SOCMINT is an abbreviation of Social Media Intelligence (in Turkish, Sosyal medya Istihbaratı). It is defined as the analyses and solutions that intelligence agencies, organisations or governments produce in response to their needs by monitoring conversations taking place on social channels, responding to them, and examining data-driven social conversations. SOCMINT emerged with the increase in OSINT sources.
In particular, the examination of people’s actions, behaviours and conversations on social networks, the measurement of reactions to social events, and the events brought about by terrorist organisations or cyber attackers have shown how important this data analysis is. With SOCMINT, the rule of law, privacy, civil liberties and even copyright come under threat, because, unlike OSINT, SOCMINT brings non-open (that is, intrusive) intelligence activities into play. When we look at the main components of SOCMINT, we see data collection and intelligence activities.
In the second, non-open intelligence activities, NOSINT or covert intelligence (reading other people’s private messages or e-mails) is used. Naturally, while working under legal rules, public acceptability must also be considered. Non-open data collection activities have played the most decisive role in SOCMINT’s long-term success. It is perhaps a morally questionable activity, but it has emerged as a publicly available and legally accessible option. This feature of SOCMINT remains a frequent subject of debate even today. In the legal field especially, these debates have made clear that new rules and laws need to be put in place.
Social media usage is among the most fundamental forms of internet usage. Many social networks such as Facebook, Twitter, Instagram and LinkedIn are used actively, on a daily basis, by millions of users. The text, image, video and audio data that users upload and share also mean that a great deal of data with informational value is in circulation on the internet. It was, of course, likely and unavoidable that intelligence organisations would start using this new technology to enrich their intelligence sources.
Alongside OSINT, in SOCMINT intelligence has moved into a different dimension. While open source intelligence is used with OSINT, in SOCMINT information-gathering activities are carried out through open or closed profiles, with intrusive or non-intrusive methods.
Social media has become a very important intelligence environment, both for detecting social events in advance and for retrospective research on events that have already taken place. Given the volume of data produced, intelligence derived from it through various algorithms has begun to matter for social events.
SOCMINT, which has become a sine qua non of cyber intelligence, is seen in today’s internet world as an important area in which governments and intelligence agencies make large investments.
Countries have begun to set up cyber intelligence units within their intelligence agencies and, because of the important tools and requirements of cyber intelligence, are training special teams that will take traditional methods to a higher level. By using different programs and algorithms to meet these requirements, it has become possible to obtain the desired, accurate results from social media data.
Social media sites, which are very important from an intelligence perspective, have begun to be analysed for commercial, academic or security purposes. At the same time, it is necessary to underline that the data produced on social networks is being monitored (kept under record).
The fact that people around the world have such close and rapid interaction with one another has also increased the effect of social media sites in mobilising the masses. At the same time, both social media sites and the number of people using these sites continue to grow day by day.
During the 15 July uprising that our country recently went through, social media was also used effectively, and communication between politicians and the public was supported through social networks and internet broadcasts. While the coup organisation tried to shut down television channels, people communicated via social media, took to the streets and stood against the coup plotters.
Similar examples are seen in Turkey and around the world and continue to take place. These events have once again revealed the need for countries to concentrate on social media, in terms of both state intelligence and commercially oriented intelligence. Social media has ensured that the virtual world turns into reality, and in a sense has led to the “virtual life being seen as a shadow of real life”.
It has been clearly demonstrated that this area, called cyberspace, provides both an advantage and a disadvantage for national security with the technology of the information age. In short, just as cyber struggle is used as an important tool in the fight against organised crime and terrorism, it is also used by these organisations, which may pose a threat to national security, to obtain strategic information.
Thanks to social networks, people have come to a point where they can establish communication networks with one another, influence large communities, and transmit their ideas to millions of people within seconds. In this way, individuals or communities have begun to create their own media and agendas.
It is also an unavoidable situation that, in such an information-rich environment, there may be people, brands or intelligence organisations who want to use this information in useful, harmful or commercial ways by monitoring it.
At this point, “Cybersecurity” gains importance. Cybersecurity covers the tools, policies, risk management and similar activities used to protect the assets of individuals, organisations or institutions in virtual environments. Cybersecurity is the provision of the confidentiality, integrity and availability of our actions, behaviours and virtual world in all kinds of electronic environments. For this reason, cyber intelligence work for security purposes has become one of the most important topics of today.
Thanks to the major reflection of social networks in daily life and the big data that emerges, there is a need to seek different solutions at the cyber level for individual, corporate and state security issues. Some countries are able to obtain intelligence on the people they want, thanks to the agreements they make with social media owners. Even if social media giants such as Facebook and Twitter have strict rules, in some cases states can obtain what they want from these sites directly or indirectly. With the emergence of OSINT and SOCMINT, these intelligence activities have rapidly increased.
In today’s world, we can say that in Western societies many intelligence companies allocate considerable budgets for the development of internet technologies that will enable detailed analysis of internet user information.
In the concept of cyber intelligence, SOCMINT or OSINT covers data collected both on open channels and over closed networks. This data, alongside social networks, must also include forums, Deep Web environments, blogs and even closed groups.
We see that governments place a great deal of importance on this issue and, by engaging in unlawful initiatives, are punishing people based on data collected through SOCMINT and similar next-generation cyber intelligence tools.
We can give as an example of this situation a Palestinian case in Israel. A 15-year-old Palestinian girl was arrested by the Israeli police merely for writing “forgive me” on her Facebook wall, and in the statement made to the press it was indicated that she had been taken into custody on the grounds that “she was about to carry out an attack”.
We can liken this situation to the following example. You are walking down the street, a patrolling police officer looks at you, and for no reason at all blocks your way with his vehicle and bundles you off under arrest. At this point there is no reason, and you have been taken into custody on suspicion. The suspicion is simply that you are walking down the road.
When we look at traditional rules, we can say that formal procedures such as evidence, a search warrant, suspicion and a court ruling are required. Or, when you are taken into custody on suspicion, shortly afterwards you should regain your freedom by giving your statement. However, when the incident takes place through social networks, we see that rules and laws are being violated. Today, we are seeing that in many countries, including those of the most important democracies, such follow-up, surveillance or arrest decisions are being taken in a manner that does not recognise laws or rights.
In short, by governments, by intelligence agencies or by other persons, individuals can be listened to and watched through social networks, and analyses can be performed on them so that predictions can be made. And in cases of risk that may emerge in these predictions or analyses, your freedoms can be restricted.
We can see that the British use many tools alongside SOCMINT at this point. According to statements that have appeared in the press, under the control of a 17-person team within the British intelligence service, every kind of data, including publicly accessible Tweets, YouTube videos, Facebook and Instagram profiles, is being examined and tracked. Moreover, this data does not need to be public. That is, it is stated that closed profiles are also under surveillance. With many reporting tools in which SOCMINT is combined with artificial intelligence, the data collected is passed through certain filters in order to reveal risk situations.
Sentiment Analysis is used to detect mood, Horizon Scanning is used to check whether there is any criminal element in the data you share on the internet, Facial Recognition Technology is used to identify real identities from shared photos and videos, and Geo-Location technology is used to mark on maps, retrospectively, the location you connected from and the places you have visited.
Imagine someone following you as you walk down the street. It is quite natural that you would be uncomfortable. While you are surfing the internet, too, people are tracking you, analysing you and commenting on you. Moreover, they can have more than the data you produce while walking down the street. At this point, the British state that they use SOCMINT and similar cyber intelligence techniques to understand who in society is saying what, and how, and to ensure community safety. On the other hand, according to rumours spread on the internet, it is stated that the British government has placed 9,000 people, who are linked to political groups or said to be activists, on a special list for close monitoring. That is to say, it is possible to say that not only what these people say but even their private messages are being tracked!
Again, in the recent past during the London riots, we see that the British police collected social media data in a way that exceeded the boundaries of private life, used the intelligence they uncovered to put down the riots, and took preventive action for similar situations.
We would like to draw your attention to the article by Michael Tauberg, in which an analysis of US President Trump’s tweets was carried out. Unlike other presidents, Trump exhibits a different style of administration in the USA. At this point, we see that he also uses Twitter actively.
It is possible to say that the Tweet analyses carried out for Trump are a special study that can be shown as an example in the field of Cyber Intelligence. When we look at the data that emerges from this analysis, in which more than 24,000 of Donald Trump’s tweets were analysed…
He uses simple language.
When you read Trump’s tweets, the first thing that emerges is how simple his use of language is. To analyse their complexity, the tweets are run through the Hemingway application, and a reading level of 5th grade is detected. Note that simple words are effective, and it was witnessed that Trump’s tweets shared about many heads of state caused major repercussions.
If we look at the most frequently used words in Trump’s tweets (removing words such as and, or, a), we can see that they are short and clear.

The chart above shows the most frequently used words in Trump’s tweets. Most of this simple language stems from Trump’s adherence to standards in his choice of adjectives. The most common word in Trump’s lexicon is “great”. If we list his other common adjectives in his tweets, the use of simple language (good, bad, best, worst, new, old, fake, fair, smart, dumb) is the pattern.

When we look only at these adjectives, another tendency emerges. Most of Trump’s descriptive words have been used positively (see those shown in blue).

Sentiment analysis was also carried out while the tweets were being analysed. We can define sentiment analysis as mood analysis (emotion analysis). It emerges that the tweets were sometimes shared in a positive mood and sometimes in an angry one.

The chart above shows that tweets from Trump’s Twitter account are sent from two separate devices. Using this data, obtained via the Twitter API, the tweets are examined separately by device. The result revealed that Trump sent his own tweets from his personal phone, a Samsung Galaxy, while his adviser used an iPhone. In other words, the tweets sent from this account were shared by two separate people, the second of whom was identified as his adviser.
According to this data, the harsh tweets came from the Android device, while the softer posts came from the iPhone. The emotion analyses clearly confirm this. Images and links are used frequently (38 times more) in posts coming from the iPhone, and much less often in posts coming from Trump’s Android phone.
After these analyses were performed, the White House Director of Social Media made a statement and confirmed this data. After this data was confirmed, it was stated that the use of Trump’s Samsung-brand phone had been discontinued because the FBI had identified a security risk.

When we look at what the most frequently used words in Trump’s tweets generally were, and at the kind of conclusions we can draw from these words, we can say that when a shared Tweet has no hashtag and uses negative words, it was sent by Trump personally. On the other hand, it has been revealed that Trump uses many “emotionally charged” words such as “bad”, “crazy”, “weak” and “dumb”, and that these are overwhelmingly more common compared to the tweets sent from the iPhone.
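The per-device comparison described above, as an added example that is not code from the cited analysis: it groups records by posting client, measures hashtag, link and charged-word rates, and scores the "no hashtag plus negative word" rule against the recorded device. The records and the `source` labels are constructed; the charged-word list is the one quoted in the text.

```python
import re
from collections import defaultdict

# Constructed sample records, not real tweets. "source" stands in for the
# client-name metadata the article says was obtained via the Twitter API.
SAMPLE_TWEETS = [
    {"source": "Android", "text": "Such a bad deal. Weak leadership, dumb decisions!"},
    {"source": "Android", "text": "Crazy coverage again. Bad!"},
    {"source": "Android", "text": "Great crowd tonight, thank you!"},
    {"source": "iPhone", "text": "Join us tomorrow #Rally https://example.com/event"},
    {"source": "iPhone", "text": "Thank you Ohio! #Tour https://example.com/photo"},
    {"source": "iPhone", "text": "Watch the interview tonight https://example.com/video"},
]

CHARGED_WORDS = {"bad", "crazy", "weak", "dumb"}  # words quoted in the article
URL_RE = re.compile(r"https?://\S+")
HASHTAG_RE = re.compile(r"#\w+")


def features(text):
    """Extract the three per-tweet signals the article compares by device."""
    # Drop URLs before tokenising so path fragments are not counted as words.
    words = set(re.findall(r"[a-z]+", URL_RE.sub(" ", text).lower()))
    return {
        "hashtag": bool(HASHTAG_RE.search(text)),
        "link": bool(URL_RE.search(text)),
        "charged": bool(words & CHARGED_WORDS),
    }


def profile_by_source(tweets):
    """Return, per posting client, the share of tweets showing each signal."""
    buckets = defaultdict(list)
    for tweet in tweets:
        buckets[tweet["source"]].append(features(tweet["text"]))
    return {
        source: {
            "count": len(rows),
            "hashtag_rate": sum(r["hashtag"] for r in rows) / len(rows),
            "link_rate": sum(r["link"] for r in rows) / len(rows),
            "charged_rate": sum(r["charged"] for r in rows) / len(rows),
        }
        for source, rows in buckets.items()
    }


def heuristic_agreement(tweets, personal_source):
    """Score the rule 'no hashtag + charged word => personal device'
    against the device label recorded for each tweet."""
    correct = 0
    for tweet in tweets:
        f = features(tweet["text"])
        predicted_personal = f["charged"] and not f["hashtag"]
        correct += predicted_personal == (tweet["source"] == personal_source)
    return correct / len(tweets)


if __name__ == "__main__":
    for source, stats in profile_by_source(SAMPLE_TWEETS).items():
        print(source, stats)
    print("rule agreement:", heuristic_agreement(SAMPLE_TWEETS, "Android"))
```

On the constructed sample the rule misses the one neutral tweet sent from the personal device, so client metadata, not wording alone, is what separates the two authors.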
In conclusion, if there were no SOCMINT or OSINT, how much time, money and effort would we have to spend if we wanted to obtain this information? By asking this question, we can emphasise the importance of OSINT and SOCMINT. Even if it is the President of the USA, we are living in an era in which, with new-generation cyber intelligence sources such as OSINT or SOCMINT, we can reach much more data much more quickly and at affordable cost.
On social media platforms, surveillance has become possible with SOCMINT. Messages published publicly or privately (closed accounts, private posts) are becoming examinable. Of course, we can also include closed groups in these posts. As SOCMINT develops, we are heading towards a world in which even private messages sent through social media can be read.
When the data of users on whom SOCMINT is performed is examined, their interests, political choices, preferences, behaviours and much more information can easily be reached. When we look at the predictions made, it can be seen that they reach successful results with 80% accuracy. Social media intelligence combined with artificial intelligence can produce accurate intelligence through big data analyses.
However, SOCMINT alone will not be sufficient. SOCMINT, OSINT, HUMINT, GEOINT, SIGINT, IMINT and many other intelligence types need to be used together.
On the other hand, it is not limited only to Twitter and Facebook profiles. Data is entered from many points, including blogs, forums, Deep Web sources, YouTube, Instagram and other networks. Users usually have more than one social media account, and it emerges that different information can be reached through each network. We see that a user who develops a political discourse on Twitter shares personal messages on their Instagram account, and shares messages aimed at family and similar friends on Facebook.
Many analyses can be carried out on the content shared. Not only on the messages shared, but also on content such as photos and videos, a great deal of data can be obtained, such as location (GPS) information, sound, environment and emotion analysis. We see that, just as users share information specific to themselves on social networks, they also share information such as the birthdays, marriages and political views of their friends.
We see that measuring and understanding the viewpoint of millions of people who share ideas, debate, talk, have fun, condemn and applaud in digital environments has broad value for many areas, interest groups and industries.
In addition to the use of SOCMINT as a source of information, it also needs to be made acceptable to the public by law enforcement and governments. At this point, putting in place the necessary laws and determining the necessary rules are of importance. Because, in the analyses performed, results can now emerge that threaten the security of personal data, by way of intrusive practices and the obtaining of personal data. The most important condition in the use of SOCMINT is that it must be legitimate. However, in Europe and America too, the problems and debates around the legitimacy of SOCMINT continue.
Many states have a legal framework for the regulation of intrusive intelligence gathering for the purposes of ensuring national security and the prevention and detection of crime. The content of such legislation should specify and limit, at the legal level, the procedures to be followed for the access rights required for intrusive SOCMINT.
The opportunities offered by the popularity of social media are striking. At this point, SOCMINT must be a member of the intelligence and law enforcement services.
With SOCMINT, sentiment evaluations must be performed. Put simply, “sentiment analysis” can be translated as ‘Emotion Analysis’. It analyses whether the comments made by the audience speaking about a person, organisation, product or social issue are positive or negative, along with their emotional and psychological state. Sentiment analysis has today become an indispensable part of SOCMINT.
A great deal of intelligence data has been obtained from a test account created for this purpose. In this test, a fake profile was created on social media such as Facebook, Twitter and LinkedIn and described as a cyber threat analyst working in the naval forces. The data coming from this fake account was analysed, and interesting results were reached.
Through the fake account, contact was made with senior managers working at the US Department of Defense and other US intelligence agencies. At the end of the two-month test, job offers were received from important firms such as Google and Lockheed Martin, dinner invitations were received from men, many intelligence personnel became friends with this fake account, and operational security and personnel security rules were violated with most of the information that was offered to it.

Cyber intelligence has become important for organisations. In recent years, many products and solutions on cyber intelligence have been brought to market. These products and solutions generally collect data from open sources and produce alerts so that organisations can take measures against risks that may threaten them. However, at this point, using only open sources (Pastebin, forums, blogs, Twitter, Facebook and so on) will not be sufficient.
Because, in targeted cyber attacks, cyber attackers can also share this kind of information through Deep Web sources and closed illegal hacker forums. Naturally, organisations are forced to examine closed sources as well in terms of cyber intelligence.
When we examine Deep Web sources, we see that, particularly in closed hacker forums, very critical corporate data, hacked data of banks, or information such as hacked credit cards are present, sold or shared.
On the other hand, organisations come under hundreds of attacks every day. During these attacks, too, many clues can be left on corporate networks and security devices. Among the information left behind by cyber attackers are fake e-mail addresses, user-agent information, IP addresses, header information, EXIF information, signatures and information obtained from the code inside the malware that has been deployed, and much more data.
Organisations have come to a point where, using this information against cyber attacks, they can extract the identities of the attackers, the attack methods they used, and forensic analysis information from the traces they have left behind. Naturally, by using SOCMINT and OSINT sources, they can take measures against these attacks or gain an advantage in identifying the attackers.

The most important OSINT / SOCMINT example we can give here is the WannaCry attacks of recent years. The WannaCry attacks first started in Russia and Ukraine. After cyber intelligence products first detected these attacks in Ukraine and Russia, security experts forwarded the IPs, User-Agent, attack vector and domain names obtained in the WannaCry attacks to the organisations and institutions they served. By passing this information on before the attacks had even started in Turkey, they developed defensive measures: the IPs and domain names used in the attack were placed on blacklists and blocked by products such as Firewall, Endpoint, IPS and IDS. Naturally, firms using cyber intelligence were not affected by these attacks or got through them with little harm, whereas we witnessed these attacks causing major damage in firms that did not receive a cyber intelligence service.
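The indicator matching described above, as an added example (not code from Privia Security or from any product named here): a shared feed of IPs, domain names and User-Agent strings is checked against proxy log lines to raise alerts. The feed entries, the key=value log format and the field names are constructed for illustration and are not real WannaCry indicators.

```python
import ipaddress
import shlex

# Constructed feed: documentation-range IPs and reserved ".example" names,
# NOT real WannaCry indicators.
FEED = {
    "ip": ["192.0.2.10", "198.51.100.0/28"],
    "domain": ["c2.threat.example"],
    "user_agent": ["EvilLoader/1.0"],
}

# Constructed proxy log lines in a hypothetical key=value format.
LOG_LINES = [
    'ts=2024-01-01T08:01:11Z src=10.1.4.22 dst=192.0.2.10 host=files.vendor.example ua="Mozilla/5.0 (X11)"',
    'ts=2024-01-01T08:01:15Z src=10.1.4.23 dst=203.0.113.5 host=www.C2.threat.example. ua="Mozilla/5.0"',
    'ts=2024-01-01T08:02:40Z src=10.1.4.24 dst=198.51.100.9 host=update.vendor.example ua="evilloader/1.0 beta"',
    'ts=2024-01-01T08:03:02Z src=10.1.4.25 dst=203.0.113.8 host=notc2.threat.example ua="Mozilla/5.0"',
    'ts=2024-01-01T08:03:30Z src=10.1.4.26 dst=not-an-ip host=intranet.corp.example ua="curl/8.0"',
]


def parse_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_event(event, feed):
    """Return the (indicator_type, indicator) pairs that the event hits."""
    hits = []
    try:
        dst = ipaddress.ip_address(event.get("dst", ""))
    except ValueError:
        dst = None  # malformed address: skip the IP check, keep the others
    if dst is not None:
        for entry in feed["ip"]:
            # strict=False lets single addresses and CIDR ranges share one list.
            if dst in ipaddress.ip_network(entry, strict=False):
                hits.append(("ip", entry))
    # Normalise case and the trailing root dot before comparing names.
    host = event.get("host", "").lower().rstrip(".")
    for domain in feed["domain"]:
        # Exact name or a true subdomain; "notc2.threat.example" must not match.
        if host == domain or host.endswith("." + domain):
            hits.append(("domain", domain))
    ua = event.get("ua", "").lower()
    for needle in feed["user_agent"]:
        if needle.lower() in ua:
            hits.append(("user_agent", needle))
    return hits


def triage(lines, feed=FEED):
    """Return one alert per log line that hits at least one indicator."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        hits = match_event(event, feed)
        if hits:
            alerts.append({"src": event.get("src"), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(LOG_LINES):
        print(alert)
```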
Privia Security Github:
https://github.com/Privia-Security