Sunday, October 20, 2019

You're Either Doing OSINT Or.....You're A Cop or a Criminal

Editor's note: I use the term "intelligence" in this post a lot. It is not being used to denote solely government intelligent service activities. If you're a no-shit spook reading this post, you should already have some idea of what I'm driving at.

If you've been in security long enough, you've heard people abuse, misuse, and utterly diminish the meaning and, subsequently, the impact of certain security-related buzzwords. Everyone is doing "threat intelligence" or being "asymmetrical" or defending against "information operations" these days. Back when I was somewhat popular, two terms everyone was using (including myself) were OPSEC and OSINT. Most of us were using these terms to articulate basic methodologies very briefly. However, brevity is a serious MOFO. Soon, everything was OSINT or OPSEC. Years later, the infection has spread and I have had enough. We'll cover OPSEC another day, but I really want to set the record straight on OSINT. At its best, our collective confusion means mistakes or missed opportunities to provide better answers. At its worst, it places our stakeholders and ourselves in almost certain peril.

Let's define what OSINT is and what it is not. OSINT is an acronym describing a type of intelligence-gathering technique; it stands for Open Source Intelligence. I won't bore you with the book definition, but I will provide you with a pretty standard one. Don't believe me? Find your nearest neighborhood spy and ask them. I digress. OSINT is merely the collection of actionable intelligence from openly available sources. How about we steer away from saying "public," because some people take that to mean "free"? If you've actually done OSINT, you know a lot of what we do costs some cash. Just because a source is "open" also doesn't mean it's always readily available to the public.

There very well could be limitations on the data you collected, on whether you can use it, and even on whether it could be collected in the manner in which you received it. As vague as the Computer Fraud and Abuse Act reads, it behooves anyone collecting online data to have clear legal guidelines and authorization to conduct OSINT operations online.

You would think this would alleviate confusion within the security industry about what OSINT is and what its sources consist of. Nope. Not a chance. I find everyone who has been tasked with researching something or someone online believes they are "doing OSINT" because their sources are "open".

The best way to see beyond this "fog" of confusion is to simply define what the end result of your research will be.

  • Are we answering a series of questions posed to us by stakeholders who need them to complete their mission? Then you're doing OSINT.
  • Are we tracking criminals to report a crime? Then you're conducting an investigation using open sources.
  • Has a lawyer contacted us to look into a civil case they have pending? Then you're still doing an investigation.
  • Are we researching "people search" sites and breach data to find dates? Then you're committing a crime and seem super creepy, dude. Stop.

Aside from being a distinct method of collecting data, a lot of what differentiates OSINT from other methodologies of collection and analysis has to do with how you're pivoting on or analyzing the data. For example, just because I find someone's address doesn't mean I have verification of that address. If I'm authorized, then a pretext and social engineering may be needed to do that. That part is something else entirely, which is called "human intelligence". This involves exploiting human beings to gain information. What if I'm looking at an image I gathered during an OSINT operation? Then that analysis would, in part, require "imagery intelligence".

Too many OSINT professionals forget there's a distinction between these INTs, regardless of whether the collection and source analysis happen in one house. This is an important distinction to make because different methodologies require different skillsets which, in turn, require different training. Jumping into a pretext or getting imagery wrong based on bad assumptions or inadequate training could prove disastrous for you.

I don't have a problem with OSINT collectors answering investigatory questions. I grow concerned when they use certain methods of analyzing data outside of OSINT. What happens when they "solve" a crime using imagery analysis but haven't received training which may have also shown techniques to find exculpatory information? Are OSINT collectors aware of what separates their activities from private investigators? Are their clients?

Finally, a clear distinction between OSINT and investigation has a good deal to do with reporting and documentation of your findings. Obviously, in an investigation I'm concerned with authorizations and preservation of any evidence gathered. In many jurisdictions, it's simply not enough to show up to court with a screenshot or even a map. In intelligence operations, those might be all you need to give a stakeholder what they need. My suggestion is to be in the habit of always archiving and reporting intelligence in ways that allow you and your stakeholders to pivot, if need be.

Understanding what OSINT is, versus throwing out a term and conducting business based on bad assumptions and worse interpretations, could provide your stakeholders and you with better actionable intelligence and fewer legal headaches.

Monday, September 2, 2019

OPINION: The Problem With The Questions We Ask After Every Active Shooter Incident

Another active shooter and I feel like I'm having the same discussions over and over again. Oh, that's right - because I am. In the course of each shooting, a variety of reactions happen. Some of them are helpful to constructive discourse and some are not. Let's list some of my least favorite reactions and why:
  • "We need to do something, now!" Ugh. I hate "something" for a few reasons. First, "something" is rarely anything specific and is merely a reaction to the status quo. As a security professional who works at mitigating these kinds of threats, I often feel like "something" means "anything," which works contrary to the mitigation that does protect us. Finally, "something" is often a veiled attempt at prompting a discussion of political solutions which are normally not multi-pronged, nor appreciative or comprehensive of the entirety of the threat. In other words, "something" is almost certainly a "nothing"-burger.
  • "Why can't we do what XYZ European country does with guns?" Well, for one, we're not XYZ, and while they may have had a problem with gun violence, the causes are likely different from ours. XYZ also does not have our proliferation problem. Guns in the United States are everywhere and the means to manufacture and supply them is not difficult. The science to make firearms and their ammunition is not difficult, nor is it restricted. We banned machine guns and someone made "bump guns". Our supply chain for guns is likely different from XYZ's as well. In XYZ, the government had a monopoly on firearms, but in the US the citizenry has a monopoly on firearms, with demand not diminished at all.
  • "It's so simple to solve this." Nope. Not quite as simple as you think. First, taking care of the tool does NOTHING to fix what drives people to murder. In fact, the demand for the tool will likely increase. You won't like where mass murderers go for alternatives either. Also, see what I said about proliferation in #2. Legislating your way out of this gets even tougher because America isn't as monolithic as people on social media would like us to believe, which means the political landscape in this country is also more diverse and obfuscated than we appreciate.

    This thinking also blinds us to unintended, collateral damage. For example, modern gun control was done as a means to restrict gun possession by extremist groups. As the laws took shape over the decades, they were meant to further limit access to firearms by convicted felons who may have been involved in ongoing criminal behavior. Their access to firearms would only mean further violence. With crime becoming sensationalized as an "epidemic" almost daily by the media and politicians, a "war on crime" was waged and more laws and police officers were ordered to the streets. These laws incentivized police departments to make more contacts with potential criminals or those whom they suspected were criminals. How? Every good war needs soldiers and you can't recruit soldiers without a war. More contacts with an armed public meant lower crime rates. It also meant more police officers involved in more contacts. The problem isn't that contacts were happening, but that they were disproportionately happening with demographics who were often under-represented and owned far fewer guns than the majority demographic. I don't have to tell you the rest, do I?
  • "Why won't they release the shooter's name?" Glad you asked. It could be for a few really good reasons.
    • The investigation is still ongoing and releasing the name too soon could reveal a great deal to potential co-conspirators.
    • The shooter may belong to a demographic who could suffer collateral damage from vigilantes seeking revenge in a hostile socioeconomic climate.
    • They're following established FBI and scholarly recommendations to not give the shooter any undue notoriety. Why? The police could be concerned about copycats and the potential for harmful distractions to their case.
        • "The hallmark of contagion is seeing events unusually bunched together in time. The details of our analysis, where we fit a mathematical model of contagion to the data to quantify the level of contagion, are quite technical. But really, what it essentially amounts to is seeing if there are unusual groupings of events. In mass killings (four or more people killed), where the tragedies usually get national or international media attention, we saw significant evidence of this kind of unusual bunching. In mass shootings — with less than four people killed, but at least three people shot — we didn't see any evidence of unusual bunching. Interestingly, those events are so common in the U.S., happening once every few days, that they don't even make it past the local news. Because we saw evidence of contagion in high-profile events, and no evidence of contagion in events that mostly just got local news, we hypothesize that media attention may be the driver of the patterns we see. This kind of contagion has been suspected for a long time; our study is the first to quantify it."
      (Image: various pictures of the Christchurch shooter's firearms used in the shooting)

      • The contagion theory looks especially prescient when we look at the Christchurch shooting, where the shooter wrote the names of various other shooters on the weapons he used and wrote in his manifesto how they motivated him. How many shooters have mentioned or idolized other mass shooters? How many shooters are glorified and celebrated on the various forums where they congregate? Don't we see the same with terrorist groups like ISIS? How many "soldiers of the Islamic State" were "inspired" by the acts of other "soldiers"? I'm not saying these events were caused by other shooters going first, but for many shooters, I'm certain it showed how it could be done with minimal effort and little exposure during the planning and execution phases. As I always caution, "the secret sauce is out in the wild."

        What about our own history with a public mob mentality towards "give us a name"?

          (Image: a man lynched from a tree. Library of Congress; 1925)

The simple and painful truth is we may never see the end of mass violence in the United States. That doesn't mean workable and viable solutions are not probable. I believe they are. However, as we examine these events, perhaps it's time we ask how much our reactions have done less to mitigate these threats and more to provide us with "security". The latter is about addressing what makes us "feel" safe, versus doing what protects us by critically going over the data, having constructive discourse among the subject matter experts, and determining what our most viable, sustainable, and effective solutions are.

There is one question we should be asking but we don't. Its absence from the discourse makes me believe we care less about the victims of these crimes and more about the political solutions we can employ. Few people are asking "why" because they confuse methodology with motive. The problem shouldn't be how these murders are committed but why. Until we ask that question, we'll continue to have discourse which does little except provide cover for murderers and aid and abet political ambitions counter to our collective survival.

Saturday, August 24, 2019

OPINION: Isn't It About Time Security Gets Its Own Crowd Mitigation Laws?

If I were the seriously academic type, I'm quite certain there is a white paper I could write on how many lives the fire service saves by having cities empower the fire marshal to enforce fire codes. Seriously, when you sit back and examine the impact fire codes have had, both in showing how dangerous crowds can be and in how mitigating their growth in dense packs reduces casualties in fire events, it's truly amazing how well they work in both regards. If people die in a crowded nightclub because of a fire, no one writes a think-piece on what drove the fire or the firestarter. No one even contemplates whether we need stricter anti-fire laws. Nope. Within a few seconds of reading there was a fire at a crowded nightclub, we automatically deduce a large amount of the carnage was because the club was too densely packed. What if after every active shooter incident we did the same?

Imagine a set of laws structured around mitigating mass casualties during active shooter events in target-rich environments. At the heart of how we effectively deal with these incidents is how we deal with the crowds. You've heard me say this before, but I believe the largest contributor to target selection and engagement is the crowd. With security, there's a misguided public perception that businesses will act in the best interests of life safety and that business owners and operators will take threat mitigation seriously. For those of us in security, we know this is a daily battle, one for which we suffer countless deaths. In a world where businesses are rewarded for showcasing demand and not for minimizing the risk caused by that demand, the motivation to encourage, grow, and develop further crowds often outweighs the associated risks. What we require is a set of codes which the authorities can enforce to make those risks unacceptable without effective mitigation.

What would my proposed "codes" look like? As is said in the military, it's all METT-TC or "situation-dependent". That said, here's a very rough idea of what I envision:
• Utilize the same formula and science the fire service uses in determining acceptable crowd sizes in densely packed areas. This encompasses looking at egress points, potential points of origin, probable incident path, time to egress, and potential secondary hazards.
• Make it mandatory that businesses have a minimum number of egress points solely for active shooters. The egress points should be fully expansive and allow for fluidity in crowd movement. There should be more than one way out of an area.
• Ensure employees have a means of ensuring those egress points remain available and unencumbered.
• Fire exits can be utilized for egress but should not be the sole means. Fire and security/LE will likely have different concerns about crowds and their movements.
• Egress should be marked and illuminated. Egress from fire emergency exits should also be alarmed and enunciate at a fire and police dispatch center.
• Every venue where crowds are a consideration and are likely targets of active shooters should have "blue boxes" which would contain a button like fire call boxes. These boxes would sound an immediate alarm with a "tactical response required" notification to the local police.
• Schools and daycare centers should rehearse mandatory crowd mitigation drills. School event planners should attend a mandatory crowd mitigation course which addresses basic event security guidelines to be implemented. Failure to follow the guidelines should be considered a violation of the law. Exceptions can be addressed through an SRO and approved by a department chief.
• All on-duty security personnel should attend a mandatory course on behavior detection and tactical response. Failure to pass the initial and follow-up training should result in a mandatory suspension of their security license. Posting unlicensed and untrained personnel should be considered a violation of law.
• Stadiums and large-scale event security should be required to do annual mass casualty event drills. Active shooters should be addressed in those scenarios.
• Businesses must have a crowd mitigation plan filed with their local police department.
• No-notice inspections by the police should be done semi-annually. Inspection failures should be considered for a mandatory 30-day operations suspension, depending on the nature of the violation. Serious violations should constitute permanent operations termination.

I know. I know. Too harsh? Perhaps, but I think this is the shot in the butt we all need as practitioners and business owners. These events happen in places we're supposed to be protecting. Yet everyone pretends like they won't see these incidents, despite evidence which says we don't have a clue as to when, where, or even how they could occur. What I'm asking for takes minimal effort and is ever-evolving as the threat also changes. That's what makes it such a great idea, to be quite honest.