Threats operate in all shapes and sizes, and whether by design or not they tend to follow a common process, which can be identified as the Hostile Events Attack Cycle. Whether it is a physical attack designed to inflict mass casualties or an attack on facilities or infrastructure, this process helps aspiring attackers plan, prepare, execute, and sometimes escape. While not discounting attacks that are a result of spur-of-the-moment emotional or life-changing events, most physical terrorist or criminal attacks require immense planning and preparation in order to achieve operational success. In a three-part series, we will explore these individual steps in greater detail, focusing on what they are, how the attacker conducts each step, and what organizations can do to defend against potential attacks. In this first part, we will discuss the overall cycle, the importance of early identification and some of the ways to mitigate the potential risk, ultimately protecting organizations, people and facilities.
Over the past several years, incidents have demonstrated attackers’ adherence to the Hostile Events Attack Cycle. One textbook example is convicted South Carolina church shooter Dylann Roof. Roof conducted several, if not all, of the elements of the cycle. He conducted operational planning up to nine months prior to executing his attack. During this time, he routinely traveled to the target location, practiced shooting in his backyard, and posed for pictures with items commonly associated with White Supremacist movements. Most of these actions were known to associates or relatives but were never reported to authorities. While there is no documented evidence that Roof followed a specific planning process, he was by all accounts following the Hostile Events Attack Cycle. He clearly identified the target, even visiting the attack location as a church-goer; he conducted initial surveillance followed by more intense observation; he rehearsed his actions with shooting and magazine exchange exercises; he finally conducted the attack and attempted to evade authorities prior to his ultimate arrest.
Several other examples include:
- In the 2017 Barcelona attack, the cell behind the attacks had been planning for the attack up to two months prior and had been building bombs at another location in support of the attack. It was also learned that the group had plans for larger attacks at other tourist locations.
- In the 2017 Egypt mosque attack, over 300 worshippers were attacked by a group of 25-30 individuals dressed in military uniforms and using heavy weapons, exhibiting a sophistication in which planning and preparedness were clearly evident. The attack was initiated by an explosion outside the mosque, which caused worshippers to try to flee the mosque, at which time they were met by the assault group. Based on the surprise and speed of the attack, the attackers were also able to escape the attack site.
- The attacker in the 2017 Las Vegas massacre attended similar concerts prior to his attack and had 23 weapons in his hotel room to be used in the attack. Additionally, he established defensive measures around his hotel room.
- Terrorist attacks in Europe have utilized established support networks on the continent helping attackers in Brussels and Paris identify potential targets, assist with operational planning, and remain in safe environs while providing escape routes and safehouses in the aftermath of their attacks.
- The attacker in the 2015 Berlin Christmas market attack fled through the Netherlands before traveling to Italy where he was ultimately killed. Authorities believe his escape was an attempt to evade detection, and thus indicates a level of forethought and planning.
- In Canada, an attacker entered a Quebec City mosque during prayer time and fired indiscriminately at worshippers, killing five. The attacker was known to have anti-immigrant and anti-Muslim beliefs, and had a base level of understanding about when the most people would be at the target location in order to initiate the attack.
Depending on the attack method, prevention can vary. For lone-actor attacks such as those by Dylann Roof or Nidal Hasan (the convicted killer at Fort Hood), and with individuals who are isolated or ostracized within their community, it can be extremely difficult to prevent their planning. However, there are some common indicators of an individual’s movement toward violent action that can be detected and provide opportunities to frustrate plots and prevent tragedy. By following a routine attack cycle, individuals repeatedly expose themselves to detection and disruption, whether they know it or not. Some of these exposure points provide windows of opportunity that, albeit limited in most cases, can be identified. According to a recent FBI analysis, “Each bystander in a person of concern’s sphere represents an opportunity to identify potential warning behaviors.” Behavior supports assessments as to the appropriate level of concern and guides management strategies. While some attacks are thwarted at the “last second,” security personnel, supported by a trained and aware workforce, have the opportunity to detect and interdict many plots before they reach the lethal attack phase.
Threat briefings remain important in helping employees recognize behavior patterns. These briefings should not just focus on nation-state sponsored or terrorist-inspired attacks. These should include active shooter and workplace violence attacks. Case studies and field studies by law enforcement organizations are excellent training aids to help train employees and alert them to warning signs. In another study conducted by the FBI, 50 active shooter incidents between 2016 and 2017 were identified in 21 states. Those incidents resulted in 221 deaths and almost 722 wounded, which is up from 231 casualties between 2014 and 2015. Within each incident, there are certain behavior patterns that could potentially identify a trigger which could cause a frustrated employee to become violent. In a 2016 Washington, D.C., incident, an employee voiced his anger to a co-worker and threatened to kill specified employees when he learned his contract would not be renewed. The co-worker promptly alerted authorities and ultimately prevented a potential disaster.
Phase 1: Initial Target Consideration. In the initial planning stages of an attack, attackers will consider many targets based on or influenced through a multitude of factors including personal beliefs, inspiration from terrorist groups or individuals in the way of propaganda, or a reaction to an event in their life. As part of the process to whittle those choices down, the attacker will need to identify which target represents the best opportunity to achieve their desired end state, whether that is to inflict a desired amount of damage and bring notoriety to themselves or their cause. The attacker will conduct initial research to identify basic background information about each potential target and identify questions that need to be answered prior to ultimately selecting a target. This research will be done through a variety of means, but will most likely start off with online searches through various social media platforms or a target’s website. Once that research is done, the attacker will need to validate that research through physical target surveillance.
Phase 2: Initial Surveillance. Initial surveillance is the first time that the hostile entity will go out and physically observe the potential target(s). The main objectives of initial surveillance are to validate the information already collected through open-source research, identify and collect new information not available through research, and eliminate potential targets prior to settling on a final target. This surveillance allows the attacker to confirm what their research has shown and to identify areas that could not be learned through this research, such as physical facility security. Through direct “eyes-on” surveillance, the attacker can get a first-hand look at the outward-facing security such as guard posts and security patrols, or counter-measures such as identification card checks, bag checks or other screening measures. If the target of the attack is a person or group, the attacker may use surveillance to monitor routes to and from various locations – i.e., home to work, work to regular meeting sites, or common travel patterns the target takes.
In the 2015 Turkey nightclub shooting on New Year’s Eve, indications point to detailed surveillance conducted by the attacker; specifically, investigators questioned how the attacker knew very detailed information about the club. He knew all the secret doors within the club, assumed to be known only by club employees; he knew the guards were not carrying guns and furthermore that weapons were not allowed in the facility; and he had no issue escaping from the club. Some of the investigators even questioned whether the attacker had insider help. Additional investigative acts revealed the attacker took video of himself at various locations. This is a possible indication of his initial surveillance and whittling down of potential target locations before ultimately choosing the nightclub.
The physical act of surveillance can be conducted through various means. There are static positions, in which surveillance is done from a fixed position, such as a vehicle, or from buildings adjacent to the target areas (think coffee shop) in order to observe and detect patterns. If the attack location is in a remote area, these static positions could include observation posts, which are hastily set up positions that use the natural scenery, such as a wooded area, as cover and concealment from security elements. Surveillance could also be done via mobile means, which includes observation from cars or on foot. The attacker can pass by the target location or position during various times to observe behaviors during specific points in time. Another element of mobile surveillance that has changed with technology is mobile surveillance through drones. Drones represent inexpensive ways to conduct surveillance without increasing the level of scrutiny on individuals or groups associated with the attack element.
The attacker will use the surveillance to augment the research and further refine operational planning. They may draw maps or diagrams of target locations and continue to refine and refocus further collection. It is also during initial surveillance that the attacker is vulnerable to detection from security elements, employees, and other personnel who are alert and aware of suspicious incidents – and not just recognizing suspicious incidents, but knowledgeable about reporting those incidents to the appropriate people. While discreet surveillance is a very skilled operation, not everyone is capable of executing it without fail. They may remain on location too long or during unusual periods; they may not have answers to questions if questioned by security or building managers; they may ask too many questions in an attempt to gain more information than needed. Returning to convicted shooter Dylann Roof, he conducted various types of surveillance up to nine months prior to executing his attack. Most of these actions were known to associates or relatives but were never reported to authorities and could have made the difference.
Another important consideration is who the attacker may use to help surveil or collect information against a target. They may use social engineering or elicitation techniques to engage unwitting employees to pull out information about important times for security changes, or security measures within the facility. The attacker could also co-opt employees to serve as their eyes and ears and help the planning process. Every employee, whether they are a parking attendant, retail worker, or housecleaner, has information that can aid an attacker.
These two phases are just the beginning for the attacker. They represent the foundation for all that is to come. Initial target considerations provide why they want to conduct the attack and for what purpose. Once they conduct some preliminary research, they will then need to conduct initial surveillance to confirm or deny their initial research. They will also need to understand whether this target is viable and what the initial security situation looks like. These phases are largely internally focused and there are not a lot of opportunities for security teams to notice unusual activity. However, it does remind security teams that threats are always evaluating potential targets. As such, employing random access measures that change security patterns and conducting vulnerability assessments of all phases of an organization, from online presence to physical security measures on the ground and through the air, can help cause enough doubt in an attacker’s mind to change the plan.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.