The OSINT Scammers

The police commander looked at the woman introducing me as though she was explaining advanced physics. When she completed her introduction and a brief explanation of open source monitoring he simply replied, “okay.” It was less an affirmative response than an indication he was still not sure what type of voodoo I practiced. As we walked away she said to me, “Well, he’s the incident commander and you will be spending a lot of time together…so good luck.”

The commander’s response was common ground for a law enforcement open source practitioner. To me it was neither good nor bad, but an indication of where we stand in the broader LE community. “OSINTers”, as we are called, occupy the land between true computer forensics and black magic. To some we are digital ninjas who can glide along the keyboard and produce volumes of information in less time than it takes to empty a K-cup. To others however we represent the best scam going. Unfortunately we’ve done this to ourselves, and if we keep it up, we will go the way of 3 ½ inch floppies.

If you walk into any law enforcement conference in the US and throw a rock, you will likely hit seven open source subject matter experts. They openly describe their art as OSINT, or open source intelligence. Their self-ascribed accolades are almost as dubious as the job they perform. Many will tell you how awesome they are, how smart they are, and how much you really need them. Some of them are products of one or two open source gathering platforms on the market. When you ask them what they do, the truth usually comes out after a few minutes of self-aggrandizement: they surf the Internet, period. Most OSINT “SMEs” use such a broad-based approach to OSINT that they end up producing volumes of useless information. In some of the worst cases, they creep through Facebook, Instagram, and others looking for photographs of marijuana, guns, and “gang indicia.” These folks will demand a high-priced OSINT gathering platform and three or four screens at their desk, and will end up costing departments thousands in overtime while producing nothing but strands of useless information. On their best days they might snag a photograph of a teenager smoking a blunt, and if the OSINT god smiles upon them they will hit the jackpot with a photograph of weed lying next to a gun in a nondescript hotel room. Huzza!

The law enforcement community is saturated with these people, and they are killing the discipline one deployment at a time. The problem with their approach is that they see OSINT as a way to impress others with tech-savvy and screenshots of drugs, all while solidifying a position for themselves in the future. They rarely produce anything with evidentiary value, and if they do, courts have a field day stripping their methods and reducing them to something akin to a modern-day peeping tom. At large events, they basically troll the Internet looking for that one terrorist who decides to tweet his attack minutes before he executes it. In short, they are more like street cops roaming the city waiting to get lucky.

In the meantime, a small cadre of well-trained law enforcement intelligence professionals is working silently in the OSINT realm. These people are the true future of LE-OSINT. They don’t need a high-priced platform, but if they have one it will be one tool in their box. OSINTers of this genre may be involved in evidence gathering, but they approach it with subpoenas and court orders. Most of them, however, see OSINT as an intelligence art like HUMINT and SIGINT, which take time to learn proper gathering and analysis techniques. OSINTers of this level use targeted gathering approaches so as not to waste time rifling through hundreds of spring break photos. They spend hours preparing for large events, establishing a baseline of behavior and seeking out grassroots trends. Finally, these OSINTers respect the privacy of other users and keep an eye towards civil liberties protections.

Back to the commander and me. We spent three hours together in the command center, me working my “Matrix” style voodoo and he watching over my shoulder between trips to the meatball tray. It wasn’t until the moment I was able to provide a SITREP of the entire venue footprint that he finally sat back and shot a look of approval. I don’t know what it was he wanted to see, but it was clear I’d earned my spot in the command center for several games to come. Hopefully, as we progress, we will show how this new method of public safety is worthy of the time and money that will be spent. It is my hope that in 10 years, LE-OSINT will take its place beside special investigations and computer forensics as a respected and reputable discipline.

What is a threat assessment?

After yesterday’s post, it became evident many people had never heard of threat assessments in terms of mental health and crime prevention. Typically, assessments are not added to the calculus of overall preventative measures at the local law enforcement level. In most cases this is due to a misunderstanding of their usefulness. In other cases, unfortunately, assessments are willfully avoided in an effort to limit agency liability. In the end, we all do assessments of people, situations, buildings, syndicates and so on daily; we just don’t formalize them and distribute them outside of a controlled group. After having conducted well over 400 assessments in the last five years, I’ve learned the only good assessment is one that can be acted upon. For this to happen, they have to be sent to the people who need them most. This piece will focus on some basic tenets of an assessment. Later, I will discuss the “to whom…” portion. Understand, an in-person class on assessments lasts 10 hours, so what follows is a very compressed version.

The first thing to remember is that threat assessments are dynamic. That is to say, what is accurate now may not be so in 10 minutes. For this reason, assessors expend a lot of energy keeping the assessment as accurate as possible. Most times, the assessment will hold for the time needed to take action, whether that be mental health intervention or detainment. There are times, however, when the ink will have barely dried and the assessment needs to be updated. This point is very important to remember for two groups of people: the customer and the command staff. For this reason, both the customer and command staff must dedicate a person to continually liaise with the assessment team so pertinent updates can be pushed quickly to the end users.

The next critical element of an assessment is research. Knowing the risk a subject poses comes in part from understanding where they came from, both literally and figuratively. Assessors must dive deep into the history of the subject for this information. For law enforcement this means reading potentially dozens of police reports, arrest records, and field contact cards. The work can be tedious, but one nugget of information can make a life or death difference. For corporate security or contractors, research may be a major obstacle, but it is not an insurmountable one. Most counties across the country publish court records online, and most police departments will provide copies of reports for a nominal fee. If that is all you have, then do what you can. Take a moment to research the subject’s digital world as well. For some, you may only find a digital shadow, while others have a significant digital footprint.

Once the research is complete, the assessor moves to the analysis phase. In reality, an assessment team would simultaneously dig and analyze; however, in most agencies assessments fall on one or two people. For this reason, it is necessary to set aside time strictly for analysis. During this phase the assessor begins building a profile of the subject. They will answer questions like: Is there a history of violence? What motivated the violence? What are the subject’s stressors? Based on known information, does the subject have a plan to commit violence? Do they have means, motivation, and opportunity? What is the subject’s pattern of life? Finally, as a byproduct of good analysis, the assessor should start seeing shatter points, or weak spots, in the subject’s behavior. These become critical in the conclusion phase.

Post analysis, the assessment team needs to make a decision: what is the threat level? The assumption here is that a threat matrix already exists. If it does not, then an assessment is nothing more than a research project. The best threat matrices are simple and contain at a minimum three levels. Threat matrices with five or more levels can be cumbersome and are not conducive to true assessments. Once the assessment team has made a decision on the threat level, they need to be prepared to defend their choice. This is where the research and analysis will be scrutinized and tested. If done correctly, the threat level will coincide with the known information.

Finally, the conclusion of the assessment is where the customer will start their approach. The conclusion should highlight weaknesses in the subject’s pattern of life, violent plans, or criminal tendencies. These areas need to be exploited in order to frustrate the subject’s plan. By the time the customer reads the conclusion they should have already formulated a plan and know where their best chances of success lie. The conclusion is where analysis meets action.

As you have probably noted by now, a full-scale assessment will take time. For this reason, assessment teams should have a plan in place for short-term assessments that can be used in the interim until a full-scale product arrives. Regardless of the length, all assessments should provide actionable intelligence that can be taken by the customer and immediately applied to whatever operation is needed.

Exploiting Criminal Syndicate Risks

Combating organized crime is like cleaning oil off your driveway. There are dozens of methods to clean up the mess, yet none of them will do the job alone. Deciding how to clean the mess is just as frustrating as actually cleaning. In the same manner, many law enforcement organizations don’t know where to begin when rooting out syndicate crime. In most cases law enforcement aims its resources at the most obvious areas: street-level criminals and money. These are not altogether bad tactics; however, just like cleaning the sludge off your driveway, a few methods alone will not eradicate the syndicate. Instead of traditional methods for combating organized crime, law enforcement can learn a few tricks from traditional risk analysis.

Syndicates thrive off the fact that they don’t appear complicated on the surface. However, they typically sink deep roots into one or more methods of preserving their existence, which adds layers of complexity. Their diffused rooting, while necessary for survival, is also a weakness and can be exploited through common risk analysis. For example, when examining supply chains, business continuity plans, or site security we look at several factors including communication, redundancy, and resiliency. Using this same tactic we can expose risks within organized criminal syndicates and exploit them to collapse the enterprise.

The first step in analyzing a syndicate’s risk is to map its internal structure. For example, all successful criminal syndicates have at least three levels of organization: upper leadership, mid-level management, and foot soldiers. Many syndicates will have other operational and management levels. To adequately collapse the order you need to know the structure from top to bottom and understand how each level interacts with the ones above and below it. Mapping may not be easy if the syndicate utilizes a cellular structure; however, that too has weaknesses that can be exploited.

The next step is to detail what the syndicate needs to survive. In most cases you find common needs like communication, recruits, and possibly money. There may be several “needs,” and the more the better, because with more needs comes more risk. Once you have mapped out the group’s needs, overlay them on the structure. This will let you see which level of the group is responsible for each need. At this point, several “red flags” will become obvious. These red flags are what we call “risks.” If no red flags are obvious, then deeper analysis may be needed to expose other facets of the group, like ideology and cultural dependency.

Similar to prioritizing risks for mitigation, you now prioritize the syndicate’s risks for exploitation. Target one element and become the threat directly associated with that risk. In some cases, where the risks are cultural, this will require non-traditional law enforcement techniques like outreach and collaboration. In syndicates where the risks are not cultural and are easily identified, exploiting the weakness will threaten the group’s entire stability.

Combating organized crime through risk analysis is of course more complicated than described above; however, the basic template will not change. Every criminal syndicate has weaknesses; it’s up to law enforcement to find the weaknesses, exploit them fully, and eradicate the group.