In this blog, one of our experienced Tradecraft Advisors draws on his OSINT experience to share his learnings and tips about leveraging the word cloud to inform investigations.
Like many OSINT solutions, Fivecast ONYX contains a whole bunch of really cool, advanced analytical tools – including ones that leverage everyone’s favorite buzzword, Artificial Intelligence. And these tools are undoubtedly useful in helping me focus on important bits of information when I’m doing an OSINT investigation! With all those bells and whistles, though, I recently realized that I was returning time and again to an old, no-frills capability – the word cloud.
A word cloud from a Fivecast ONYX investigation into Russian propaganda online
Visualize and Analyze OSINT Data with Word Clouds
The ubiquity of word clouds makes them very easy to overlook. Much of the time, the user is right to focus on either more advanced or much more specific tools. But I think dismissing its utility out of hand – as I’ve been guilty of a time or two – risks missing the proverbial forest for the trees. I’ve found the word cloud particularly useful when I’m looking at medium-to-long term investigations. The word cloud is just a simple graphical depiction of how often these words and phrases are cropping up – the bigger the word in the cloud, the more mentions it has in the dataset. With Fivecast ONYX this data can also be exported to support reporting requirements.
In these cases, the usefulness of the word cloud in larger, long-running investigations comes down to one main thing – it helps me see how narratives, conversation, and communication change over time. It also provides a starting point for understanding how a group or individual I am looking at uses communication, colloquialisms, and slang online- especially where a group may have developed their own ‘language or code’ to obscure their intentions or meaning. Suppose I have a set of keyword searches or channel collections that I’m running. In that case, I hope to, at some point, grasp the general tenor of the conversation – and I learn, consciously or unconsciously, to pay attention when certain words or phrases come up. These can be references to illegal activity, calls to action, or just locations or events – but the important thing is that they mean something unique to the people posting them, and when that is the case, those words often pop up.
Request our White Paper – The Evolving Role of OSINT
Detect Emerging Trends with OSINT Word Clouds
Thus, paying attention to what words appear, grow, and shrink within a word cloud that you’re tracking over time can give the analyst a vital window into how targets are talking about whatever issues are important. Understanding how the language is changing is vital to ensuring that you don’t fall behind in tracking the conversation – the last thing you want to happen is for a threat group to actively discuss something relevant but have it missed because the evolving importance of a certain word or phrase got missed in the shuffle of the other analytical work you’re doing!
At the end of the day, the word cloud isn’t going to solve all of your analytical problems. I wish it could! But I’ve gotten into the habit recently of forcing myself to check and compare recent word clouds (or word cloud data) over time on some of my longer-running cases, and the results have been interesting. The most frequent use case is that the shifting words cause me to do a deep dive into a newly important/high-volume phrase that I haven’t seen before – and one way or another, I learn more about my audience and their interests. Even if the word(s) in question don’t turn out to be relevant to my next report or presentation, I’ve learned more about how a community or group of interest is talking, and I’ll be better equipped to understand future linguistic evolution and weird, unfortunately, relevant internet turns of phrase and threat indicators that may be hidden within text through the use of code or slang when the next big issue arises.
To learn more about detecting threats with OSINT, sign up to the FIvecast Intel Hub
