Close Protection Domain
Welcome to Close Protection Domain,

Please Log In or Register.
Security is our main priority and you will not be able to view posts or navigate on CPD until you register or Log In.

Great article on surveillance detection

Go down

Great article on surveillance detection

Post by Ted-Pencry on 8/1/2014, 16:12

Last week's Security Weekly discussed the fact that terrorism is a tactic used by many different classes of actors and that, while the perpetrators and tactics of terrorism may change in response to shifts in larger geopolitical cycles, these changes will never result in the end of terrorism. 

Since that analysis was written, there have been jihadist-related attacks in Afghanistan, Nigeria, Yemen and Pakistan, an assassination attempt against the president of Abkhazia, and a failed timed-incendiary attack against the Athens subway. (The latter incident, which militant anarchists claimed, reinforces that jihadists are not the only ones who practice terrorism.)

But while terrorism is a continuing concern, it can be understood, and measures can be taken to thwart terrorist plots and mitigate the effects of attacks. Perhaps the most important and fundamental point to understand about terrorism is that attacks do not appear out of nowhere. Individuals planning a terrorist attack follow a discernible cycle -- and that cycle and the behaviors associated with it can be observed if they are being looked for. We refer to these points where terrorism-related behavior can be most readily observed as vulnerabilities in the terrorist attack cycle.


The Attack Cycle


Many different actors can commit terrorist attacks, including sophisticated transnational terrorist groups like al Qaeda; regional militant groups like India's Maoist Naxalites; small, independent cells like the anarchists in Greece; and lone wolves like Oslo attacker Anders Breivik. There can be great variance in attack motives and in the time and process required to radicalize these different actors to the point that they decide to conduct a terrorist attack. But once any of these actors decides to launch an attack, there is remarkable similarity in the planning process.

First, there is the process of selecting or identifying a target. Often an actor will come up with a list of potential targets and then select one to focus on. In some cases, the actor has preselected a method of attack, such as a vehicle-borne improvised explosive device, and wants to find a target that would be vulnerable to that specific type of attack. In other cases, the actor will pick a target and then devise a method of attack based on that target's characteristics and vulnerabilities. 

Simply put, the execution of these steps can be somewhat fluid; some degree of planning or preparation can come before target selection, and sometimes target selection will be altered during the planning process. The time required to execute these steps can also vary considerably. Some attacks can be planned and executed within hours or days, while more complex plans, such as those used in the 9/11 or Mumbai attacks, may take months or even years to complete.

Frequently, those planning an attack will conduct detailed surveillance of potential targets to determine what security measures are in place around the target and to gauge whether they have the ability to successfully attack it. If the target is too difficult to attack -- commonly known as a hard target -- the attack planners will typically move on to their next target, which may prove easier to attack. (When they do continue with attacks against targets whose security measures exceed the attackers' capabilities, those attacks fail.) We refer to this stage as preoperational surveillance, which means surveillance that is conducted before the operation is fully planned.

After the target has been selected, a second round of surveillance is conducted. This round will be far more detailed and is intended to provide all the details necessary for planning the attack. For example, if the attack is being planned against a static facility, this round of surveillance will generally try to obtain a detailed description of the target's physical security features and security force procedures. It will also focus on establishing a baseline understanding of the activity that can be expected around the facility at the time of day the attack is anticipated.

If the target of the attack is an individual, the individual's residence, office and other places the individual frequents will be surveilled. Additionally, the surveillance team will look for patterns and routines that the target follows between these known locations. The team will often analyze the target's usual routes looking for choke points, or places the target must pass to get from one point to another. If the surveillance team identifies a choke point that the target passes through predictably, it will then try to determine whether that point will allow the attackers to deploy in secret, permit them to spot and control the target, and provide them with good escape routes. If it does, this point will frequently be chosen as the attack site.

In the case of large organizations, different groups or individuals may conduct different phases of the surveillance. Many organizations use specialized operatives for surveillance, though the operational planner will often attempt to get eyes on the target to help with the planning process. For instance, it is known from court testimony in the Mumbai case that David Headley made five extended trips to Mumbai as those attacks were being planned. The repeated trips were required because the operational commanders in Pakistan considered India a hostile environment and the operational planners could not go there to conduct the surveillance themselves. As a result, Headley was sent to observe and report on specific things as planning for the attacks progressed.

During the planning phase, the personnel to be used in the attacks are identified and trained in any special skills they may require for the mission, including languages, marksmanship, hand-to-hand combat, small-boat handling or land navigation. To protect operational security, the operatives may not be briefed in any great detail about the target of their operation until they are very close to being deployed.

Many times the planning phase will end with a dry run, as the preparation did for the 9/11 attacks, when some of the hijackers took their assigned flights in August 2001. While conducting a dry run, the attackers will generally be unarmed to ensure they do not needlessly bring law enforcement attention to themselves.
Sometimes an attacker will have acquired weapons for the attack before the planning phase. Other times the concept of the operation will be constrained by the weapons and money available. But quite frequently, the weapons for the attack will be acquired during the planning phase, after the target has been selected and the means of attack have been established.

Once planning, training and weapons acquisition are complete, the attack team can be deployed. The attack team frequently will again conduct surveillance of the target, especially if the target is mobile and the attack team is deployed and waiting at a predetermined attack site.

If it was properly planned, an attack is very likely to succeed once it has moved to the operational phase. Sometimes attacks do fail because of mistakes or bad luck, but by and large there is no way to stop an attack once it has been set in motion.

At the attack's conclusion, the attackers will seek to escape the scene. The exception is suicide attacks or when, like Breivik, the attacker intends to be captured as part of the media exploitation phase, the final step in the cycle.

Regardless of whether the attack is a suicide attack against a church in Nigeria or a timed-incendiary attack against a subway in Athens, the same attack cycle is followed. With an eye toward averting future attacks, a thoughtful observer can use the attack cycle model to understand how an attack was planned and executed.

Vulnerabilities


While plots are occasionally thwarted at the last second, for the most part law enforcement and security personnel must detect and interdict the plot before it gets to the attack phase to have any chance of stopping it. Once the bullets fly or the explosive device is detonated, there is little security forces can do but initiate their immediate action drills in an effort to reduce the body count. This means that an emphasis must be placed on identifying attackers earlier in the process, well before they are in a position to strike.

Unless security forces have a source inside the group that is planning the attack or manage to intercept the group's communications, the only way to identify attack planners is by noting their actions. This is especially true of a lone wolf attack, where no external communication occurs. The earliest point in the attack cycle that the attackers can be identified by their actions is during the preoperational surveillance required for target identification.

There is a widely held conception that terrorist surveillance is generally sophisticated and almost invisible, but when viewed in hindsight, it is frequently discovered that individuals who conduct terrorist surveillance tend to be quite sloppy and even amateurish in their surveillance tradecraft. We will discuss what bad surveillance looks like, and how to recognize it, in more detail next week, but for now it is sufficient to say that poor surveillance tradecraft is a significant vulnerability in the terrorist attack cycle.

As noted above, additional surveillance is often conducted at later stages of the attack cycle, such as in the planning stage and even sometimes in the attack stage, as the attackers track the target from a known location to the attack site. Each instance of surveillance provides an additional opportunity for the assailants to be identified and the attack to be prevented.

During the planning phase and as the operatives prepare to deploy, communication between and movement of group members often increases. Additionally, group members may engage in outside training that can attract attention, such as playing paintball, visiting the firing range or, as was the case with the 9/11 pilots, attending flight schools. This increase in activity, which also might include money transfers, leaves signs that could tip off the authorities.

Another significant vulnerability during the attack cycle is weapons acquisition. This vulnerability is especially pronounced when dealing with inexperienced grassroots operatives, who tend to aspire to conduct spectacular attacks that are far beyond their capabilities. For example, they may decide they want to conduct a bombing attack even though they do not know how to make improvised explosive devices. It is also not uncommon for such individuals to try to acquire Stinger anti-aircraft missiles, automatic firearms or hand grenades. When confronted by this gap between their capability and their aspirations, grassroots operatives will often reach out to someone for help with their attack instead of settling on an attack that is within their ability. Increasingly, the people such would-be attackers are encountering when they reach out are police or domestic security agency informants.

As far back as 2010, jihadist leaders such as Nasir al-Wahayshi of al Qaeda in the Arabian Peninsula recognized this problem and began to encourage grassroots jihadists to focus on conducting simple attacks against soft targets. Nevertheless, grassroots jihadists are consistently drawn toward spectacular attacks, as seen in the Feb. 17 arrest near the U.S. Capitol of a Moroccan man who thought his handler, who was in fact an FBI informant, had equipped him for a suicide attack. Unlike most jihadists, other types of grassroots militants, such as anarchists, are far more comfortable conducting simple attacks with readily available items.

Personality traits and psychological profiles aside, anyone desiring to plan a terrorist attack must follow the attack planning cycle, which at certain stages will necessarily open them up to detection.
As we noted last week, terrorist attacks do not materialize out of thin air. In fact, quite the opposite is true. Those planning terrorist attacks follow a discernable process referred to as the terrorist attack cycle. We also discussed last week how terrorism planners are vulnerable to detection at specific points during their attack cycle and how their poor surveillance tradecraft is one of these vulnerable junctures.
While surveillance is a necessary part of the planning process, the fact that it is a requirement does not necessarily mean that terrorist planners are very good at it. With this in mind, let's take a closer look at surveillance and discuss what bad surveillance looks like.


Eyes on a Potential Target
As noted above, surveillance is an integral part of the terrorist planning process for almost any type of attack, although there are a few exceptions to this rule, like letter-bomb attacks. The primary objective of surveillance is to assess a potential target for value, security measures and vulnerabilities. Some have argued that physical surveillance has been rendered obsolete by the Internet, but from an operational standpoint, there simply is no substitute for having eyes on the potential target -- even more so if a target is mobile. A planner is able to see the location of a building and its general shape on Google Earth, but Google Earth does not provide the planner with the ability to see what the building's access controls are like, the internal layout of the building or where the guards are located and what procedures they follow.

The amount of time devoted to the surveillance process will vary depending on the type of operation. A complex operation involving several targets and multiple teams, such as the 9/11 operation or 2008 Mumbai attacks, will obviously require more planning (and more surveillance) than a rudimentary pipe-bomb attack against a stationary soft target. Such complex operations may require weeks or even months of surveillance, while a very simple operation may require only a few minutes. 

The amount of surveillance required for most attacks will fall somewhere between these two extremes. Regardless of the amount of time spent observing the target, almost all terrorist planners will conduct surveillance, and they are vulnerable to detection during this time.

Given that surveillance is so widely practiced, it is amazing that, in general, those conducting surveillance as part of a terrorist plot are usually terrible at it. There are some exceptions, of course. Many of the European Marxist terrorist groups trained by the KGB and Stasi practiced very good surveillance tradecraft, but such sophisticated surveillance is the exception rather than the rule.

The term "tradecraft" is often used in describing surveillance technique. Tradecraft is an espionage term that refers to techniques and procedures used in the field, but the term also implies that effectively practicing these techniques and procedures requires a bit of finesse. Tradecraft skills tend to be as much art as they are science, and surveillance tradecraft is no exception. 

As with any other art, you can be taught the fundamentals, but it takes time and practice to become a skilled surveillance practitioner. Most individuals involved in terrorist planning simply do not devote the time necessary to master the art of surveillance, and because of this, they display terrible technique, use sloppy procedures and generally lack finesse when they are conducting surveillance.

The main reason that people planning terrorist attacks are able to get by with such a poor level of surveillance tradecraft is because most victims simply are not looking for them. Most people do not practice situational awareness, something we are going to discuss in more detail next week. For those who do practice good situational awareness, the poor surveillance tradecraft exhibited by those planning terrorist attacks is good news. It provides them time to avoid an immediate threat and contact the authorities.
Keying on Demeanor

The behavior a person displays to those watching him or her is called demeanor. In order to master the art of surveillance tradecraft, one needs to master the ability to display appropriate demeanor for whatever situation one is in. Practicing good demeanor is not intuitive. In fact, the things one has to do to maintain good demeanor while conducting surveillance frequently run counter to human nature. Because of this, intelligence, law enforcement and security professionals assigned to work surveillance operations receive extensive training that includes many hours of heavily critiqued practical exercises, often followed by field training with a team of experienced surveillance professionals. This training teaches and reinforces good demeanor. Terrorist operatives typically do not receive this type of training -- especially those who are grassroots or lone wolf militants.

At its heart, surveillance is watching someone while attempting not to be caught doing so. As such, it is an unnatural activity, and a person doing it must deal with strong feelings of self-consciousness and of being out of place. People conducting surveillance frequently suffer from what is called "burn syndrome," the belief that the people they are watching have spotted them. Feeling "burned" will cause surveillants to do unnatural things, such as hiding their faces or suddenly ducking back into a doorway or turning around abruptly when they unexpectedly come face to face with the person they are watching.

People inexperienced in the art of surveillance find it difficult to control this natural reaction. A video that recently went viral on the Internet shows the husband of the president of Finland getting caught staring down the blouse of a Danish princess. The man's reaction to being caught by the princess was a textbook example of the burn syndrome. Even experienced surveillance operatives occasionally have the feeling of being burned; the difference is they have received a lot of training and they are better able to control their reaction and behave normally despite the feeling of being burned. They are able to maintain a normal-looking demeanor while their insides are screaming that the person they are watching has seen them.

In addition to doing something unnatural or stupid when feeling burned, another very common mistake made by amateurs when conducting surveillance is the failure to get into proper "character" for the job or, when in character, appearing in places or carrying out activities that are incongruent with the character's "costume." The terms used to describe these role-playing aspects of surveillance are "cover for status" and "cover for action." Cover for status is a person's purported identity -- his costume. A person can pretend to be a student, a businessman, a repairman, etc. Cover for action explains why the person is doing what he or she is doing -- why that guy has been standing on that street corner for half an hour.

The purpose of using good cover for action and cover for status is to make the presence of the person conducting the surveillance look routine and normal. When done right, the surveillance operative fits in with the mental snapshot subconsciously taken by the target as the target goes about his or her business. Inexperienced people who conduct surveillance frequently do not use proper (if any) cover for action or cover for status, and they can be easily detected.

An example of bad cover for status would be someone dressed as "a businessman" walking in the woods or at the beach. An example of bad cover for action is someone pretending to be sitting at a bus stop who remains at that bus stop even after several buses have passed. For the most part, however, inexperienced operatives conducting surveillance practice little or no cover for action or cover for status. They just lurk and look totally out of place. There is no apparent reason for them to be where they are or doing what they are doing.

In addition to plain old lurking, other giveaways include a person moving when the target moves, communicating when the target moves, avoiding eye contact with the target, making sudden turns or stops, or even using hand signals to communicate with other members of a surveillance team or criminal gang. Surveillants also can tip off the person they are watching by entering or leaving a building immediately after the person they are watching or simply by running in street clothes.

Sometimes, people who are experiencing the burn syndrome exhibit almost imperceptible behaviors that the target can sense more than observe. It may not be something that can be articulated, but the target just gets the gut feeling that there is something wrong or odd about the way a certain person is behaving toward them. Innocent bystanders who are not watching someone usually do not exhibit this behavior or trigger these feelings.

Principles of Surveillance Detection


The U.S. government often uses the acronym "TEDD" to illustrate the principles that can be used to identify surveillance conducted by counterintelligence agencies, but these same principles also can be used to identify terrorist surveillance. TEDD stands for time, environment, distance and demeanor. In other words, if a person sees someone repeatedly over time, in different environments and at a distance, or someone who displays poor surveillance demeanor, then that person can assume he or she is under surveillance.

However, for an individual, TEDD is really only relevant if you are being specifically targeted for an attack. In such an instance, you will likely be exposed to the time, environment and distance elements. However, if the target of the attack is a subway car or a building you work in rather than you as an individual, you likely will not have an opportunity to make environment and distance correlations, and perhaps not even time. You will likely only have the demeanor of the surveillant to key on. 

Therefore, when we are talking about recognizing surveillance, demeanor is the most critical of the four elements. Demeanor also works in tandem with all the other elements, and poor demeanor will often help the target spot the surveillant at a different time and place or in a different environment.

Time, environment and distance also have little bearing in an instance like the Fort Hood shooting, where the assailant is an insider, works at a facility and has solid cover for action and cover for status. In such instances, demeanor is also critical in identifying bad intent.

The fact that operatives conducting surveillance over an extended period can change their clothing and wear hats, wigs or other light disguises -- and use different vehicles or license plates -- also demonstrates why watching for mistakes in demeanor is critical. Because of a surveillant's ability to make superficial changes in appearance, it is important to focus on the things that cannot be changed as easily as clothing or hair, such as a person's facial features, build, mannerisms and gait. Additionally, while a surveillant can change the license plate on a car, it is not as easy to alter other aspects of the vehicle such as body damage (scratches and dents). Paying attention to small details can be the difference between a potential attacker being identified and the attacker going unnoticed.

One technique that can be helpful in looking for people conducting long-term surveillance is to identify places that provide optimal visibility of a critical place the surveillant would want to watch (for example, the front door of a potential target's residence or office, or a choke point on a route the potential target frequently travels). It is also important to look for places that provide optimal visibility, or "perches" in surveillance jargon. Elevated perches tend to be especially effective since surveillance targets rarely look up. Perches should be watched for signs of hostile surveillance, such as people who don't belong there, people lurking, or people making more subtle demeanor mistakes.

Paying attention to the details of what is happening around you (what we call practicing good situational awareness) does not mean being paranoid or obsessively concerned about security. Living in a state of paranoia and looking for a terrorist behind every bush not only is dangerous to one's physical and mental health but also results in poor security. We are going to talk more about practicing a healthy and sustainable level of situational awareness next week.

_________________
Close Protection Domain
Contact: info@cp-domain.com

Please make sure you read the forum rules before posting.

avatar
Ted-Pencry
CPD Founder & Administrator
CPD Founder & Administrator

Posts : 1977
Join date : 2012-08-23
Location : London

https://www.linkedin.com/pub/ted-pancri/5a/170/7a4

Back to top Go down

Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum