Debra Kirby

Share this post

Sep 1, 2022

The details of active assailant attacks sear through our inboxes, browsers and TVs daily. There have been incidents in Buffalo, Boulder, El Paso, Highland Park, and many other cities. And in each case we hear about, it’s clear that the killer spent weeks signaling his awful intent on social media before taking action. The Federal Bureau of Investigation (FBI) reported 61 active shooter incidents in 2021, reflecting an increase of more than 50% compared to the previous year.

Social media has been increasingly linked with these mass shootings. For example, the assailant in the Buffalo, New York, mass shooting was reported to have used several social media platforms to plan his attack, the extent of which remains under review. However, in this case and many others, no one looked at the attacker’s social media activity until after people died. That’s a shame because, for entities such as large cities, employers and school systems, a proactive approach using open-source intelligence (OSINT) and threat monitoring might have saved many lives.

What Is OSINT?

Think of it as online research, assessment, and monitoring of social media platforms, public websites, online discussions, message boards, and other public forums to uncover issues impacting an organization's or individual's safety, assets, or interests.

Typically, OSINT is structured in one of three ways: (1) as a critical component of ensuring special event security; (2) as a one-time review or investigation supporting any number of corporate, organizational or individual objectives; or (3) as ongoing OSINT monitoring, with a periodic reporting schedule, supporting a broader approach to strategic risk management and prevention. It can also take the form of a stand-alone task, focusing on a specific individual’s or group’s activity on social media.

What Are the Primary Activities Associated With OSINT?

Our team at Jensen Hughes provides a range of OSINT support for our clients based on their needs and risk issues. A well-trained OSINT team commonly approaches monitoring with three tactics:

  • Finding and ranking influencers around a discrete and specific topic of interest, such as a planned event, issue of concern or a corporate brand.
  • Focusing on geographical locations or areas where publicly posted items originate.
  • Locating and identifying individuals making relevant references or expressing negative sentiments about the organization or individuals at risk.

What Do OSINT Monitors Look For?

In general, the OSINT monitoring and analysis team scans for damaging reputational statements, false information, posts that reflect behaviors of concern, and criticisms or threats referring to the organization or individual. Each one of these may represent “red flags” (e.g., WAVR21) that can, in some cases, reflect behaviors signaling a potential attacker’s pathway to violence.

Think of this journey as often starting with an original “trigger event” (e.g., loss of a job, bankruptcy, discontinuation of medications). Research conducted by the FBI and other entities into the behaviors of would-be attackers confirms that many attackers evolve along a path, from violent ideation to research and planning to pre-attack behaviors such as probing and breaches. Often, this information is identified after an event as part of the investigation. OSINT assessment can be used proactively to determine where and how far along an individual is relative to the behaviors that signal a pathway to violence.

How Do OSINT Teams Go About Uncovering Red Flags?

Using tools supported by manual analysis, open-source intelligence teams monitor social platforms such as Twitter, Instagram, YouTube, VK and Tumblr, as well as various message boards and blogs. They conduct keyword searches that may reveal potential issues related to unknown factors, negative sentiment, criminal behavior, and references to key locations, parties and functions. They can also focus their monitoring by geography. Examining social media generated from a particular location of interest allows for insight into potential criminal conduct, intentional or inadvertent posting of confidential information, and virtual surveillance of events or areas of interest.

Using link analysis, OSINT teams also seek to identify key influencers for insight into the actions of organized groups or criminal networks. For example, they’ll look at who the influencers are, what their intent may be and whether their postings provide any information that can help focus additional research or even trigger intervention.

Finally, OSINT teams spend a lot of time on analysis. They look to establish a broader context for evidence of interest, such as determining whether it relates directly or indirectly to risks, threats, or vulnerabilities of the client’s people, brand, assets, and reputation.

What Happens When an OSINT Team Makes a Significant Discovery?

It depends on the client. The OSINT team should alert the client immediately at any time during the process if concerning information arises. Less than urgent information is typically compiled in a report that identifies specifics and trends – either as a single report or as a series of ongoing daily, weekly or monthly monitoring updates.

Upon receipt of this information, the client has several choices. First, they can elect to take no further action, whether monitoring is continued or not. Second, the client can direct the monitoring team to capture and preserve the evidence (including metadata) for potential future reference or action. Third, they can enhance security and workplace violence prevention activities to address the threats identified.

The client might choose to enhance OSINT monitoring by focusing on one or several areas, increasing monitoring frequency, or expanding to include additional individuals, events, locations or keywords. Based upon the threat level, they could also choose to authorize physical surveillance or direct engagement with the individuals if their identity and location can be determined.

Finally, the client could decide to take legal action or bring law enforcement into the picture, especially if a prosecutable crime had occurred (e.g., stalking, trespassing). In any case, OSINT provides the opportunity to understand the threat environment and help inform a formal risk assessment of any threats faced by the client.

We Have the Tools to Help Save Lives. We Need to Use Them.

Open-source intelligence monitoring and analysis isn’t a magic wand you wave and - poof! - the risk of workplace violence just disappears. As with any investigation, planning, skill, tools and expertise are required to be effective in assessing risk and threat. However, OSINT can inform and prevent workplace violence. For example, although school officials had been monitoring students' social media before the deadly shooting in Uvalde, Texas, they failed to pick up on posts from the gunman, including those that reportedly stated his intent.

Ideally, as part of the review, officials will identify what did not work in the monitoring program so that harm to others can be prevented in the future. They can then share this finding with the larger community of threat assessors and OSINT teams. We know that, for schools in particular, children communicate through social media platforms.

The focus should be on continuing to include OSINT as one countermeasure in a layered approach to violence prevention, ensuring it is supported by a logical, investigative plan and review and appropriately trained personnel. Such an approach will identify opportunities to intervene and help save lives in the future.

Headshot of Debra K. Kirby

About the author

Debra K. Kirby
Debra brings command experience in patrol operations, investigations, organized crime, law enforcement training, policy development, data-led policing and internal affairs with an acute focus on integrity systems, covert operations and the need for strong accountability practices in support of operational priorities.