As investigators, we often find that there is a significant disconnect between what less-informed security managers THINK can be discovered during the course of an online investigation versus what ACTUALLY can be discovered. This two-part series from Ami Toben and Travis Lishok gives an appropriate account of how online investigations inform operations on the ground and vice versa. Each has its strengths and weaknesses. And when used in combination with each other, our protective operations have a great advantage.
CREDIT: “The OSINT Connection: Intelligence in Executive Protection” was originally published by Protection Circle, a publication focusing on corporate sector surveillance detection and covert protective operations.
In this article, Travis will describe how to conduct an Open-Source Intelligence (OSINT) investigation and explain the value it can bring to a protective operation. My angle (to appear as a second installment) will cover the follow-up stages after receiving the results of the OSINT investigation, starting from field protective intelligence and culminating in physical protective results.
To set the scene, the event we’re looking at was a political fundraiser that took place in a large metropolitan convention center. There were over 1,500 attendees, and the event included a stately dinner with various distinguished speakers on stage.
Since the political organization that hosted this fundraiser has quite a few enemies, much attention had been given to the online forums and social media pages that are often used to coordinate protests and disruptions at this organization’s events. It was on one of these forums where a specific individual expressed his intention to get himself into the venue (in order to collect information and possibly disrupt it) and made it clear that he had the legitimate means of achieving this feat.
The details we got were very precise and included the name and even the photo of this individual, who belonged to a student organization that vehemently opposed our client. We even knew by which legitimate means the individual intended to enter. We advised our client not to let him into the event, but were told that for public relations reasons, he was not to be turned away. We would check him thoroughly but if no contraband was found, we were instructed to let him in.
Now that I’ve set the scene, let me hand the controls over to Travis so he can show us what we can gain from an OSINT investigation.
In approaching this situation from an open source intelligence (OSINT) perspective, it is our primary goal to answer this question:
Is the individual or their organization likely to take action at the event?
We are primarily concerned with violence or embarrassment directed toward the client, and to a lesser degree any attempts to harm the image of the client (their event, their organization, etc.).
I will use an analogous real-world subject and student organization to give you a detailed, realistic example of how this unfolds in the real world.
If you’ve ever been to any of the University of Nevada campuses, then you would know that this organization, and others like it, have a constant and aggressive presence: Students for Justice in Palestine (SJP). For our purposes, we will specifically focus on the UNLV Chapter. I chose to use this organization and its former president as examples because they fit all of the characteristics that we would expect, given our scenario above. Plus, anyone involved in higher education could relate this to their personal experience with politically active organizations.
During our research & analysis, we will attempt to answer the following questions to assist in our assessment of the subject and their organization.
- Is the individual or their organization likely to take action at the event?
- Does the subject/organization have a history of violent, threatening, or criminal behaviors?
- Is the subject seeking knowledge about the client and the client’s current situation?
- Does the subject possess, have access to, or give evidence of a fascination with weaponry of any type?
- What is the status of the subject’s inhibitors, including any recent losses?
- Has the subject engaged in any ‘final act’ behaviors?
*For a more detailed analysis of these specific questions, refer to my previous post: Assessing Threats in 20 Questions (or Less).
ADDITIONAL RESEARCH NEEDED TO ASSIST FIELD OPERATIVES
During our research, it would be helpful for us to further support the field operatives by gathering the below information:
- Picture of subject.
- Picture of subject’s vehicle w/license plate information.
- Picture of subject’s associates.
IMMEDIATE AREA OF CONCERN
Since the subject is attending the event, we can confirm that they are actively researching the client and engaging in at least a minimal amount of planning. Even if this isn’t hostile in any way, it is important to be conscious of it. This is concerning because we know that research, planning, and preparation are part of the “Path to Intended Violence”. By conducting more online research, we may find evidence to support or contradict this concern.
*Refer to the simple illustration below, depicting the “Path to Intended Violence” as described by the authors Frederick Calhoun and Stephen Weston in Threat Assessment and Management Strategies (second edition).
PATH TO INTENDED VIOLENCE
Grievance → Ideation → Research and Planning → Preparation → Breach → Attack
INTELLIGENCE COLLECTION MIND MAP
The graphic below is a mind map that gives a simplified illustration of my research process. The primary focus is (1) the subject and (2) the subject’s organization.
MIND MAP EXPLANATION
Beginning with the subject, our most valuable sources of information are his social media profiles. These are going to provide us with the most current and detailed information. Once we discover the subject’s email address or username, we can use these pieces of information to search across all relevant social media sites. It is a common theme in online investigations that most users will use a single username across all of their accounts (Facebook, Twitter, Instagram, etc.).
*What if their accounts are private? Then the researcher can target their associates’ profiles and view conversations/interactions between them (target by proxy).
Once we collect information about the subject from open sources, we can next try closed sources such as proprietary databases which typically require a private investigator’s license (or similar barrier to access). These sources would reveal the subject’s previous arrests, debts, associates, and detailed personal information. (For the purpose of writing this post, I did not run the subject’s name through these databases). After viewing both sets of sources, we should have enough information to form a foundation for answering the question, “Is the subject likely to take action at the event?”
Next, we can begin our research about the organization itself. First, Students for Justice in Palestine at UNLV (SJP) has an official website where they make announcements and share their views. Here, they left a contact email for the organization on the main page. This is immensely helpful because we can search this email address in Google to find more pages that are associated with it. Plus, it is highly likely that this email address was used to set up all of SJP’s social media accounts.
*Side Note: Michael Bazzell, author of IntelTechniques.com, has stated, for this very reason, that the target’s email address is the single best piece of information to have when beginning an OSINT investigation.
After discovering the username that is used for SJP’s social media accounts (“SJP at UNLV”), it was easy to find their Facebook Page, Twitter, YouTube, associated Instagram hashtags, Tumblr, Facebook Group, Google Group, Yahoo Group, and online repositories they use to share their literature (Scribd & DocShare). Some of their group pages were not open to the public; however, this barrier could potentially be circumvented. Also, on the UNLV website, the organizers of the SJP UNLV chapter were listed by name.
Lastly, there were several websites that wrote detailed profiles about SJP (not necessarily the UNLV chapter), detailing their activity and classifying them as hate groups.
SUMMARY OF FINDINGS: SUBJECT
I was able to discover his social media profiles, articles he published, and Google Drive documents in which a pro-US/Israel group wrote a detailed profile about him (including his personal blog, his associates, his activism, pictures of him, and more).
To assist the field operatives, I was able to find the following: pictures of the subject, pictures of his associates, but no picture of his vehicle. I did not find any significant evidence to support a hypothesis that the subject is likely to act out violently or otherwise at the event. In addition, I was unable to find any evidence of previous violence/criminality, familiarity with weapons, loss of inhibitors, or final act behaviors.
Since the subject is a graduate student, and the leader of his organization, these are likely to inhibit him from doing anything extreme, such as acting out violently. However, I am concerned that the subject’s personal blog contains violent poetry and literature. This likely has a significant influence on his personal outlook, plus he could influence others to act violently through this literature.
SUMMARY OF FINDINGS: SUBJECT’S ORGANIZATION
For SJP UNLV Chapter, I was able to discover their official website, UNLV organization page, social media profiles, online communities, online repositories where they share their literature, and third party sites that comment on controversial groups such as SJP.
I was unable to find instances where the SJP UNLV Chapter acted violently or interrupted events. However, I was able to find instances of alleged violence against students, and evidence of shouting down speakers they disagree with, by other SJP Chapters. Given this information and the information about the subject, I would estimate that there is a low to medium risk that the SJP UNLV Chapter would potentially act out (violently or to disrupt) at the event.
If we had more time to invest, it would be worthwhile to analyze trends set by SJP chapters at other NV campuses, to anticipate evolving tactics by the UNLV chapter.
Intelligence is about making judgments about the future, interpreting problems, and supporting decision makers. There are significant limitations for anyone attempting to make judgments about the future by only using OSINT tools. These limitations include, but are not limited to, the following: source reliability, analyst biases, limited time, limited information, etc. Therefore, intelligence collection and analysis, in terms of OSINT, is only one part of the protective puzzle. It gives the operatives working in the field limited concrete details and a dynamic framework to view the situation. Where the limits of OSINT end, field intelligence begins (which we will cover in the next article!).
Author Bio: Travis Lishok, CPP
Travis has nearly 10 years’ experience in public and private sector security, to include conducting intelligence research and supporting executive protection teams. As a professional project, Travis creates protective security related content via EP Nexus, some of which specifically focuses on OSINT, travel risk, and related topics. As you’ve seen in this article, investigative research is a topic that he is enthusiastic about sharing, and that’s why we invited him to contribute this valuable piece.
Author Bio: Ami Toben
Ami Toben is the owner of Protection Circle, and the director of consulting, training and special operations for HighCom Security Services. He specializes in terrorist activity prevention, surveillance detection, and covert protective operations. Born and raised in Israel, Ami has over 15 years of military (IDF) and private sector security experience. Currently based in the San Francisco Bay Area, Ami has been providing high-end protective services to Fortune 500 corporations, foreign governments, foundations, nonprofit organizations and wealthy individuals.