56.9 F
Washington D.C.
Thursday, April 25, 2024

PERSPECTIVE: Hostile Events Attack Cycle from Target Selection Through Rehearsal Stage

This is the second part of an ongoing series focused on the Hostile Events Attack Cycle. Previously the discussion centered on initial surveillance in potential targets. Specifically, as part of the research into the potential targets, the attacker will typically conduct open-source searches and/or initial physical surveillance. The next phases of the Hostile Events Attack Cycle focus on target selection, intense surveillance, and planning and rehearsals, effectively finalizing the target. Depending upon the intentions of the attack (individual or group), targets are often selected for symbolic value, or to create the biggest media event to gain publicity for their cause. For example, a terrorist organization may choose a target that could cause the most harm to the most people possible, while an ideologue might choose a target that may not result in death and destruction but rather focus on something that runs contrary to their beliefs. No matter the reason, these next steps will determine the success of the attack.


During the initial surveillance phase, attackers will conduct various types of research on potential targets to identify the best opportunity for success. Whether it be through online research or through physical surveillance of people or places, this helps set the stage of target selection. The attackers will then spend time to review their observations, make notes, potentially follow up with additional surveillance and research, and then ultimately made a decision on the target.

From a threat perspective, target selection is based on a number of factors that attacker(s) work through consciously or subconsciously, and may be different from group to group. Some of these factors include the stated goals, direction, or guidance of the core or central leaders; resources and means available for the attacker(s) to carry out the attack; the security of the potential target; and desired effect or result of the attack. The guidance from higher levels of command takes into consideration what specific guidance has been pushed down from those in leadership positions, or those that an attacker may associate or recognize as a leader. A lone actor may not have a direct line leader or supervisor, but they do receive guidance and direction, directly and indirectly from those that have been assigned or associated with leadership roles. Rumiyah is one such example, as is Inspire magazine, the most famous of al-Qaeda’s online propaganda. In 2016, ISIS released “The Murtad Vote,” an essay advising would-be attackers to target the American voter with the suggestion that the voter was just as culpable because they have a decision in whom they choose as a representative. In Rumiyah 9, they encouraged their members to acquire weapons and take hostages not for ransom but “to create as much carnage and terror as one possibly can.” The primary motivation is simply carnage and destruction. While details on holding hostages are elaborated on, this type of attack sets a dangerous, open-ended targeting model. Effectively, everything is in play as long as “carnage and terror” is achieved.

This type of ideological or directed guidance helps establish a dangerous precedent and should be included in security planning and updating threat intelligence updates and courses of action. Again, within Rumiyah 9, the “Just Terror Tactics” highlights Truck Attacks and lists “ideal targets” including “Large Outdoor Festivals, Conventions, Celebrations, and Parades” among other targets. However, target selection can also be influenced through grievances as outlined in the recent FBI analysis in “A Study of the Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013”: “the cause of the active shooter’s distress or resentment – not necessarily based in reality – of having been wronged or treated unfairly or inappropriately.” Furthermore, the grievance leads to a sense of injustice and needing to right the wrong; it serves as the rationale for the attacker to carry out their attack and can help with target selection and will push the attacker into the next phase.


Once the target is selected, the attacker will answer all the outstanding questions, expand collection efforts through surveillance, and lock down all the unknowns in order to make sure their attack is as successful as possible as was done in the preceding phases. Intense surveillance is a heightened activity. Whereas initial surveillance will help identify potential weaknesses, it does not go further than passive actions; attackers want to find the best target, but not because that target to be alerted to suspicious incidents. Building upon the initial surveillance, the period of intense surveillance will go into much more detail and will involve a lot more “time on target,” or time that is spent observing and getting to know the target in-depth. This allows the attacker to learn as much as possible and help build the attack plan. Going into the surveillance and target selection, the attacker will likely have an initial concept in mind, but the surveillance will help determine if that is a viable course of action. And it may even identify additional vulnerabilities that may make the target much more susceptible to a larger attack.

While all phases of the attack cycle are important, it can be argued that the intense surveillance phase can have the most impact in determining success or failure of the attack. As a result, this phase of the Hostile Events Attack Cycle can take a long period of time. The attacker will want to know definitively that the attack will be a success, or at least guarantee themselves of success on some level. It is also important to point out that the act of surveillance does not need to be a covert activity wherein an individual or group strictly hides in bushes. Attackers can conduct surveillance as part of their normal day-to-day activities, such as going to the mall or visiting a tourist location. They will know the target simply because they have seen it enough to know. Additionally, terrorist and extremist groups provide advice and information regarding targets in their communications channels or in propaganda to help attackers understand without having to do much physical surveillance.

Nevertheless, an attacker can utilize several different methods to conduct this surveillance. The two most basic forms are mobile (surveillance in which the attacker follows the target, or drives by the target via foot, or vehicle), and static, or fixed point, surveillance (surveillance from one location, i.e., an observation post outside a target location). The attacker can use either or, but good surveillance incorporates both to learn as much as possible. In addition to the basic forms, there are other tools attackers can use such as online surveillance – learning about the target through analysis of their online footprint (websites, social media, etc.) – and, as an offshoot of mobile surveillance, aerial surveillance which incorporated drones to discreetly follow a target or surveil a fixed location. Aerial surveillance can be considered part of mobile or static surveillance; it is also important to single it out as a separate area to signify the emerging threats and planning and preparedness consideration of drones.

Depending on the target, some key examples of what intense surveillance will want to determine include, but are certainly not limited to:

  • Target is a person:
    • Confirm daily schedule – to and from work, after-work activities, weekend activities
    • Does target vary travel patterns
    • Identify known associates
    • Identify locations the target frequently visits; what is the level of security at those locations
  • Target is a location:
    • What are the layers of security outside and inside the location, are there roving patrols on foot by security personnel or vehicle patrols, how often and how many people are involved?
    • Does the facility have external surveillance platforms?
    • Does the facility have a receptionist or check in area; what is that like?
    • Are there alternate entrances that are not secure?
    • Does the facility have a loading dock or delivery area; what is that security like?
    • How often are deliveries made and on what schedule?
    • What is the security response to suspicious events or materials?

It’s important to point out and dispel a misconception: surveillance of the target does not always have to be done strictly at the target site. For example, the Manchester concert bombing attack in 2017 happened at a sports arena, and while the attacker wanted to know as much as possible about this one specific arena, for this type of attack, specific details may not have been necessary. So, the attacker can also use similar type locations to identify potential vulnerabilities. Recognizing that arenas will follow similar protocols in their security plans (why reinvent the wheel, right?), the attacker may have done surveillance in other locations. Organizations should recognize that the threat is present.


The period immediately preceding Planning and Rehearsals, Intense Surveillance, is particularly heightened activity for the attacker and target. The attacker will have spent more “time on target” to get to know the target in-depth. This information will help shape the attack plan and, in many ways, make it clear to the attacker the type of attack needed. However, as the phases change, the level of exposure does as well. Whereas surveillance requires a level of visibility with the target, which can potentially expose the attacker to the target in varying degrees, planning and rehearsals are done independent of the target. Taking all the information developed to date, the attacker will formalize the plan and begin to build the various phases of the attack: pre-attack, to include logistics planning; actions at the target; and post-attack (escape/evasion/death). A great example to show the level of detail that goes into planning was during the Charleston, S.C., church shooting in 2015. Not only did the attacker do intensive surveillance, but this was followed by detailed planning and rehearsals that included firing his weapon and reloading it at various outdoor locations and in his backyard. The attacker understood the target, visited the site, and even made phone calls to the location. He knew when a group meeting was taking place because his surveillance (discreet and open source) had validated it, and he knew it was the oldest black church in the South. He carried eight magazines with 11 rounds each, even though they could hold up to 13, to ensure there were 88 rounds. The number 88 is a symbolic reference to Hitler. His original plan was to use a remaining round to commit suicide when the cops arrived, but since they did not come, he fled the scene and was on the run for 17 hours before being caught. This was part of the plan that failed him – he had no backup for suicide.

Depending on the size of the attack and the number of attackers, there may be formalized or informal planning meetings to discuss the specific details of the attack. The details of each phase are important to understand the level of detail that goes into an attack as well as to help assess security and possibly implement changes as needed. Some of the planning considerations are listed below:

  • Pre-Attack Planning:
    • Of critical importance is ensuring the attacker has the right tools, equipment and weapons available to accomplish the task, or at least develop a way to acquire those.
    • Logistics planning will also include how the attacker will arrive, and whether or not the attacker will need to escape and evade law enforcement.
  • Attack Planning:
    • The attacker will need to identify how to approach the target and leave the target location. If the target is a building, then how will the attacker enter and exit. This is where surveillance is critically important. The attacker will need to know what obstacles/security could be in the way of their objective and how to defeat those obstacles.
    • The attacker will need to ensure they have the best chance to accomplish their mission, so depending on the attack method they will need to ensure that they know where they are going and where to set up the attack.
    • If the attack involves multiple people, they will each have assigned roles and responsibilities. The attack planning will finalize this and assign tasks.
    • The attacker will also need to identify the response from security and outsiders and consider possible variables that may impact accomplishing the task.
  • Post-Attack Planning:
    • Much of this depends on whether the attacker intends to give their life in order to inflict as much damage and casualties as possible, or if the attacker intends to escape and evade security/law enforcement.
    • If survival is a consideration, then some escape and evasion considerations will incorporate disposal of equipment and weapons.
    • An additional planning consideration is whether a support network is used to help the escape and the plan for leaving the immediate area.

 Once the attack planning has taken place, it will be necessary for the attacker to rehearse the plan and especially the key elements of the plan in order to ensure they can properly execute the plan. This can be accomplished in a manner similar to a tabletop exercise or using a scalable model, which is a more advanced method. If possible, a scaled mock-up would be beneficial to the attacker to rehearse properly. This will help the team identify potential issues. This may also cause the attacker to go back and conduct additional surveillance or change the plan slightly, which could be a good opportunity to identify indicators of a potential attack. Familiarity with the target will have an impact on this as it did with surveillance. So, whether the rehearsal is a full-scale model or a mental walk through, reviewing and rehearsing the plan often takes place.

To understand whether your organization is a potential target, it is important to first understand the threat environment and the potential threats to your organization(s), and their potential end state – KNOW THE THREAT. Obtaining and consuming Threat Intelligence through information-sharing organizations, as well through government partners, local neighbors, professional services and/or open-source information, and other means are important to ascertaining the threat level and the potential threat courses of action to plan against. Understanding this and recognizing how attacks against your organization may occur will enable security teams to develop informed risk assessments and develop sound mitigation strategies.


The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.

author avatar
David Pounder
David Pounder is the Director, Threat and Risk Analysis at Gate 15 and serves as an Information Security Officer for a leading financial organization. He advises on both physical and cyber security issues, and specializes in counterterrorism, force protection, and counterintelligence efforts.
David Pounder
David Pounder
David Pounder is the Director, Threat and Risk Analysis at Gate 15 and serves as an Information Security Officer for a leading financial organization. He advises on both physical and cyber security issues, and specializes in counterterrorism, force protection, and counterintelligence efforts.

Related Articles

- Advertisement -

Latest Articles