Exploiting Criminal Syndicate Risks

Combating organized crime is like cleaning oil off your driveway. There are dozens of ways to clean up the mess, yet none of them will do the job alone, and deciding how to clean it is just as frustrating as the cleaning itself. In the same way, many law enforcement organizations don’t know where to begin when rooting out syndicate crime. In most cases they aim their resources at the most obvious areas: street-level criminals and money. These are not bad tactics, but just as with the sludge on the driveway, a few methods alone will not eradicate the syndicate. Instead of relying only on traditional methods, law enforcement can borrow a few techniques from conventional risk analysis.

Syndicates thrive on the fact that they don’t appear complicated on the surface. Beneath it, however, they typically sink deep roots into one or more methods of preserving their existence, and those roots add layers of complexity. This diffuse rooting, while necessary for survival, is also a weakness that can be exposed through ordinary risk analysis. When examining supply chains, business continuity plans, or site security, we look at factors such as communication, redundancy, and resiliency. Applying the same lens to organized criminal syndicates exposes risks that can be exploited to collapse the enterprise.

The first step in analyzing a syndicate’s risk is to map its internal structure. All successful criminal syndicates have at least three levels of organization: upper leadership, mid-level management, and foot soldiers, and many have additional operational and management layers. To collapse the organization you need to know the structure from top to bottom and understand how each level interacts with the ones above and below it. Mapping is harder when the syndicate uses a cellular structure, but that structure has exploitable weaknesses of its own.

The next step is to detail what the syndicate needs to survive. In most cases you will find common needs such as communication, recruits, and money. There may be many such needs, and the more the better, because every need is a dependency and every dependency is a risk. Once you have mapped the group’s needs, overlay them on the structure; this shows which level of the group is responsible for meeting each need. At this point several red flags will usually become obvious. These red flags are what we call risks. If none are obvious, deeper analysis may be needed to expose other facets of the group, such as ideology and cultural dependency.

Just as you would prioritize risks for mitigation, you now prioritize the syndicate’s risks for exploitation. Target one element and become the threat directly associated with that risk. Where the risks are cultural, this will require non-traditional law enforcement techniques such as outreach and collaboration. Where the risks are not cultural and are easily identified, exploiting the weakness will threaten the group’s entire stability.

Combating organized crime through risk analysis is of course more complicated than described above, but the basic template does not change. Every criminal syndicate has weaknesses; it is up to law enforcement to find them, exploit them fully, and eradicate the group.

Scenarios or Table-tops…Which one is better?

The halls were filled with the sounds of gunfire and fear. Our team moved forward as fast as we could, passing victims and backpacks, pursuing the gunfire. We thought the shooting was in front of us, but the labyrinth of walls made it impossible to know for sure. As we cut around a sharp corner I came face-to-face with a suspect. I fired two quick shots, hitting him in the face and neck. He yelled and recoiled backwards. A deep voice roared to life behind me, “No shooting in the face! Scenario over!” Fast forward 11 years and I was sitting at a standard round hotel conference-room table with four people I’d never met. The woman at the front of the room had just finished describing what amounted to the collapse of social order due to several days without power. Our job was to keep a local hospital running with no fresh water, no sewage service, and little to no police protection.

Believe it or not, I left both training events thinking, “That was the best training I’ve ever had,” even though they were light years apart in scope and teaching style. One was a full-scope, active-shooter, scenario-based training module complete with SIM guns, screaming actors, and vicious assailants. The other was in a comfortable room surrounded by calm voices, candy, and chilled bottles of water. The contrast between the two could not be any clearer. If you were to look at both events from an objective standpoint you might be inclined to think the scenario-based module was superior to the table-top. The truth is one is indeed superior to the other, when done correctly.

“Realistic” scenario-based training modules are extremely popular right now. The thinking is, “we will expose our employees to the realities of the event, thus training them for the real thing.” This is not an entirely flawed line of thinking, but it can, and often does, lead to very expensive training modules that produce very few positive outcomes. The main problem with defaulting to scenario-based training is that many people are ill-equipped to handle the scenario, which almost always leads to failure. For scenario-based training to be effective, employees must have foundational training on which to rely. An active shooter scenario, for example, will succeed only after employees have undergone basic crisis training. Employees need to have a plan so that the plan can be tested. Table-top exercises let them see the plan in action; they build confidence in the response plan and, more importantly, in the employees’ ability to react to a crisis. When employees finally undergo the scenario-based module, they will already know how to succeed, which in the end will help them survive the real thing.

Just as reliance on scenario-based training will fail, so will reliance on table-top exercises. For a variety of reasons, many organizations reuse the same three or four scenarios year after year to train employees on crisis management. During such exercises the most stressful dilemma is usually trying to end the scenario before lunch. In the worst cases, employees skip the training altogether and become victims rather than survivors when a real attack occurs. To avoid monotony and dismissive attitudes, table-tops need to challenge employees and, more importantly, build their confidence. Interspersing real-life external stressors, such as active assailants, shows employees why table-tops matter. If budgets are too low for full-scale scenario-based modules, try simple things like turning out the lights and making everyone work with whatever light sources they can find. You may be surprised at the weaknesses in personnel and facilities that a tiny amount of stress reveals.

To answer the overarching question of which is superior: it depends on the organization’s level of readiness. Overreliance on either will not be effective. To ensure success, build a good training foundation and complement it with real-life stressors. Most importantly, remember that all crisis training is meant to ensure survival, and pick training modules accordingly.

Open Source: The New Art

There is no shortage of high-priced OSINT practitioners filling classrooms and lecture halls across the country. The once-disregarded art of surfing the Internet for information has become a full-blown discipline. Many of the practitioners traveling the country as subject matter experts (SMEs) are indeed qualified and very experienced in extracting information from various Internet sources. The one aspect most current instructors miss, however, is what to do with the information once it has been extracted.

Like the intelligence cycle, competent OSINT has a specific workflow: Research, Extract, Sort, Analyze, and Disposition. Research is the topic of most open source classes and symposia. Thousands of law enforcement, security, and intelligence professionals are very adept at scouring the Internet for information, and most of them are equally adept at extracting what they need. Where the cycle falls apart in many cases is the sorting phase. Here practitioners need to stop researching and extracting and look through the data they already have. Decisions need to be made about what is important and what is not, based on mission parameters, and the data needs to be categorized by its impact on the mission: direct, ancillary, or questionable. From there, the deep analysis begins.

The rigor of analysis depends on the information’s impact on the mission. If, for example, you are investigating a series of photographs depicting a subject holding firearms, and the subject is a prohibited possessor, the analysis of the photos will need to be rigorous. An investigator will need to determine whether the suspect is readily identifiable. Are the weapons real or fake, and what clues lead to either conclusion? How recent is the photograph? Where was it taken? Finally, what did the poster and the followers say about it? From a criminal intelligence standpoint, what about this post has ramifications beyond this case? A private security officer examining the same photographs must review each comment to gauge the general mood of the posts; a lot can be learned about employee social networks and insider threats by reading comments.
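Two of the questions above, how recent the photograph is and where it was taken, have a mechanical first pass: the Exif metadata many cameras and phones embed in the file. The Python below is an added example, not part of the original post or any tool it mentions. It builds a small JPEG sample inline (constructed here, with hypothetical date and coordinates) and then reads it back the way an analyst's tooling would: locate the Exif APP1 segment, walk the TIFF directories, and pull DateTimeOriginal plus the GPS fix. The tag numbers are the standard Exif ones; the function names and the sample values are assumptions of this example. The parser bounds-checks every pointer because metadata in a file pulled from the Internet is attacker-controlled input.

```python
import struct

# Exif is a TIFF structure: 8-byte header, then chained IFDs (image file directories).
TYPE_SIZE = {2: 1, 3: 2, 4: 4, 5: 8}             # ASCII, SHORT, LONG, RATIONAL (bytes/element)
TAG_EXIF_IFD, TAG_GPS_IFD, TAG_DATETIME_ORIGINAL = 0x8769, 0x8825, 0x9003
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def encode_ifd(entries, ifd_offset):
    """Serialise one little-endian IFD from [(tag, type, payload)]; payloads > 4 bytes go after it."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    body, overflow = struct.pack("<H", len(entries)), b""
    for tag, typ, payload in entries:
        count = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")                  # small values live inline
        else:
            value = struct.pack("<I", data_start + len(overflow))
            overflow += payload
        body += struct.pack("<HHI", tag, typ, count) + value
    return body + struct.pack("<I", 0) + overflow            # 0 = no next IFD

def build_sample_jpeg():
    """Constructed sample with hypothetical values: JPEG prefix + Exif APP1 (date and GPS fix)."""
    rational = lambda *p: b"".join(struct.pack("<II", n, d) for n, d in p)
    exif_off = 8 + (2 + 12 * 2 + 4)                          # IFD0 has two entries
    exif_ifd = encode_ifd([(TAG_DATETIME_ORIGINAL, 2, b"2019:06:15 14:23:07\0")], exif_off)
    gps_off = exif_off + len(exif_ifd)
    gps_ifd = encode_ifd([
        (GPS_LAT_REF, 2, b"N\0"),
        (GPS_LAT, 5, rational((40, 1), (44, 1), (5231, 100))),   # 40 deg 44' 52.31" N
        (GPS_LON_REF, 2, b"W\0"),
        (GPS_LON, 5, rational((73, 1), (59, 1), (1800, 100))),   # 73 deg 59' 18.00" W
    ], gps_off)
    ifd0 = encode_ifd([(TAG_EXIF_IFD, 4, struct.pack("<I", exif_off)),
                       (TAG_GPS_IFD, 4, struct.pack("<I", gps_off))], 8)
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + exif_ifd + gps_ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1

def exif_payload(jpeg):
    """Walk the JPEG marker segments; return the TIFF bytes inside the Exif APP1, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + length]
        if marker == 0xFFDA:                                 # start of scan: no more metadata
            break
        pos += 2 + length
    return None

def read_ifd(buf, offset, e):
    """Decode one IFD into {tag: value}. Bounds-checked: this metadata is attacker-controlled."""
    tags, (n,) = {}, struct.unpack_from(e + "H", buf, offset)
    for i in range(n):
        entry = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", buf, entry)
        if typ not in TYPE_SIZE:
            continue                                         # BYTE/UNDEFINED/unknown: skip, do not guess
        size = TYPE_SIZE[typ] * count
        start = entry + 8 if size <= 4 else struct.unpack_from(e + "I", buf, entry + 8)[0]
        if start + size > len(buf):
            raise ValueError(f"tag 0x{tag:04x} points outside the buffer")
        raw = buf[start:start + size]
        if typ == 2:
            tags[tag] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ == 5:
            parts = struct.unpack(e + "II" * count, raw)
            tags[tag] = tuple(num / den if den else float("nan")
                              for num, den in zip(parts[::2], parts[1::2]))
        else:
            tags[tag] = struct.unpack(e + ("H" if typ == 3 else "I") * count, raw)
    return tags

def dms_to_decimal(dms, ref):
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref in ("S", "W") else value

def where_and_when(jpeg):
    """Answer 'when and where was this taken?' from embedded Exif; {} if there is none."""
    tiff = exif_payload(jpeg)
    if tiff is None:
        return {}
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    exif = read_ifd(tiff, ifd0[TAG_EXIF_IFD][0], e) if TAG_EXIF_IFD in ifd0 else {}
    gps = read_ifd(tiff, ifd0[TAG_GPS_IFD][0], e) if TAG_GPS_IFD in ifd0 else {}
    out = {}
    if TAG_DATETIME_ORIGINAL in exif:
        out["taken"] = exif[TAG_DATETIME_ORIGINAL]
    if GPS_LAT in gps and GPS_LON in gps:
        out["lat"] = round(dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")), 5)
        out["lon"] = round(dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")), 5)
    return out

if __name__ == "__main__":
    print(where_and_when(build_sample_jpeg()))   # the constructed sample: timestamp and coordinates
    print(where_and_when(b"\xff\xd8\xff\xd9"))   # same check on a file with Exif stripped: {}
```

Treat the result as a clue, not a finding. Exif is written by the device and can be edited or forged with trivial effort, and most social platforms strip it on upload, so an empty result proves nothing about when or where the picture was taken, and a populated one still has to be corroborated against the content of the image itself (shadows, weather, signage, landmarks) and against what the poster and commenters said, exactly as the paragraph above describes.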

Aside from meaningful analysis, the disposition of open source information can be one of the hardest phases of the cycle. Here a practitioner needs to store the information or deliver it to the customer who needs it. In law enforcement there are two main choices: case information and criminal intelligence. Case information is evidence and must be stored and processed in accordance with court procedures for prosecution; the implications of that disposition are many, given the various methods of storing digital information. If the information is determined to fall into the criminal intelligence realm, it is governed by 28 CFR Part 23 and will need to be audited. In the intelligence field, the information may need to be sent to other intelligence professionals for analysis of larger threats or trends. Private security may share it with human resources professionals or store it as part of an insider threat investigation. In any case, the disposition of the information will ultimately be scrutinized and must therefore be handled carefully.

Open source intelligence (OSINT) is still an emerging tradecraft and will go through many iterations before it is commonly accepted. Following the cycle above, and seeking out training that reinforces it, will build a cultural foundation for practitioners and make the discipline far more reputable. As challenges arise, the discipline’s credibility will rest on solid industry standards like the cycle described above. For those in command positions: seek out full-scope training and move away from training that focuses on only one aspect of the discipline. After all, looking at a small piece of the canvas is nowhere near as inspiring as seeing the full painting.

New Threats Require New Defense Strategies

As we enter a new phase of terrorism, old counterterrorism measures need to be reviewed and updated. Since 9/11 the law enforcement community has built counterterrorism strategies on the theory that each terrorist event requires significant pre-planning, and that this pre-planning is done in a manner detectable by the public and law enforcement. Much of the counterterrorism industry is accustomed to the “Eight Signs,” or pre-indicators: Surveillance, Information Gathering, Security Testing, Finance, Logistics, Strange Behavior, Dry Runs, and Deployment. This strategy worked for several years because it was assumed that major attacks would require significant time spent on each pre-indicator. Today many of these pre-indicators have been compressed or eliminated, which reduces the possibility of detection. Two types of attack illustrate this, and the need for updated strategies: active shooters and cyber attacks.

Active shooter cases appear to be on the rise in the United States. Post-attack analysis has revealed certain patterns, but there is a lack of pre-incident “unifying behaviors” explicit enough to craft countering strategies around. For example, in every active shooter case the suspect required access to a firearm, but since firearm purchases are neither prohibited nor effectively monitored, there is no way to build a countering strategy around acquisition. Surveillance and dry runs are still possible gateways to prevention, but catching them relies more on luck than science. To combat active shooter attacks effectively we need to look at core prevention strategies with the understanding that the risk of such an attack will always be present. With that assumption in place, prevention strategies need to focus on reducing the risk posed to potential targets. Rewriting emergency plans, identifying shelter-in-place locations, and proactive security measures are all proven methods of reducing that risk. These strategies are most successful when complemented by real-life training scenarios that expose participants to the sights and sounds of an actual incident.

The complexities of cyber warfare are vast, and because the warfare is conducted in “cyber space” the traditional pre-indicators do not apply. Whereas state secrets were once the currency of the realm, cyber collectives now attack everyone from corporations to police agencies, which makes it virtually impossible to identify which specific data is at risk and which is not. In cyber warfare the old adage is turned around: the best offense is a robust defense. By examining threats and trends and being proactive about system security, the risk of a successful cyber attack is significantly reduced. It is also vital to examine nontraditional security measures in data management and access control. Finally, preventative intelligence adds the final touch to a robust security posture. Preventative intelligence against cyber attacks will be addressed in another entry, but it is vital to understand how important it is in defending your networks.

As the world moves from one iteration of terror to another, counterterrorism strategies need to evolve. Strategies built around detecting significant pre-planning need to give way to current methods of protection, detection, and deterrence. While there is always an inherent risk of attack regardless of time or place, using intelligence and building strong, flexible defense networks will mitigate risk and save lives.