Unsuccessful targeted cyber attacks can yield useful information on future targets and attack vectors, according to a researcher at security firm Symantec.
This suggests that IT departments would be well advised to share data on all types of persistent attacks with their security vendors, in order to be better safeguarded in future.
Martin Lee, senior analyst at Symantec, wrote on his blog that his resesearch is aided by the small number of targeted attacks, and the fact that attackers will often keep trying to breach the target's security.
"Since April 2008, when we started recording such attacks, we have identified 72,500 targeted attack emails sent to 28,382 email addresses," he wrote.
"To put this into context, we block approximately 500,000 malicious emails each day, sent to the approximately 10 million email addresses that we protect.
"However, the rarity of targeted attacks and the persistence of attackers can be exploited by researchers to draw up maps of activity of what may be the activities of single gangs."
He explained that companies are often reluctant to release details of successful attacks for fear of revealing their own security failings, but details of unsuccessful attacks can also prove useful.
Presenting his research at the Virus Bulletin conference in Barcelona this week, he explained the type of intelligence likely to be held in this data.
"By looking at the kinds of organisations that are being targeted, the industries that they're in and other data such as geographic location, it's possible to identify some interesting patterns," said Lee, according to security firm Kaspersky's news service Threatpost.
"We can come up with guesses as to who's next. It's an interesting question.
"What tends to get overlooked is the attacks that weren't successful and were identified. Once you start pulling the data together, you can analyse it topologically and see what's going on."
However, there are still areas of uncertainty, in particular when it comes to understanding the reason behind some types of attack.
"It's not clear what the business model is with many of these attacks," he said. "We don't necessarily know how they're making money from this."