms. Policy teams and managers utilize OSINT to identify relevant research and promote new policies based upon the findings generated by the OSINT efforts of the content moderation and threat intelligence teams.

The above are but a few of the various entities and datapoints that OSINT analysts must know how to normalize and fuse. OSINT arguably is unique in the sheer variety of datapoints under its purview, comparable only perhaps in complexity to MASINT or ELINT.

Findings from SIGINT or HUMINT can be summarized into text snippets, whereas normalizing and fusing disparate datapoints ranging from corporate documents to flight paths to passive DNS records to social media accounts is an order of magnitude more difficult.
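To make the "normalize and fuse" step concrete, here is an added example (not code from the article or from Falkor) that takes records from four notional sources, each with its own field names, maps them onto canonical selector types, normalizes the values, and links records that share a selector into one entity cluster. The source schemas, the FIELD_KINDS mapping and every record value are constructed for illustration; the linking rule (shared email, phone, domain, IP or handle, plus the domain derived from an email address) is one reasonable choice, not an industry standard.

```python
"""Normalize heterogeneous OSINT records and fuse them into entity clusters."""
import re
from collections import defaultdict

# Constructed sample records from four hypothetical sources (not real data).
# Note the inconsistent casing, trailing dots and phone formatting across sources.
RECORDS = [
    {"source": "whois", "domain": "Example-Shipping.COM",
     "registrant_email": "Ops@Example-Shipping.com",
     "registrant_phone": "+1 (555) 010-2222"},
    {"source": "passive_dns", "domain": "example-shipping.com.", "ip": "203.0.113.10"},
    {"source": "corporate_registry", "company": "Example Shipping Ltd",
     "director_email": "ops@example-shipping.com"},
    {"source": "social_media", "handle": "@ExShipOps",
     "email": "OPS@EXAMPLE-SHIPPING.COM", "phone": "15550102222"},
    {"source": "passive_dns", "domain": "unrelated.example.net", "ip": "198.51.100.7"},
]

# Per-source field names mapped onto canonical selector kinds (hypothetical schema).
FIELD_KINDS = {
    "registrant_email": "email", "director_email": "email", "email": "email",
    "registrant_phone": "phone", "phone": "phone",
    "domain": "domain", "ip": "ip", "handle": "handle", "company": "company",
}


def normalize(kind, value):
    """Bring a raw selector value into a canonical form so equal things compare equal."""
    v = value.strip()
    if kind == "email":
        return v.lower()
    if kind == "domain":
        v = v.lower().rstrip(".")            # drop the DNS root dot
        return v[4:] if v.startswith("www.") else v
    if kind == "phone":
        return re.sub(r"\D", "", v)          # keep digits only
    if kind == "handle":
        return v.lower().lstrip("@")
    if kind == "company":
        return re.sub(r"\s+", " ", v.lower())
    return v                                 # ip: already canonical enough here


def extract_selectors(record):
    """Return the set of (kind, value) selectors a record contributes."""
    selectors = set()
    for field, raw in record.items():
        kind = FIELD_KINDS.get(field)
        if kind is None:                     # e.g. the "source" label
            continue
        value = normalize(kind, raw)
        selectors.add((kind, value))
        # An email address also implies its domain, which links people data
        # (WHOIS, registries, social) to infrastructure data (passive DNS).
        if kind == "email" and "@" in value:
            selectors.add(("domain", normalize("domain", value.split("@", 1)[1])))
    return selectors


def fuse(records):
    """Union-find over records: two records sharing any selector join one cluster."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]    # path halving
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    per_record = [extract_selectors(r) for r in records]
    owner = {}                               # selector -> first record seen with it
    for idx, sels in enumerate(per_record):
        for sel in sels:
            if sel in owner:
                union(idx, owner[sel])
            else:
                owner[sel] = idx

    clusters = defaultdict(lambda: {"records": [], "selectors": set(), "sources": set()})
    for idx, rec in enumerate(records):
        root = find(idx)
        clusters[root]["records"].append(idx)
        clusters[root]["selectors"] |= per_record[idx]
        clusters[root]["sources"].add(rec["source"])
    return sorted(clusters.values(), key=lambda c: c["records"][0])


if __name__ == "__main__":
    for n, cluster in enumerate(fuse(RECORDS), start=1):
        print(f"entity {n}: records {cluster['records']} from {sorted(cluster['sources'])}")
        for kind, value in sorted(cluster["selectors"]):
            print(f"  {kind:8} {value}")
```

The first four records collapse into one entity because the registrant email, the phone number and the domain all survive normalization as identical selectors; the fifth record stays separate. In practice the FIELD_KINDS mapping is the part that grows per source, and the normalization rules (for instance, proper E.164 handling for phone numbers) are where most false merges and missed links originate.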

Most industry solutions provide a product tailored to a specific problem set for a given industry, or to a single INT.

This is problematic for several reasons, but the most important and under-discussed reason is simple: investigations are almost never limited to just “one” sector or INT. Best practices for investigation mandate the utilization of all relevant data, and the same applies to OSINT sources.

Fusing data from corporate registries, information security investigation tools and social media is no easy task but is the order of the day to empower analysts to stay ahead of threats.

Here’s where Falkor comes in. Falkor is the world’s leading analyst OS, empowering analysts from all backgrounds and of all industries to investigate, analyze and collaborate on cross-industry and cross-INT cases. Be it analyzing phone records, user session logs, social media posts or vessel tracking – so long as it can be exported or connected via an API, Falkor supports it.
