Actionable Open Source Intelligence. Sounds Like a Spy Movie?

Two weeks ago, we discussed reducing the risk of workplace violence.  One useful tool is the gathering of actionable open source intelligence.  Open source intelligence is that which is available in the public domain.  This is intelligence that people say or post publicly; no phone lines, etc. are being tapped.  In today’s world, people are talking on social media.  When someone has ill intent, 80% of the time one other person knows, and 67% of the time two or more people know.  Social media might seem random, but it is not.  The intent to damage your business is targeted.  How can you know what people are talking about?  You must listen and then look.

Can you predict your next crisis?  We can, through the gathering of predictive actionable intelligence.  What is on social media today will be on your doorstep tomorrow.  The “craft” with this technology is distinguishing between actionable intelligence and noise.  The social media conversation is a complex one that involves semantics of speech, syntax, context, and idioms.  The words used on social media to describe something vary between locations.  Did you know that a gun in a social media conversation might be referred to as a cuete, chopper, fire stick, boom stick, gatt, gat, 9, nine, or burner?  This list grows exponentially and is often driven by song lyrics.  If you’re listening for the wrong word, you won’t hear that danger might be at your doorstep.  These words might be used for “legitimate” conversations, song lyrics, or might represent danger.  How will you know the difference?

Firestorm uses two different specialized software tools to monitor social media.  The craft is listening for words and phrases that are meaningful, while disregarding the noise.  Knowing the difference requires skill and expertise.  After you’ve selected the words and phrases you’re going to listen for, the first piece of software alerts you when these terms are used on social media.  However, this first software is not very useful in investigation.  It simply alerts you to something you ought to be aware of.  The second piece of software is useful for investigating.  We can look back in time into previous conversations had by or about the person of interest.  We can see posts by others linked to the person of interest and identify their sphere of influence.  Usually, we can track locations of the postings.

Last year, throughout the course of our daily monitoring around “guns” and “schools”, our analysts discovered a post that read, “im takin my gun to school” at 10am EST.  Within thirty minutes, using the open source tools at our disposal, we learned that the ‘poster’ was probably female, was one of two possible names, and we learned the initials of the school.  We saw that much of the posting activity was within a four-mile radius of a school on the west coast matching those initials.  We knew that school would begin in that area within minutes and were able to notify the school and authorities.

In another incident last year, our staff was alerted to the following post - “Holy [Expletive] he brought a gun to school!” [with a photo of a young person in class with a handgun].  Response: “is this even our school?”  Response: “yes in my 2nd block”

After first determining that the image posted did not appear to be a joke, our analysts were able to determine the identities of some of the persons commenting on the posts, and their location.  We learned which class the photo was probably taken in as well as the identity of the teacher.  Within a few hours, we had notified the school’s principal and provided the photo and the intelligence we had gathered.  We subsequently learned from the principal that there was a gun in the school, but the incident was a joke.  The school had a policy against jokes of this kind.  The principal was most disappointed in the school’s strong “see something say something” program that was recently implemented.  Thirty-two students had seen, “favorited”, or re-shared the original post and not one had said anything or reported it.  The second phone call received that morning about the incident came from a concerned parent who had also seen the post.  I suspect this second phone call went much better as the principal already had the intelligence and solved the problem.  Intelligence is power.

This kind of open source intelligence is available to anyone with the skill to look for it and is available for a few hundred dollars a month in most organizations depending on the complexity of the “conversations”.  It’s too inexpensive not to learn more about this technology.

For more information, I can be reached at 410-303-0635 or kmercer@firestorm.com.  www.firestorm.com.  Please join me in two weeks for my next topic on responding to a cyber-attack crisis.

Firestorm