Terrorism Case Studies

Once a general grasp of the terrorist hostile planning process is attained, the important role of case studies is to take this subject out of mere theoretics and show how the planning process was actually, physically, conducted in real life. The classic type of terrorist case study seminar or article has, for obvious reasons, become quite popular, as the case studies in and of themselves are fascinating stories. But If at the end of an article or seminar on case studies, all you are left with is a general understanding that attacks should be prevented, then you have been short changed. Case studies that do not reveal specific information about hostile planning, and that subsequently have nothing to teach you about how to potentially prevent hostile planning in the future, are no more than interesting stories.

The goal of this article is to explain as much as possible about hostile planning through actual real world case studies, and to lead the conversation towards actual real world methods which can be used to disrupt such planning. Remember, the idea is to understand the general logic behind the hostile decision making process. Most of the intricate details of specific attacks, as fascinating as they are, can do little to teach us exactly how we can decrease the chances of future attacks, because it is very unlikely that any of the intricate details will ever repeat themselves in exactly the same way. Therefore, as fascinating as the details of these attacks might be, try to take a wider angled approach to case studies because the measures of prevention (detailed in future articles) must also necessarily be wide angled. Understanding every single detail about every single case study will not, therefore, lead you to understanding every single detail about how future attacks can be prevented. And though we strive to take as much of the guesswork out of our attempts to prevent the next attack, we must accept the fact that we cannot eliminate it completely. The idea is to locate as many hostile planning common denominators as we can, try to find common vulnerabilities in them, and formulate common solutions that can exploit these vulnerabilities.



Planned and executed by Timothy McVeigh with assistance from Terry Nichols and Michael Fortier.

On April 19, 1995, at 9:02 a.m. a rented Ryder truck, containing over 4,800 pounds of explosives, detonated in front of the north side of the nine-story Alfred P. Murrah Federal Building. The explosion destroyed a large part of the building, killing 168 people and injuring 680.

This was the largest terrorist attack on US soil before 9-11, and serves as one of the strongest case studies to date, since the planning for this attack was so extensive, and so much information is known about it.

What follows is a breakup of the hostile planning process as it was actually put into action:

Selection of potential targets

A number of federal buildings were considered for this attack, including locations in: Missouri, Arizona, Texas, and Arkansas.

Open source information collection

Using the relatively limited capabilities that were available in the mid 1990s, McVeigh still managed to collect information about the locations of federal buildings, and the specific agencies that were housed in them.

Initial surveillance

McVeigh traveled to each of his potential targets to get a general idea about them, and to compare each target to the others in order to determine which was the best/easiest target.

Final target selection

Selecting the best target was relatively simple, as it became apparent that the Oklahoma City federal building fit all the requirements set by McVeigh, and was found to be the easiest target in all three categories mentioned in The Hostile Planning Process: It was easy to physically park a truck-bomb in front of the building – it even had a part of the curb dedicated to delivery trucks; it was easy to collect information about the building – to establish that it would be easy to park a truck in front of it in the first place; and it was easy to collect this information covertly – during the entire process of surveillance (initial, operational, advanced and last minute) no one had ever noticed what McVeigh was doing, much less questioned him about it.

The Alfred P. Murrah Federal Building was also seen as a good target due to the large open space in front of it (a parking lot). This space, according to McVeigh, would not only limit non federal casualties, but would allow for good media coverage of the attack by supplying many angles from which the destruction could be photographed.

Operational surveillance

Though McVeigh already had a general idea about using a truck-bomb, he still spent a few weeks around his selected target, collecting as much information as he could in order to establish precisely when and where to attack..

Operational planning

Though this step had begun long before, when McVeigh and his accomplices had started to gather, buy, and steal large amounts of explosives – storing them in a rented storage unit – they still needed to plan how and when the truck-bomb would be delivered to the target. They also considered various ways in which the explosives would be placed inside the truck in order to maximize the blast efficiency while reducing the risk of being discovered. McVeigh had also decided that the attack should not take place when the building was empty and should instead inflict many casualties in order to make a stronger political statement.

Training and rehearsal

McVeigh conducted training by putting together a prototype bomb using a plastic Gatorade jug containing ammonium nitrate, liquid nitromethane, a piece of Tovex sausage, and a blasting cap. This prototype was then detonated in a remote desert. The fact that McVeigh did not omit this important step was a testament to his deadly capabilities and know-how. As was mentioned previously, many of the failed attacks in recent years (shoe bomber, underwear bomber, Time Square bomber, etc) can be directly attributed to the attacker’s failure to conduct this step.

McVeigh did not conduct a rehearsal (dry-run), for two logical reasons. First, over the course of weeks, he observed a sufficient number of trucks driving up and parking in front of the building to conclude that rehearsing what turned out to be such a mundane action would be quite unnecessary. Secondly, if he were to conduct a proper rehearsal – rent a truck, with his fake ID (which he later used), park this truck in front of the federal building, and then spend time observing it from a distance, he would take the risk of someone eventually asking some questions and perhaps uncovering the plan. For these reasons, McVeigh decided to skip this step – the only such skip he made.

Advanced surveillance

Despite his skipping the rehearsal step, McVeigh still conducted a considerable amount of advanced surveillance. This advanced stage of surveillance, and subsequent planning, could only come after the general details of the operational planning had been decided. Having knowledge about the location of the truck-bomb and the approximate blast radius,  McVeigh surveilled and planed out the route he would take on his way to the federal building while driving the truck-bomb, the route that he would take on foot from the truck after he parked it, and the amount of time it would take him to get himself out of the blast radius before the explosives detonated. He then based the length of the bomb’s fuse on the amount of time he would need to get out of harm’s way (he set it at 5 minutes). McVeigh then surveilled a safe location for his getaway car (a yellow Mercury Marquis), and a route to get back on the highway; making sure that both the location of the car and the route to get on the highway were outside of the blast radius.

Last minute surveillance

This was conducted from inside the truck as McVeigh made his way to the federal building – making sure he had a spot to park his truck.


McVeigh parked the truck in the drop off zone in the front of the building, got out and walked on his predetermined route towards his getaway vehicle. At 9:02 am the explosives contained in the truck detonated.

Escape and exploitation

McVeigh’s initial escape on foot went according to plan but because he had removed the license plates from his getaway vehicle, he was stopped by a state trooper on the highway as he was driving away from Oklahoma City. He was then discovered to be in possession of a concealed weapon and was arrested. Though the rented Ryder truck that was used for the attack was completely destroyed, federal agents discovered the identification number of the truck, traced it to the rental agency and eventually reached McVeigh (who was still in custody).

This attack provides a vivid illustration of how hostile planning, when conducted meticulously and properly, can result in devastatingly effective attacks.

For the sake of brevity, the following cases will not be broken down in the same detailed manner as the Oklahoma case was. Each case will however shine a light on specific hostile planning steps, in order to show their significance.


On Wednesday, 17 October 2001, the Israeli minister of tourism, Rehavam Ze’evi, was shot at close range outside his hotel room at the Hyatt hotel in Jerusalem. The assassination was carried out by a squad of assassins from the Popular Front for the Liberation of Palestine (PFLP). Ze’evi was the most senior Israeli person to be killed by militants during the entire Arab-Israeli conflict.

Before the assassination, Ze’evi had been known to have refused the protective services of the Israeli government’s dignitary protection unit (as a sign of solidarity with the general Israeli population). This piece of information had become open to the public (open source information collection), and had prompted the PFLP to put Ze’evi on their target list. Having neither the physical protection of the dignitary protection unit, nor their assistance in varying his routine and detecting hostile surveillance, Ze’evi had become a very easy target. The PFLP then easily surveilled and established his whereabouts and routines – consistently staying at the same hotel (the Hyatt), maintaining the same room (816), and holding to the same morning routine. After a sufficient amount of intelligence had been collected, the assassination squad members booked a room at the hotel by telephone, using a fake ID, the night before the assassination.

Anticipating Ze’evi’s routine, At 6:00 am, on the day of the assassination, one of the assassins, Hamdi Quran, went to the dining room of the hotel to make sure that Ze’evi would indeed be there with his wife as anticipated. At 06:20 am Ze’evi and his wife arrived at the dining room of the hotel and as soon as Quran noticed them, he immediately went back to the room where the assassins were staying to updated the other team members. As they had planned, two assailants then headed out of the room towards their vehicle, which was parked in the hotel’s basement parking lot, to get their handguns, which were modified with sound suppressors. In order not to raise suspicion, the two assailants returned separately back to their room through the staircase instead of the elevator. The two assailants met in their room, prepared their weapons, and headed towards Ze’evi’s room. They waited for Ze’evi near the fire escape, in a location adjacent to Ze’evi’s room, and at 06:50 am Ze’evi headed by himself towards his room using the elevator. When the elevator door opened, Ze’evi stepped out and passed the two assailants. According to the assailants testimony, Quran shouted at him “Hey!” and when Ze’evi turned to Quran, he shot Ze’evi in the head three times.

This case illustrates how open sourced information collection can factor not just into the determination of how easy a target is, but can sometimes be the catalyst to the entire attack. Ze’evi’s principled, and public, stand on being unprotected was a pivotal factor in the attack against him. It also serves as a vivid illustration of the importance of varying one’s routines and being aware of hostile surveillance.


On August 9, 2001 a Hamas suicide bomber detonated a bomb inside a busy branch of the Sbarro Italian restaurant chain in the center of Jerusalem. The bomb, which contained nuts, bolts, and nails for shrapnel effect killed 15 people and wounded 130.

Surveillance for the attack was conducted by Ahlam Tamimi, a 20 year old female university student and part-time journalist. Tamimi conducted her surveillance on the entrance to the restaurant from a bench that was up the busy street, less than a block away. At the time, every place of business above a certain size had (and many still have) a security officer at its entrance. Tamimi centered her surveillance on the actions of the security officer at the entrance, and noticed that he was doing the routine job of checking people’s bags before they entered the restaurant. The one thing he did not bother to check, however, were cases of musical instruments that some people had carried in with them (guitar cases, violin cases, etc). Because there is a music shop in the neighborhood, it was, and still is, not rare to see people in the area walking around with musical instrument cases. This vital piece of information was used during the operational planning step when it was decided that a suicide bomber (Izz al-Din Shuheil al-Masri) would carry a guitar case full of explosives into the restaurant. On the day of the attack Tamimi and Masri, who was carrying the guitar case, walked into the restaurant pretending to be a couple on vacation. Tamimi ordered lunch for the two and they waited until the restaurant was full of diners. Tamimi then left Masri to detonate the bomb inside the busy restaurant (she was not supposed to be killed in the attack, and was later arrested and tried for her involvement in the attack).

This case illustrates the type of detailed information that can be collected during operational surveillance, and the type of planning that can result from it.


On March 4, 1996 a member of the Hamas terrorist organization detonated a powerful bomb he was carrying outside of the largest mall in Tel Aviv. The bomb, which included nails and pieces of metal for shrapnel effect, killed 13 people and wounded 130.

Interestingly, the original operational planning for this attack called for a bomb to simply be left on a busy Tel Aviv street. The organization then rehearsed this plan a number of times. Each of these rehearsals included a bag that was left on a busy Tel Aviv street, with an advanced surveillance operative covertly observing how people react to the unattended bag. In each case, the advanced surveillance operative noticed that the Israelis on the street were very aware of, and vigilant about, unattended items on the street. In each dry run, people would immediately stay away from the unattended bag and the police would be called to dispose of the suspicious item soon thereafter. Realizing that this operational plan would not be an effective means of killing a large number of people, the organization decided to go back to the operational planning step and change their plan to a suicide bombing – where the bag containing the bomb would be carried and detonated by a suicide bomber.

This attack illustrates how the rehearsal step works, and how this step is tied to the advanced surveillance step. It also shows the type of logical decision making that can flow out of the observed outcomes of rehearsals.


Believed to be by Red Army Faction (RAF)

On November 30, 1989, Alfred Herrhausen, chairman of the Bank of Germany, was assassinated by a roadside bomb shortly after leaving his home in Bad Homburg, Germany. The bomb was contained in a schoolbag that was placed on a rear carrier of a bicycle next to the road.

Herrhausen was traveling in the back seat of the second vehicle in a well secured and bulletproofed three car convoy. As the first vehicle reached the bomb, it broke an infrared beam that was connected to the bomb’s detonator. A programmed delay made sure that the bomb would only explode as Herrhausen’s vehicle reached it, and the bomb detonated exactly in front of the back door of the second vehicle, where Herrhausen was sitting. The 10 kilogram shape charge launched a 2 kilogram copper plate projectile which penetrated the vehicle, killing Herrhausen.

This still unsolved case was one of the best planned and executed assassinations in recent history. Not only was it the first time that an infrared beam was used to trigger a bomb, the precision in which the attack was executed – killing one of the best protected dignitaries in Europe – was almost unprecedented. Though it is still unclear who exactly the attackers were, the logical conclusion is that surveillance on Herrhausen began from his place of work (the Bank of Germany building), since this was information that was open to the public. Mobile surveillance could then follow Herrhausen’s motorcade to his residence, and once these two locations were established (the residence and the workplace), the route the motorcade took could be established. As it happened, this route never varied, nor did Herrhausen’s location in it (always in the back seat of the second vehicle), nor even did the timing and the distance between the vehicles vary. The hostile surveillance team managed to establish these facts using the cover of a roadside work team; pretending to work on the sidewalk while observing Herrhausen’s motorcade pass by every morning. The location of this fake roadside work team was the spot where the bomb carrying bicycle was later placed.

This attack is a strong illustration of the power of operational surveillance, and the type of precision attacks that can flow out of high leveled surveillance.

As there are only so many case studies that can be contained in one article, let me leave you with an open ended challenge:

Take any terrorism case study about which you know a good deal regarding its planning process, and try to locate the phases of the hostile planning process in it (collection of information; analysis, planning and training; execution; escape and exploitation). Next, try to locate as many of the sub-steps which punctuate these phases, and try to determine how close it came to a textbook version of the hostile planning process. As you do this, notice how many of the more opportunistic attacks, including many of what are known as “lone wolf” attacks, are simply condensed, non-textbook, versions of what better planned attacks generally follow. Recall also cases of failed attacks, and try to determine which steps of the hostile planning process were omitted or successfully disrupted by security forces – leading to the failure of these attacks.


Protection Circle_avater_due i Ikon

Learn more about this subject—and many others—in my master class on Hostile Activity Prevention
Utilizing Israeli know-how and delivered by me, Ami Toben, this online course teaches actionable, time-tested methods of prevention, detection and disruption of hostile attacks.

20 thoughts on “Terrorism Case Studies

  1. Ami , this article is a God send.I have been chanting this mantra for ages especially in the context of understanding the actions of rhino poaching syndicates in South Africa.
    Thank you for this.

    1. Chris. My name is matthew Towill, friend of Dean. Nie…..
      I believe that this whole Rhino poaching debacle could easily be controlled as it was in the past yet this epidemic is part of a much greater malay in an endeavour to keep intelligence focus off of what is really happening in this high crime socitey.


  2. This is a master piece and a must read by security professionals, very incisive and informative, wishing to read much more ,,,Thanks for good work. ……Okolie , Sebastine

  3. Well thought through. Great understanding on the appropriate use of a case study. There is such a need to be out in front of the would-be anarchists and your delivery of this work is a good start. I would like to speak to you by email on behalf of the ICTOA (International CounterTerrorism Officers Association) please drop me an email at director@security-consulting.us if you are willing. Thank you, again Ami.

  4. This is all about information gathering people doing what they have been assigned to do thoroughly for instance some hotels take less seriously check on guess. Government official are more likely taking risk in public places. Sharing stories like this would help the civic society to take seriously security matters.Terror attackers often prepare option B counter attack by security agents should give no room to escape attackers.Above all thorough surveillance is critical to uncover planned attack. Well done boss

    1. Though guarding information for the sake of discretion and secrecy is indeed important, it’s also important to disseminate and share knowledge and information that can help people prevent attacks. Case studies is a good example of this.

  5. It’s important to note that no matter how much time is spent planning, there is a trail of bread crumbs left behind to determine the actions of the assailants. Covertly planning threats will always leave a signature of some sort and the only way we can plan safety is to continue studying the actions of society.

    1. Yes, it is true, but all the analysis, the up-to-date follow-up, and data gathering is worthless without forward thinking to anticipate next hit

  6. yes it might be true, but all the time spent in case studies, analysis, up-to-date follow-ups, data gathering, is worthless without critical thinking and forward thinking to anticipate next hits.

Leave a Reply