I’m very excited to host my first guest blogger on Protection Circle, Travis Lishok. Travis is the owner of EP Nexus, a fantastic executive protection blog that explores protective intelligence, OSINT investigations, threat assessment, and more. Travis and I decided to collaborate by writing two different perspectives on the same event (an actual protective detail I managed in 2008), and to ‘cross-pollinate’ our blogs by featuring each of our perspectives on the other’s platform.
In this article, Travis will show how to conduct an Open-Source Intelligence (OSINT) investigation, and explain the value it can bring to a protective operation. My angle, which will appear on EP Nexus, will cover the follow-up stages after receiving the OSINT report, starting from field protective intelligence and culminating in physical protective results.
To set the scene, the event we’re looking at was a political fundraiser that took place in a large Silicon Valley convention center. There were over 1,500 attendees, and the event included a stately dinner with various distinguished speakers on stage.
Since the political organization that hosted this fundraiser has quite a few enemies, much attention had been given to the online forums and social media pages that are often used to coordinate protests and disruptions at this organization’s events. It was on one of these forums where a specific individual expressed his intention to get himself into the venue (in order to collect information and possibly disrupt it), and made it clear that he had the legitimate means of achieving this feat.
The details we got were very precise and included the name and even the photo of this individual, who belonged to a student organization that vehemently opposed our client. We even knew by which legitimate means the individual intended to enter. We advised our client not to let him into the event, but were told that for public relations reasons, he was not to be turned away. We would check him thoroughly but if no contraband were found, we were instructed to let him in.
Now that I’ve set the scene, let me hand the controls over to Travis so he can show us what we can get out of an OSINT investigation.
In approaching this situation from an open source intelligence (OSINT) perspective, it is our primary goal to answer this question:
Is the individual or their organization likely to take action at the event?
We are primarily concerned with violence or embarrassment directed toward the client, and to a lesser degree any attempts to harm the image of the client (their event, their organization, etc.).
I will use an analogous real-word subject and student organization to give you a detailed, realistic example. If you’ve ever been to any of the University of California Campuses, then you would know that this organization and others like it, have a constant and aggressive presence: Students for Justice in Palestine (SJP). For our purposes, we will specifically focus on the UCLA Chapter. I chose to use this organization and its former president as examples because they fit all of the characteristics that we would expect, given our scenario above. Plus, anyone involved in higher education could relate this to their personal experience.
During our research & analysis, we will attempt to answer the following questions to assist in our assessment of the subject and their organization.
Primary Question: Is the individual or their organization likely to take action at the event?
- Has the subject approached the client previously, and if so, in what way?
- Does the subject/organization have a history of violent, threatening, or criminal behaviors?
- Is the subject seeking knowledge about the client and the client’s current situation?
- Does the subject possess, have access to, or give evidence of a fascination with weaponry of any type?
- Is the subject currently seeking to obtain a weapon?
- What is the status of the subject’s inhibitors, including any recent losses?
- Has the subject engaged in any ‘final act’ behaviors?
*For a more detailed analysis of these specific questions, refer to my previous post: Assessing Threats in 20 Questions (or Less).
Additional Research Needed to Assist the Field Operatives
During our research, it would be helpful for us to further support the field operatives by gathering the below information:
- Picture of subject.
- Picture of subject’s vehicle w/license plate information.
- Picture of subject’s associates.
Immediate Area of Concern
Since the subject is attending the event, we can confirm that they are actively researching the client, and engaging in planning & preparation. Even if this isn’t hostile in any way, it is important to be conscious of it. This is concerning because we know that research, planning, and preparation are part of the Path to Intended Violence. By conducting more online research, we may find evidence to support or contradict this concern.
*Refer to the simple illustration below, depicting the Path to Intended Violence as described by the authors Frederick Calhoun and Stephen Weston in Threat Assessment and Management Strategies (second edition).
Path to Intended Violence
Grievance → Ideation → Research and Planning → Preparation → Breach → Attack
Intelligence Collection Mind Map
The graphic below is a mind map that gives a simplified illustration of my research process. The primary focus is (1) the subject and (2) the subject’s organization.
Mind Map Explanation
Beginning with the subject, our most valuable sources of information are his social media profiles. These are going to provide us with the most current and detailed information. Once we discover the subject’s email address or username, we can use these pieces of information to search across all relevant social media sites. It is a common theme in online investigations that most users will use a single username across all of their accounts (Facebook, Twitter, Instagram, etc).
*What if their accounts are private? Then the researcher can target their associates’ profiles and view conversations/interactions between them (target by proxy).
Once we collect information about the subject from open sources, we can next try closed sources such as TLO or Thomson Reuters Clear which typically require a private investigator’s license (or similar barrier to using it). These sources would reveal the subject’s previous arrests, debts, associates, and detailed personal information. (For the purpose of writing this post, I did not run the subject’s name through these databases) After viewing both sets of sources, we should have enough information to form a foundation for answering the question, “Is the subject likely to take action at the event?”
Next, we can begin our research about the organization itself. First, Students for Justice in Palestine at UCLA (SJP) has an official website where they make announcements and share their views. Here, they left a contact email for the organization on the main page. This is immensely helpful because we can search this email address in Google to find more pages that are associated with it. Plus, it is highly likely that this email address was used to set up all of SJP’s social media accounts.
*Side Note: Michael Bazzell, author of IntelTechniques.com, has stated for this very reason, that the target’s email address is the single best piece of information to have when beginning an OSINT investigation.
After discovering the username that is used for SJP’s social media accounts (“SJP at UCLA”), it was easy to find their Facebook Page, Twitter, YouTube, associated Instagram hashtags, Tumblr, Facebook Group, Google Group, Yahoo Group, and online repositories they use to share their literature (Scribd & DocShare). Some of their group pages were not open to the public, however, it would be simple to create an alias account and join to view their conversations. Also, on the UCLA website, the organizers of the SJP UCLA chapter were listed by name.
Lastly, there were several websites that wrote detailed profiles about SJP (not necessarily the UCLA chapter), detailing their activity and classifying them as hate groups.
Summary of Findings: Subject
I was able to discover his social media profiles, articles he published, and Google Drive documents in which a pro-US/Israel group wrote a detailed profile about him (including his personal blog, his associates, his activism, pictures of him, and more).
To assist the field operatives, I was able to find the following: pictures of the subject, pictures of his associates, but no picture of his vehicle. I did not find any significant evidence to support a hypothesis that the subject is likely to act out violently or otherwise at the event. In addition, I was unable to find any evidence of previous violence/criminality, familiarity with weapons, loss of inhibitors, or final act behaviors.
Since the subject is a graduate student, and the leader of his organization, these are likely to inhibit him from doing anything extreme, such as acting out violently. However, I am concerned that the subject’s personal blog contains violent poetry and literature. This likely has a significant influence on his personal outlook, plus he could influence others to act violently though this literature.
Summary of Findings: Subject’s Organization
For SJP UCLA Chapter I was able to discover their official website, UCLA organization page, social media profiles, online communities, online repositories where they share their literature, and third party sites that comment on controversial groups such as SJP.
I was unable to find instances where the SJP UCLA Chapter acted violently or interrupted events. However, I was able to find instances of alleged violence against students and evidence of shouting down speakers they disagree with, by other SJP Chapters. Given this information and the information about the subject, I would estimate that there is a low to medium risk that the SJP UCLA Chapter would potentially act out (violently or to disrupt) at the event.
If we had more time to invest, it would be worthwhile to analyze trends set by SJP chapters at other UC campuses, to anticipate evolving tactics by the UCLA chapter.
Intelligence is about making judgements about the future, interpreting problems, and supporting decision makers. There are significant limitations for anyone attempting to make judgments about the future, by only using OSINT tools. These limitations include, but are not limited to the following: source reliability, analyst biases, limited time, limited information, etc. Therefore, intelligence collection and analysis in terms of OSINT, is only one part of the protective puzzle. It gives the operatives working in the field limited concrete details, and a dynamic framework to view the situation. Where the limits of OSINT ends, field intelligence (surveillance) begins.
Travis Lishok has nearly 10 years’ experience in military and private sector security. He owns and authors the EP Nexus executive protection blog, where he explores protective intelligence, OSINT investigations, threat assessment, and more.
When he’s not actively studying security or writing about it, he reads books by Tim Ferriss and trains his 3-month-old Rottweiler.